Q&A: UW researchers discover privacy risks with 3D tours on real estate websites

Engineering | Expert Quotes | Press releases | Technology

November 16, 2022

Researchers at the University of Washington examined 44 3D tours in 44 states across the United States to look for potential security issues when personal information was included in the tour. Here is a screenshot of a 3D tour accessed through the Redfin website.

3D virtual tours on real estate websites, such as Zillow and Redfin, allow viewers to explore homes without leaving the comfort of their sofa.

Sometimes the homes of these visits are staged, but other times they contain evidence of the lives of current residents. The University of Washington researchers were curious whether personal effects visible in 3D tours could introduce privacy risks.

The team reviewed 44 3D tours of a real estate site. Each visit was to a home in a different condition and had at least one personal detail — like a letter, college degree, or photos — visible. The researchers concluded that details left behind during these visits could expose residents to various threats, including phishing attacks or credit card fraud.

The team published these results on November 8 and will present them at the USENIX Security Symposium 2023.

UW News contacted lead author Rachel McAmis, a UW doctoral student at the Paul G. Allen School of Computer Science & Engineering, for more details on the study.

Portrait of Rachel McAmis

Rachel McFriends

What makes 3D tours more problematic than photos?

RM: With 3D tours, it is possible to see all the rooms of a house and many more angles of a room than with photos. It is also possible to zoom in on details more easily than on photos – if someone accidentally omits a sensitive document, such as a letter, it may be possible to read the letter from a 3D tour if the quality of the device photo is good enough.

What different types of privacy issues have you found?

RM: We found traditionally sensitive information that you are never supposed to share with strangers, as well as information that reveals people’s behavior and preferences.

Most of the 3D visits in our study revealed the full names of residents due to various items that were omitted. Some examples were labeled medications, passwords, credit card information, and a letter indicating a violation of the law.

Viewers of 3D tours can also see people’s behaviors and preferences, including the products and brands someone buys, their political affiliation, the cleanliness of their home, the number of family members who live together, their religion and if they have a pet.

A drawing of a desk showing a high school diploma, a bottle of whiskey and a saved password on a computer screen

Shown here is an artist’s rendering of a 3D tour where an adversary could obtain information about a person’s education, hobbies, and passwords.Akira Ohiso

Why these privacy issues and what are the potential threats that could arise from them?

RM: Anyone with access to a real estate website that hosts these 3D tours can get their hands on the sensitive information listed above, which could lead to credit card fraud, hacked accounts, identity theft and other harms.

Behavioral and preference information revealed in 3D tours could allow someone to target a resident with a personalized message, such as fraudulently claiming to be an email from a brand the resident frequently purchases from. Others may wish to post information about socially harmful behaviors and preferences they find in the 3D tour.

Of course, if someone already shares their preference information on a public social media page, removing that information from their 3D tour isn’t enough to prevent that information from being widely available on the internet.

Would you expect to see the same kinds of issues on any 3D home tour on any real estate website?

RM: We believe this is an industry-wide problem. Any online real estate website that uses 3D tours may have tours that reveal sensitive information, even apartment rental websites and other properties. For example, there have been a few articles in the past about people finding celebrity homes on several real estate websites by looking at 3D tour details.

Is it possible to make a 3D tour without danger for privacy? If not, what are the potential solutions to these problems?

RM: Generally yes, and most 3D tours on real estate sites are already properly staged to remove sensitive information from view. Houses where all belongings are removed and rooms are either empty or furnished with furniture would not have the same privacy issues as a house where residents’ belongings are visible. However, as we have seen in our study, many residents omit their information.

A drawing of a bathroom with a portrait on the wall.  The face in the portrait is blurred by the reflection of the face in the bathroom mirror is not

Here’s an artist’s rendering of a 3D tour where a person’s face in a photo is blurred, but the reflection of the face is not. An adversary could identify the resident based on the reflection.Akira Ohiso

Are there any specific safeguards people can use when preparing their home for a 3D tour?

RM: Residents should be aware of personal items they forget when taking the 3D scan. For example, Residents may want to remove any objects that contain text that reveals information about them, or items that reveal other information about behavior or preferences that they do not want to see publicly online.

Choosing to use a 3D tour can benefit the home seller in many ways, but sellers should be careful to hide their belongings before having their home scanned for a 3D tour.

Tadayoshi Kohno, a UW professor at the Allen School, is also a co-author of this article. This research was supported by the National Science Foundation and the University of Washington’s Tech Policy Lab and donations from Google, Meta, Qualcomm, and Woven Planet.

For more information, contact McAmis at [email protected] and Kohno at [email protected]

Grant number: 1565252

Tag(s): College of Engineering • Paul G. Allen School of Computer Science and Engineering • Rachel McAmis • Tadayoshi Kohno

About Madeline Powers

Check Also

How to Disable “Hide IP Address” of a Website on iPhone

Apple introduced privacy-focused features in iOS 15 with the ability to hide your IP address, …