Virtual 3D tours of homes can violate privacy

"...if someone accidentally leaves out a sensitive document, such as a letter, it might be possible to read the letter from a 3D tour if the camera quality is good enough," says Rachel McAmis. (Credit: Nicolas Solerieu/Unsplash)

Virtual 3D tours on real estate websites, such as Zillow and Redfin, could pose privacy risks to the current residents.

Sometimes the homes in these tours are staged, but other times they contain evidence of current residents’ lives. University of Washington researchers were curious about whether personal belongings visible in 3D tours could introduce privacy risks.

The team examined 44 3D tours on a real estate website. Each tour was for a home in a different state and had at least one personal detail—such as a letter, a college diploma, or photos—visible. The researchers conclude that the details left in these tours could expose residents to a variety of threats, including phishing attacks or credit card fraud.

The team will present their findings at the USENIX Security Symposium 2023. Support for the work came from the National Science Foundation, the university’s Tech Policy Lab, Google, Meta, Qualcomm, and Woven Planet.

Lead author of the study Rachel McAmis, a doctoral student in the University of Washington’s Paul G. Allen School of Computer Science & Engineering, describes the findings:

Q

What makes 3D tours more of a privacy issue than photos?

A

With 3D tours, it is possible to see all rooms in a house and many more angles of a room than with photos. It is also possible to zoom in on details more easily than in photos—if someone accidentally leaves out a sensitive document, such as a letter, it might be possible to read the letter from a 3D tour if the camera quality is good enough.

Q

What are the different types of privacy issues that you found?

A

We found traditionally sensitive information that you are never supposed to share with strangers, along with information that reveals people’s behavior and preferences.

Most 3D tours in our study revealed full names of residents because of various items that were left out. Some examples were labeled medication, passwords, credit card information, and a letter indicating a legal violation.

Viewers of 3D tours can also see people’s behaviors and preferences, including the products and brands someone purchases, their political affiliation, how clean their house is, how many family members live together, their religion, and whether they have a pet.

Q

Why are these privacy issues and what are the potential threats that could come out of this?

A

Anyone with access to a real estate website that hosts these 3D tours can get their hands on the sensitive information listed above, which could lead to credit card fraud, hacked accounts, identity theft, and other harms.

Behavior and preference information revealed in the 3D tours could allow someone to target a resident with a personalized message, such as fraudulently pretending to be an email from a brand that the resident frequently purchases from. Others may want to publicize socially damaging behavioral and preference information that they find in the 3D tour.

Of course, if someone is already sharing their preference information on a public social media page, removing this information from their 3D tour is not enough to prevent this information from being widely available on the internet.

Q

Would you expect to see the same types of issues on any 3D home tour on any real estate website?

A

We believe this is an industry-wide issue. Any online real estate website that uses 3D tours might have tours that reveal sensitive information, even apartment and other property rental websites. For example, there have been a few articles in the past about people finding celebrity homes on multiple real estate websites by looking at details in the 3D tour.

Q

Is it possible to make a 3D tour that’s privacy safe? If not, what are some potential solutions to these issues?

A

In general, yes, and most 3D tours on real estate websites are already properly staged to remove sensitive information from view. Homes where all personal belongings are removed, and the rooms are either empty or staged with furniture, would not have the same privacy concerns as a home that has residents’ personal belongings visible. However, as seen in our study, many residents do leave their information out.

Q

Are there any specific safeguards people can use when they are setting up their home for a 3D tour?

A

Residents should be aware of the belongings they leave out when the 3D scan is being taken. For example, residents may want to remove any objects with text that reveals information about them, or items that reveal other behavior or preference information that they do not want publicly available online.

Choosing to use a 3D tour can benefit the home seller in many ways, but sellers should be careful to hide personal belongings before having their home scanned for a 3D tour.