Cyber security

Halifax woman’s profile photos stolen for click fraud

A bot used her pictures to create a fake identity on Tinder

Mollie Cronin lives in Halifax.

Her friend David Protech was on Tinder, a popular dating app, in Montreal, and by chance stumbled on a profile that looked just like her.

It was a series of photos of Cronin, but the name associated with it was Arya. There was no profile description or other information, only a link with a redirect to a webcam pornography website called strip for tips.

Protech showed Cronin these Tinder pictures of “Arya.” This image is a screenshot of a Facebook exchange.   Genevieve Nickel

Cronin was initially surprised, but now isn’t too worried.

“Not stressed, it happens,” she wrote in an email to The Signal.

Misrepresentation on online dating sites and apps seems to be so common, that even Tinder itself makes fun of this. Below is a video from its official Twitter account.

How does this happen?

In Cronin’s case, it appears that a bot is responsible, as she had used the same photos on her own Tinder profile.

Srinivas Sampali, a Dalhousie University computer science professor, is an expert in cyber security. He says Cronin’s pictures appear to have been snatched by a web robot. People responsible for creating and maintaining bots, which are autonomous software, have typically retrieved the information people might want to obtain illegally.

Sampali explains that information, such as Cronin’s Tinder pictures, are released from bots to third parties — if they want to pay for it. This usually comes at the cost of a few dollars for a few hours of work.

People willing to pay for this illegal service make money from the volume of clicks they get using information from the bots.

What can you do once this happens?

Linda Boutin, works at the Canadian Anti-Fraud Centre (CAFC) and says the CAFC aren’t experts with this type of fraud, so there isn’t much they can do.

“We just don’t have enough information about whether this link is being used for click fraud or phishing,” says Boutin.

Usually the CAFC deals with the traditional sense of identity fraud, such as when someone is impersonating someone to get money out of their victim.

“We don’t know enough about this particular URL, but getting money for clicks isn’t necessarily illegal,” says Boutin.

Rob Currie, a law professor from Dalhousie University and an expert on social media law, says it would be hard to sue the person using Cronin’s pictures without her consent. This is because it is difficult to identify who is responsible.

Sampali agrees. The people buying information from bots do it anonymously, he says, and they’re able to stay anonymous by using bitcoins, an electronic currency.

Is taking someone’s picture from Tinder legal?

Currie says that Cronin has the copyright to her pictures, however depending on the app’s terms of agreement, people might be giving up their copyright.

According to its terms of use, Tinder says content uploaded by users is allowed to be used by Tinder for “operating, developing, providing, promoting and improving the service and researching and developing new ones.”

However, Tinder doesn’t allow third-party users to upload “images of another person without his or her permission.” Also, third parties are not supposed to to use people’s content for marketing purposes. Tinder says it’s not responsible for third parties who misuse the app.

David Shipley, a cyber security expert and director of strategic initiatives within Information Technology Services at the University of New Brunswick, says the question is “what obligation do companies have to shut down these third parties using people’s information this way?”

Shipley says there aren’t many laws that protect people online. This makes it difficult for many social media companies to determine if they are the ones responsible for their users’ security.

Security measures that can potentially protect you online

Alec Couros, a professor at the University of Regina and an expert in Information and Communication Technologies, says “anyone can be a potential victim.” So, it is important for a person to make sure this hasn’t happened to them already.

These are the security measures he recommends:

  • Reverse Google search: search an image of yourself that you frequently use and it will try to find whether it has been used elsewhere.
  • Place a Google alert with your name: it will alert you, via email, anytime your name is used.

To avoid having someone steal your pictures in the first place, you should upload pictures that thieves do not want. These are the takeaway tips from an online guide on how to protect your pictures:

  • Upload low resolution pictures.
  • Add a watermark to your picture. The extra effort to remove the watermark won’t make your pictures worth stealing.

Sampali says these are the different security measures people should take to protect their online privacy

  • Check if the website is secure or not secured. A secure website will have a link that starts with https, whereas a non secure website will have a link that starts with http.
  • A browser that doesn’t recognize a website is a bad sign. If the website doesn’t have a certificate, you are proceeding at your own risk.
  • You should hover your mouse on a link  (this will not work on a smartphone) to make sure it is directing you to the right website.
  • It you find something suspicious — report it. The service provider should be the first point of contact. Example: Facebook, Tinder, etc

Protech has reported “Arya’s” account to Tinder. Tinder thanked him for doing so and said they would investigate the account. Neither Cronin or Protech have heard from Tinder since.