UW News

November 16, 2022

Q&A: UW researchers find privacy risks with 3D tours on real estate websites

UW News

A screenshot of a virtual tour of a house. The scene is in a living room and there is a bar over the picture that says "click to explore this 3D space"

University of Washington researchers examined 44 3D tours in 44 states across the U.S. to look for potential security issues when personal details were included in the tour. Shown here is a screenshot of a 3D tour accessed via the Redfin website.

Virtual 3D tours on real estate websites, such as Zillow and Redfin, allow viewers to explore homes without leaving the comfort of their couch.

Sometimes the homes in these tours are staged, but other times they contain evidence of current residents’ lives. University of Washington researchers were curious about whether personal belongings visible in 3D tours could introduce privacy risks.

The team examined 44 3D tours on a real estate website. Each tour was for a home in a different state and had at least one personal detail — such as a letter, a college diploma or photos — visible. The researchers concluded that the details left in these tours could expose residents to a variety of threats, including phishing attacks or credit card fraud.

The team published these findings Nov. 8 and will present them at USENIX Security Symposium 2023.

UW News reached out to lead author Rachel McAmis, a UW doctoral student in the Paul G. Allen School of Computer Science & Engineering, for details on the study.

Rachel McAmis headshot

Rachel McAmis

What makes 3D tours more of a privacy issue than photos?

RM: With 3D tours, it is possible to see all rooms in a house and many more angles of a room than with photos. It is also possible to zoom in on details more easily than in photos — if someone accidentally leaves out a sensitive document, such as a letter, it might be possible to read the letter from a 3D tour if the camera quality is good enough.

What are the different types of privacy issues that you found?

RM: We found traditionally sensitive information that you are never supposed to share with strangers, along with information that reveals people’s behavior and preferences.

Most 3D tours in our study revealed full names of residents because of various items that were left out. Some examples were labeled medication, passwords, credit card information and a letter indicating a legal violation.

Viewers of 3D tours can also see people’s behaviors and preferences, including the products and brands someone purchases, their political affiliation, how clean their house is, how many family members live together, their religion and whether they have a pet.

A drawing of a desk showing a high school diploma, a whiskey bottle and a password taped to a computer monitor

Shown here is an artist’s rendering of a 3D tour where an adversary could gain information about a person’s education, hobbies and passwords.Akira Ohiso

Why are these privacy issues and what are the potential threats that could come out of this?

RM: Anyone with access to a real estate website that hosts these 3D tours can get their hands on the sensitive information listed above, which could lead to credit card fraud, hacked accounts, identity theft and other harms.

Behavior and preference information revealed in the 3D tours could allow someone to target a resident with a personalized message, such as fraudulently pretending to be an email from a brand that the resident frequently purchases from. Others may want to publicize socially damaging behavioral and preference information that they find in the 3D tour.

Of course, if someone is already sharing their preference information on a public social media page, removing this information from their 3D tour is not enough to prevent this information from being widely available on the internet.

Would you expect to see the same types of issues on any 3D home tour on any real estate website?

RM: We believe this is an industry-wide issue. Any online real estate website that uses 3D tours might have tours that reveal sensitive information, even apartment and other property rental websites. For example, there have been a few articles in the past about people finding celebrity homes on multiple real estate websites by looking at details in the 3D tour.

Is it possible to make a 3D tour that’s privacy safe? If not, what are some potential solutions to these issues?

RM: In general, yes, and most 3D tours on real estate websites are already properly staged to remove sensitive information from view. Homes where all personal belongings are removed, and the rooms are either empty or staged with furniture, would not have the same privacy concerns as a home that has residents’ personal belongings visible. However, as seen in our study, many residents do leave their information out.

A drawing of a bathroom with a portrait on the wall. The face in the portrait is blurred by the reflection of the face in the bathroom mirror is not

Shown here is an artist’s rendering of a 3D tour where a person’s face in a photo is blurred, but the reflection of the face is not. An adversary could identify the resident based on the reflection.Akira Ohiso

Are there any specific safeguards people can use when they are setting up their home for a 3D tour?

RM: Residents should be aware of the belongings they leave out when the 3D scan is being taken. For example, residents may want to remove any objects with text that reveals information about them, or items that reveal other behavior or preference information that they do not want publicly available online.

Choosing to use a 3D tour can benefit the home seller in many ways, but sellers should be careful to hide personal belongings before having their home scanned for a 3D tour.

Tadayoshi Kohno, UW professor in the Allen School, is also a co-author on this paper. This research was supported by the National Science Foundation and the University of Washington Tech Policy Lab and gifts from Google, Meta, Qualcomm and Woven Planet.

For more information, contact McAmis at rcmcamis@cs.washington.edu and Kohno at yoshi@cs.washington.edu.

Grant number: 1565252