An international group of researchers has developed an algorithmic tool that uses Twitter to automatically predict exactly where you live in a matter of minutes, with more than 90 percent accuracy. It can also predict where you work, where you pray, and other information you might rather keep private, like, say, whether you’ve frequented a certain strip club or gone to rehab.

The tool, called LPAuditor (short for Location Privacy Auditor), exploits what the researchers call an "invasive policy" Twitter deployed after it introduced the ability to tag tweets with a location in 2009. For years, users who chose to geotag tweets with any location, even something as geographically broad as “New York City,” also automatically gave their precise GPS coordinates. Users wouldn’t see the coordinates displayed on Twitter. Nor would their followers. But the GPS information would still be included in the tweet’s metadata and accessible through Twitter’s API.

Twitter didn't change this policy across its apps until April of 2015. Now, users must opt in to share their precise location—and, according to a Twitter spokesperson, a very small percentage of people do. But the GPS data people shared before the update remains available through the API to this day.
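As an added example (not from the article, Twitter, or the LPAuditor paper), the self-audit below scans a user's own tweets for the mismatch described above: a coarse place label shown on the tweet, paired with exact coordinates in the metadata. The field names (`coordinates`, `place.place_type`, `full_name`) are assumed to follow the Twitter API v1.1 tweet object, and the sample tweets are constructed.

```python
import json

# place_type values broader than a single venue ("poi" marks one specific venue).
COARSE_PLACE_TYPES = {"neighborhood", "city", "admin", "country"}

# Constructed sample tweets (not real data), shaped like API v1.1 tweet objects.
SAMPLE_TWEETS = json.loads("""[
 {"id_str": "1001", "place": {"place_type": "city", "full_name": "Manhattan, NY"},
  "coordinates": {"type": "Point", "coordinates": [-73.9857, 40.7484]}},
 {"id_str": "1002", "place": {"place_type": "poi", "full_name": "Example Museum"},
  "coordinates": {"type": "Point", "coordinates": [-73.9632, 40.7794]}},
 {"id_str": "1003", "place": {"place_type": "city", "full_name": "Chicago, IL"},
  "coordinates": null},
 {"id_str": "1004", "place": {"place_type": "admin", "full_name": "Illinois, USA"},
  "coordinates": {"type": "Point", "coordinates": [-87.6298, 41.8781]}}
]""")


def exact_point(tweet):
    """Return (lat, lon) if the tweet metadata carries a GeoJSON Point, else None."""
    coords = tweet.get("coordinates") or {}
    pair = coords.get("coordinates")
    if coords.get("type") != "Point" or not isinstance(pair, list) or len(pair) != 2:
        return None
    lon, lat = pair  # GeoJSON order is longitude, latitude
    return (lat, lon)


def audit(tweets):
    """List tweets whose visible place is coarse but whose metadata holds exact GPS."""
    findings = []
    for tweet in tweets:
        point = exact_point(tweet)
        place = tweet.get("place") or {}
        if point is not None and place.get("place_type") in COARSE_PLACE_TYPES:
            findings.append({"id": tweet.get("id_str"),
                             "shown_as": place.get("full_name"),
                             "place_type": place["place_type"],
                             "hidden_point": point})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_TWEETS):
        print(f"tweet {f['id']}: shown as {f['shown_as']!r} ({f['place_type']}), "
              f"metadata holds {f['hidden_point']}")
```

Tweets the audit flags are the ones whose stored location is more precise than the label the user chose to display.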

The researchers developed LPAuditor to analyze those geotagged tweets and infer detailed information about people’s most sensitive locations. They outline this process in a new, peer-reviewed paper that will be presented at the Network and Distributed System Security Symposium next month. By analyzing clusters of coordinates, as well as timestamps on the tweets, LPAuditor was able to suss out where tens of thousands of people lived, worked, and spent their private time.

A member of Twitter's site integrity team told WIRED that sharing location data on Twitter has always been voluntary and that the company has always given users a way to delete that data in its help section. "We recognized in 2015 that we could be even clearer with people about that, but our overarching perspective on location sharing has always been that it’s voluntary and that users can choose what they do and don't want to share," the Twitter employee said.

It's true that it's always been up to users to geotag their tweets or not. But there's a big difference between choosing to share that you're in Paris and choosing to share exactly where you live in Paris. And yet, for years, regardless of the square mileage of the locations users chose to share, Twitter was choosing to share their locations down to the GPS coordinates. The fact that these details were spelled out in Twitter's help section wouldn't do much good to users who didn't know they needed help in the first place.

"If you're not aware of the problem, you're never going to go remove that data," says Jason Polakis, a co-author of the study and an assistant professor of computer science at the University of Illinois at Chicago specializing in privacy and security. And according to the study, that data can reveal a lot.

In November of 2016, well after Twitter changed its settings, Polakis and researchers at the Foundation for Research and Technology in Crete began pulling Twitter metadata from the company’s API. They were building on prior research that showed it was possible to infer private information from geotagged tweets, but they wanted to see if they could do it at scale and with more precision, using automation.

The researchers analyzed a pool of about 15 million geotagged tweets from about 87,000 users. Some of the location data attached to those tweets may have come from users who wanted to share their exact locations, like, say, a museum or music venue. But there were also plenty of users who shared nothing more than a city or general vicinity, only to have their GPS location shared anyway.