Do your online photos respect your privacy?

Photo files typically contain additional data on shooting conditions, including a geotag. What happens to this data when the photo is published online?

An old-school habit, labelling the back of photos, has transitioned into something more appropriate for the digital age. These days, one needn’t scribble comments on a photo; your camera, an image-editing app, or the service you use to post your photo will add information for you.

This kind of photo information is more comprehensive than the likes of “2016 New Year’s party at our place.” Besides more esoteric attributes such as focal length and flash mode, the “note” might contain the model and serial number of the camera, the date of the photo, and, more important, geolocation data — where the picture was taken. Moreover, the service used to post you photo online will record the IP address you used to upload the picture.

Even if you are not highly concerned about privacy, having that much information attached to a photo may not sit easily with you. It can be used to track you down, and to find more photos taken by you — and perhaps find some private pics among them.

Searching photo metadata is a method of doxxing, which is the practice of gathering real-world data, such as the real name and home address, on a person of interest online.

One of the main metadata collectors is the EXIF block that is added to graphic files. The Exchangeable Image File Format standard was developed by the Japanese Electronics and IT Association (JEITA) and first published in 1995. EXIF was developed for JPEG and TIFF files. Other popular formats such as PNG and GIF might also contain similar metadata — in particular, Adobe’s XMP-based metadata. Moreover, camera vendors might use a proprietary metadata format, partially redundant with EXIF.

Embedded metadata, at times forgotten or ignored, can present a problem to both authors and the people in photographs. One of the most prominent examples of metadata being used in a manner not intended by a photographer is the apprehension of John McAfee in Guatemala in 2012. While on the run from criminal prosecution for the alleged murder of his neighbour, McAfee was interviewed by Vice, which also published his portrait. The photo’s metadata included a geotag that law enforcement used to catch McAfee.

We set out to learn how various photo editors and services handle metadata and see whether they delete potentially compromising tags or leave them there. Read on to find out what’s happening with that data when you share photos.

The experiment

First, we considered the possible scenarios that can expose private details when users post photos online:

1. You e-mail your photos or upload them to cloud services such as Google Drive or Dropbox.

2. You upload your photos to social media and photo services.

3. You post a photo of, say, your used bicycle to sell on a message board.

In the first case, your file remains unaltered. Anyone with whom you share the photo can access the associated metadata.

With social media and photo services, your privacy may be compromised. That really depends on the service — some delete it but others don’t. As far as other online services, stories abound of items in “for sale” posts being stolen, presumably a result of thieves figuring out their location from photo metadata. However, as you’ll see from our test results, some sites that help people sell stuff strip out metadata to protect users.

We tested some popular online services to see how they handle EXIF. To do that we used a Firefox plugin called Exif Viewer 2.00. The plugin shows the metadata of JPEG images posted to the Internet and stored locally; it also integrates with geolocation services and shows thumbnails. You can experiment with different services too; it’s easy to do and rather fascinating.

[tumbler-exif.tif]
[Caption: It’s a short path from an online photo to a real-life location]

Here are the results of our experiment:

∞ Facebook, Twitter, and VK.com delete metadata;

∞ Google+ does not delete metadata;

∞ Instagram deletes metadata;

∞ Flickr, Google Photo, and Tumblr do not delete metadata;

∞ eBay and Craigslist delete metadata.

The services that don’t delete metadata usually have privacy settings which at least let users hide it. The key word here is hide: Services can actually store metadata separately. The data is still can be used by services themselves (think ads), by law enforcement…by hackers — but that is a topic for another discussion.

Let my data flow

Let’s take a look at how Facebook deals with photo metadata. Although it deletes EXIF from picture files, it stores the information in its own database. It’s quite easy to check: just use the default backup copy feature. You’ll get an archive containing, among other information, any photos you uploaded to the social network, bundled with an .html description file. This file contains the photos’ geotags and the IP addresses from which they were uploaded.

[facebook-metadata.jpg]
[Caption: Metadata in the Facebook user profile archive]

The list of user data stored by Facebook is available in the information section. It’s about as long as your arm.

We also found a curious take on Facebook — law enforcement agencies’ relationship with the service is described in a guide explaining the process of requesting user data from Facebook. The document, published on netzpolitik.org, appears to come from the Sacramento, California, Sheriff’s Department.

The peculiarities of interaction between governments and online services on the issue of user data expand far beyond this article. However we see it as our responsibility to warn you about the increasing amount of metadata, which is more readily available than you might think. Under certain circumstances, online services can share that information with third parties.

The real action is behind the scenes

Apart from text information, metadata includes a thumbnail of the picture in question. That can be a problem.

As we were exploring the EXIF topic, we stumbled across a curious story. Back in 2003, television host Catherine Schwartz posted some photos on her blog. The photos, as it turned out, had been cropped — but their metadata included thumbnails of the original photos, in some of which Schwartz was unclothed.

A decade has passed since then, so developers will have dealt with this privacy threat, right? Well, we prefer not to assume.

We tested Adobe Photoshop Express, GIMP, Windows Paint, Microsoft Office Picture Manager, IrfanView, and XnView to make sure that every time a photo is edited the program updates the thumbnail. And they did.

There was another participant in our trial, however: the latest version of Corel Photo-Paint (X8). That test showed that when an image is saved as a JPEG, the thumbnail is not updated and continues to depict the original image.

Photo-Paint has a feature called “Export For Web,” which prepares an image for posting online. We thought that might delete metadata — but it doesn’t.

To exclude the potential impact of the file properties on the app’s ability to update thumbnails, we ran the test using various types of files from a DSLR and a smartphone, as well as a Windows 7 sample file (the one with the penguins).

[exif-thumbnail.png]
[Caption: Left: The file thumbnail Windows Explorer takes from metadata. Right: File preview. The file was just created, so it’s not a result of the OS caching thumbnails]

Recommendations

To avoid exposing something private while posting your photos, follow these rules:

1. Disable geotagging on the device you use to take photos (either for the camera only or all apps). The process varies depending on device.

2. Delete metadata before publishing files online. Try a free app for that, such as XnView. Note that Windows’ proprietary mechanism, called “Remove personal information from file properties” (in the “Details” tab of the File Properties window) preserves both thumbnails and EXIF data.

3. Delete metadata before posting photos from mobile devices, using special apps for iOS, Android and Windows Phone.

4. Use online services’ privacy settings and apply restrictions to saving metadata in photos.

As a last resort, you could simply not post pictures and data that can possibly be misused. That’s not advice we think many will take — we certainly wouldn’t! — which is why we prefer adhering to the four rules above.

Tips