{"id":7893,"date":"2016-10-31T08:53:17","date_gmt":"2016-10-31T12:53:17","guid":{"rendered":"https:\/\/kasperskydaily.com\/uk\/?p=7893"},"modified":"2019-11-22T10:08:56","modified_gmt":"2019-11-22T10:08:56","slug":"exif-privacy","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/exif-privacy\/7893\/","title":{"rendered":"Do your online photos respect your privacy?"},"content":{"rendered":"<p>An old-school habit, labelling the back of photos, has transitioned into something more appropriate for the digital age. These days, one needn\u2019t scribble comments on a photo; your camera, an image-editing app, or the service you use to post your photo will add information for you.<\/p>\n<p>This kind of photo information is more comprehensive than the likes of \u201c2016 New Year\u2019s party at our place.\u201d Besides more esoteric attributes such as focal length and flash mode, the \u201cnote\u201d might contain the model and serial number of the camera, the date of the photo, and, more important, geolocation data \u2014 where the picture was taken. Moreover, the service used to post your photo online will record the IP address you used to upload the picture.<\/p>\n<p>Even if you are not highly concerned about privacy, having that much information attached to a photo may not sit easily with you. It can be used to track you down, and to find more photos taken by you \u2014 and perhaps find some private pics among them.<\/p>\n<p>Searching photo metadata is a method of <a href=\"https:\/\/en.wikipedia.org\/wiki\/Doxing\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">doxxing<\/a>, which is the practice of gathering real-world data, such as the real name and home address, on a person of interest online.<\/p>\n<p>One of the main metadata collectors is the EXIF block that is added to graphic files. 
The <a href=\"https:\/\/en.wikipedia.org\/wiki\/EXIF\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Exchangeable Image File Format<\/a> standard was developed by the Japanese Electronics and IT Association (JEITA) and first published in 1995. EXIF was developed for JPEG and TIFF files. Other popular formats such as PNG and GIF might also contain similar metadata \u2014 in particular, Adobe\u2019s XMP-based metadata. Moreover, camera vendors might use a proprietary metadata format, partially redundant with EXIF.<\/p>\n<p>Embedded metadata, at times forgotten or ignored, can present a problem to both authors and the people in photographs. One of the most prominent examples of metadata being used in a manner not intended by a photographer is the apprehension of John McAfee in Guatemala in 2012. While on the run from criminal prosecution for the alleged murder of his neighbour, McAfee was interviewed by Vice, which also published his portrait. <a href=\"http:\/\/thenextweb.com\/insider\/2012\/12\/03\/vice-leaves-metadata-in-photo-of-john-mcafee-pinpointing-him-to-a-location-in-guatemala\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">The photo\u2019s metadata included a geotag<\/a> that law enforcement used to catch McAfee.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Ooops. <a href=\"https:\/\/twitter.com\/hashtag\/Vice?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Vice<\/a> forgot to clean (or faked?) 
the GPS-location from the EXIF-tag on their picture with <a href=\"https:\/\/twitter.com\/hashtag\/McAffee?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#McAffee<\/a> : <a href=\"http:\/\/t.co\/Ycmb7ShQ\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/Ycmb7ShQ<\/a><\/p>\n<p>\u2014 Frank Rieger (@frank_rieger) <a href=\"https:\/\/twitter.com\/frank_rieger\/status\/275702057707651072?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">December 3, 2012<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>We set out to learn how various photo editors and services handle metadata and see whether they delete potentially compromising tags or leave them there. Read on to find out what\u2019s happening with that data when you share photos.<\/p>\n<h3>The experiment<\/h3>\n<p>First, we considered the possible scenarios that can expose private details when users post photos online:<\/p>\n<p>1. You e-mail your photos or upload them to cloud services such as Google Drive or Dropbox.<\/p>\n<p>2. You upload your photos to social media and photo services.<\/p>\n<p>3. You post a photo of, say, your used bicycle to sell on a message board.<\/p>\n<p>In the first case, your file remains unaltered. Anyone with whom you share the photo can access the associated metadata.<\/p>\n<p>With social media and photo services, your privacy <em>may<\/em> be compromised. That really depends on the service \u2014 some delete the metadata but others don\u2019t. As for other online services, stories abound of items in \u201cfor sale\u201d posts being stolen, presumably a result of thieves figuring out their location from photo metadata. However, as you\u2019ll see from our test results, some sites that help people sell stuff strip out metadata to protect users.<\/p>\n<p>We tested some popular online services to see how they handle EXIF. 
To do that we used a Firefox plugin called <a href=\"https:\/\/addons.mozilla.org\/en\/firefox\/addon\/exif-viewer\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Exif Viewer 2.00<\/a>. The plugin shows the metadata of JPEG images posted to the Internet and stored locally; it also integrates with geolocation services and shows thumbnails. You can experiment with different services too; it\u2019s easy to do and rather fascinating.<\/p>\n<p>[tumbler-exif.tif]<br>\n[Caption: It\u2019s a short path from an online photo to a real-life location]<\/p>\n<p>Here are the results of our experiment:<\/p>\n<p>\u2022 Facebook, Twitter, and VK.com <b>delete<\/b> metadata;<\/p>\n<p>\u2022 Google+ <b>does not delete<\/b> metadata;<\/p>\n<p>\u2022 Instagram <b>deletes<\/b> metadata;<\/p>\n<p>\u2022 Flickr, Google Photo, and Tumblr <b>do not delete<\/b> metadata;<\/p>\n<p>\u2022 eBay and Craigslist <b>delete<\/b> metadata.<\/p>\n<p>The services that don\u2019t delete metadata usually have privacy settings which at least let users hide it. The key word here is <em>hide<\/em>: Services can actually store metadata separately. The data can still be used by the services themselves (think ads), by law enforcement\u2026by hackers \u2014 but that is a topic for another discussion.<\/p>\n<h3>Let my data flow<\/h3>\n<p>Let\u2019s take a look at how Facebook deals with photo metadata. Although it deletes EXIF from picture files, it stores the information in its own database. It\u2019s quite easy to check: just use the default <a href=\"https:\/\/www.facebook.com\/help\/131112897028467\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">backup copy feature<\/a>. You\u2019ll get an archive containing, among other information, any photos you uploaded to the social network, bundled with an .html description file. 
This file contains the photos\u2019 geotags and the IP addresses from which they were uploaded.<\/p>\n<p>[facebook-metadata.jpg]<br>\n[Caption: Metadata in the Facebook user profile archive]<\/p>\n<p>The list of user data stored by Facebook is available in <a href=\"https:\/\/www.facebook.com\/help\/405183566203254\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">the information section<\/a>. It\u2019s about as long as your arm.<\/p>\n<p>We also found a curious take on Facebook \u2014 law enforcement agencies\u2019 relationship with the service is described in a guide explaining the process of requesting user data from Facebook. The <a href=\"http:\/\/netzpolitik.org\/wp-upload\/2016\/08\/facebook-law-enforcement-portal-inofficial-manual.pdf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">document, published on netzpolitik.org<\/a>, appears to come from the Sacramento, California, Sheriff\u2019s Department.<\/p>\n<p>The peculiarities of interaction between governments and online services on the issue of user data extend far beyond the scope of this article. However, we see it as our responsibility to warn you about the increasing amount of metadata, which is more readily available than you might think. Under certain circumstances, online services can share that information with third parties.<\/p>\n<h3>The real action is behind the scenes<\/h3>\n<p>Apart from text information, metadata includes a thumbnail of the picture in question. That can be a problem.<\/p>\n<p>As we were exploring the EXIF topic, we stumbled across a curious story. Back in 2003, television host Catherine Schwartz posted some photos on her blog. The photos, as it turned out, had been cropped \u2014 but their metadata included thumbnails of the original photos, in some of which Schwartz was unclothed.<\/p>\n<p>A decade has passed since then, so developers will have dealt with this privacy threat, right? 
Well, we prefer not to assume.<\/p>\n<p>We tested Adobe Photoshop Express, GIMP, Windows Paint, Microsoft Office Picture Manager, IrfanView, and XnView to make sure that every time a photo is edited the program updates the thumbnail. And they did.<\/p>\n<p>There was another participant in our trial, however: the latest version of Corel Photo-Paint (X8). That test showed that when an image is saved as a JPEG, the thumbnail is not updated and continues to depict the original image.<\/p>\n<p>Photo-Paint has a feature called \u201cExport For Web,\u201d which prepares an image for posting online. We thought that might delete metadata \u2014 but it doesn\u2019t.<\/p>\n<p>To exclude the potential impact of the file properties on the app\u2019s ability to update thumbnails, we ran the test using various types of files from a DSLR and a smartphone, as well as a Windows 7 sample file (the one with the penguins).<\/p>\n<p>[exif-thumbnail.png]<br>\n[Caption: Left: The file thumbnail Windows Explorer takes from metadata. Right: File preview. The file was just created, so it\u2019s not a result of the OS caching thumbnails]<\/p>\n<h3>Recommendations<\/h3>\n<p>To avoid exposing something private while posting your photos, follow these rules:<\/p>\n<p>1. Disable geotagging on the device you use to take photos (either for the camera only or all apps). The process varies depending on the device.<\/p>\n<p>2. Delete metadata before publishing files online. Try a free app for that, such as XnView. Note that Windows\u2019 proprietary mechanism, called \u201cRemove personal information from file properties\u201d (in the \u201cDetails\u201d tab of the File Properties window) preserves both thumbnails and EXIF data.<\/p>\n<p>3. 
Delete metadata before posting photos from mobile devices, using special apps for <a href=\"https:\/\/itunes.apple.com\/us\/app\/viewexif\/id945320815\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">iOS<\/a>, <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.iudesk.android.photo.editor\" target=\"_blank\" rel=\"noopener nofollow\">Android<\/a> and <a href=\"https:\/\/www.microsoft.com\/en-us\/store\/p\/picture-info\/9wzdncrcww1p\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Windows Phone<\/a>.<\/p>\n<p>4. Use online services\u2019 privacy settings and apply restrictions to saving metadata in photos.<\/p>\n<p>As a last resort, you could simply not post pictures and data that can possibly be misused. That\u2019s not advice we think many will take \u2014 we certainly wouldn\u2019t! \u2014 which is why we prefer adhering to the four rules above.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Photo files typically contain additional data on shooting conditions, including a geotag. 
What happens to this data when the photo is published online?<\/p>\n","protected":false},"author":2049,"featured_media":7894,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1622,9],"tags":[1681,1684,1682,1683,1570,43,98],"class_list":{"0":"post-7893","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-privacy","8":"category-tips","9":"tag-exif","10":"tag-experiment","11":"tag-metadata","12":"tag-online-services","13":"tag-photos","14":"tag-privacy","15":"tag-social-networks"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/exif-privacy\/7893\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/exif-privacy\/7957\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/exif-privacy\/7915\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/exif-privacy\/9450\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/exif-privacy\/9266\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/exif-privacy\/13506\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/exif-privacy\/13356\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/exif-privacy\/6270\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/exif-privacy\/6742\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/exif-privacy\/5624\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/exif-privacy\/9124\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/exif-privacy\/13089\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/exif-privacy\/13506\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/exif-privacy\/13356\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/exif-privacy\/13356\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/e
xif\/","name":"EXIF"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/7893","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/2049"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=7893"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/7893\/revisions"}],"predecessor-version":[{"id":17614,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/7893\/revisions\/17614"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/7894"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=7893"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=7893"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=7893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}