Digital photos and privacy

Digital photos contain more than meets the eye: they have metadata and other hidden information that can compromise your privacy. Liz and Geoffrey take a look at Exif metadata and other non-obvious ways that photos from your phone or camera might be sharing more than you want. Also, iOS has some neat security features, and Yahoo! Mail has some not-so-neat privacy concerns.


Timeline

  • 1:04 - Security news
  • 8:27 - Exif metadata and geotagging
  • 13:36 - XMP, edits, and crops
  • 15:18 - Social media sites and Exif removal
  • 19:13 - Computerized analyses of photo contents

Show notes & further reading

Exif analysis tools

As mentioned in the episode, we're hesitant to recommend a general-purpose Exif removal tool because endorsing software is always a difficult task. Even skilled and well-intentioned software developers are often not experts at maintaining secure infrastructure for compiling and delivering software, and Exif removal tools tend to be built by very small teams if not individuals.

However, we'll make two suggestions for special cases. If you're using a Linux distribution that has it packaged, or Homebrew for Mac, Phil Harvey's command-line tool exiftool is an old and well-respected utility for viewing and editing detailed information in Exif, IPTC, XMP, and many other formats. If you don't feel comfortable installing exiftool, an online interface is Jeffrey Friedl's Image Metadata Viewer, which has also been around for many years - although note that the site isn't HTTPS, and in any case you shouldn't be trusting it if you're not already comfortable sharing the photo and any potential metadata with someone you don't know. If you have a photo you've taken in a public place (for instance, you're on vacation), it could be a quick way to check whether a social media service is actually removing metadata (and not adding unwanted metadata!), but don't upload an image directly from your phone or camera if you're not willing to risk all the associated metadata being public.
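For readers who want to run the "is this site really removing metadata?" check themselves, here is an added example (not from the episode, and not a replacement for exiftool) that reports which metadata blocks a JPEG file carries: Exif, an Exif GPS pointer, XMP, IPTC, or a comment. It handles JPEG files only and looks at the segments before the image data; the two sample byte strings are constructed for illustration and are not viewable pictures.

```python
import struct
import sys

EXIF_SIG = b"Exif\x00\x00"                      # APP1 payload prefix for Exif
XMP_SIG = b"http://ns.adobe.com/xap/1.0/\x00"   # APP1 payload prefix for XMP
IPTC_SIG = b"Photoshop 3.0\x00"                 # APP13 prefix; IPTC is stored in here
GPS_IFD_TAG = 0x8825                            # IFD0 entry pointing at the GPS block


def iter_segments(data):
    """Yield (marker, payload) for every JPEG segment before the image data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file (no SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker in (0xDA, 0xD9):              # start of scan / end of image
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # markers with no length
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def exif_has_gps(payload):
    """Return True if the Exif block's first directory points at GPS data."""
    tiff = payload[len(EXIF_SIG):]
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return False
    endian = "<" if tiff[:2] == b"II" else ">"
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        if len(entry) < 12:                     # directory runs past the block
            break
        (tag,) = struct.unpack(endian + "H", entry[:2])
        if tag == GPS_IFD_TAG:
            return True
    return False


def metadata_report(data):
    """Return a sorted list of the metadata kinds found in a JPEG."""
    found = set()
    for marker, payload in iter_segments(data):
        if marker == 0xE1 and payload.startswith(EXIF_SIG):
            found.add("Exif")
            if exif_has_gps(payload):
                found.add("Exif GPS")
        elif marker == 0xE1 and payload.startswith(XMP_SIG):
            found.add("XMP")
        elif marker == 0xED and payload.startswith(IPTC_SIG):
            found.add("IPTC/Photoshop")
        elif marker == 0xFE:
            found.add("comment")
    return sorted(found)


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def _constructed_samples():
    """Build two constructed files: one with metadata, one stripped."""
    tiff = (b"II" + struct.pack("<HI", 42, 8)                  # TIFF header
            + struct.pack("<H", 2)                             # two IFD0 entries
            + struct.pack("<HHI", 0x010F, 2, 4) + b"Cam\x00"   # Make = "Cam"
            + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 38)      # GPS pointer
            + struct.pack("<I", 0)                             # no further IFDs
            + struct.pack("<HI", 0, 0))                        # empty GPS IFD
    jfif = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    tail = b"\xff\xda\x00\x02" + b"\xff\xd9"                   # empty scan, EOI
    original = (b"\xff\xd8" + jfif + _segment(0xE1, EXIF_SIG + tiff)
                + _segment(0xE1, XMP_SIG + b"<x:xmpmeta/>")
                + _segment(0xED, IPTC_SIG + b"8BIM") + tail)
    stripped = b"\xff\xd8" + jfif + tail
    return original, stripped


ORIGINAL, STRIPPED = _constructed_samples()

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, metadata_report(fh.read()) or "no metadata segments found")
```

Run it on the file you uploaded and on the copy you download back from the service; an empty result for the downloaded copy means none of these blocks survived.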

Camera identification

There have been many projects about identifying the model of a camera from characteristics of the photo. Dartmouth computer science professor Hany Farid gave the technique the colorful name of "digital image ballistics" in a 2006 technical report about identifying patterns in JPEG quantization; you can also find many academic papers that refer to the problem as "source camera identification". In 2014, ExtremeTech wrote about a website that would analyze images to determine whether they've been edited, in part by determining what software likely created the image. The website and its parent company Fourandsix (co-founded by Farid) have since shut down, but the article details the approach. Another product that uses similar techniques to determine whether an image was edited is the JPEG analysis tool JPEGsnoop, which has an example on its web page about finding the most likely camera that took a photo.

Identifying a photo location from its contents

Fast Company wrote an article in 2016 about PoseNet, the University of Cambridge project to identify the locations and directions of photos taken within a major street in Cambridge. You can still try the demo online.

Google doesn't have an online demo of PlaNet, their system for identifying the location of photos with deep neural networks, but you can read about their work in Technology Review and The Verge. They recently continued their research to make CPlaNet, which is even more accurate than PlaNet.

In the news

The Wall Street Journal broke the story about Yahoo! Mail and AOL Mail's practice of selling data in email to advertisers. You can also see secondary reporting from The Verge and from CNBC, among others. There is evidently a button to opt out on Yahoo!'s site; using a browser setting or extension to prevent tracking and block unwanted content, as we discussed in a previous episode, is also a good idea.

The New York Times' report on mobile games marketed towards children that track personal information is well worth a read. We didn't have time to go into the details in the episode, but it's an important topic for anyone with young children who enjoy playing games on smartphones or tablets. There's also the earlier academic report from March on the same subject, which shows how widespread these issues are.

iOS 12 comes with several changes, including more security changes than we were able to cover. TechCrunch has some recommendations for general ways to improve your security, some of which were available in older versions, some of which are new. Apple has also updated their technical iOS security guide for iOS 12; 9to5Mac takes a look at the biggest changes, all of which seem positive. Apple security engineer Ricky Mondello also posted a Twitter thread of iOS 12 changes as well as changes in the latest version of Safari for desktop. One thing to keep in mind: if you're looking to use the improved support for third-party password managers, make sure you update not just iOS but also the password manager app to the latest version.

Transcript

Geoffrey Thomas (GT): Hey, Liz, did you get that photo of the really cool flower I sent you when I was on vacation?

Liz Denys (LD): I did! It looks like the weather was really nice in Pasadena.

GT: Wait, how did you know that? I mean, yes, I was in the botanical gardens just outside Pasadena, but how did you figure out where I was from a photo of a bunch of flowers?

LD: Come on, Geoffrey, you had your phone tagging all your photos with your location.

GT: Oh. Well, I better figure out how to turn that off.

LD: Good thing this episode of Loose Leaf Security is all about unexpected ways photos might compromise your privacy.

Intro music plays.

LD: Hello and welcome to Loose Leaf Security! I'm Liz Denys,

GT: and I'm Geoffrey Thomas, and we're your hosts.

LD: Loose Leaf Security is a show about making good computer security practice for everyone. We believe you don't need to be a software engineer or security professional to understand how to keep your devices and data safe.

GT: In every episode, we tackle a typical security concern or walk you through a recent incident.

Intro music fades out.

GT: Let's take a quick look at security news, starting off with some bad security news. A Wall Street Journal report says that Yahoo! Mail and AOL Mail, which are both owned by Verizon's digital-content arm Oath, are selling an advertising product that's based on scanning your emails for interesting keywords.

LD: Considering how much sensitive data is communicated over email these days, this is a pretty big privacy concern. Many things that really shouldn't be using email, like medical results and insurance information, often end up getting sent over email.

GT: There's two things that are interesting about this policy. The first is that just about everyone else has sworn off this practice. Gmail used to get a lot of flak for giving you ads based on scanning your inbox, but they stopped doing that in summer 2017.

LD: The other thing is that they're selling information they find in your email for advertisers to correlate with the rest of your browsing behavior, by using a tracking cookie.

GT: Even when Gmail was scanning your email, they had a policy for a long time of not associating that data with tracking cookies. Google would put ads above your inbox, but nobody else would get the information. They briefly changed that policy a few months before they decided not to scan emails for advertising purposes at all.

LD: If you're using Yahoo! or AOL for your email, it might be worth reading your email in a separate container or profile so that they can't associate your information with cookies that track your behavior on the rest of the web.

GT: You might also want to consider switching email providers, but that opens up a whole case full of cans of worms, only some of which are security problems. We'll have another episode in the future about the security concerns of switching email accounts.

LD: In the last episode of our series on web security, Keeping your web browsing private, we talked about how many web browsers are currently in the process of distrusting Symantec, which used to be one of the biggest TLS certificate vendors, but they've been caught being repeatedly lax about their internal security. That process is in its final stage - the October version of both Chrome and Firefox will distrust certificates issued by the old Symantec infrastructure.

GT: At the moment there are still a few sites using old Symantec certificates, notably including parts of the personal finance website Mint, CNN Indonesia, and the stylesheets for Fox News. All of these sites will probably find a new provider for their certificates very soon.

LD: If there are still any of these by the time the new Chrome and Firefox versions are released, the best thing to do is probably just avoid using the site for a day or two instead of trying to bypass the warning. They should update very quickly, because so many people use Chrome and Firefox.

GT: So there's nothing you need to do right now, but it's good to know that if you or your friends see a couple of sites with certificate errors all of a sudden, there's a pretty innocuous explanation.

LD: Also, it's good to know that we're finally getting past certificate authorities being too big to fail. Symantec used to be one of the biggest certificate authorities, and there was a worry that distrusting any major certificate authority - like Symantec - would break too many sites and be impossible to do. It's good to know that we're not actually succumbing to this fear, and that big certificate authorities do actually need to stay secure and behave properly to stay certificate authorities.

GT: Apple recently removed an app from the Mac App Store called "Adware Doctor," and a few days later they also removed several apps from security vendor Trend Micro. Researchers had found that Adware Doctor, a popular app that claimed to check your Mac for adware, was using its access to your home directory to collect browsing information and send it back to the servers of the people who wrote the software.

LD: It's not unusual for an app that's looking for malware to request access to your home directory, since it needs to look there for malware. But collecting the data is against Apple's policies.

GT: Trend Micro's apps were removed a few days later for similar reasons, although their apps are unrelated to Adware Doctor.

LD: In general, you probably should be pretty wary of adware and malware detectors and removers. Good ones are invaluable for recovering a badly infected computer, but it's a field that attracts a lot of misbehaving apps that actually install more malware. We'll talk about this more in our upcoming series on securing your desktops and laptops.

GT: In our news segment last episode, we talked about some of the positive outcomes of the EU's GDPR, but more recently, a negative outcome has surfaced.

LD: Uh oh.

GT: One of the GDPR's requirements is that it must be easy to get a copy of all your data. Most websites have implemented this by having a single-click download that just exports all of your data in an archive. As a result, if someone hacks into your account, that hacker has access to the single-click download of your data, too.

LD: This is an unfortunate side effect, and there's very little you can do beyond making sure your accounts are as secure as possible. If you want to learn more about securing your accounts, we'd recommend using a password manager to have strong, unique passwords for every site and enabling strong forms of two-factor authentication where you can.

GT: To learn more about that, check out our previous episodes "Securing your online accounts" and "Two-factor authentication and account recovery".

LD: The New York Times ran a feature about apps targeted at or otherwise popular with children that had been collecting personal information about their users. Their investigation springboarded off a paper published earlier this year by researchers from Berkeley and several other universities. A US federal law, the Children's Online Privacy Protection Act, heavily regulates gathering personal information for children under 13, and a lot of these apps appear to be a legal grey area because they're promoted as being for families instead of just for young children.

GT: Even if adults are setting them up, a lot of these apps are primarily played by children, so regardless of where exactly they fall legally, they seem like the sort of apps that shouldn't be tracking at all. There's not too much you can do about this beyond making sure you don't grant apps your child uses location permissions - or actively seek out games that work well offline and leave the device in airplane mode. Sadly, apps in general are moving away from being mostly offline, so this might be really tough, especially if all your kids' friends are playing a game that requires an internet connection. Our show notes will link to this story - it's well worth the read.

LD: One last thing - iOS 12 just came out. There's a bunch of security fixes, including one kernel bug and a handful of issues in Safari.

GT: These days, Apple only fixes security issues in the latest version of the OS, so if you have an iPhone or an iPad, you should plan to update pretty soon.

LD: They've made that a bit easier with a new automatic updates feature, although it's off by default. It's one of several security improvements in iOS 12.

GT: The one I'm most excited about is support for third-party password managers. You can go into Settings and pick your favorite password manager and allow it to auto-fill passwords anywhere on your phone. The major password manager apps all seem to support this already.

LD: Safari's built-in password manager also got a bit smarter. It will suggest stronger passwords by default, and it will also warn you if you've reused a password on multiple sites. Since the most common attacks on passwords these days come from breaches of other sites' password databases, it's very important to use different passwords on different sites.

GT: Also, if you're using SMS-based two-factor authentication, iOS now knows how to parse out the code when you receive a text and will suggest it in the keyboard's auto-completion. We don't recommend SMS as a second factor if better options are available, but when they're not, this makes using two-factor authentication easier.

LD: I hear there are also a lot of new features that have nothing to do with security, but since this is a security podcast, we'll let you explore those on your own and move on to our main segment about digital photos and privacy.

Transition music plays.

LD: When you take a photograph, either on a modern digital camera or your cell phone's camera, you don't just get the photo itself, but also a bunch of extra information about the photo. This information is encoded in the Exchangeable Image File Format, which is more commonly known as Exif.

GT: Back before digital cameras, photographers carried notepads to record information about things like which shutter speed and aperture they used to take photos when they were shooting, and they'd use that information back in the lab when developing images. Exif data removed a lot of that hassle.

LD: In addition to camera settings like aperture, shutter speed, and whether or not a flash was used, Exif data also stores information about the camera itself. If you have a bunch of folders of photos on your computer from a lot of old digital cameras and all the various phones you've had over the years, the Exif data can tell you whether your shots were from your current phone, the iPhone you had a couple years ago, your current digital camera, your older digital camera, and so on, because it includes information on the device's make and model.

GT: Exif also allows for the inclusion of location data. Your camera or phone might geotag each photo by adding latitude and longitude information to the Exif data, too.

LD: Your phone's photo app or a computer photo management system might make you helpful groupings of your vacations based on this location information.

GT: The latitude and longitude information in Exif is specific enough to determine the exact location you took a photo. I live on a dense city block with small lots, and Exif location data attached to photos I take at my home is specific enough that you can find not only the block I live on, but get within a couple buildings of the one I live in. Given how common photo sharing is in the age of smartphones and social media, there's a lot of privacy concerns involved in having this sort of detailed data attached to our photographs.

LD: It's also extremely easy to read Exif data. While you may never have thought to look for it, you can just natively read it in most operating systems when getting more info about a file. If your photo gets in the wrong hands, someone suddenly has a gigantic amount of information from this.

GT: The easiest way to make sure you're not leaking this location information is to just turn off access to location information for your phone's camera app or find a setting in your digital camera to turn off location logging. That way, however you share photos, you're not at risk of leaking your location coordinates.

LD: On Android, you just go to Settings in the camera app, and there should be an option for not saving the location along with photos.

GT: It's a little less obvious on iOS. You have to go to the Settings App, under Privacy and Location Services, find the Camera app there, and then disable location access. If the Camera app has location access, it will automatically geotag your photos.

LD: If you're using a third-party camera app in either iOS or Android, you can do the same thing to make sure it's not geotagging your photos at all.

GT: One thing that caught me by surprise, although it makes sense, is that if you're taking a photo on iOS from within an app that has access to location services, it will get a geotag even if your camera app itself doesn't have location access. So a couple of photos I took with the Foursquare app are saved in my camera roll with their locations.

LD: If it's Foursquare, then you're basically intending to share the location, right?

GT: Mostly, yes, I'm uploading a photo of a place to the Foursquare profile for that place. But if I share the image with someone else, or I'm checking in to a private location on Foursquare like someone's home, the photo might have the exact GPS location.

LD: Most social media apps these days remove geotagging information, and all Exif info, from your photos. But you should check the apps you use before counting on this, and also keep in mind there are more risks beyond just the location.

GT: For instance, Exif data tends to also include info about the model of your phone or camera, and some digital cameras also record their serial number.

LD: If you don't want people knowing that you were the person who took a photo, especially if there are just a small number of people who might have taken it and you're the only one with that model of phone or camera, it's important to remove all Exif data from the photo before you share it.

GT: There are various tools to remove Exif data, from desktop apps to command line tools to mobile apps to websites. It's a little hard for us to recommend one, because we don't use one ourselves and it's hard to endorse that software is doing what it claims to do and not secretly sending off your data - or just failing to remove everything.

LD: If you're going to use one, find one that's been around for a while, has good reviews, and also looks like it's being kept up-to-date.

GT: Exif isn't the only format for storing metadata about your photo. The International Press Telecommunications Council developed a standard for tracking information useful in newsroom photo editing, generally things like a caption or model release information, but also location and the time a photo was created and modified. This data is commonly just called IPTC, after the group that created it. Many professional photo editing apps will automatically add this data to photos they edit, and they'll often just copy the location from the Exif data in photos from your digital camera.

LD: You might not think that the timestamp of when a photo was created and modified is that interesting, but there are some cases you might care - if you're okay with people knowing you were at a place but you don't want them to know exactly when you were at that place, you'll probably want to make sure there isn't a timestamp.

GT: Also, if the creation time is very different from the modification time, it provides some evidence that the photo was edited a while after it was taken.

LD: Adobe also has a standard called XMP, the Extensible Metadata Platform. It's got its own set of tags that are useful in professional photo editing, but it also supports storing all the information from IPTC and all the information from Exif. So many apps just duplicate the Exif data in XMP.

GT: If you're using a tool to clear the Exif data, make sure it also knows enough about IPTC and XMP to delete that also.

LD: Or if you're trying to find information about a photo, use a recent tool that's capable of reading all of that data.

GT: XMP also stores some data about edit history, which is pretty useful for professional photo editors, but again it reveals some information about when the photo was opened and edited.

LD: Another feature of XMP that's useful for professional photographers is information about cropping and other edits to the file, which lets them preserve the original version for further edits. But if you're trying to crop something private out of a photo, this is not what you'd expect - you're trying to get the data to be completely gone from the file.

GT: In fact, until recently, the built-in photo editor on iOS would save edits in XMP format, so that the original image stayed around. If you used the share functionality, it would share a version of the image with the edits already applied, without the original version. But if you copied the image directly off the phone, like with a USB cable, you'd get this image that would look like it had the edits - in some programs that supported XMP - but also had the original image, and programs that didn't understand XMP would just show the original.

LD: So you might think you've edited something sensitive out, but it's secretly right there in the photo still.

GT: Nowadays iOS stores edits in a separate file, so at least if you only copy the original file it's obvious that you've copied the whole thing and not just the part you wanted to crop.

LD: In general, social media sites and many image upload sites like imgur strip at least the location information out of Exif data. It's definitely worth testing that they actually do this and specifically testing it with an image that is okay to have the Exif information leak from it. It's not any sort of secret that I used to go to school in Boston and know a bunch of people up there, so when I took a trip to Boston a few years back for a friend's wedding, I turned location services on for my phone's camera and took a really innocuous photo of a heavily trafficked location in Boston. It has all Exif data associated with it, and now that it's been a few years, I don't really mind potentially leaking that I was there back in the day. I use this photo for testing how new services or social media sites I use handle location data.

GT: Liz is pretty paranoid - I've just been testing with a photo I took from a bus line nearby, because it's not a secret that I live in Brooklyn.

LD: [chuckle] Yeah, I am definitely verging on the tinfoil hat side of paranoia with this one. I recently uploaded this photo to my relatively new Mastodon account to check how Mastodon handled my location data, and I'm happy to report that it doesn't keep my location information!

GT: I'd probably expect popular social media sites to handle this correctly, but it's still wise to check every site you use before uploading photos to see whether or not it leaks location or other Exif data. But it's especially important to do this whenever the site handles sharing images in the same manner as other types of files. Dropbox and Google Drive don't strip things like location information or other Exif data from your photos, which isn't surprising - they just treat them like files. And if you're using them as cloud storage or as backups or to work with other people on photo editing, you want all that Exif data there.

LD: Yeah, I've definitely forgotten about this, and shared Dropbox folders of my photos with friends before, accidentally leaking location information, and people that I'm close to have shared Google Drive photos of their trips on Facebook. Unfortunately, for many of them and me, that's revealed a lot of location information.

GT: Maybe it's not as worrying when it's a trip that ended a month ago, but I've definitely shared photos of furniture I was selling on Craigslist and I totally did not check whether Craigslist was removing geotags or other data.

LD: Oof. Yeah, I've also seen people unknowingly reveal their exact location when posting things like "I just moved to my new apartment, here's a bunch of pics, housewarming soon!" And the Exif data is still there because they're just sharing a Dropbox folder, and then you can find their new apartment's exact location.

GT: Yeah, since so many things do remove this risk, it's not surprising to forget that it exists other places.

LD: Oh! Also, lots of workplace collaboration tools don't strip out location information because they also treat images just like any other file attachment. So I'd double check what happens with any productivity or todo list tools you're using, too.

GT: Especially if you're sharing a photo of something cool in the work social channel and you don't really want your boss to know that you weren't "working from home" at 4 PM like you said you were.

LD: The other really frustrating thing is that your location might be revealed when your friends post things, too. I personally have a maybe kind of aggressive policy with my friends that they can't post photos of me in my home or post photos of me at an event in a public place when we're still there. I also try to limit sharing photos of me in my neighborhood or letting other people take pictures of me in my neighborhood, because once you pinpoint my micro-neighborhood, it would be pretty easy to run into me.

GT: Even if your friends have location data off?

LD: Yeah, I feel like it's a lot easier to say, "Please don't take my photo here," or, "If you take it, do not post it anywhere until after we're gone," than to double check their settings every time someone gets a new phone or camera. Also, if they don't have a photo of me somewhere in the first place, they won't have a photo to upload and then location-tag the post that has that photo on social media. That's a little less worrying than a photo with Exif location data getting posted somewhere, but mostly that's because their profiles and posts are generally private, and the location information is protected because those posts are private.

GT: Unlike with the image which could just be linked to anyone, Exif data and all.

LD: Exactly.

GT: So, there's one more way sharing your photos could harm your privacy, which is along the lines of what I thought Liz had originally done with my pictures - figure out where a photo was taken from the content of the photo itself.

LD: It's easier than you think to do this if there are visible landmarks or other identifying pieces of information, like street signs or business names, in the background.

GT: Yeah, my apartment has beautiful views of the sunset behind the Statue of Liberty, but I make a point of not sharing them on public social media, because you can very easily figure out where I live. There are a couple of recognizable streets nearby, and between that, and the angle of the sun, and the position of Lady Liberty, and a few other things, you'd be able to pretty easily track down not just which building but which window I took the photo from.

LD: Apps like Google Earth can simulate your position in 3D, and someone could use that to try to track down what floor you're on, even by just moving up and down until the view looks the same - and they'd have a high chance of succeeding. And then they'd effectively have your address including your apartment number.

GT: There was a pretty interesting research project from the University of Cambridge recently for automatically doing this sort of analysis. They took a lot of photos on King's Parade, a central street in Cambridge, from various angles, with Exif tags for precise location and angle, and they wrote a computer program to make a model of where the buildings are.

LD: You can upload another picture taken on that street to their website, and it will figure out the place along that street that's the best match.

GT: I tried it with a historical photo of King's College from Wikipedia, and it found the right spot, even though there's now a large tree blocking the view from that exact spot.

LD: It doesn't work outside that street because their program needs a lot of data and they only have a public dataset for that particular street, but it wouldn't be that hard to build your own data set for similar analysis if you have a rough guess of where someone might be.

GT: There was another project a few years back from Google Research where they applied deep learning techniques to figure out what area a photo was likely to be from - what part of the world, what city, and so forth.

LD: This one is less accurate at guessing the specific street or block where a photo was taken, because it's just looking at general features, like how the buildings or vegetation looks. But it tends to be accurate for regions and sometimes even specific cities.

GT: So if you've moved cities recently and you don't want folks to know where you live now, it's probably safer not to post photos publicly that were taken near your new home.

LD: That reminds me of a different kind of attack - there's another interesting threat that stems from the information hidden in image files. When your digital camera or cell phone saves a compressed image like a JPEG, each implementation of JPEG compression tends to leave its own identifying characteristics - anything from different color maps to just laying the JPEG file out in a slightly different order. So it's possible to take an image and say, this was most likely taken by a digital camera from one particular manufacturer.

GT: That might be a concern if you're worried about someone tracking down your camera as the one behind a certain picture, but this probably isn't too big of a concern for most people unless you're a whistleblower or you're taking questionably-legal photos during urban exploration or something like that. The best way to mitigate this issue is to open your image in an image editor and re-save it with a slightly different compression setting.

LD: These are pretty specialized threats, and in many cases they're not relevant. If you're taking a picture in Millennium Park in Chicago and sending it to your friend with iMessage, you're not really revealing anything by having Chicago buildings in the background and metadata showing you took it with an iPhone.

GT: But these threats are worth thinking about, especially for photos you're taking at home or at other private locations like your friends' homes.

LD: As with many things in security, the most important thing is generally just to be aware of what the risks are and think about where the right tradeoff is for you.

GT: And if you're checking in on Foursquare while on vacation with a photo of some really cool latte art in your coffee, you might be totally fine with all this metadata being sent along with your photo. Just make sure it's all under your control.

LD: So that about wraps it up for privacy threats from digital photos. We're changing up our schedule for our next episode: instead of releasing another episode in two weeks, we'll be spending a little extra time researching and framing our upcoming series on keeping your laptop and desktop computers secure.

GT: Both of us are pretty paranoid about our personal computing devices, but there's a lot of material to cover and it's important to us that we take the time to get this right. So we'll catch you in about a month for the first episode in this series!

Outro music plays.

LD: Loose Leaf Security is produced by me, Liz Denys.

GT: Our theme music, arranged by Liz, is based on excerpts of "Venus: The Bringer of Peace" from Gustav Holst's original two piano arrangement of The Planets.

LD: For a transcript of this show and links for further reading about topics covered in this episode, head on over to looseleafsecurity.com. You can also follow us on Twitter, Instagram, and Facebook at @LooseLeafSecure.

GT: If you want to support the show, we'd really appreciate it if you could head to iTunes and leave us a nice review or just tell your friends about the podcast. Those simple actions can really help us.

Outro music fades out.