These days we share more photos than ever before. On websites, blogs and social media. What a lot of people don’t realize is that a photo has a lot of hidden information in it (metadata or EXIF data) or underestimate just how much information can be extracted. While this information is not always accessible by the end user looking at it (whoever views it on Facebook or a blog), the information is accessible to the service you upload it to. No-one really cares about shutter speed or flash information but location data is important. I took a photo of something random and put that photo on my desktop.
From this information we can tell this photo was made with an Apple iPhone 5 and we can see some of the specs like exposure, focal length etc. Ok not too bad. Then i tried another tool called ExifTool. Plenty of other free tools are available online so anyone can extract metadata. ExifTool is a command line tool but there are GUI tools out there too. ExifTool showed me the following:
Hello!, there we go. I’ve got everything from the iOS version my phone has installed to location data. Not just location data, it even told me which way i was facing and the altitude i was on when i took this photo. Entering the coordinates into a website like this or this confirmed it was spot on. Imagine taking a photo of something very expensive and i am a thief that wants that something. Your photo could tell me you are at this location, facing that direction. With the altitude information i could even figure out approximately what floor that photo was taken on, crazy.
Ok so this is the information that can be extracted using free tools in a matter of minutes but the file is on my desktop so what do i care. I need to know how much of that information can still be extracted once it has been uploaded to one of the many services out there so i tested the following:
A web server
First i tested this by uploading the image to my web server using FTP, then i called up the image in Safari and saved it to my computer again. I used Get Info and ExifTool and found the exact same information. So uploading a photo to a web server and making it available through direct link (like is often done on forums etc.) revealed everything.
A blog (self-hosted WordPress)
I uploaded the image to this blog and added it to a page. The photo was uploaded and processed and put into my page. I opened the page, clicked on the image, saved it to my desktop and extracted the information again. All information was still there. This goes for photos that are uploaded to a self hosted WordPress blog straight from the phone as well.
I uploaded the photo to Facebook straight from my iPhone and saved the photo back to my Mac via Safari. Facebook had changed the file name to a random string of numbers and the extracted metadata did not show anything that could reveal my location. I was able to see the photo was made with an Apple device and some specs about color signatures etc. Much better, Facebook’s process stripped away much of the information i’d rather not have out there. Even with location services enabled and people tagged, the metadata did not change. Uploading the photo from my Mac and then downloading it again showed that even less information was available. Good, no-one can see where this photo was taken. Only thing to keep in mind is that FaceBook’s servers do know and have added that data to an ever growing collection of data that builds a more complete profile of you every day. If targeted ads don’t bother you then i guess all is well.
Location not revealed (only to Facebook…)
I don’t have a Google+ profile so stole someone else’s picture. I found that Google+ shows some of the metadata info right along side the photo without me even asking. My friend took his photo with a Samsung on this date and that time. It actually showed me more information than i was able to extract myself, thanks Google! It did not show me any location information though. This goes to show that Google has all the metadata and has saved it in their system, they even publish some of it.
Location not revealed (only to Google…)
I emailed my original photo to my wife and had her save it. I took that photo from her desktop and found all the metadata available.
I sent the image to my wife and asked her to save it to her desktop on the Mac and also send it back to me from her phone. All the metadata from the original photo was visible.
Unless a service deals with a huge amount of photos, processes and changes it to work with an internal system (Facebook, Google, Tumblr etc.), the metadata can usually be extracted. While most won’t worry about photos that are emailed or sent through iMessage because you know the person it ends up with, photos are forwarded to others or uploaded somewhere more often than you think. Services that are in the business of collecting and selling information like Facebook and Google but really anyone who has an interest in finding out where you are and have been, use this information to build very detailed profiles of you. Someone with malicious intent can use information like this to see when you are out of town or simply away from home. Wether it’s for companies pushing targeted ads, someone having malicious intent or your boss being able to see that car crash photo you sent to show why you are late is not really yours or was taken a year ago, you want to keep your location info private.
The best way to keep your location info hidden is by not having any embedded in your photos, turn off location services on your phone. This will keep your camera app from geotagging your photo and will keep apps from attaching geotags when you upload something. If you do want to keep your location information available (i love the iPhoto map feature too) then you can still get rid of that info before you upload or send the photo. Applications such as Pixelgarde can strip your photos of almost all metadata. Every photo that leaves my Mac has been sanitized by Pixelgarde first. Think of something that someone could do based on your location data, think how much someone could learn just by watching your location data, you don’t want that information out there for a number of reasons.