Digital photos can reveal your location, raise privacy fears
Skim through the photos on Flickr or Photobucket, and you’ll find pictures of cats pawing at living-room sofas, children playing in backyards and mothers gardening at home.
Dig a little deeper, and you can unearth the exact locations of many of those homes, embedded in data within the pictures.
Images often contain a bundle of information and various traces left by digital cameras or photo manipulation software.
This data, called Exchangeable Image File Format (EXIF), is a key tool for many professionals. It can detail whether the photographer used a flash, which digital effects were applied to a picture and when the photo was taken.
EXIF can also contain the precise GPS coordinates for where a photo was taken. This information is readily accessible and can be plugged into software such as Google Maps — leading some security and photography experts to express concerns about amateurs unknowingly disclosing private information, such as the location of their home.
“What could go wrong with that?” Roger Thompson, the chief research officer for digital security firm AVG, said sarcastically.
Thomas Hawk, an active Flickr user and the former chief executive of competing photo site Zooomr, said EXIF is an important part of his archival process. But he has also used that data to track down someone who was harassing him online and managed to coerce an apology, he said.
“I don’t geotag any pictures to my house,” Hawk said on the phone last week. “I think it’s a huge concern. I think a lot of people don’t realize or recognize what’s in all of the EXIF data that they’re publishing.”
Most gadgets ignore the geotagging component of EXIF because relatively few cameras contain the GPS chips needed to tag them. However, many smartphones, such as those from Apple and Google’s Android system, let users employ this feature.
Apple’s and Google’s systems ask each user once or a few times for permission to access their location in order to provide additional services. If they click “OK” on that popup, every photo they take is tagged with GPS coordinates.
Smartphones are fast becoming the camera of choice for many people. Cameras on newer phones have come to rival dedicated point-and-shoots, and many smartphone owners carry them just about everywhere. Smartphone sales have increased 50 percent since last year, according to a report by research firm Gartner.
Millions of images are uploaded to Facebook using the company’s iPhone, Android and BlackBerry applications. The iPhone 3G is the most popular shooter among photographers on Yahoo’s Flickr website, according to a report on that site.
Judging by the abundance of pictures in Flickr’s database that include geolocation data in the EXIF, some smartphone owners aren’t thinking twice about opting into their devices’ GPS feature. Doing so can facilitate useful tools. For example, software like iPhoto and Picasa can group images by location and display them on a map.
But amateur photographers may not realize that this info stays with the image when it’s uploaded to Flickr, Photobucket, Picasa Web Albums and some other photo-sharing services. (Facebook says it strips the EXIF data from all photos to protect its users’ privacy.)
Pictures uploaded to Photobucket by one woman show her children preparing lunch and bathing in a kitchen sink. The location data, which is displayed directly on each photo’s webpage, can be inputted into Google Maps to find a satellite image of her rural home in Edmond, Oklahoma. The woman couldn’t be reached for comment.
“We added EXIF data a few years ago at the request of our users,” Rob Newton, a spokesman for Photobucket, wrote in an e-mail. “To date, we have not received any complaints from users who were previously unaware of the GPS tagging feature.”
Displaying the GPS coordinates on the page can be disabled in a user’s settings panel, Newton noted.
However, anyone could still download the original file using a link on Photobucket and view the location info in Adobe’s Photoshop or in software included with every new Mac and Windows 7 computer.
Flickr’s and Picasa’s pages don’t show the coordinates by default. But the services similarly offer links to access the original files, which can contain EXIF.
“Having the ability to download the original version of photos on Flickr is an important feature for our members,” a Flickr spokeswoman wrote. “However, we help people maintain their privacy by stripping the EXIF data of an image from view on the site and making the default control option to keep this information private.”
Users who don’t want their photos tagged with GPS data can either disable the option on their cameras or run the images through software, such as Photoshop, that can remove the EXIF.
“We realize not everyone wants to share this information with others,” a Google spokeswoman wrote in an e-mail. She notes how to disable GPS tagging, but added: “This is a popular Picasa feature that many people find useful.”
Some photo services, including Facebook, TwitPic and Yfrog, strip EXIF once a file is uploaded and don’t offer a way for users to access the original.
For Yfrog, the lack of EXIF is a byproduct of automatic image optimizations done by the system, not something designed specifically with privacy in mind, Mike Harkey, a spokesman for the ImageShack-owned Yfrog site, wrote in an e-mail.
While Facebook’s system compresses some photos, it doesn’t do so for every one.
“For those that we don’t compress, we still strip out EXIF data,” Facebook spokeswoman Jaime Schopflin wrote in an e-mail. “We do this since users can unintentionally leak sensitive information in EXIF data.”
Thompson, the security expert from AVG, commended these efforts.
“Chalk one up to Facebook for that one,” he said. “One of the alarming things is that every [Facebook] application wants to access your profile and your contacts and your photos. So if they weren’t stripping that [EXIF data], it would be particularly alarming.”
Original Article By Mark Milian, CNN
October 15, 2010 10:45 a.m. EDT