[Cialug] Security issue with geotagging your photos

Josh More MoreJ at alliancetechnologies.net
Wed Mar 2 09:01:39 CST 2011 

It's easy enough to test if Facebook is doing it.  Just download your photos and compare the downloaded to the originals via exiftool and diff.

I'm on an assignment now, so I'm not going to launch Facebook, but someone else should be able to test with minimal effort.

So far as privacy goes, yes, you should be careful about what you post online, but I wouldn't be overly worried about kids.  The vast majority of abduction cases of young children are by people that already know the child.  The bad guys aren't scoping the Internet looking for just any kid.  They usually are going after a specific kid.  Sharing settings and exif data control won't protect against that threat.

The more serious risk is when the kids get older and start using the Internet themselves.  At 13-17, there ARE people out there looking for easy targets.  The best way to protect against this is to share data on the Internet when the kids are 0-12, but do so making sure they understand what you are doing and why.  That way, when they hit 13, they already have a decent chance of being responsible with the data that they're sharing on the Internet themselves.

At the age of 10-12, I would suggest working with a kid and showing them how to insert false metadata into photos and videos.  They can have fun making up stupid stuff and watching their photos appear on the map in Uzbekistan, but along the way they'll learn about hidden data and how to protect themselves.

Josh More | Senior Security Consultant - CISSP, GIAC-GSLC Gold, GIAC-GCIH
Alliance Technologies | www.AllianceTechnologies.net<http://www.AllianceTechnologies.net>
400 Locust St., Suite 840 | Des Moines, IA 50309
515.245.7701 | 888.387.5670 x7701

Blog: Don't just blame the bad guys, it's your fault too
http://www.alliancetechnologies.net/blogs/morej

How are we doing? Let us know here:
http://www.alliancetechnologies.net/forms/alliance-technologies-feedback-survey
________________________________
From: cialug-bounces at cialug.org [cialug-bounces at cialug.org] on behalf of Matthew Nuzum [newz at bearfruit.org]
Sent: Wednesday, March 02, 2011 08:48
To: Central Iowa Linux Users Group
Cc: Zachary Kotlarek
Subject: Re: [Cialug] Security issue with geotagging your photos

On Tue, Mar 1, 2011 at 10:52 PM, Zachary Kotlarek <zach at kotlarek.com<mailto:zach at kotlarek.com>> wrote:

On Mar 1, 2011, at 8:19 PM, Matthew Nuzum wrote:

> This may seem obvious to you but believe me, it's not obvious to everyone.
>
> When you enable geotagging of your photos on your smartphone it may give strangers the ability to know exactly where you (and your kids or friends) like to hang out. You may want to consider disabling it by default.
>
> http://www.cybersalt.org/general-news/smartphone-pictures-pose-privacy-risks


I think that is the wrong battle. Don't get me wrong -- I think controlling image metadata is important and people should be made aware -- but I think it's an awfully subtle thing to sell to people who are intentionally broadcasting their images on the Internet.

For this to be a problem you have to already be exposing pictures of you, your cohorts, your surroundings and probably some bits of your behavior to the world at large. The fact that there are GPS coordinates in the photo just make your location easier to index, but that is far less data than you're exposing already with the image itself.

I think the right answer is to only share images with people you explicitly want to see them. While that's contrary to the way that many image-sharing services work, and perhaps even contrary to the way people want to conduct themselves, it would all but eliminate the problem described here. It's also a consistent, easy-to-understand message about privacy, as opposed to some technical detail related invisible data your phone may or may not put into the private-data-rich photo you're already intentionally sharing with all of FaceBook.


I don't disagree, I myself am cautious about posting pictures, especially of kids. However, by their very nature, photos ask to be shown around. Even someone who is cautious will probably make mistakes.

I just downloaded a picture that I had uploaded to facebook and found the exif data was all stripped. Can someone confirm that it is the exif data that is important here? Anyone else care to confirm that facebook is actually doing this?

--
Matthew Nuzum
newz2000 on freenode, skype, linkedin, identi.ca<http://identi.ca> and twitter

"An investment in knowledge pays the best interest." -Benjamin Franklin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cialug.org/pipermail/cialug/attachments/20110302/ffe8e5ad/attachment.html>

More information about the Cialug mailing list