Location, location, location

Location, location, location

This week we received an email from a person who was concerned about a picture they had uploaded to their profile within an organisation.  They noticed that the GPS coordinates of where the photo was taken was retained in the metadata of the uploaded image.  Curious, they started looking at other people’s profile images to discover coordinates stored in those as well, potentially revealing where these colleagues live.

What is EXIF data?

Apart from the image itself, an image file can store other information such as date, time, camera information and settings, geolocation, and copyright information. For a photographer, this information is very useful, and saves having to write it down for each photo.  What it also means though, is that when we take a photo with a camera phone, and upload this image to social media, that site now has access to where you are, and at what time you were there.  Not only that, but if the website doesn’t strip the metadata before republishing, others could also see this information and track your location and movements.

What can I do?

For users:

Many social media websites already strip location and other EXIF data, including (at the time of writing) Facebook, Instagram, LinkedIn and Twitter. That said, many other large sites do not strip this metadata, and it can be difficult to know about smaller services or corporate systems, so as a user, it is safer to disable the saving of location information from your device.

On Android, this will vary depending on your phone and version. In your camera application, look for ‘Settings‘, then ‘GPS location‘ or ‘Store Location‘, and turn this option off.

You can also disable location services completely by going to ‘Settings‘, then under the ‘Personal‘ heading, select ‘Location‘ and turn it off.

On an iPhone, in ‘Settings‘ go to ‘Privacy‘, then ‘Location Services‘ and turn this option off for the camera.

These steps only disable location information. Time and date stamps, as well as device information will still be retained.

For existing photos on your computer, you can use Imagemagick (https://www.imagemagick.org, cross platform) to batch strip EXIF data from your images:

$ mogrify -strip *

In Windows, you can right click an image, select ‘Properties‘, then the ‘Details‘ tab to see and remove the image’s metadata.

Alternatively, there are many other image editing tools to choose from.

For administrators:

Please look into stripping metadata when a user uploads an image to your web application, or re-process images so that data isn’t available to other users.

Happy (and safe) snapping!
Charelle.