A friend showed me a video from a Missouri news station
(from a newscast almost 3 years ago, mind you). In the video, the reporters
discuss a "new threat" with "new technology." While the video engages in the usual FUD
(fear, uncertainty, and doubt) to oversell the risk, there is a nugget of truth
that bears repeating.
Smartphones, tablets, and many standalone digital cameras
have a GPS built-in, and can "geo-tag" photos with the location at
which they were taken. This can make it easy to group photos by location (as
in, group all my photos from the Grand Canyon, or from Disney World, or from
Jamaica ... assuming I had vacationed at any of these places). But it makes it
equally easy for someone else to do the same.
In the news story, the reporters used photos posted by a
selected family, and by examining the GPS tagging data in the photos were able
to identify with great accuracy the layout of the family’s home (Where did the
children sleep? Where is the living room? Where is the dining room?), the park
they liked to play at, the school their children attended, and more. Granted
much of this is not too difficult to determine, but it’s a little unnerving to
see total strangers mapping out a family’s daily routine.
There have been some well-publicized examples of actual harm
that originated with location gleaned from photographs. Last year, geo-tagged photos of an Army flightline in Iraq led to 4 Apache helicopters being attacked and destroyed.
A couple of years ago, a security researcher who was hiding out after some threats
accidentally revealed his location when he posted photos of himself. More benignly, in a hacker contest I participated in earlier this year, one of my competitors used geo-tagged Twitter posts to locate contest objectives.
I did some research to see how great a risk this poses, and what I found was quite a different story from the one presented by
this news article.
First, a little background education. The JPEG, or JPG, image format is a widely
used way of storing images. All modern browsers, and most if not all modern
digital cameras, can use this format for handling photographs. Newer versions
of the format standard support something known as the “Exchangeable image file format,” or Exif. Exif specifies a standard way for non-visual information to
be stored in an image file. Some of this data is directly related to the image
itself – file size and type, image dimensions, information about how the colors
in the image are encoded. Other data may include the device that created the
image (i.e. camera model), camera settings (aperture, exposure time, focal
length), information about ambient lighting and the flash used, and more to our
point, GPS coordinates and timestamp.
All this information can be viewed with readily-available
Exif data viewers. For the sake of example, I took an image of a Styrofoam cup
and used the web site exifdata.com to inspect its Exif tags. This is what I
found:
System
File Name IMG_20130904_133459_626.jpg
File Size 1206 kB
File Modify Date 2013:09:04 14:36:56-04:00
File Permissions rw-r--r--
File
File Type JPEG
MIME Type image/jpeg
Exif Byte Order Big-endian (Motorola, MM)
Image Width 1836
Image Height 3264
Encoding Process Baseline DCT, Huffman coding
Bits Per Sample 8
Color Components 3
Y Cb Cr Sub Sampling YCbCr4:2:0 (2 2)
IFD0
Make Motorola
Model DROID RAZR HD
Orientation Horizontal (normal)
X Resolution 72
Y Resolution 72
Resolution Unit inches
Modify Date 2013:09:04 13:34:58
Y Cb Cr Positioning Centered
Exif IFD
Exposure Time 1/24
F Number 2.4
Exif Version 0220
Date Time Original 2013:09:04 13:34:58
Create Date 2013:09:04 13:34:58
Components Configuration Y, Cb, Cr, -
Shutter Speed Value 1
Aperture Value 2.4
Brightness Value undef
Max Aperture Value 2.4
Metering Mode Average
Light Source Cool White Fluorescent
Flash Auto, Did not fire
Focal Length 4.4 mm
Flashpix Version 0100
Color Space sRGB
Exif Image Width 1836
Exif Image Height 3264
Scene Type Directly photographed
Custom Rendered Normal
Exposure Mode Auto
White Balance Auto
Digital Zoom Ratio 1.51
Scene Capture Type Standard
Contrast Normal
Saturation Normal
Sharpness Soft
Interop IFD
Interop Index R98 - DCF basic file (sRGB)
Interop Version 0100
GPS
GPS Version ID 2.2.0.0
GPS Latitude Ref North
GPS Latitude 30.xxxxxx degrees
GPS Longitude Ref West
GPS Longitude 97.xxxxxx degrees
GPS Altitude Ref Above Sea Level
GPS Altitude 0 m
GPS Time Stamp 18:34:43
GPS Map Datum WGS-84
GPS Processing Method ASCII
GPS Date Stamp 2013:09:04
The actual GPS latitude and longitude tags were detailed enough
to pinpoint my work desk in my home office, and in fact the web site displayed
a Google Maps map with a marker at my home. Eerie.
But, a picture on my camera is one thing. What happens if I
share that picture?
To find out, I uploaded this picture to four common social
media platforms: Facebook, Instagram, Twitter, and Pinterest. As it turns out,
each of these platforms modifies the image file both to fit its own size
preferences and to remove the vast majority of Exif data. In each case, the
GPS data was stripped out. The lesson? While modern cameras and smartphones may
geotag photos with location information, the most common photo-sharing platforms
wipe that data out, so the photos as shared reveal no GPS information.
Risk averted? Well, somewhat. Keep in mind that the image
itself may include recognizable features (street signs, school signs, business
signs, address labels, familiar landmarks, etc.). Images shared via text/SMS,
or obtained directly from a phone or camera, may have this geotagging data
embedded in them.
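
As an added illustration (not code from the original post), the Python below reads the GPS tags described above straight out of a JPEG's Exif block and removes that block, which is useful before sending a photo by text/SMS or handing over the file directly. SAMPLE is a constructed byte string with made-up coordinates, and the function names are this example's own.

```python
import struct

def exif_segments(jpeg):
    """Yield (start, end) of each Exif APP1 segment ahead of the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + struct.unpack_from(">H", jpeg, pos + 2)[0]
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            yield pos, end
        pos = end

def read_ifd(tiff, bo, offset):
    """Map tag -> raw 4-byte value/offset field for the IFD at `offset`."""
    (count,) = struct.unpack_from(bo + "H", tiff, offset)
    return {struct.unpack_from(bo + "H", tiff, offset + 2 + 12 * i)[0]:
            tiff[offset + 10 + 12 * i:offset + 14 + 12 * i] for i in range(count)}

def gps_position(jpeg):
    """Return (lat, lon) in signed decimal degrees, or None if not geotagged."""
    for start, end in exif_segments(jpeg):
        tiff = jpeg[start + 10:end]             # TIFF header follows "Exif\0\0"
        bo = "<" if tiff[:2] == b"II" else ">"  # II = little-endian, MM = big
        u32 = lambda raw: struct.unpack(bo + "I", raw)[0]
        ifd0 = read_ifd(tiff, bo, u32(tiff[4:8]))  # tag 0x8825 -> GPS IFD offset
        gps = read_ifd(tiff, bo, u32(ifd0[0x8825])) if 0x8825 in ifd0 else {}
        if not gps.keys() >= {1, 2, 3, 4}:      # lat/lon values plus their refs
            continue
        def degrees(ref_tag, tag, negative):
            d, dd, m, md, s, sd = struct.unpack_from(bo + "6I", tiff, u32(gps[tag]))
            value = d / dd + m / md / 60 + s / sd / 3600
            return -value if gps[ref_tag][:1] == negative else value
        return degrees(1, 2, b"S"), degrees(3, 4, b"W")
    return None

def strip_exif(jpeg):
    """Return the JPEG bytes with every Exif APP1 segment cut out."""
    out, pos = bytearray(), 0
    for start, end in exif_segments(jpeg):
        out += jpeg[pos:start]
        pos = end
    return bytes(out + jpeg[pos:])

# Constructed sample (not a real photo): big-endian Exif, GPS 10 deg 30' N, 20 deg 15' W.
TIFF = struct.pack(">2sHI H HHII I H HHI4s HHII HHI4s HHII I 6I 6I",
                   b"MM", 42, 8, 1, 0x8825, 4, 1, 26, 0, 4, 1, 2, 2, b"N", 2, 5, 3, 80,
                   3, 2, 2, b"W", 4, 5, 3, 104, 0, 10, 1, 30, 1, 0, 1, 20, 1, 15, 1, 0, 1)
SAMPLE = (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(TIFF) + 8) + b"Exif\0\0"
          + TIFF + b"\xff\xda\x00\x02\xff\xd9")
```

To check a real photo, pass the bytes from open(path, "rb").read() to gps_position, and write the result of strip_exif to a new file before sharing.
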
Bottom line: The age-old advice of not posting online anything
that you wouldn’t want the whole world to see still holds true. Turning off geotagging on your camera when you don't specifically want to use it is wise. But news
articles about “new threats” brought about by “new technology” are more hype
than substance.