Internet Mozilla Security

Protecting Photo Privacy Via Browsers

Browsers can do more to protect users from inadvertently violating their own privacy. The NY Times today had an article about a topic that has been discussed in various circles several times now. The existence of geotagging data in photos. Many cameras, in particular smart phones like the iPhone can tag photos with GPS data. This is pretty handy for various purposes including organizing photos at a later date, iPhoto for example does a pretty nice job of it. Most photo applications however don’t make this information very visible, as a result many users don’t even know it exists, others simply forget.

What the problem looks like

The data, embedded in a photo looks something like this:

GPSLatitude                    : 57.64911
GPSLongitude                   : 10.40744
GPSPosition                    : 57.64911 10.40744

Which I could map.


I propose that browsers need to have a content policy for when users upload images that can better protect them from uploading information they may not even realize. Here’s what I’m imagining:

The first time a user attempts to upload a photo that has EXIF or XMP data containing location they are prompted if they want it stripped from the image they are uploading. The original file remains unharmed, just the uploaded version won’t have the data. They can also choose to have the browser remember their preference to prevent being prompted in the future. They can revise their choice in the preferences window later if they want. This isn’t to different from how popups are handled. I thnk that per-site policy might be too confusing and not warranted, but perhaps I’m wrong.

Warning users about hidden information they may be revealing is a worthwhile effort. It’s only a matter of time before someone uses a “contest” or some other form of social engineering to solicit pictures that may reveal location data for users. Evildoers always find creative ways to exploit people.


There are a notable caveat to this approach. The most notable is that flash uploaders would bypass this security measure though individual uploaders could do it themselves, or Adobe could do it, but I don’t think that’s enough of a turnoff to this approach. The same caveat applied to “private browsing” in browsers.

Prior Work

As far as I know no browser actually implements a security feature like this yet. There are a few Firefox Add-ons like Exif Viewer and FxIF (both written in pure JavaScript) that look at EXIF data but nothing that intercepts uploads.

Who Can Do It First?

I’m curious who can do it first. By add-on (seems like it should be possible at least in Firefox), and dare I say include in a browser itself? If this were earlier in the year I would have added this to the Summer of Code ideas list. Instead I’m just throwing it into the wind until 2011 rolls around.

10 replies on “Protecting Photo Privacy Via Browsers”

Cool idea. I would want us to word this so that it is more of an “inform and opt in” as opposed to “warn.” Unfortunately some of these features end up working against us in that users “don’t like the fact that Firefox is violating their privacy” (because we drew attention to something that everyone else was ignoring). The implicit assumption that the browsers that don’t ask are nicer and friendlier is unfair and illogical, but nonetheless can happen.

So, something like the large format geolocation icon (http://blog.stephenhorlander.c.....ion-icons/ ) and then:

[x] include the location these photos were taken

So we would avoiding a direct value judgement on if doing so is good or bad.

It’s not the purpose of the browser to do that. it’s of the photo application: flick, whatever.

Browsers still do much wrong that are of area of purpose that’s waste trying to be everything for everyone. And I certainly don’t want a Browser Nanny!

I think with Faaborg’s comment’s taken into account, we wouldn’t end up with anything nanny-like at all. I think this is an excellent idea.

It’s worth noting that browsers already do similar things to protect users. They warn against phishing and malware for example. They are often the only line of defense a user has any control of.

One thing to take into consideration. Leaving out smartphones, most cameras don’t ship with GPS built-in, but, there’s a large group who do intentionally opt-in to having GPS location in their photos (devices exist for just this reason, both as camera add-ons for SLRs and standalone devices that let you geotag after the fact.) Websites like flickr have features to allow users to explictly tag on a map for this same reason, its not just an evil function, there’s legitimate desire for the feature. (Which unfortunately, the NYT article seems to only have covered as scary reasons for evildoers.)

Smartphone vendors should not be enabling tagging as an opt-out feature, but rather an opt-in, which is an area that should be evangelized on. but with the ever growing world of mobile devices, these users are probably more likely to be using an app or external uploader rather than the browser (simply put, uploading through the browser is too painful for many photos, most of the time). So i’m not sure how much this warning would actually accomplish. (Particularly given mobile browsers fascination with providing GPS data directly themselves…)

I don’t doubt its possible with an add-on (and i’d certainly think it would be, it probably even belongs in any of the addons that are serious about attempting to protect user’s privacy.), though in the core browser, I don’t think so, (but i’m against the idea, and would just find it intrusive since I opt-in to sharing location data of my photos intentionally.) In EXIF/XMP is the geolocation data even the only thing “scary” from a user’s point of view? Many non-tech users are surprised to even know EXIF is there at all, otherwise you’d have many fewer people roaming around with the date imprint’s on their photos. πŸ˜‰

One thing about Alex’s comment though… if the user is unaware of the existence of the geolocation information in their photo, I’m not sure if such a simple message would not be further misunderstood, where did this location data come from? Is Firefox adding it? (which is what it sounds like, in some ways.)

@Wolf: People who knowingly add geotagging to their photos wouldn’t be impacted since they know the information is there and will just allow the files to be transferred. The reality is many people don’t realize this data even exists. For users like yourself you’d just opt to let the files be uploaded and not notify you.

Geolocation is by far the most harmful data generally put in EXIF/XMP. The second is likely the date/time since that could in theory be used by someone to learn a persons routine (Mary is typically walking to the bus at 5:30 PM every day), or camera’s make (theft mainly). Both pale in comparison to an actual address.

Mobile bandwidth is still limited especially in the US. Uploading is still easier and faster via the computer. Thanks to things like an iPhone and iPhoto transferring is easy too. Also: remember Firefox is mobile too πŸ˜‰

Sadly there’s undoubtedly amateur porn,that will reveal the subjects location if the viewer knows what they are doing. A quick Google search proves that I’m right. I won’t link to it here, but there’s at least 1 huge forum thread dedicated to the topic out there.

One issue of the system as explained in your blog posts is that you might want to have these data in your photo for personal reasons such as geolocating on a map, but you might not want them when you share the exact same uploaded photo on the same service with someone else.

A binary call (strip or keep) will not solve the issue. Having a warning from the browsers can be cool. BUT be careful if the warning is systematic, people will not use it and remove the feature. Exemple: Just try for one week to put your browser with cookies accepted only after validation.

I would imagine a system more about policy negotiation. If your site only share in public, strip my exif data. If your site makes the possibility of managing these different views of the same image, keep my data.

@karl: Actually it would be handled. The original wouldn’t be modified, it would be stripped from the upload. You’re free to do with the original what you want. You can adjust the preferences for the future (if you had previously selected to always trip) anytime you want.

Leave a Reply

Your email address will not be published. Required fields are marked *