I don’t like giving air-time to scare stories – indeed I seem to spend rather a lot of my time debunking them. I find a lot of them distasteful in attempting to use the most extreme means they can to frighten people. This American “NBC Action News” report (video) definitely falls into that category. I think I need to explain this – sensibly – without trying to frighten anyone.
The story, for those who choose not to watch, is that if you post images from your smartphone to online images services (such as flickr) you could be giving away a hell of a lot of personal information that you had no intention of making public. That information could be very useful to criminals.
Now between the ridiculous hyperbole, the desperate attempts of the newscasters to instil panic into every parent and an American “expert” who is clearly no expert at all there is actually some degree of truth behind this. Not only that but it somewhat falls into my area of expertise.
What we’re talking about is geo-tagging and it’s not new(s) – it’s been going on for years. Pretty much all smart phones and a good number of digital cameras have an option to record where and when the photo was taken (generally using GPS, the same system that sat-navs use to work out where you are). Those phones and cameras then write that information into the image itself in what’s called a geo-tag. If you post that image to an online image service then, depending on which one you use and various options etc. that information might stay in the file and it’s possible that someone viewing the file might be able to retrieve that information.
To do so – to find this information out – is in no way hacking. You don’t need to get access to any accounts or run any strange programs downloaded from dodgy darknets. Beneath is a screenshot of a free tool that came with my camera and all I’ve done is to use it on the image at the top of this page (which I’m very deliberately posting publicly).
Yeah, that’s pretty much the Dove St Inn!
You could use this tool on any image that contains a geo-tag to find out when and where it was taken. This one is a few metres out – basically the wrong side of the street. That’s fairly typical. I did some experiments around my house last night however and it was possible for me to identify which room I was in when the photo was taken.
Now if it had been one of those images that I’d taken last night that I’d used in this article, rather than giving away the location of The Dove St Inn I would have given away my home address.
The amount of information you could give away like this can build up. If you post an image for which the content is clearly identifiable, or there are comments that clearly identify the place or activity then someone could quite easily build up a picture of your life. Your home address, your childrens’ schools, what parks they play in and when, when you’re away from your house, your elderly relatives houses and when you typically visit them, when you’re on holiday, etc. etc.
They could, but actually the chances that anyone is actively stalking you are pretty slim. There are billions of people out there after all. Also remember that there are quite a few ducks that have to line up for this information to be revealed and if even one of them is out of line then you won’t be publishing this information to the entire planet.
Another aspect of this is story is the fact that if the geo-tag information is in the image and that image is publicly available it can be indexed for searching. So it’s possible to search for images by their location – instead of searching for just images of kittens you could search for images of kittens within, say, 500m of a particular location. If you got any results the chances are that you’d know pretty much the house that they were at. I do find that a little concerning.
Over lunch I thought I’d give it a go – I wondered who else had posted public pictures of – or from – The Dove St Inn. So I searched flickr for “Dove” within a small area of Ipswich.
All perfectly innocent in this case but it proves the point – you can search for a term and find images connected with that term in a given area.
So what can we do to prevent this from happening? Essentially the message is simple, don’t post geo-tagged images to public sites unless you’re really happy about what it reveals. Your options are as follows.
- Turn off geo-tagging on your phone and cameras. My smartphone has an easy option in the camera app itself called “store location”. If you turn it off, the location is never stored in the image and it can never be made public.
It is kind of handy to know when and where an image was taken though – thankfully there are other options. - Make sure that you never post anything publicly. Many social networking sites and image hosting sites have privacy controls that allow you to ensure that only people you trust can see the photos.
- Remove the geo-tags before posting. The Nikon ViewNX utility that came free with my camera can remove geo-tags as well as view them. I bet there are smartphone apps for it too.
- Use an image service that has the ability to remove geo-tags of images that you’ve posted – flickr for instance has this option (under “defaults for new uploads”) and I imagine most of them do.
If you don’t find “geo-tag” or “location data” in your privacy settings then look out for the term “EXIF” – this is the format that most smartphones and cameras use to add information such as the camera brand and exposure details as well as the location to the image file.
Personally I prefer option 2 – I tend to restrict who can view my images. I only make a few publicly available and I pay close attention to what those ones reveal, not just through geo-tags but also through the content of the image itself.
So in conclusion your smartphone is not a hot-line to the Cosa Nostra and it’s really rather unlikely that anyone with any criminal intentions is paying any attention to any images you’re posting online.
It is however worth checking if you’re posting geo-tagged images with no privacy control and if you are then have a think about whether or not you’re happy with that. If not then delete them, remove the geo-tags or make them private and then implement some sort of strategy to make sure you stop doing it.