How much EXIF information is tracked by photo sharing sites?

On 2014-11-18 17:16:09 +0000, John McWilliams said:

linux froup x'ed.

On 11/18/14 PDT, 9:00 AM, Warren Oates wrote:
In article ,
William Unruh wrote:

The GPS data could certainly be "intensely personal".

Yeah. Here's my cousin Zeke in front of the Eiffel Tower. I'd better
delete the geo-locating data so no one knows where he really is.

Here's my cousin Zeke's meths lab; I think I'll leave that metadata in
place.

All of your, er, "examples" are extreme film-noir worst-case scenarios.
What's your proposal? Ban metadata? Think about all the metadata in the
chip on your passport. What might Kang and Kodos do with that?

Srsly, though, I don't have any sympathy for anyone trys to post
something "anonymously" who has no idea how to do it properly.

And I like the idea of the murderer/thief/philanderer being stupid
enough to post incriminating evidence..... Priceless!

....and coincidently all on the above have happened, from posting images
of crime scenes, stolen items, and conquests on various social media.
These days investigators are going to check Facebook accounts, Twitter
& Instagram feeds, and personal blog sites. That said, much more
damaging evidence can be found, unshared on a phone, and those photos &
other stuff can only be accessed, and admitted as evidence with the
permission of the phone's owner, or a search warrant.
--
Regards,

Savageduck

In article , William Unruh wrote:

William Unruh:
The GPS data could certainly be "intensely personal". Say you
took a picture of a beautiful object. It happened to be in your
mistresses flat. The gps coordinates would show you were there,
despite your protestations you never knew her.

Sandman:
False logic.

That is only "intensively personal" if someone already knwos the
photo belongs to you and know who you are - in which case you as a
person is already a known entity and the added data becomes highly
sensitive if the wrong person (your wife) sees it.

No. The concern was the posting of the EXIF data on public sites.
The data mining was one example of how the data could be misued, not
the only example.

Uh, yeah it was:

A. Beck.
How much EXIF information is tracked by photo sharing sites?
10/28/2014

"But ... how much of that personal EXIF information is
retained by the web site (and used for their possibly
nefarious purposes)?"

That's from the OP.

And even for data mining, when most of the pictures turn out to have gps
location of your house, then associating them with you is not exactly
difficult.

Sure it is. GPS is never that accurate, so it could be you, your neighbour,
your wife, your daughter, your son. The point is that there is no way to
*knows*, at least not automatically.

So, basically, your daughter could be posting pictures to Flickr from your
house, and an automatic process could pinpoint that, with data from more
pictures, to the likely house, and use public records to find out who owns
the premises - NOT your daughter.

And, finding out *who* took the picture using geodata may constitute
personal information, but hardly "intensly personal" as quoted by the OP.

Then the occurance of your mistresses house associates you
with your mistress.

You're just repeating the same invalid example. Consider this - Flickr has
an account with an anonymous name and anonymous email address, and on that
account exists ten photos, where the majority has the GPS data set to
somewhere in the vicinity of 20-25:th Main St. in a specific town.

Now that's a data point. The only other data point they can add is the
house owner's of those addresses, which I repeat - does NOT necessarily
mean that any one of these took that picture. In fact, the house *owner*
may not even live in the house.

They don't have enough data to make it in to a personal data.

Your examples hinge on the EXIF data being viewed by someone else than
these "web sites" and by a party that has more data points about YOU, and
knows that the photos are taken by YOU. That's not data that Flickr has
unless you give it to them.

Sandman:
The discussion is about EXIF data as "mined" by social media sites
for "nefarious purposes"

No, it was not. The discussion is about whether or not EXIF data
could be used for purposes you, as the poster, did not approve of,
or harmed you.

Perhaps you should go back to the OP and re-read it.

Sandman:
The idea is that EXIF containes "intensly personal" information,
and your example does not show such information, it is only
personal if you as a person is already a known variable.

If *I* were to download that very photo from an anonymous source,
and I don't know anything about you - there is *nothing* personal
in that EXIF data at all. I can see, if it has GPS data, where it
was taken which tells me nothing about you.

If your credit card information and your tax forms (without your
name on the form) were in the exif data, would that be personal
information?

Of course. Even intensely so. The OP only listed date, GPS and what camera
was used as the data points in the EXIF that he was concerned with. It's
not like he said that he has purposfully put very sensitive and personal
information in the EXIF and were wondering whether it could be used for
nefarious purposes.

You would be OK with that since if they did not know
your name, that information would be useless to them? Is any
information to you "intensely personal"? Note that it is very
possible that your photo DOES contain your name in the exif
information, under a copyright tag for example.

Indeed, but the OP never talked about him putting personal information in
the EXIF in the first place, only listed automatically added data by the
camera.

The argument is NOT whether exif information is always intensely
personal. The question is if it can be. If you do not know what is
being published, could it harm you?

Here's the OP again:

A. Beck.
How much EXIF information is tracked by photo sharing sites?
10/28/2014

"The EXIF, as you know, can reveal exactly where and when the
photo was taken, and even what camera was used, and, of
course, the time and date, etc, the combination of which
could easily reveal intensely personal information."

Where he incorrectly, and explicitly, states that the combination of GPS
data, date and camera model is "intensely personal information". It just
isn't.

Sandman:
But again, the topic was EXIF being used for supposed "nefarious
purposes" by these social media sites and whether or not there was
"intensly personal" information in the EXIF. There isn't - all
your examples hinges on the fact that one has to know you to begin
with for it to be intensly *sensitive*, not personal.

I think that "intesely sensitive" and "intensely personal" can be
taken to be synonymous here.

Not at all. In your example, the GPS location isn't personal information at
all, but since it reveals something you want to keep a secret to one
specific person, it is sensitive data to you in the context. It is NOT
personal data as far as Flickr/Facebook/Whatever is concerned, which is the
topic.

William Unruh:
The question was not whether or not it could be removed. The
question was whether or not the data could store "intensely
personal" information, since it is stored automatically unless
you take action and delete it.

Sandman:
EXIF certainly *can* store intensively personal information, no
doubt - but if it does, the user has put it there themselves, not
added automatically by their software (unless they have it set up,
a lot of photo management apps can have templates of EXIF data
added upon import)

I was giving the example of GPS data, which is automatically added
by many modern cameras, being intesely personal

It is not.

expecially when it is often trivial for someone to figure out who you are
by looking at either the account under which it was stored, or even
looking at the photos (selfies ARE a common use of photos and are
posted).

The question of personal data in EXIF is rather superfluous if the pictures
depict personal information themselves. Again, the OP didn't bring up the
content of the photograph as a data point.

Yes, one may have to combine data from various sources to make the
data on that one particular photon intensely personal

What sources? Please be specific. Combining data sources is what automatic
software does best, so I'm interested in your theory here.

but that extra data is often trivial to get. It is the shock of
discovering that the police posted your photo of a mob hit onto a web
site to plead for more into, and that the EXIF information on that photo
could make it more likely that the mob could figure out you took the
photo that makes it "intensely personal".

And how do they go about to do that? I mean, from the viewpoint that the
EXIF doesn't contain my name and the photo isn't of me. How do they do it?
Please be specific.


--
Sandman[.net]

In article , Sandman
wrote:

And even for data mining, when most of the pictures turn out to have gps
location of your house, then associating them with you is not exactly
difficult.

Sure it is. GPS is never that accurate, so it could be you, your neighbour,
your wife, your daughter, your son. The point is that there is no way to
*knows*, at least not automatically.

gps is generally very accurate, often 10-20 foot range, but it only
identifies the location, not the persons involved. however, the latter
can usually be determined.

So, basically, your daughter could be posting pictures to Flickr from your
house, and an automatic process could pinpoint that, with data from more
pictures, to the likely house, and use public records to find out who owns
the premises - NOT your daughter.

the content of the photos would likely indicate it was the daughter and
not the parent who took the photo or is in the photos.

And, finding out *who* took the picture using geodata may constitute
personal information, but hardly "intensly personal" as quoted by the OP.

depends on what someone considers intensely personal.

Then the occurance of your mistresses house associates you
with your mistress.

You're just repeating the same invalid example. Consider this - Flickr has
an account with an anonymous name and anonymous email address, and on that
account exists ten photos, where the majority has the GPS data set to
somewhere in the vicinity of 20-25:th Main St. in a specific town.

Now that's a data point. The only other data point they can add is the
house owner's of those addresses, which I repeat - does NOT necessarily
mean that any one of these took that picture. In fact, the house *owner*
may not even live in the house.

it's not hard to figure out who is living there.

They don't have enough data to make it in to a personal data.

like hell they don't.

Your examples hinge on the EXIF data being viewed by someone else than
these "web sites" and by a party that has more data points about YOU, and
knows that the photos are taken by YOU. That's not data that Flickr has
unless you give it to them.

you do have to give the data to them, but once you do, that data can be
analyzed.

simple solution: don't give it to them.

On 2014-11-18, Warren Oates wrote:
In article ,
William Unruh wrote:

The GPS data could certainly be "intensely personal".

Yeah. Here's my cousin Zeke in front of the Eiffel Tower. I'd better
delete the geo-locating data so no one knows where he really is.

Here's my cousin Zeke's meths lab; I think I'll leave that metadata in
place.

All of your, er, "examples" are extreme film-noir worst-case scenarios.
What's your proposal? Ban metadata? Think about all the metadata in the
chip on your passport. What might Kang and Kodos do with that?

Srsly, though, I don't have any sympathy for anyone trys to post
something "anonymously" who has no idea how to do it properly.

So you admit that the data could be "intesely personal". You just think
that it should be up to the person posting to scrub such data, and they
deserve what they get if they do not. That is a possible attitude, but
then they must know what data it is that they are posting to even know
they should scrub it. Most people do not know about EXIF data, so do not
know they should, perhaps, scrub it.
You are also pretty tough on mistakes. Had you, in your life "reaped
what you sowed" at all times, you would probably not be here.
Forgiveness and forgetting is part of life as well. Unfortunately the
net does not forget. If you make a mistake, you are stuck with it for
life.

On 2014-11-18, nospam wrote:
In article , Mayayana
wrote:


Whenever the privacy issue comes up in any venue there's
always the vehement camp that starts in with accusations of
paranoia and tin foil hats, trying to make *any* privacy concerns
seem silly. They don't want to think about the issue and they
don't really want to know how much they're being tracked. For
one simple reason: to acknowledge it would face them with a
decision that might be inconvenient, especially if they live with
Google, Facebook, GPS on smartphones, etc.

nope.

the tin foil hat accusations come out when people make ludicrous and
unsubstantiated claims that are almost always, full of misinformation.

there's nothing wrong with maintaining privacy. the problem is that
some people claim everyone is out to exploit them when in reality, it's
the users who decide whether or not to use a service and *willingly*
provide information for the service offered.

Well, not so willingly often. For example, most do not know about EXIF data.
They do not know they posted it. The default should be that such data
gets scrubbed unless the user explicitly OKs it, not the other way
around.


in other words, it's a consensual agreement, not exploitation.

No, and agreement in which there is a huge disparity in knowledge is not
a consentual agreement. A consentual agreement must be informed consent,
not "silence means yes".


I only mention these things for the sake of people who might
not have thought about it but who may actually be interested in
minimizing their "Google dossier".

you assume people are morons. some might be, but the vast majority are
smart enough to make their own decisions about what information to
provide.

No, most people are ignorant. As are you on huge areas in your life,
including some which could kill you.


A. Beck seems to be posting lots of photos and simply wants
to minimize the trail he's leaving. I don't see anything extreme,
unreasonable, or paranoid about that. It seems like common
sense to me. Though I would question his general logic: Anyone
who is having their social life hosted through corporate
advertising companies such as Facebook and Pinterest is hardly
in a position to be concerned about privacy. The biggest risk
with A. Beck's metadata is the fact that he's linked himself to
it personally by putting it on his own "social network" pages.
Who needs Google spying when they're documenting their
entire life on Facebook anyway?

there you go with the tin foil hat nonsense. it's not spying when
someone provides it willingly.

Willingly implies knowledge.

In article , William Unruh
wrote:

Whenever the privacy issue comes up in any venue there's
always the vehement camp that starts in with accusations of
paranoia and tin foil hats, trying to make *any* privacy concerns
seem silly. They don't want to think about the issue and they
don't really want to know how much they're being tracked. For
one simple reason: to acknowledge it would face them with a
decision that might be inconvenient, especially if they live with
Google, Facebook, GPS on smartphones, etc.

nope.

the tin foil hat accusations come out when people make ludicrous and
unsubstantiated claims that are almost always, full of misinformation.

there's nothing wrong with maintaining privacy. the problem is that
some people claim everyone is out to exploit them when in reality, it's
the users who decide whether or not to use a service and *willingly*
provide information for the service offered.

Well, not so willingly often. For example, most do not know about EXIF data.
They do not know they posted it.

and whose fault is that?

The default should be that such data
gets scrubbed unless the user explicitly OKs it, not the other way
around.

no it shouldn't.

in other words, it's a consensual agreement, not exploitation.

No, and agreement in which there is a huge disparity in knowledge is not
a consentual agreement. A consentual agreement must be informed consent,
not "silence means yes".

it's a user's choice to download an app, launch the app, optionally
provide identifying information to the app and actually use the app for
that information to be data mined.

that does *not* happen without the user's consent. it's *always* up to
the user.

I only mention these things for the sake of people who might
not have thought about it but who may actually be interested in
minimizing their "Google dossier".

you assume people are morons. some might be, but the vast majority are
smart enough to make their own decisions about what information to
provide.

No, most people are ignorant. As are you on huge areas in your life,
including some which could kill you.

nonsense. people know full well that giving out identifying information
can be abused. some choose to give it out because of the benefits of a
particular service and others do not.

the user decides what to do.

A. Beck seems to be posting lots of photos and simply wants
to minimize the trail he's leaving. I don't see anything extreme,
unreasonable, or paranoid about that. It seems like common
sense to me. Though I would question his general logic: Anyone
who is having their social life hosted through corporate
advertising companies such as Facebook and Pinterest is hardly
in a position to be concerned about privacy. The biggest risk
with A. Beck's metadata is the fact that he's linked himself to
it personally by putting it on his own "social network" pages.
Who needs Google spying when they're documenting their
entire life on Facebook anyway?

there you go with the tin foil hat nonsense. it's not spying when
someone provides it willingly.

Willingly implies knowledge.

and people have that knowledge. not everyone does, but most do. people
aren't the morons you think they are.

Warren Oates:
Exactly. I challenge Mayayana to post the EXIF data from a couple of
random jpegs so we can see the "intensely personal" stuff that's in
there.

I look at a couple-three random images, the most "intensely personal"
stuff I see is the creation date, the name of the camera, the date the
image was modified, and the image processing software I used to modify
it (if I did). To be fair, none of our cameras have GPS hardware, so
there's no location data, but nevertheless ...

Now: we add copyright info to the pictures we actually publish, but we
do that knowingly and I know how to remove it....

This paranoia is, er, insane. Don't want people to know who you are?
Get off the Internet. Get off the grid. Move to Mongolia and herd
goats.

I make photos of small arthropods and sometimes other creatures, some
of which are harvested from my Flickr page by the Encyclopedia of Life
and the Maryland Biodiversity Project. These photos must contain my
identity, the genus and species (binomial) of the subject, the date
that I made the photo, and the location where the subject was found.
When I use a camera without a GPS I use the Flickr map facility to
pinpoint the location; the photos are useless without a location.

My photos are intended to be useful to researchers, educators, and
others who may be interested. As such, they are published under the
Creative Commons license
http://creativecommons.org/licenses/by-nc-sa/4.0/, under which just
about anything goes--take it, use it, modify it, practically anything
but commercialize it. This doesn't stop me from licensing a photo for
commercial use from time to time, though that is not my objective.

Commercial photographers who don't want their copyrighted photos taken
and passed around should keep them off the Internet.

It gets worse! My full name is in my sig, and a look at
switchboard.intellius.com will tell people where I live if they haven't
gotten that information from my Flickr photos!

http://www.flickr.com/photos/primeval

http://www.primordial-light.com

--
I agree with almost everything that you have said and almost everything that
you will say in your entire life.

usenet *at* davidillig dawt cawm

On 2014-11-18, Davoud wrote:
Warren Oates:
Exactly. I challenge Mayayana to post the EXIF data from a couple of
random jpegs so we can see the "intensely personal" stuff that's in
there.

I look at a couple-three random images, the most "intensely personal"
stuff I see is the creation date, the name of the camera, the date the
image was modified, and the image processing software I used to modify
it (if I did). To be fair, none of our cameras have GPS hardware, so
there's no location data, but nevertheless ...

Now: we add copyright info to the pictures we actually publish, but we
do that knowingly and I know how to remove it....

This paranoia is, er, insane. Don't want people to know who you are?
Get off the Internet. Get off the grid. Move to Mongolia and herd
goats.

That is fine. YOu find it paranoid. Others find it being careful. Or do
you not accept that different people can have different opinions.


I make photos of small arthropods and sometimes other creatures, some
of which are harvested from my Flickr page by the Encyclopedia of Life
and the Maryland Biodiversity Project. These photos must contain my
identity, the genus and species (binomial) of the subject, the date
that I made the photo, and the location where the subject was found.
When I use a camera without a GPS I use the Flickr map facility to
pinpoint the location; the photos are useless without a location.

And I look at your photos and find many of them are taken in Arizona.
But suddenly you post one taken today in Alaska. You are highly probably
on a trip to Alaska and there is a good chance that your home is now
empty. I go around, knock on the door, and with no answer have a
reasonable expectation that I have all the time I want to strip your
place. Paranoia? Perhaps-- until it happens to you. (PS, this is used by
crooks regarding say funeral notices in the papers).


My photos are intended to be useful to researchers, educators, and
others who may be interested. As such, they are published under the
Creative Commons license
http://creativecommons.org/licenses/by-nc-sa/4.0/, under which just
about anything goes--take it, use it, modify it, practically anything
but commercialize it. This doesn't stop me from licensing a photo for
commercial use from time to time, though that is not my objective.

??? Go ahead. But do not pretend that there is no way that the
information you post could not be used against you.


Commercial photographers who don't want their copyrighted photos taken
and passed around should keep them off the Internet.

It gets worse! My full name is in my sig, and a look at
switchboard.intellius.com will tell people where I live if they haven't
gotten that information from my Flickr photos!

http://www.flickr.com/photos/primeval

http://www.primordial-light.com


And this is supposed to tell us what? You also have unprotected sex with
prostitutes as well I suppose, and drink 10 shots of whiskey per day,
and play a game of Russian roulette every morning to give yourself a
kick, and see, you are still alive.

Just because you do something and it hasn't bitten you in the ass yet
does not imply that there is nothing to worry about.

On 11/18/2014 5:18 PM, Davoud wrote:

snip


It gets worse! My full name is in my sig, and a look at
switchboard.intellius.com will tell people where I live if they haven't
gotten that information from my Flickr photos!

That iis your privilege and right Similarly if others don't want that
information disclosed, they should take appropriate measures.


http://www.flickr.com/photos/primeval

http://www.primordial-light.com


I like your macro shots. They are clean and sharp. I use macro for
different purposes. Clearly my style is not appropriate for scientific
purposes.

https://dl.dropboxusercontent.com/u/97242118/1%20Needs%20A%20Shower.jpg


--
PeterN

In article , Lewis
wrote:

The GPS data could certainly be "intensely personal". Say you took a
picture of a beautiful object. It happened to be in your mistresses
flat. The gps coordinates would show you were there, despite your
protestations you never knew her. Similarly for some innocuous photo
taken at a crime scene. Again it would prove you were there. Something
which could destroy your marriage/land you in jail I would certainly
call "intensely personal".

If GPS data was super accurate on photos, which it is not, that might be
an issue. I've had GPS data that showed I was more than 10 miles from
where I actually was when the photo was taken. Either than or I had like
a 50,000 mm telephoto lens.

if you just turned on the camera (and therefore the gps), it may not
have an exact fix yet and if you're indoors or otherwise obscured, it
may not ever get an exact fix, but the rest of the time it's typically
very accurate.