April 20, 2012 | By Hanni Fakhoury

A Picture is Worth a Thousand Words, Including Your Location

At first blush, it seems obvious that a picture could reveal your location. A picture of you standing in front of the Golden Gate Bridge sensibly leads to the conclusion that you were in the San Francisco Bay Area when the photo was taken. But now that smartphones are quickly supplanting traditional digital cameras, and even traditional cameras now have wifi built in, many more pictures are finding their way onto the web, in places like Twitter, Flickr, Google+ and Tumblr. In a span of 10 days, popular photo social network Instagram added 10 million new users as a result of the release of its Android app and its acquisition by Facebook. And the location data hidden in these quick and candid pictures -- even when your location isn't as obvious as "standing in front of the Golden Gate Bridge" -- is becoming another easy way for anyone, including law enforcement, to figure out where you are.

Take the case of "w0rmer," a member of an Anonymous offshoot called "CabinCr3w," for example. According to the federal government (PDF), "w0rmer" broke into a number of different law enforcement databases and obtained a wealth of sensitive information. In a Twitter post, "w0rmer" provided a link to a website that contained the sensitive information as well as a picture of a woman (NSFW) posing with a sign taunting the authorities. Because the picture was taken with an iPhone 4, which has a built-in GPS device, the GPS coordinates of where the picture was taken were embedded in the picture's EXIF metadata. The FBI was able to use the EXIF data to determine that the picture was taken at a house in Wantirna South, Australia.

The FBI tracked down other online references to "w0rmer," with one website containing the name Higinio Ochoa. The feds took a look at Ochoa's Facebook account, which detailed that his girlfriend was Australian. Combined with the EXIF metadata, the government believed they had corroborated the identity of "w0rmer" as Ochoa, and in turn arrested him. 

Even for photos not taken with a smartphone and not embedded with GPS coordinates (for example, point and shoot or SLR cameras that do not geotag), it's still possible for the police to get location information through EXIF metadata. You can upload a picture here and see the metadata stored in a picture for yourself. Contained within that metadata is the camera's serial number. Armed with that information, the police can easily scour the internet for other pictures tagged with the same serial number. In Australia, a man whose camera was stolen was able to track it down using stolencamerafinder.com because the thief had taken a picture with the camera and uploaded it to Flickr, where he had listed his address. But even if the thief's Flickr site didn't contain his address, police could have subpoenaed Flickr - as law enforcement has attempted to do with Twitter - for information concerning a user's temporarily assigned IP address, as well as session times and logs, to eventually determine where a person uploaded a picture from. All of this can be used to piece together a snapshot of not only your movements, but as in the case of "w0rmer," potentially your identity. In the United States, police are being trained about the broader investigative (PDF) potential of this information.

It might be tempting to say the problem is overblown, because some social media sites, including Facebook and Twitter, strip the metadata out of photos uploaded by their members. But not all do. Twitpic's default is to use a picture's location tag unless you opt out. Flickr gives you the option to hide a photo's EXIF data, but many casual photographers tempted by the rapid growth of photo sharing may not understand what EXIF data is, and the implication of making it publicly available.

The bigger problem is that courts have been expanding the police's right to search digital devices without a warrant under the "search incident to arrest" exception of the Fourth Amendment. While many of the cases involve warrantless searches of cell phones, there has been at least one case in California (PDF) where the police used the "search incident to arrest" exception to search a juvenile's digital camera. And there are other reported incidents of photojournalists having their cameras confiscated and searched when covering political protests and rallies. If the cops have the physical camera (and thus the memory cards that store the photos), whatever scrubbing happens when a photo is uploaded to the web is no obstacle.

So if you value your privacy, you should take steps to ensure the EXIF metadata in your pictures isn't an easy way for anyone on the Internet to figure out your location. If you're using a smartphone to take pictures, disable geotagging for your pictures. If you're uploading your pictures to a website like Flickr or Twitpic that defaults to automatically include EXIF data and location information, take the steps to turn it off. And if you're using a traditional SLR or point and shoot camera that doesn't geotag, but does contain a breadth of EXIF data, then make sure you scrub each picture's metadata before you upload it to the Internet. There are free online tools that will help you do precisely that. These simple steps will help ensure that the thousand words a picture describes don't include your location.

