Lately, a new trend in media is observed. It's a debate related to many rumors about the abuse of power by governments and agencies. Modern society lives in a fear of losing one of their basic rights – privacy. Invigilation and eavesdropping remind people of futuristic visions of total surveillance. Is it a truth that people are scared or a slogan repeated by masses? Are programs like PRISM a real danger, or is there a risk much bigger than that?

In this episode of Security Demystified, we will discuss a problem related to user data and the exposure on platforms like Steemit. It is considered to be a gentle warm-up to reader mindset.

Data, Metadata and Privacy

World is filled with data. They are everywhere and play important role in every aspect of humans life. Basically, a term data means information or its piece, a form of representation of facts or concepts, a set of values of qualitative or quantitative variables. Due to the nature, data can be collected, interpreted, analyzed, processed, visualized. It's done every day, all over the world to speculate stock market moves, forecast weather or invent a new antibiotic.

While it does not require more introduction, a similar one - metadata, seems to be confusing to many. It got a massive attraction since used by a government agency to describe the type of their actions. As a quick reminder: NSA representative said that they do not collect user data, but metadata.
What kind of difference makes that statement? Does it mean, that a user, should not worry. Not necessarily.

Metadata is simply speaking data, that describes or gives a certain information about data. It has a loosely defined scope, which means information like:

• A type of an event.
• A location of an event.
• A time of start and end of an event.
• Involved parties.

And much more depending on an actual event.

The most obvious events are phone calls, emails, photos, visited pages, etc. All these information are carefully gathered and analyzed. To be precise, e.g. in case of phone calls collecting metadata means that the call itself was not recorded. However, in many cases the subject of the call may not be the only important piece. Let’s consider calls like a private psychiatrist, a brothel or a sex line, a suicide prevention line. It does not take much to understand a full the scenario even when the topic of the call remains ‘unknown’.

It is a real problem, but are people really scared about it? Do they actually care about privacy and anonymity?

Internet & Social Platforms. Free Data Giveaway

There is a big misunderstanding between people's expectations and their actual actions. While privacy and anonymity have been treated seriously since 90s by those who understood the range of potential abuse, new generation ignores the subject completely. The need to be accepted by society, liked, followed - to be visible, popular and unique has taken privilege over rational thinking. It has led to the creation of social phenomena like Myspace, Facebook, Twitter or Instagram.

This social paradox creates massive data storages filled with sensitive data – with users acceptance. They are real treasures to both organizations and individuals who want to get information about a person. Who would place a date of birth, an email address and a phone number and a photo all around a city, a country or the whole world? Visible to everyone! Despite a fear of being invigilated, exactly this kind of actions is observed on a big scale. How about check-ins, comments, relationships and work statuses, updates on daily activities? Are these different from metadata collections, mentioned earlier?

There are differences:

• Making it public is a choice (well, so is jumping from a plane without parachute...).
• Public means for everyone, not only to privileged units.
• These data are clearly pointing a subject, categorized and not secured in any way.

STEEMIT. Selling data for SteemDollars.

The platform promotes transparency, honesty and verification over anonymity and safety. It is generally a great way to make friends in real life, but puts at risk people who are unaware of possible consequences.
Every person, who shares information on this platform, makes them public (to view and use). While it is not a @dan's primary goal to make a blockchain-based blog corner, it is fully allowed to use Steemit that way.

Published data let users to infer about the author. Writing articles about photography may imply author's interest in the area. On the other hand, a post about being happy at the beautiful beach on vacations may be interpreted like:

• You may find me here till the end of the week.
• I am here alone.
• I am not at home and I will not be there soon.

Unfortunately, it is where things just start to be interesting. As posts are stored in blockchain, all data is saved permanently with no option to delete them. It makes the full history of a user's activity visible and a future employer, friends, children, random people – everyone have an access to this collection. If that is not enough, more and more tools are created to present users data in an understandable fashion.

Pictures, silent killers.

Pictures make a post unique and attractive to readers. They are also a great source of data and metadata. While media talk about great algorithms which match pictures by content to a specific location, it is the last thing to care about. The real issue is not in a photography which tells your chosen story, but in silently given information related to the photography itself, like:
• A timestamp.
• A type of your camera (including smartphones).
• Software used to edit the picture.
• Picture miniature (original, before crop etc.).
• Geotags.

Why pictures reveal so many secrets? This information (Exif, IPTC IIM and XMP data) should actually make user's life easier. They are used to make files easy to process, categorize, etc. They are not completely hidden, users can see them almost all the time but somehow forget about them when post images in the internet.

How to check it?

There is a variety of tools available (both command line and graphics editors). A very popular and powerful one is called ExifTool (made by Phil Harvey). Several online tools use it under the hood, among them a popular Exif Viewer. Another popular program is ImageMagick. It is not recommend to use, except photos from known sources, due to the various vulnerabilities found by researchers.

Example I:

In this example ExifTool is used. It has a great tutorial with a set of examples for all platforms. Give it a try! Remember that it is safer for a user to play with any picture at home, not through online tools.

Let's assume we have a file: photo.jpg like the one below:

Get all image metadata and safe them to the file: $ exiftool -a -u -g1 photo.jpg > output It returns a lot of information about tested pictures. Note: Above one actually does not contain many data on purpose to make the output smaller. Get Image Thumbnail: If the picture contains a thumbnail, it can be extracted by using a command: $ exiftool -b -ThumbnailImage photo.jpg > thumbnail.jpg An image may contain a thumbnail but it does not have to. The important part is that simple transformations like crop etc. does not always modify a thumbnail, which may reveal the complete picture (now, imagine these 'seductive' pictures published in the network...). Still, that is not all! A thumbnail despite its original purpose does not have to contain information related to the actual picture. It may contain a picture before modifications or any other image. Sounds impossible? Test it on the included picture. Get only GPS cordinates: $ exiftool -gpslatitude -gpslongitude photo.jpg Picture may show the exact location where it was taken. In this case it is: 38.869184 degrees N and 77.056267 degrees W, which happens to be the Pentagon. Once again, try it!

Lesson: Pictures contain a lot of sensitive data. It is possible to both read and modify picture's metadata.

Example II:

ExifTool and more photos. Let's talk about a popular user, a girl, a traveler, a perfect victim to oppressors – Heidi (aka @heiditravels). Do you want to know where she lives? You can check where her pictures were taken! No, it is a joke, you cannot. Her Canon EOS 5D does not support geotagging.

One may check that uploaded pictures were taken with exactly this type of camera. Two sets (from different posts) are tested in this example: almost all pictures return the same camera model type, the only different one, is a picture of Heidi (on the right). Timestamps within presented sets also match really closely, only one picture was taken several days later or date was modified while photos were edited (the one on the left). Overall, even if Heidi is not on her pictures, there is a pretty good sign (but not a proof, since one can modify metadata) that she is the author of presented photos or at least they travel together.

Lesson: Image metadata can be used e.g. to discover potential plagiarism or various modifications of pictures. They reveal a lot of information about pictures (presented example was an easy usecase).
Metadata are not created to be a weapon of stalkers, but there is no limitation to their use. It is important to understand that it is a matter of hours and a fairly easy task for an experienced software engineer to create a full database of e.g. all Steemit users, their photos with a timeline, locations etc.

Limit your exposure.

How to deal with leaking data?

Review the content.

It is as simple as it can be. Publish only data you are ready to share with everyone. Your privacy and safety is more important than a chance to become a temporary Steemit celebrity. Is your home address and phone number worth to you 10SD or 100SD? Probably not. Look at your post and focus on information available via your story or pictures. Don't try to be sneaky, thinking that you will remove your pictures later. If there is a link available at least for a moment, there might exist a person who made a copy already.

Remove unnecessary metadata.

You can turn off geotagging features on your phone or camera but the best way to handle the situation is to always review photos and remove some or all metadata from pictures.

Solutions for casual users (who do not like console tools)

Windows Explorer	Windows Explorer offers users metadata removal. It is a quick operation. go to Details and click Remove Properties and Personal Information. It is not recommended as it does not necessarily remove all metadata. Don't use it.
Tools for photographers, graphic designers etc.	Advanced tools like e.g. Adobe Photoshop Lightroom have often built-in options to remove some or all metadata. User can choose to remove them while saving the image.
Dedicated tool with Graphic User Interface	A big group of tool that can be found under keywords: exif editor. Generally, despite different names, they are very similar and quite intuitive. It is only a matter of user taste and preferences, therefore pick your favourite!

For those less casual (when using mouse is too mainstream):
There is a variety of console tools which allow users to remove image metadata. It may be a faster solution if someone needs to process a lot of images. If you would like to give them a try:

ExifTool	$ exiftool -all= photo.jpg
ImageMagick	$ mogrify -strip photo.jpg
jpegtran	$ jpegtran -copy none photo.jpg > output.jpg

3-rd party platforms

Image metadata can cause many problems bigger than only user exposure (hint: metadata modifications). Therefore, it is often a good practice to remove them during the upload to the server. Big social media platforms like Facebook remove metadata automatically. It is however not enough to keep users safe (it only keeps Facebook safe). Spying tools gather all data from images, check-ins, tags on social plaforms.

Steemit has its own (well, not in legal terms) image hosting, called SteemIMG provided by @blueorgy. It allows users to upload the image without Exif metadata.

Conclusion

Society is spied by powerful organizations, no doubts about it. The equally or even more serious problem is, however in the number of information published and leaked by unaware people themselves. Repeatedly mentioned precautions like Tor, various VPNs, Tails, PGP etc. do not fully solve this issue.

Steemit is a great platform for content creators, but at the same time, it is a massive source of user data. Therefore, consciousness is highly advised. Simple actions presented in this article may help everyone.
Keep your private data to yourself!

Appendix

• This is the first article from the Steemit series: Cybersecurity Demystified. Learn more.
• Heidi knew about the article before it was published. She agreed to be 'an example'. Tested photos come from her posts: Anarchist in the Jungle and Lost In The Amazon. Thank you!
• More information about image metadata can be find e.g. in the guideline provided by Metadata Working Group. It contains also links to other specifications, therefore these are not listed here.
• The picture of a cute girl from the first example (and the thumbnail) comes from Pixabay.
• Finally, articles found recently on Steemit, you may also find interesting (author's pick):
  • The most famous Field Cipher: ADfGVX - And its important Role during WWI by @renzoarg (published on @timsaid).
  • How I hacked Quicken and made off with over $600,000 - True confessions by @mikehere.
• Finally, if you have an IPhone THIS may be important to you.
  
  
  
  Do you like this article?
  Show your support!

A note about the author:
@radoslaw is a software architect from Poland. Highly interested in complex, distributed systems and information security. Author's introduction.