Lately, a new trend can be observed in the media: a debate fuelled by many rumors about the abuse of power by governments and agencies. Modern society lives in fear of losing one of its basic rights – privacy. Monitoring and eavesdropping remind people of futuristic visions of total surveillance. Is it true that people are scared, or is it a slogan repeated by the masses? Are programs like PRISM a real danger, or is there a much bigger risk?
In this episode of Security Demystified, we will discuss a problem related to user data and its exposure on platforms like Steemit. Consider it a gentle warm-up for the reader's mindset.
Data, Metadata and Privacy
The world is filled with data. It is everywhere and plays an important role in every aspect of human life. Basically, the term data means information or a piece of it: a form of representation of facts or concepts, a set of values of qualitative or quantitative variables. By its nature, data can be collected, interpreted, analyzed, processed and visualized. This is done every day, all over the world, to speculate on stock market moves, forecast the weather or invent a new antibiotic.
While data needs no further introduction, a similar term, metadata, seems to confuse many. It has attracted massive attention since a government agency used it to describe the type of its actions. As a quick reminder: an NSA representative said that they do not collect user data, but metadata.
What difference does that statement make? Does it mean that a user should not worry? Not necessarily.
Metadata is, simply speaking, data that describes or gives certain information about other data. Its scope is loosely defined and covers information like:
- A type of an event.
- A location of an event.
- A time of start and end of an event.
- Involved parties.
And much more depending on an actual event.
The most obvious events are phone calls, emails, photos, visited pages, etc. All this information is carefully gathered and analyzed. To be precise: in the case of phone calls, collecting metadata means that the call itself was not recorded. However, in many cases the subject of the call may not be the only important piece. Consider calls to a private psychiatrist, a brothel or a sex line, or a suicide prevention line. It does not take much to understand the full scenario even when the topic of the call remains ‘unknown’.
It is a real problem, but are people really scared of it? Do they actually care about privacy and anonymity?
Internet & Social Platforms. Free Data Giveaway
There is a big mismatch between people's expectations and their actual actions. While privacy and anonymity have been treated seriously since the 90s by those who understood the range of potential abuse, the new generation ignores the subject completely. The need to be accepted by society, liked, followed - to be visible, popular and unique - has taken precedence over rational thinking. It has led to the creation of social phenomena like Myspace, Facebook, Twitter or Instagram.
This social paradox creates massive data stores filled with sensitive data, with the users' acceptance. They are real treasures for both organizations and individuals who want to get information about a person. Who would post a date of birth, an email address, a phone number and a photo all around a city, a country or the whole world? Visible to everyone! Despite the fear of being watched, exactly this kind of behavior is observed on a big scale. How about check-ins, comments, relationship and work statuses, updates on daily activities? Are these different from the metadata collections mentioned earlier?
There are differences:
- Making it public is a choice (well, so is jumping from a plane without a parachute...).
- Public means available to everyone, not only to privileged units.
- This data clearly points to a subject, is categorized and is not secured in any way.
STEEMIT. Selling data for SteemDollars.
The platform promotes transparency, honesty and verification over anonymity and safety. It is generally a great way to make friends in real life, but it puts people who are unaware of the possible consequences at risk.
Every person who shares information on this platform makes it public (to view and use). While making a blockchain-based blog corner is not @dan's primary goal, using Steemit that way is fully allowed.
Published data lets users infer things about the author. Writing articles about photography may imply the author's interest in the area. On the other hand, a post about being happy at a beautiful beach on vacation may be interpreted as:
- You may find me here till the end of the week.
- I am here alone.
- I am not at home and I will not be there soon.
Unfortunately, this is where things just start to get interesting. As posts are stored in the blockchain, all data is saved permanently with no option to delete it. This makes the full history of a user's activity visible, and a future employer, friends, children, random people – everyone has access to this collection. If that is not enough, more and more tools are being created to present users' data in an understandable fashion.
Pictures, silent killers.
Pictures make a post unique and attractive to readers. They are also a great source of data and metadata. While the media talk about great algorithms which match pictures by content to a specific location, that is the last thing to worry about. The real issue is not the photograph that tells your chosen story, but the information silently given away with the photograph itself, like:
- A timestamp.
- A type of your camera (including smartphones).
- Software used to edit the picture.
- A thumbnail of the picture (original, before cropping etc.).
Why do pictures reveal so many secrets? This information (Exif, IPTC IIM and XMP data) is actually meant to make the user's life easier. It is used to make files easy to process, categorize, etc. It is not completely hidden; users can see it almost all the time but somehow forget about it when they post images on the internet.
How to check it?
There is a variety of tools available (both command-line tools and graphics editors). A very popular and powerful one is ExifTool (made by Phil Harvey). Several online tools use it under the hood, among them a popular Exif Viewer. Another popular program is ImageMagick. It is not recommended, except for photos from known sources, due to the various vulnerabilities found by researchers.
In this example ExifTool is used. It has a great tutorial with a set of examples for all platforms. Give it a try! Remember that it is safer to examine any picture locally at home than through online tools.
Let's assume we have a file: photo.jpg like the one below:
Get all image metadata and save it to a file:
It returns a lot of information about tested pictures.
Get Image Thumbnail:
An image may contain a thumbnail, but it does not have to. The important part is that simple transformations like cropping do not always modify the thumbnail, which may reveal the complete picture (now, imagine these 'seductive' pictures published on the network...). Still, that is not all! A thumbnail, despite its original purpose, does not have to contain information related to the actual picture. It may contain the picture before modifications or any other image. Sounds impossible? Test it on the included picture.
Get only GPS coordinates:
A picture may show the exact location where it was taken. In this case it is: 38.869184 degrees N and 77.056267 degrees W, which happens to be the Pentagon. Once again, try it!
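What a metadata reader does for the GPS case, as an added example (not from the original article and not ExifTool's code): a Python parser that walks the Exif structure of a JPEG and converts the stored degrees, minutes and seconds to decimal degrees, so you can check your own photo before posting it. The names `read_gps` and `build_sample_jpeg` are hypothetical, and the sample file is constructed in the code to carry the coordinates quoted above.

```python
import struct

def read_gps(jpeg: bytes):
    """Return (lat, lon) in decimal degrees from a JPEG's Exif GPS IFD, or None."""
    start = jpeg.find(b"Exif\x00\x00")        # the Exif APP1 payload begins with this header
    if start < 0:
        return None
    tiff = jpeg[start + 6:]                    # all Exif offsets are relative to the TIFF header
    bo = "<" if tiff[:2] == b"II" else ">"     # II = little-endian, MM = big-endian

    def u32(pos):
        return struct.unpack_from(bo + "I", tiff, pos)[0]

    def ifd(offset):
        """Map each tag in an IFD to the position of its 4-byte value/offset field."""
        count = struct.unpack_from(bo + "H", tiff, offset)[0]
        return {struct.unpack_from(bo + "H", tiff, offset + 2 + 12 * i)[0]: offset + 10 + 12 * i
                for i in range(count)}

    ifd0 = ifd(u32(4))
    if 0x8825 not in ifd0:                     # 0x8825 = pointer to the GPS IFD
        return None
    gps = ifd(u32(ifd0[0x8825]))
    if not {1, 2, 3, 4} <= gps.keys():         # LatRef, Lat, LonRef, Lon
        return None

    def degrees(value_tag, ref_tag, negative_ref):
        d, dd, m, md, s, sd = struct.unpack_from(bo + "6I", tiff, u32(gps[value_tag]))
        value = d / dd + m / md / 60 + s / sd / 3600
        return -value if tiff[gps[ref_tag]:gps[ref_tag] + 1] == negative_ref else value

    return degrees(2, 1, b"S"), degrees(4, 3, b"W")

def build_sample_jpeg() -> bytes:
    """Constructed sample: SOI + one Exif APP1 segment + EOI, with the article's position."""
    def entry(tag, typ, count, value):
        raw = value if isinstance(value, bytes) else struct.pack("<I", value)
        return struct.pack("<HHI4s", tag, typ, count, raw)
    def dms(d, m, s_x10000):                   # three RATIONALs: degrees, minutes, seconds
        return struct.pack("<6I", d, 1, m, 1, s_x10000, 10000)
    tiff = (b"II" + struct.pack("<HI", 42, 8)
            + struct.pack("<H", 1) + entry(0x8825, 4, 1, 26) + struct.pack("<I", 0)
            + struct.pack("<H", 4) + entry(1, 2, 2, b"N\0") + entry(2, 5, 3, 80)
            + entry(3, 2, 2, b"W\0") + entry(4, 5, 3, 104) + struct.pack("<I", 0)
            + dms(38, 52, 90624) + dms(77, 3, 225612))
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"
```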
|Tools for photographers, graphic designers etc.|
|Dedicated tool with a graphical user interface|A big group of tools that can be found under the keywords: exif editor. Generally, despite different names, they are very similar and quite intuitive. It is only a matter of user taste and preferences, therefore pick your favourite!|
For those less casual (when using a mouse is too mainstream):
There is a variety of console tools which allow users to remove image metadata. They may be a faster solution if someone needs to process a lot of images. If you would like to give them a try:
Third-party platforms
Image metadata can cause many problems bigger than user exposure alone (hint: metadata modifications). Therefore, it is often good practice to remove it during the upload to the server. Big social media platforms like Facebook remove metadata automatically. That is, however, not enough to keep users safe (it only keeps Facebook safe). Spying tools gather all data from images, check-ins and tags on social platforms.
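One way to do that upload-time removal, added here as an example (not code from the original article or from any platform named in it): a Python function that walks the JPEG segment list and drops the segments that carry Exif, XMP, IPTC and comment data while leaving the image data untouched. The names `strip_metadata` and `build_sample` are hypothetical, and the sample bytes are constructed.

```python
import struct

# APP1 (Exif, XMP), APP13 (IPTC / Photoshop), COM (free-text comment)
METADATA_MARKERS = {0xE1, 0xED, 0xFE}

def strip_metadata(jpeg: bytes) -> bytes:
    """Return the JPEG with its metadata segments removed; raise ValueError if malformed."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xDA:                       # SOS: compressed image data follows
            out += jpeg[pos:]                    # copy the rest verbatim
            return bytes(out)
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)   # includes its own 2 bytes
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("corrupt segment length")
        if marker not in METADATA_MARKERS:
            out += jpeg[pos:pos + 2 + length]    # keep JFIF, quantization tables, etc.
        pos += 2 + length
    raise ValueError("no SOS marker found")

def build_sample() -> bytes:
    """Constructed sample: a JPEG-shaped byte string with Exif, XMP and IPTC segments."""
    def seg(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return (b"\xff\xd8"
            + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xE1, b"Exif\x00\x00" + b"constructed-gps-and-thumbnail")
            + seg(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
            + seg(0xED, b"Photoshop 3.0\x00constructed-iptc")
            + seg(0xDB, bytes(65))
            + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56"
            + b"\xff\xd9")
```

Dropping the Exif segment also removes the embedded thumbnail and the orientation tag, so rotate the image before stripping if it relies on that tag.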
Society is spied on by powerful organizations, no doubt about it. An equally or even more serious problem, however, is the amount of information published and leaked by unaware people themselves. Repeatedly mentioned precautions like Tor, various VPNs, Tails, PGP etc. do not fully solve this issue.
Steemit is a great platform for content creators, but at the same time, it is a massive source of user data. Therefore, awareness is highly advised. Simple actions presented in this article may help everyone.
Keep your private data to yourself!
- This is the first article from the Steemit series: Cybersecurity Demystified. Learn more.
- Heidi knew about the article before it was published. She agreed to be 'an example'. Tested photos come from her posts: Anarchist in the Jungle and Lost In The Amazon. Thank you!
- More information about image metadata can be found, e.g., in the guidelines provided by the Metadata Working Group. They also contain links to other specifications, therefore these are not listed here.
- The picture of a cute girl from the first example (and the thumbnail) comes from Pixabay.
- Finally, articles found recently on Steemit, you may also find interesting (author's pick):
- Finally, if you have an iPhone THIS may be important to you.