Taking a picture with a cell phone is an intuitive maneuver for modern society. Whether exhibiting yourself in front of a mirror, updating your friends through Instagrams on Facebook, or documenting an interesting event, using a cellphone's camera is the most convenient way to capture and share your experiences. However, it carries a serious identity risk because of the significant amount of metadata recorded. EXIF, or Exchangeable Image File Format, is typically used by photographers to remember important technical data (aperture, ISO, shutter speed, white balance, etc.) of a particular shot, so as to recreate (or avoid recreating) similar results in the future. Cell phones, which frequently have GPS capabilities, include the specific location of the event. The ease of taking multiple photos, combined with the need to include these photos with Tweets and Facebook statuses, which reward these compulsive habits with retweets and “Likes” respectively, allows someone to parse out routines and stalk someone successfully. Such information, unless specifically scrubbed out (either by uploading to particular websites or finding the settings, which are often buried in your phone. Therefore, there are serious self-imposed privacy risks even if your phone was not hacked, especially if you document your routine. People may be able to predict where you will be, when your home is unoccupied, or when you are alone. All because you wanted to keep your friends up to date on your activities.
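
To make the scrubbing step concrete, here is an added example (not part of the original post) that checks a JPEG for an EXIF GPS directory and removes the EXIF segment before the file is shared. The function names and the sample image bytes are constructed for illustration.

```python
import struct
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory

def split_jpeg(data):
    """Return (header segments, tail); tail starts at the SOS marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos + 4 <= len(data) and data[pos:pos + 2] != b"\xff\xda":
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if data[pos] != 0xFF or length < 2 or pos + 2 + length > len(data):
            raise ValueError("corrupt segment at offset %d" % pos)
        segments.append(data[pos:pos + 2 + length])
        pos += 2 + length
    return segments, data[pos:]

def is_exif(segment):
    return segment[1] == 0xE1 and segment[4:10] == EXIF_HEADER

def has_gps(data):
    """True if the IFD0 of any Exif segment holds a GPS directory pointer."""
    for tiff in (s[10:] for s in split_jpeg(data)[0] if is_exif(s)):
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if endian is None or len(tiff) < 8:
            continue
        magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
        if magic != 42 or ifd0 + 2 > len(tiff):
            continue
        (count,) = struct.unpack_from(endian + "H", tiff, ifd0)
        tags = [struct.unpack_from(endian + "H", tiff, ifd0 + 2 + 12 * i)[0]
                for i in range(count) if ifd0 + 14 + 12 * i <= len(tiff)]
        if GPS_IFD_TAG in tags:
            return True
    return False

def strip_exif(data):
    """Drop every Exif APP1 segment; compressed image data is copied as is."""
    segments, tail = split_jpeg(data)
    return b"\xff\xd8" + b"".join(s for s in segments if not is_exif(s)) + tail

def sample_jpeg():
    """Constructed sample: SOI, APP0, Exif APP1 with GPS pointer, scan, EOI."""
    tiff = b"MM" + struct.pack(">HIH", 42, 8, 1)           # header + IFD0 count
    tiff += struct.pack(">HHII", GPS_IFD_TAG, 4, 1, 26)    # GPS pointer entry
    tiff += b"\x00" * 10               # next-IFD offset, then empty GPS IFD
    seg = lambda m, p: bytes([0xFF, m]) + struct.pack(">H", len(p) + 2) + p
    return (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xE1, EXIF_HEADER + tiff) + b"\xff\xda\x00\x02\x12\x34\xff\xd9")
```

Removing the whole EXIF segment also removes the timestamp and the camera make and model, not just the coordinates.
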
There's an additional danger of including potentially sensitive information in the photo since cell phones are not as precise as cameras when composing and taking images. This can impact you, who or what you photograph, and your business. Chelsea Walsh, a waitress at Applebee's, noticed a receipt that denied a colleague a tip. Since it came from a pastor, Alois Bell, who claimed she already gave 10% to god, it seemed appropriate to post it to an atheism forum. Unfortunately, the picture had the pastor’s signature. The forum in question has over 1.5 million members, and there was at least one member able to read that signature correctly. Even though Chelsea attempted to amend her post with one that excluded the signature, it was too late. The pastor’s address and picture were posted online and Internet vigilantism ensued. Applebee's, citing that the privacy of the pastor was compromised, fired Chelsea in retaliation. The story went viral. The pastor has since apologized for her actions (claiming she did leave a tip in cash). Applebee's, on the other hand, is facing a PR nightmare. It has attempted damage control on its Facebook page on multiple occasions, unsuccessfully (1)(2)(3). Thousands of customer comments have flooded these posts alone, suggesting boycotts, insulting the pastor, and suggesting they rehire Chelsea. Such criticisms have spilled over to their drinks and food posts. The end result from a mere photograph is that the identities of both Chelsea and Alois are known, the Internet is familiar with what they look like, where they live and worked, and that even restaurant receipts are scrutinized.
There are only three cases in Minnesota and the 8th Circuit that specifically mention EXIF data in the last ten years, and they involve child pornography. Two of the most recent cases that even mention EXIF by name, U.S. v. Lemke (2008 WL 4999246) and U.S. v. Hager (2011 WL 3862072), are unpublished opinions. Those cases did not describe privacy in detail. Lemke did not discuss EXIF data outside of its ability to identify the make and model of a camera. Hager ruled that the lack of EXIF data on a photograph did not make a difference in a warranted search “for evidence of crimes,” and notes that the EXIF data does not identify the serial number of the camera, which is wrong: there are websites that use the EXIF data to identify pictures taken by stolen cameras based on prior photos. In none of these cases were cellphone data used, nor has the court discussed the privacy implications they pose, especially in such an unsavory context.
Although courts have begun to discuss the Constitutionality of tracking devices thanks to U.S. v. Jones, the ability of our own devices to betray our positions is currently overlooked. There has been no major regulation, at least in Minnesota, for websites to scrub EXIF data of GPS locations or for device manufacturers to notify their users what data accompanies a photograph.
I'm not particularly tech savvy--is this kind of metadata available to any viewer of your photos? For example, if you post a cell phone selfie on Facebook, can all of your friends access that metadata or would they need to have physical access to your phone? The linked source suggests that such metadata may be retained by photo storage sites, but doesn't specify whether it is accessible to other users.
This distinction matters because we could control this privacy risk by regulating collection and retention of such data, but since it appears to be useful in at least some contexts, regulating access to it might be a better choice.
The inclusion of metadata facilitates this type of identification but isn't required by any means. You can use the variable intensity of the photoreceptors in the camera to provide a match between photographs. This could be scrubbed with a suitable database of control photos (or at least minimized with a noise layer addition) but that certainly isn't within the purview of the typical camera user.
Pari, this data, assuming it's not scrubbed out (In your selfie picture, people won't know, since Facebook strips it: http://www.windowsitpro.com/blog/security-blog-12/socialmedia/facebook-handles-image-exif-data-141543#/0), can be accessed without needing access to your phone or materials. The video I linked had a guy who was able to program and figure out the metadata without access to the celebrities' phones or cameras.
EDN: I suppose figuring out the location through that technique has some uses, but IMHO the bigger concern is the accurate time stamps that also come with it. I doubt picture comparisons will be this sophisticated, though: http://www.youtube.com/watch?v=KUFkb0d1kbU