Is There a Major Security Hole in Flickr’s New “Geo-Fences” Feature?


Today Flickr rolled out its latest feature, “geofences.” Essentially, a geofence lets you draw a boundary around a location and set a privacy level for who is allowed to see the geolocation data on photos taken inside it, hiding that data from everyone else.

So, for instance, if you want to geotag where you live, where your kids go to school, or other sensitive locations, you can in theory feel comfortable doing so, as long as you put up a “geofence” restricting who has access to that geolocation data on Flickr.

For the most part, the new feature works as advertised. I tested it today by restricting the geolocation information on this photo of mine in Boston, which I had previously geotagged.

After I created a geofence around this location, Flickr asked whether I wanted to apply it only to photos going forward, or also to images I had already geotagged. I told Flickr to apply the setting to all of my past and future photos, which included a thumbnail of the photo linked above. So now when you go to that photo on Flickr, the geotag is indeed gone from the photo page.

Except that there is one pretty major security hole.

Although the geotag is indeed pulled from the Flickr photo page, ANYONE can potentially still get your geolocation data simply by downloading the original-sized file and looking at its EXIF data.

This only seems to apply to images that were geotagged at the file level (i.e. by you, or by your camera or phone) and not to photos geotagged using Flickr’s own map. Still, with cell phones and software that auto-geotag everything, you could easily be lulled into a false sense of security on Flickr when you should not be.

All anyone has to do is right-click and download your original-sized photo (Flickr won’t let you disable original-sized downloads if you use a Creative Commons license), open that file in Photoshop, go to the “File Info” menu, and look at the EXIF data. The geolocation data is still right there, even though the photo was taken at a location you had put inside your geofence.

To test this, on the geofenced image of mine above I set it so that only my account could see the geolocation. Next I logged into another Flickr account of mine, went to the original size of the file, right-clicked and saved it to my hard drive. I then opened the image in Photoshop, following the steps above, and pulled the geolocation data out of the file, as shown in the screenshot above.

How could Flickr fix this pretty serious hole in the new feature? One way would be to strip the geolocation data from a photo’s EXIF when the photo is in a geofence and is downloaded by anyone but you. If they don’t want to do that, they really should at least include some sort of disclaimer with the new feature: even if a photo of yours is in a geofence, people may still be able to get its location simply by downloading the file.
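As an added example (not part of the original post, and not Flickr’s own code), the following Python script does in code what the Photoshop “File Info” check above does by hand, and also shows the fix suggested in the previous paragraph: it parses the Exif APP1 segment of a JPEG, pulls latitude and longitude out of the GPS IFD, and then rewrites the file with that segment dropped so the same check comes back empty. The sample JPEG is constructed inline (a stub with no image data) and the coordinates are made up; the tag layout, offsets and coordinates are assumptions, not taken from the author’s photo.

```python
import struct

# --- Constructed sample: a stub JPEG (SOI + Exif APP1 + EOI) whose only payload is GPS EXIF.
# The fixed offsets (IFD0 at 8, GPS IFD at 26, rationals at 80/104) are an assumption of this
# example; real camera files carry many more tags, thumbnails and the actual image data.

def _rational(num, den):
    return struct.pack("<II", num, den)

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    ifd0 = (struct.pack("<H", 1)
            + struct.pack("<HHII", 0x8825, 4, 1, 26)      # GPSInfo IFD pointer -> offset 26
            + struct.pack("<I", 0))                       # no next IFD
    gps_entries = [
        struct.pack("<HHI4s", 0x0001, 2, 2, lat_ref.encode() + b"\0\0"),  # GPSLatitudeRef, ASCII inline
        struct.pack("<HHII", 0x0002, 5, 3, 80),                            # GPSLatitude, 3 RATIONALs at 80
        struct.pack("<HHI4s", 0x0003, 2, 2, lon_ref.encode() + b"\0\0"),  # GPSLongitudeRef
        struct.pack("<HHII", 0x0004, 5, 3, 104),                           # GPSLongitude, 3 RATIONALs at 104
    ]
    gps_ifd = struct.pack("<H", len(gps_entries)) + b"".join(gps_entries) + struct.pack("<I", 0)
    rationals = (b"".join(_rational(v, 1) for v in lat_dms)
                 + b"".join(_rational(v, 1) for v in lon_dms))
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps_ifd + rationals   # little-endian TIFF header
    payload = b"Exif\0\0" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"

def iter_segments(jpeg):
    """Yield (marker, payload) for each length-prefixed segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI or SOS: metadata segments are over
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length

def _read_ifd(tiff, offset, e):
    count = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", tiff[base:base + 8])
        entries[tag] = (typ, n, tiff[base + 8:base + 12])   # raw 4-byte value-or-offset field
    return entries

def _rationals(tiff, raw, n, e):
    off = struct.unpack(e + "I", raw)[0]
    return [struct.unpack(e + "II", tiff[off + 8 * i:off + 8 * i + 8]) for i in range(n)]

def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if there is none."""
    for marker, payload in iter_segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        e = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        if 0x8825 not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[0x8825][2])[0], e)
        if not {1, 2, 3, 4} <= gps.keys():
            return None
        def dms(tag):   # degrees, minutes, seconds -> decimal degrees
            parts = _rationals(tiff, gps[tag][2], gps[tag][1], e)
            return sum((num / den if den else 0.0) / 60 ** i for i, (num, den) in enumerate(parts))
        lat = dms(2) * (-1 if gps[1][2][:1] == b"S" else 1)
        lon = dms(4) * (-1 if gps[3][2][:1] == b"W" else 1)
        return lat, lon
    return None

def strip_exif(jpeg):
    """The fix: drop every APP1 Exif segment, copy everything else (including scan data) through."""
    out = bytearray(jpeg[:2])
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos:pos + 2 + length]
        if not (jpeg[pos + 1] == 0xE1 and seg[4:10] == b"Exif\0\0"):
            out += seg
        pos += 2 + length
    out += jpeg[pos:]                          # SOS onwards: entropy-coded data and EOI
    return bytes(out)

# Constructed sample fix (made-up coordinates in the Boston area): 42 21' 29" N, 71 03' 49" W
SAMPLE = build_sample_jpeg((42, 21, 29), "N", (71, 3, 49), "W")

if __name__ == "__main__":
    print("before strip:", extract_gps(SAMPLE))
    print("after strip: ", extract_gps(strip_exif(SAMPLE)))
```

The parser stops at the SOS marker on purpose: anything that can carry metadata sits before the scan data, so a server-side strip only has to rewrite the header segments and can copy the image bytes through untouched, which is the cheap, lossless variant of the fix proposed above.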

Although it takes a little bit of work to get the geolocation data out of a photo in a geofence, it would be unfortunate if someone were lulled into a false sense of security and uploaded photos to Flickr thinking the location data was safe because of the geofence, when in fact it was not.

There is a forum page Flickr has set up to discuss this new feature, but I can’t post about this flaw there because I’ve been permanently banned from Flickr’s Help Forum. Go figure.

Update: Apparently Flickr does have some language on one of the pages in the feature settings warning about this. It was up and to the left and I missed it when I set my geofence up. I think a lot of other people will miss it as well. It reads, in part, “If you upload a photo with geo data, that info will be embedded in the EXIF data of the original file.”

Given that a lot of people on Flickr have no idea what EXIF data even is, Flickr should be clearer about this than they are.

Also this disclaimer was not mentioned anywhere in the original blog post which highlighted sharing very sensitive geolocational data (where you live and where your kids go to school) — it should have been. To have it buried on a settings page is not good enough.

In fact, if you are using a geofence on a photo and the geolocation data is still easily accessible by downloading the file, I’d suggest Flickr put a small disclaimer under the map on the photo page (the map that you can still see but others can’t) reading something like: “This photo is in a geofence, which means that you can see its location but others cannot. Others can, however, still download your file and view the location data.”

This way people would be warned right there on the photo page. It is very likely that people will set up a geofence, miss the original disclaimer, and then two months later upload a photo from their iPhone (the number one camera on Flickr) thinking they are safe when they are not.

Finally, it sucks that Flickr will not let you hide your original file (and the geolocation data embedded in it) if you are using a Creative Commons license. At present the only way to hide your original file on Flickr is to change your licensing to all rights reserved and then prohibit the downloading of originals. Flickr should allow people who use Creative Commons licenses to restrict the downloading of their original files too, or at a minimum restrict the downloading of any originals that are in geofences.

20 comments on “Is There a Major Security Hole in Flickr’s New “Geo-Fences” Feature?”
  1. Teri Bidwell says:

    Trouble is, maybe the photo has a stego message in it that overwrites exif headers. Or maybe you’re passing critical information in exif other than geolocation. If you give Flickr permission to edit your photo, you can’t guarantee authenticity any more. Since watermarks are a form of steganography, giving Flickr permission to edit your photo could possibly muck with watermarks that ensure your copyrights.

    As I said in an earlier post, the correct implementation is to give the originator of the photo control over whether or not the geoloc goes into the exif in the first place. To do this requires new cameras that are gps capable, not websites that can’t possibly do what is required.

  2. Thomas Hawk says:

    Teri, maybe, but the example flickr uses on their blog is where you live and where your kid goes to school. And this still doesn’t change the fact that you might think this information is protected when in fact it really is not.

  3. Drew says:

    How did Flickr’s old geotagging system handle EXIF data?

    Seems to me that this isn’t as much a “Major Security Hole” as much as it is a lesson that Flickr doesn’t affect the photo’s original EXIF data.

  4. Thomas Hawk says:

    Drew, flickr’s old geotagging system would automatically import EXIF geotags, and then show them on the map on flickr on the photo page.

    Now when you put it in a geofence, it removes that map on the photo page generated by your EXIF data, except that by simply right-clicking and downloading the original file you can still get it from the file’s geolocational data, in a file that anyone can download on the internet.

    I think that there is a chance that people might assume that because they put a geo fence on a location (like their home or where their kid goes to school, like the flickr blog suggests) and because it’s no longer on a map on the photo page, that people won’t be able to get that location — when in fact it’s super easy to still get that location as long as their photo was geotagged automatically by their phone or other software or device.

  5. Kenton says:

    Thomas, I posted a question to the forum page, so we’ll see if they answer.

  6. Thomas Hawk says:

    Thanks Kenton. Nice to see that you’re not banned and blacklisted from the forum like I am.

  7. Drew says:

    Yeah, I hear you. Maybe the solution is something as simple as a notification that Flickr doesn’t strip or alter the original EXIF data in any way (even if it includes Geo-data).

    I wonder if this could potentially open a whole other can of worms on the other end of things. I can’t imagine people would look too fondly on Flickr altering file info in any way, but maybe not.

  8. I think I will stick with omitting the geotagging stuff on photos I take from home etc. No security hole that way.

  9. Seneschal says:

    This ‘feature’ is a non-feature.

    It’s like getting tinted windows for your car… then if anyone downloaded the windows they could see into your car.

    OK, so I’m struggling in the analogy department today.

    Bad analogies are like chicken soup, once you pop you can’t stop.

    Damn, that’s one more bad analogy.

    I’ll just quit while I am a head.

  10. Clearlight says:

    Is this more stuff about the photo sharing wars?

  11. Nerxual Oh says:

    I’ll make sure they are notified of this. It’s kinda dumb that they banned you for trying to help out. They probably banned you because it’s bad for their business, but it’s really their own fault for mistakes on the site. :/

  12. It has always been the case that you can get the EXIF information from the original, if you made the original available. This is the way EXIF data works anywhere on the web and is not related to Geofences.

    We never touch the original file you upload so if EXIF data is embedded in the file we can’t modify the file to take it out. When you choose to not show your location we make sure it doesn’t show on any part of the site and even strip it out on the photo detail page that shows EXIF.

    But it still may be in the file at times. This is an issue we had thought about and already included a message on the geo preferences page to help educate Flickr members, "Please note: If you upload a photo with geo data, that info will be embedded in the EXIF data of the original file. If you don’t want people to have access to this information, you should restrict who can download your originals."

    After considering a few options we decided that educating people on this was the best way to handle it. We have always put a lot of thought into the privacy options on Flickr to make them detailed but still simple. Including notes to help members understand how all of these concepts work together but still give them all the flexibility they get on Flickr is a part of continuing on that same methodology.

  13. Sorry forgot to note, I work at Flickr

  14. Thomas Hawk says:

    Nerxual, the banning me from the Help forum thing is really more of a petty and personal thing that Flickr staff likes to lord over me.

    It’s counterproductive.

    I asked Zack about it twice yesterday on a blog post when he commented here on my blog but he refuses to address it.

    I’ve also asked to be unbanned privately, in correspondence between myself and flickr staff, and they refused and will not provide me any actual reason as to why I’m banned.

    It’s more of a fun thing for them to abuse one of their photographers who has been critical of some of their practices in the past than anything. It’s sad that Yahoo management supports that sort of behavior and poor customer service.

  15. Thomas Hawk says:

    Zack,

    Do you think it’s possible that someone could miss that disclaimer in your settings? I know I did. Do most of your users know what EXIF data even is?

    Especially since someone could create the geofence and then months later upload a photo from their iPhone thinking that they were protected when they are not, wouldn’t it make sense to also warn them on the geotag on their photo (that only they could see)? Some language to the effect that I suggested above, reading something like: “this photo is in a geo fence, which means that you can see its location, but others cannot; others still can, however, download your file and view the location data.”

    The use cases that you used on the flickr blog were of pretty sensitive locations, where people live and where their kids go to school. Wouldn’t the more responsible thing to have done have been to mention this important fact in the blog post itself?

    Also, as you know, anyone who is licensing their photos as Creative Commons cannot restrict their files from being downloaded unless they change their license to “all rights reserved.” This sort of sucks. You should at least let them restrict download on Creative Commons licensed photos that they have in a geofence. There’s no reason why someone should be forced to change their license on a photo simply to hide the geolocational data if they so choose.

    Finally, how about you stop dodging the question that I asked you twice when *you* commented on my blog post yesterday and explain to me why I’m permanently banned from the help forum. Step up as a community manager and take some responsibility for your decisions rather than try to hide from that question. Transparency is not something to be feared.

  16. Brian says:

    I like this new feature. I always had to set my default on geo location sharing to “Family Only” then go and batch change all of my non-home photos to public. I would even go so far as to log out and check my house on a flickr map to see if I had inadvertently added some in by mistake. I don’t geo tag till I get into Flickr at this point so it’s not embedded in my exif data anyway, plus I do leave my photos all rights reserved so the originals aren’t available. This way, I can be more open with my geo location and set my default to anyone (which is probably the primary intended effect that Flickr was trying to achieve, get more Publicly available geo tagged photos) and not have to do all the leg work I used to do. Now I can just set it and forget it just like Ron Popeil. I agree that some might miss the disclaimer, but to be honest, you could have increased the font 8 times and made it bright red and there still would be people that would miss the disclaimer.

  17. sirshannon says:

    “flickr won’t let you disable original sized photo downloading if you use a creative commons license”

    As far as I know, Flickr won’t let you disable original sized viewing or downloading unless you disable all downloading IF you have a “pro” account. The only way to avoid original size photo viewing is to not have a “pro” account. If you have a “pro” account, the only way to avoid original size photo downloading is to turn off all downloading. I actually canceled my first flickr “pro” account because of this.

    Did they change this?

  18. Dean says:

    It’s interesting to read such a spin dictated by motivated reasoning.

  19. Richard says:

    storm + teacup.

  20. Frank says:

    I wonder if they’ve applied a patch which has somehow messed things up. Prior to Labor Day weekend I was able to look at maps off pool photos. This past weekend maps of pool photos were blank.