Is There a Major Security Hole in Flickr’s New “Geo-Fences” Feature?
Today Flickr rolled out their latest new feature called “geofences.” Essentially the feature allows you to hide the geolocational data on some of your photos and creates a privacy setting for who will be allowed to view it.
So, for instance, if you want to go ahead and geotag where you live, or where your kids go to school, or other sensitive information, you can theoretically feel comfortable doing that — as long as you put up a “geofence” restricting who has access to this sensitive geolocational data on Flickr.
For the most part the new feature works as advertised. I tested it out today by restricting the geolocational information on this photo of mine in Boston, which I had previously geotagged.
After creating a geo fence around this location, Flickr asked me if I wanted to apply it only to photos going forward, or also to images that I’d already geotagged. I told flickr to go ahead and apply this setting to all of my past and future photos — which included a thumbnail of the photo I linked. So now when you go to this photo on flickr, indeed, the geotag seems to be removed from the photo page for the image.
Except that there is one pretty major security hole.
Although the geotag information is indeed pulled from the flickr photo page, ANYONE can potentially still get your geolocational data simply by downloading the original sized file and looking into the EXIF data.
This only seems to apply to images that were geotagged at the file level (i.e. by you or your device/phone, etc.) and not photos geotagged using flickr — but still, with cell phones and software that auto geotag things, you could easily be lulled into a false sense of security on Flickr when you should not be.
All anyone has to do is simply right click and download your original sized photo (flickr won’t let you disable original sized photo downloading if you use a creative commons license), open that file in Photoshop, go to the “File Info” menu, and look into the EXIF data; the geolocational data is still right there — even though this file came from a location that you’d put in your geofence.
To test this, on the above geo fenced image of mine I set it so that only my account could see the geolocation. Next I logged into another Flickr account of mine, went to the original size of the file, right clicked and saved it to my hard drive. I then opened up the image in Photoshop using the commands above to get the geolocational information from the file as evidenced in the screenshot above.
How could flickr fix this pretty serious security hole in their new feature? One way would be to strip the geolocational data from a photo’s EXIF data when it’s in a geofence and downloaded by anyone but you — but if they don’t want to do that, they really should probably include some sort of disclaimer with this new feature that even if a photo of yours is in a geofence, people still may be able to get the location on the photo simply by downloading the file.
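The two halves of the problem described above, checking whether an original file still carries a GPS IFD in its Exif block and stripping that block before upload, as an added example in Python (not Flickr’s code and not from the original post). The sample JPEG is constructed inline with no pixel data, only the Exif structure a phone would write, so the script runs offline on standard library alone:

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825  # IFD0 tag that points at the GPS IFD (GPSInfoIFDPointer)

def _tiff_has_gps_ifd(tiff: bytes) -> bool:
    """True if IFD0 of an Exif TIFF block carries a GPSInfo pointer (tag 0x8825)."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8 or struct.unpack(endian + "H", tiff[2:4])[0] != 42:
        return False
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0] if ifd0 + 2 <= len(tiff) else 0
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i: ifd0 + 14 + 12 * i]
        if len(entry) == 12 and struct.unpack(endian + "H", entry[:2])[0] == GPS_IFD_POINTER:
            return True
    return False

def _segments(jpeg: bytes):
    """Yield (marker, start, end) for each marker segment before the scan data (SOS) or EOI."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def _is_exif(jpeg: bytes, marker: int, start: int) -> bool:
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER

def has_gps(jpeg: bytes) -> bool:
    """True when the file's Exif block contains a GPS IFD: the data a geofence does not remove from the original."""
    return any(_tiff_has_gps_ifd(jpeg[s + 10:e]) for m, s, e in _segments(jpeg) if _is_exif(jpeg, m, s))

def strip_exif(jpeg: bytes) -> bytes:
    """Drop every Exif APP1 segment (GPS included) while keeping all other segments and the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
        pos = end
    return bytes(out + jpeg[pos:])

def sample_geotagged_jpeg() -> bytes:
    """Constructed stand-in for a phone photo: SOI, Exif APP1 whose IFD0 points at a GPS IFD, EOI (no pixels)."""
    ifd0 = struct.pack("<HHHII", 1, GPS_IFD_POINTER, 4, 1, 26) + b"\0\0\0\0"  # one entry -> GPS IFD at offset 26
    gps = struct.pack("<HHHI4s", 1, 0x0001, 2, 2, b"N\0\0\0") + b"\0\0\0\0"    # GPSLatitudeRef = "N"
    body = EXIF_HEADER + b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

if __name__ == "__main__":
    photo = sample_geotagged_jpeg()
    print("GPS in original:", has_gps(photo))               # what anyone downloading the original sees
    print("GPS after strip:", has_gps(strip_exif(photo)))   # what is left if the Exif block is removed first
```

Run `has_gps` over a real original before uploading it; if it returns True, the geofence on the photo page will not hide that location from anyone who downloads the file.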
Although it takes a little bit of work to get the geolocational data from a photo in a geofence, it would be unfortunate if someone were lulled into a false sense of security and uploaded photos to flickr, thinking that the location data was safe because of the flickr geofence, when it was in fact not.
There is a forum where flickr has set up a page to discuss this new feature, but I can’t post about this security flaw there because I’ve been permanently banned from Flickr’s Help Forum. Go figure.
Update: Apparently Flickr does have some language on one of the pages in the feature settings warning about this. It was up and to the left and I missed it when I set my geofence up. I think a lot of other people will miss it as well. It reads, in part, “If you upload a photo with geo data, that info will be embedded in the EXIF data of the original file.”
Given that a lot of people on Flickr have no idea what EXIF data even means, Flickr should be more clear about this than they are.
Also this disclaimer was not mentioned anywhere in the original blog post which highlighted sharing very sensitive geolocational data (where you live and where your kids go to school) — it should have been. To have it buried on a settings page is not good enough.
In fact, if you are using a geofence on a photo and the geolocational data is still easily accessible by downloading the file, in these cases I’d suggest flickr put a small disclaimer under the map on the photo page (that you can still see but others can’t) that reads: “This photo is in a geo fence, which means that you can see its location but others cannot. Others can still, however, download your file and view the location data.”
This way people would be warned right there on the photo page. It would be very likely that people could set up a geofence, miss the original disclaimer, and then two months later upload a photo from their iPhone (the number one camera on flickr) thinking that they were safe when they were not.
Finally, it sucks that Flickr will not let you opt out of hiding your embedded geolocational data on your file if you are using a Creative Commons license. At present the only way to hide your original file (with this geolocational data) on flickr is to change your licensing to all rights reserved and then prohibit the downloading of original files. Flickr should allow people who use Creative Commons licenses to also restrict the downloading of their original files, or at a minimum restrict the downloading of any of their original files that are in geofences.