August 11, 2010

EXIF information from digital cameras

Digital cameras are a huge boon to consumers and professionals alike, not least because of the privacy they offer. Photographers no longer have to choose between chemically developing the film themselves, or outsourcing it to some minimum-wage type who might call the police about photos of your grandchild. But there are still a few secrets to digital photography that the privacy-aware should know.

Digital cameras usually store extra, "hidden" text metainformation in the digital pictures they take. The metadata specification for JPEG and TIFF files is EXIF. This isn't inherently nefarious: this information is kept as a record of the camera settings at the time of the photo, and is used by some image-manipulation programs like Photoshop. However, a photograph of your family members, home, current location, or assets could leak sensitive information without your knowledge.

For example, here is the EXIF information from a potentially sensitive JPG file, obtained with jhead:

File name : pchsat1.jpg
File size : 3168150 bytes
File date : 2010:04:26 09:52:36
Camera make : SONY
Camera model : DSC-V3
Date/Time : 2010:04:24 15:30:51
Resolution : 3072 x 2304
Flash used : No
Focal length : 7.0mm
Exposure time: 0.0025 s (1/400)
Aperture : f/8.0
ISO equiv. : 100
Whitebalance : Auto
Metering Mode: matrix
Exposure : program (auto)

Note the time, 3:30:51 p.m. on April 24th, 2010, and the camera model: Sony DSC-V3. This is just an example of the most basic EXIF metadata found in digital photos. jhead is public domain software and works on Windows command line, MacOS X, Linux, FreeBSD and other versions of Unix.

I originally came across the EXIF specification when I noticed that Wikipedia was automatically reading and storing photo metadata from uploaded photographs.

Some of the most sensitive data revealed is the DateTime of the exposure, the camera model used, and especially any embedded GPS location recorded by the camera at the time of the photograph, if present. Some professional-grade cameras may even include the camera serial number in the EXIF metadata. The biggest potential privacy threat is that Google and other web organizations will data mine time and location data from EXIF fields of photos published on social networking sites.

The shareware-licensed Windows program JPEG Japery can strip and modify EXIF information from JPeg files.

September 25, 2009

Oligarch's yacht uses laser defenses against passive optical spying

Billionaire Russian oligarch Roman Abramovich is known for the measures he takes to protect his privacy. Like Michael Dell, the interiors of his homes and vehicles aren't photographed.

The Times reports that Abramovich's 170 meter yacht M/Y Eclipse, currently undergoing shakedown cruises, has been fitted with a state-of-the-art optics countermeasure system:

Infrared lasers detect the electronic light sensors in nearby cameras, known as charge-coupled devices. When the system detects such a device, it fires a focused beam of light at the camera, disrupting its ability to record a digital image.

Although this report says a digital camera's CCDs are detected, it seems likely that this is instead an active optics detector. An optics detector works by emitting a brief laser pulse and then waiting for any glint from reflected optics. In this case, the system then targets a laser on the hostile lenses, flooding them with light and rendering the viewing optics ineffective.

If this system indeed detects optics and not just camera CCDs, then all optics would be flared with laser light, including binoculars, telescopes, and film cameras lacking digital Charged-Coupled Devices.

Wired speculates on the legality of this system under British law:

UK photo magazine Amateur Photographer asked a London lawyer about the legalities of destroying photos from afar. Here’s what he said: "intermeddling with goods belonging to someone else, or altering their condition, is a trespass to goods and will entitle the photographer to claim compensation without having to prove loss."

Defense against optical surveillance isn't the Russian businessman's only concern: M/Y Eclipse is also fitted with armor plate, bullet-resistant glass and a missile defense system.

August 21, 2009

Facebook Privacy Guide

Erudite tech site Ars Technica has published a short reference to Facebook privacy features:
Many users are aware that Facebook has numerous privacy controls, for example, but even the most experienced Facebook users often don't know just how much they can control who sees what. For instance, did you know that you can specify exactly who can see your status updates, down to different groups of friends (not just "friends" versus "everyone")? What about controlling which groups of people can even find you in a Facebook search to begin with?

April 21, 2009

Data mine online profiles with one keypress

Glenn Jones' Identify Firefox browser plugin uses Google's Social Graph API to correlate identities between social networking and media-sharing sites. Says ReadWriteWeb:
Jones's tool is a Firefox plug-in you can evoke from any web page that has links tagged rel="me". Just click the control key and the "i" key to get a pop-up offering information put together from all around the web about the person the page is associated with. It works on Twitter profile pages, LinkedIn pages, blogs with good markup and other profile pages.

The data that gets displayed can be frightening if you've exposed more information about yourself than you'd like on a rel="me" linked page.

Explicit is the potential for data mining personally identifiable information online:
The tool is clearly very useful as a way to learn more about people whose usernames you come across online.

April 18, 2009

You may be a Canadian citizen. Then again, you may not...

The WSJ reports that an amendment to Canada's Citzenship Act automatically restores nationality to many children of Canadian citizens forced to renounce it or born outside the country, and to their children's children:
Eligible individuals automatically become Canadian citizens. But they don't get proof of that citizenship unless they apply for it, meaning other countries -- including those that allow people to be citizens of only one nation -- won't be alerted, according to the immigration office spokeswoman. Those people also may renounce their citizenship rights, she said.

The citizenship bonanza is the byproduct of a decades-long struggle by a motley group of people who claim they were unfairly denied or lost their Canadian nationality. Canadian families who crossed the border in 1947 to 1977 to have their babies in a U.S. hospital found those children weren't recognized as Canadians unless the families registered them with the government. Some foreign brides of Canadian World War II servicemen lost their citizenship if they stayed out of the country for a decade or more.

Then there are the Canadian Mennonites who moved to Mexico in the 1920s to the 1960s. When their children and grandchildren returned to Canada, many found their nationality unclear.

Some such cases languished in litigation for years. Others surfaced in 2007, when new U.S. rules requiring passports for travel between Canada and the U.S. uncovered significant numbers of people who thought they were Canadian, but weren't.

April 5, 2008

Magstripe Bandits

Jack Dunning says the mail-order companies are really in the business of selling your personal information. Their partners in crime are credit agencies, and with the power of a card swipe they tie it all into a neat little package to be sold at a high markup:

She even gives a blueprint of how to pull off the caper. You lift the information from the magnetic strip on the back of the card, which normally includes the card holder’s name and address. Then, proceed to the third party data service -- which Experian provides -- to append the extra juicy stuff like your age, income, occupation, education, home value, and the list goes on and on. They even know if you gamble, drink, smoke and have your medical ailments and prescriptions taken.

The first rule of personal privacy: use cash. The second rule of personal privacy: USE CASH.

March 1, 2008

Defeat infrared surveillance cameras

A German arts group is publicizing a technique to defeat surveillance cameras that can see in the infrared range by overwhelming their arrays with infrared light from IR LEDs mounted on a headband or hat.

According to commenters, this technique would work best against low-light surveillance cameras with particular sensitivity in the infrared range, optimized for low-light situations.

Many cameras have sensitivity into the IR but wouldn't be so easily overwhelmed by the brighter infrared LEDs.

Security Insider claims this technique would only work intermittently against cheap CCTV cameras:
I can tell you that this may work for a second or two on cameras that have a cut filter (that's the real name for "IR sensitive" cameras), but all that is really going to happen is your face will get illuminated in between the frames that are actually "flared" out by the light. Also, you're more likely to be noticed doing this due to the motion detection alarms going off due to the large pixel change. You would be much better off with a laser, than an LED. We've been doing these type of tricks for years in the lab to try to trick the cameras. Anymore, its not the cameras you need to trick, but the intelligent video algorithms that are going to pick up on the anomaly and register it as an event. Oh, one more thing. Don't even try to attempt this during the daytime. Like another poster said, the cut filter doesn't activate until a timer either trips it (set on a schedule) or a preset low lux threshhold is met. (it gets dark). Even then many cameras these days have dynamic range circuits that will tame the bright spots and highlight the dark spots. Look up some Pelco, Panasonic, or Sony cctv specs for more info.