How Exif Data in Your Photos Impacts Your Privacy

When is a picture worth more than a thousand words?  When it contains hidden data that is transferred within the picture file you just emailed unsecurely or shared with the world on Google+.  Exif, which stands for exchangeable image file format, is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners and other systems handling image and sound files recorded by digital cameras.

Exif data contains a number of metadata tags about the photo such as the date and time it was taken, make and model of the camera, various camera settings and other information including GPS information.  The GPS information is the most disturbing part from a privacy perspective.  If you take a photo inside your home and upload it to Google+ someone trying to dox you can instantly determine where you live by simply looking at the GPS coordinates embedded in the photo you uploaded.  Not all cameras record GPS data and some cameras record more exif data than others, but all modern cameras record at least some exif data with each photo taken.  This data follows your photo around, unless you actively take steps to remove it before the photo is uploaded to the internet.

Various social media sites treat exif data differently.  Facebook resizes and compresses photos uploaded to its servers and removes some of the associated exif data.  So does Twitter.  Google+ on the other hand, leaves all of the exif data intact and available for viewing by anyone who has access.

Here is a sample photo I found on the internet that contains a substantial amount of exif data:

You can download this photo to your computer to examine the exif data or you can use various online tools.  If you download it to your computer, you can go to file manager, right click on the photo, select properties and click on the details tab.

If you are browsing the internet and you want to see the exif data without downloading the photo, you can go to a number of online sites, like exifdata.com, which will analyze the photo for you and report the exif data.

If you right click on the photo you want to research and select 'Copy Link Address' or 'Copy Image URL' you can paste it into the 'Submit an image URL' box here:

When we submit that URL, the site returns a significant amount of metadata information related to this photograph:

You can see the photo that was analyzed and some summary information, including where the photo was taken.  If you click on the 'detailed' button, there is even more information about this photo.

That photo you thought was just a picture of you and your family actually tells an entire story that cannot be seen by viewing the photo.

Next week, I will discuss how to remove exif data from your photos.

How To Keep Yourself From Being Doxxed

Yesterday, I discussed some internet resources people use to dox others.  If you recall from yesterday's post, doxxing someone means to 'document' what you can find on the internet about someone and build a dossier on them.

Privacy Action Plan (PAP) - How to Keep Yourself from Being Doxxed
PRS - Level 3

The number one way to keep yourself from being doxxed on the internet is to keep your personal information private.  Whether you are playing online games with anonymous friends or watching youtube videos with friends on tinychat,  you should always limit the personal information you share with people unless you know them well enough to feel comfortable giving them your information.  Even little bits of information, which by themselves may not dox you, can dox you when put these pieces together with other information.  Some people like the challenge of building a dox on another person and will gather the seemingly innocuous things you say together over a period of months to build a dox on you.

Use pseudonyms for every site you register on.  There are no laws that require that you need to use your real name on any site.  If you need to make an email to register, try yandex.com, which allows you to create an email address without providing an identifying information.  While it may be against the site Terms of Service to use a fake name on Facebook, it isn't illegal to do so.  And you should if you want to avoid being doxxed.  Take care in choosing an alias.  Using the fake name 'gameplayer' is far less revealing than something like James1984 if your name is James and you were born in 1984.  James1984 in and of itself isn't going to reveal much about you, but as you talk to people and they learn little bits and pieces about you, this information will become useful in a dox.  In fact, even just your IP address and James1984 would narrow down who you are to just a few possibilities without you saying anything.  If you want to use a real sounding but totally fake name and address, try fakenamegenerator.com.

Use proxies and VPNs (virtual private networks) to hide your IP address.  I am going to have a future post on proxies and VPN's but for now I will summarize.  Proxies and VPN's allow you to browse the internet with a high level of anonymity.  The proxy acts like a shield between your computer and the internet.  Your computer communicates with the proxy server, which goes out and fetches your data and sends it back to you, (typically communications are sent from your computer and received back to you in encrypted form).  There are an abundance of free proxy server choices out there.  For simple proxies suitable for web viewing, try hidemyass.com or look for another at proxy.org.  VPN's are a bit more complex but offer even greater protection.

Remove all exif data from any photos you upload to the internet.  Tomorrow, I will discuss exactly what exif data is, how it can be used to dox you and how it can be removed from your photographs.

What is Doxxing?

You may have never heard the word doxxing, but doxxing is something that has been done, in one form or another, since the first person on the planet learned that someone else is here with them.  There are various definitions on the internet of precisely what this term means, but in summary it means to 'document' what you can find on the internet about someone and build a dossier on them.  Some people take this a step further and publicly reveal what they have learned as part of the doxxing process.  What used to take a private investigator weeks of visiting courthouses and libraries, can be done in minutes using the internet.

In its simplest form, a doxxer might learn of your email address from an innocuous post and trace your email to your real name and address.  In more complex cases, they may be able to dox your family members, learn your medical history, criminal record, education levels and even salaries.  None of this is against the law.  Even publishing this information is legal if all of it was obtained from legal sources (ie - not obtained from stealing someone's password and getting into their Facebook account or hacking into their credit card account, email accounts, etc).  Try using these sites to dox yourself by typing in your name and city or your username (any site will do) or email address and learn what anyone can find out about you.

There are multiple websites you can use to dox someone using various bits and pieces of information you may have obtained about someone and all of them are free:

If someone has sent you an email, you can find out their IP address (Internet protocol address) using helpful information from this site:
http://aruljohn.com/info/howtofindipaddress/.  IP addresses are helpful when performing a dox because you can learn the general area where the person you are doxxing lives (Click here to learn your IP address and associated location data or to search the IP address of someone you know).  An IP address, which works much like a street address used by the postal service, is simply the address of your computer on the internet.  Having an IP address of the person you are doxxing can eliminate 99.99% of the geographical area of the world, though it will not reveal the exact location of the person.  Also, having the ability to decipher an IP address is a great tool if you are receiving emails from multiple accounts claiming to be different people.  You can check their email IP's to know if they are being sent from the same IP, and are thus the same person.

If you don't have an email from the person you are trying to dox, but you are in contact with them in a chat room, forum or IRC, you can use this site if you are clever enough to get the person you are doxxing to click on the link the site provides.  After they click on the link, their IP address is emailed to you (it's free, but your email address is required).

Perhaps one of the best ways to dox someone is through the social media site Facebook.  There is an enormous amount of information on Facebook and Facebook's default settings tend to make everything a user posts public unless a user takes action to increase their privacy.  So even if you aren't friends with someone, you may still be able to glean a significant amount of information from what is available 'publicly' without being friends.

Linkedin.com is another great one for finding people's career history and professional credentials.  It can also be used to determine if you and the person you are doxxing know some of the same people (up to 3 degrees of separation).  Both Facebook and LinkedIn will require you to set up an account in order to access any information.

Pipl.com has accumulated significant amounts of information on millions of people.  When doxxing people, if you have usernames, email addresses or real names, try this site first as they will present multiple options to you as to who you might be looking for.  Often, the person you are looking for is on the pipl.com list.

You can also try typing any information you have about someone into google.com, which can yield surprisingly detailed results.  Another good one is people.yahoo.com.

Spokeo.com gathers similar information to the ones above and even includes some ancestry information.  They say they have more information if you buy a subscription, though I have not tried this.

Zabasearch.com is good for verifying information you have about a specific person to know you are on target during your dox work.  Let's say you are looking for the phone number of John Smith in Anyplace, CA and you know Mr. Smith was born in November of 1982.  If Zabasearch returns a hit, you have added assurance that this is the right John Smith because it includes his city, state and birthday.  The additional data Zabasearch returns, namely the phone and address, is almost surely his current or previous address and phone number.

Some other internet sites you can use for doxxing:
http://www.wink.com/
http://www.123people.com/
http://www.peekyou.com/
http://www.yasni.com/
http://www.anywho.com/whitepages
http://www.peoplefinders.com/

Another site to assist with doxxing is tineye.com.  This site searches an image you upload or a url location you provide and searches it against the trillions of images on the internet.  If the picture you have is anywhere else on the internet, tineye will find it.  Maybe it is in a blog or on Facebook or at reunion.com which can assist you with your doxxing work.

Google also has a powerful image search engine located here: http://www.google.com/imghp
This site can be used to read exif data from photos: http://regex.info/exif.cgi.  Exif data is simply information that your camera stored inside your photo.  It often includes things like where you were when the photo was taken as well as the time and date and potentially other information.  I will have a future post on removing exif data from photos you upload to the internet.

Other great sources of information are county property appraisal websites (Google <county name> property appraiser) and state business registration websites (Google <state name> division of corporations) run by the county and state governments.  With states involved in so many aspects of business these days, many millions of people are in publicly available state licensing websites (Google <state name> professional licensing website).  Everyone from doctors to dentists to hairstylists to dog groomers are in state licensing databases.  These websites and free and are available to the public for browsing.  Also, official records from the courthouse provide pdf copies of things like mortgage documents and can be used to verify things like handwriting and signatures and include information about debts, judgments, liens, divorces and other personal matters (Google <county name> official records).

My next post will be how to best protect yourself from doxxing.

Tracking You Through Your Automobile

The Detroit News recently reported that a Ford Motor Company executive, Jim Farley, revealed that Ford tracks all of its customers while they are driving their vehicles.  Farley, who was the headliner at the Consumer Electronics Show in Las Vegas a couple of weeks ago, made this disturbing statement during his presentation:

“We know everyone who breaks the law, we know when you’re doing it,” Farley said, according to a report in Business Insider. “We have GPS in your car, so we know what you’re doing. By the way, we don’t supply that data to anyone.”

Not surprisingly, Ford denounced those comments and Mr. Farley apologized for saying it.  Senator Al Franken, MN (D) demanded answers from Ford about their tracking customers and said that Ford does in fact share this information with third parties.  Ford says that nobody is tracked without providing their express consent.  Express consent, however, is provided when customers use a navigation or voice-activated system, which the vast majority of people with newer model vehicles do.  So despite Ford denouncing those comments and Mr. Farley apologizing, his comments for all intents and purposes are true.

Perhaps all of this discussion about tracking is moot though, because congress passed a law several years ago requiring that by model year 2015, all manufacturers are to install event data recorders, commonly known as 'black boxes' inside their vehicles.  The black boxes record all sorts of information, purportedly to aid crash investigators at accident sites.  96% of new vehicles already have them.  Some of them are tied into GPS systems and it won't be long until all of them are.  Some believe these boxes are less about accidents and more of segway into usage based vehicle taxes.

Perhaps not surprisingly, some people are already voluntarily allowing insurance companies to track their vehicle usage in return for lower premiums.  This insurance, known as usage-based insurance or black box insurance has been around since 1998 and thankfully, hasn't taken off here in the US.

There aren't many laws about who owns black box data as only 13 states have passed any legislation regulating the control of this information.  Vehicles that currently have black boxes are reportedly accessed regularly at crash sites or tow yards without consumer authorization.  Even if you were able to protect your information in the black box, other people may be willing to give up your black box after an accident.  Normally, when your car is totaled, the insurance company 'buys' the car from you, so they can provide the black box to whomever they choose.  There is a good article here with more details about how these black boxes work and what to expect when they are in your vehicle, if they aren't already there.

Privacy Action Plan - How to maintain the locational privacy of your vehicle.
PRS - Level 3

The simplest way to maintain your privacy is to not purchase a car with a navigation system installed.  Most smartphones have navigation apps which you can use and then turn them off when you are finished.  Do not use any voice activated systems installed in the vehicle either.  The added bonus is that by buying cars without these features, you will be able to save money on the car.

Don't buy usage-based/black box insurance.  These boxes are obviously a serious invasion of privacy.

Check your owner's manual to see if your car has a black box (manufacturers are required to include this information somewhere in the owner's manual).  If you do have a black box, take your car to a knowledgeable car technician and see if it can be removed or disabled, without affecting other features of the vehicle, such as airbags, which some black boxes are tied into.  Check the laws in your state.

Weekly Review of Privacy in the News - Week of January 13, 2014

Businesses using your phone to build a customer profile on you:
http://online.wsj.com/news/articles/SB10001424052702303453004579290632128929194

Identity thieves increasingly using tax returns to steal identities:
http://www.cnbc.com/id/101332463

Google pays $3.2 billion for NEST, expanding reach into homes:
http://www.zdnet.com/googles-reach-expands-into-your-home-more-via-3-2-billion-nest-acquisition-7000025109/

Edward Snowden to join board of Freedom of the Press Foundation:
http://www.nytimes.com/2014/01/15/us/politics/snowden-to-join-board-of-press-freedom-foundation.html?src=twr&_r=0

Law enforcement agencies 'borrowing' drones supposed to be used for border patrols:
http://www.washingtonpost.com/world/national-security/border-patrol-drones-being-borrowed-by-other-agencies-more-often-than-previously-known/2014/01/14/5f987af0-7d49-11e3-9556-4a4bf7bcbd84_print.html

Secret surveillance court judges are against changes recommend by panel
http://www.latimes.com/nation/la-na-nsa-reform-20140115,0,5995749.story#axzz2qfmDhF1D including recommendations for a privacy advocate to participate in proceedings http://apnews.myway.com/article/20140115/DABATCVO3.html

Few changes expected at NSA:
http://www.cbsnews.com/news/obama-expected-to-preserve-nsa-programs-but-bolster-oversight/

Target data breach part of broad effort by hackers to steal information from retailers:
http://online.wsj.com/news/articles/SB10001424052702304419104579324902602426862

Starbucks was caught storing mobile passwords in clear text:
http://wtop.com/1373/3543679/Starbucks-caught-storing-mobile-passwords-in-clear-text

The National Security Agency (NSA) collects 200 million text messages per day:
http://www.theguardian.com/world/2014/jan/16/nsa-collects-millions-text-messages-daily-untargeted-global-sweep and the president's own review panel concluded that the program has not been responsible for preventing any terrorist attacks: http://www.nationaljournal.com/technology/obama-s-plan-to-rein-in-nsa-phone-sweeps-20140117

President Barack Obama announces that he had no idea about the extent of NSA snooping:
http://www.truthrevolt.org/news/obama-claims-ignorance-extent-nsa-surveillance

President Barack Obama is going to recommend that private companies hold the phone, email and text message data collected from nearly all Americans on a daily basis:
http://www.wtop.com/289/3544357/AP-Source-NSA-phone-data-control-may-come-to-end

NSA Official claims NSA data regularly used in in court cases for prosecuting Americans and instructs local law enforcement to create parallel data to make it look like the information came from somewhere else since the NSA data is being collected without a warrant and is inadmissible:
http://www.cnsnews.com/mrctv-blog/matt-vespa/nsa-official-we-are-now-police-state

A Phone that the NSA Cannot Hack?

An interesting article was published yesterday about a Madrid-based communications firm introducing an encrypted cellular phone called the Blackphone.  The phone is pictured here:

This cellular phone offers all of the conveniences of a normal smartphone, but offers encryption for everything you do on the phone, going so far as to claim that the phone will protect you from the prying eyes of everyone and anyone, including hackers and even the NSA.

Readers of this blog know that this is a PRS Level 0.  It is impossible to do what the company is claiming using standard operating systems and regular apps on normal cell towers, but this is a clever marketing gimmick!

Tips for protecting privacy on your cellphone were discussed in a previous blog post which can be found here.

Your Computer Could Be Accessed Even When Not Connected to the Internet

As if right out of a James Bond movie, the New York Times reported today that there is technology that has been in use since 2008 that allows your computer to be monitored, even when it is not connected to the internet.  This is done through a tiny specially designed radio chip that can be implanted into a computer allowing activity on the non-connected computer to be monitored.  The tiny chips operate off of radio frequencies and are typically installed by a spy, a manufacturer or an unwittingly user.  I would add hackers to that list as well.

It was recently reported that the NSA is able to intercept packages of computer equipment sent through the mail and divert them to a facility where they carefully open the packages and install monitoring software (a process called interdiction).  I would certainly think that these chips would be part of the 'standard surveillance package' secretly inserted into these computers during interdiction.

The monitoring part happens when anyone with access to these chips activates the one inside your computer.  They can be miles away and send a radio wave to your computer and your computer will communicate back to them allowing access to your files or even allowing them to reactivate your internet connection.  Science fiction becomes reality.

Most computers parts today are made in China, Japan and Taiwan.  One has to wonder if these countries are already installing such equipment on these computers without anyone's knowledge.  After all, while China may be the premier trading partner with the US, socially, culturally and otherwise the Chinese and US governments have many differences.  What a great way for the Chinese government to learn all about what Americans are doing by simply implanting these tiny chips into the computers they ship.

That this technology exists is the most worrisome part.  Your computer could be compromised by hackers or others looking to do you harm even when you aren't connected.  The computer you are using now could have been interdicted and infected.  The chip could have been implanted by the manufacturer, by the NSA, by a postal service crime organization, by your company's IT department or by someone who broke into your home.  If you bought your computer used, the chances are even higher because you don't know who has had access to that computer and installed this bug.

Privacy Action Plan - How to protect the data on your computer when it is not connected to the internet
PRS - Level 4

Thankfully, the solution to gaining privacy in this area is simple.  Turn your computer off when you are not using it.  Since many computers still have many areas that are 'on' even after the computer is shut down, you should unplug it and remove the battery as well.  If you don't want to remove the battery each time you shut down, a Faraday Bag should work since these bugs reportedly work off of covert, but ordinary radio waves.