From time to time, when a new protest movement reaches full force, it is important to remember the most practical aspects of operational security. This article deals with EXIF data, and how it can be used to compromise you. Much of this is an excerpt from a larger guide which we have taken out of publication, and which will later be reworked into a much more comprehensive book on the topic of operational security.

Let us begin our example with a short explanation. Most pictures taken on smartphones today contain an extensive amount of data about the photographic device, using a metadata format called EXIF (Exchangeable Image File Format). While some vendors are beginning to ommit the fields which can expose someone the most, such as GPS data, a smartphone model number may be enough to implicate you in participating in a protest (which the bourgeois state has already determined is a crime to be punished with torture and bomb threats by right-wing groups).

This poses an obvious security issue, and it has been treated as such. Most social media and blogging platforms today remove EXIF data from published images. However, this is not a guarantee that they aren’t keeping the data for themselves. This problem extends beyond major platforms and onto self-hosted ones. For example, in Wordpress, metadata removal in full-sized images is handled by third-party plugins, which means an attacker could introduce a compromised plugin to extract and store EXIF data.

But what metadata may a picture contain, exactly? That depends on the device it’s taken on, but for presentation purposes, let us take an image from the Git repository located at https://github.com/ianare/exif-samples, at jpg/gps/DSCN0010.jpg:

A nice picture. Now, we ask ourselves: how do we inspect, and how do we remove, EXIF data from this image? For this, we will need a personal computer with a utility called exiftool. This utility can, to our knowledge, only be obtained on Unix-like operating systems, such as Linux. If you are on Windows, you will need to activate the Windows Subsystem for Linux (there are tutorials about this in other places online). If you are new to technical computing, this may intimidate you into using an online service, which may or may not harvest data from your pictures. We ask that you don’t be discouraged, as safety often comes at the cost of convenience.

If you are on Debian, or a Debian-based Linux distribution, such as Ubuntu, you may install exiftool with the following command (invoking sudo for administrator privileges):

sudo apt install exiftool

With the tool installed, assuming the directory we are in is the same directory the image is located, let’s open a terminal window and inspect the image’s EXIF data:

exiftool DSCN0010.jpg

The output is long, presented in plain-text, and contains more metadata than the one contained in the EXIF data itself, but are the critical parts, compiled into a spreadsheet for ease-of-viewing:

GPS Latitude Ref	North
GPS Longitude Ref	East
GPS Altitude Ref	Above Sea Level
GPS Time Stamp	14:27:07.24
GPS Satellites	06
GPS Map Datum	WGS-84
GPS Date Stamp	2008:10:23
GPS Date/Time	2008:10:23 14:27:07.24Z
GPS Latitude	43 deg 28’ 2.81” N
GPS Longitude	11 deg 53’ 6.46” E
Circle of Confusion	0.006 mm
Field of View	18.3 deg
GPS Position	43 deg 28’ 2.81” N, 11 deg 53’ 6.46” E

Not good! Using this information, we can pinpoint this image to the northern end of Parco della Fortezza Medicea, Arezzo, Tuscany, Italy. And if we actually put in the effort, we could probably figure out the exact angle it was taken from.

Thankfully, we can remove all this undesired data with a simple parameter in exiftool:

exiftool -all=DSCN0010.png

Now, this image has no compromising metadata, and can be safely published. If we were to re-examine the metadata after running this command, we would find nothing useful.