The Revolutionary Technical Collective is a correspondence and publishing group which utilizes technical knowledge to amplify communist agitation and propaganda.
↫ This site dedicated to the Public Domain via Creative Commons 1.0 Universal.
From time to time, when a new protest movement reaches full force, it is important to remember the most practical aspects of operational security. This article deals with EXIF data, and how it can be used to compromise you. Much of this is an excerpt from a larger guide which we have taken out of publication, and which will later be reworked into a much more comprehensive book on the topic of operational security.
Let us begin our example with a short explanation. Most pictures taken on smartphones today contain an extensive amount of data about the photographic device, using a metadata format called EXIF (Exchangeable Image File Format). While some vendors are beginning to ommit the fields which can expose someone the most, such as GPS data, a smartphone model number may be enough to implicate you in participating in a protest (which the bourgeois state has already determined is a crime to be punished with torture and bomb threats by right-wing groups).
This poses an obvious security issue, and it has been treated as such. Most social media and blogging platforms today remove EXIF data from published images. However, this is not a guarantee that they aren’t keeping the data for themselves. This problem extends beyond major platforms and onto self-hosted ones. For example, in Wordpress, metadata removal in full-sized images is handled by third-party plugins, which means an attacker could introduce a compromised plugin to extract and store EXIF data.
But what metadata may a picture contain, exactly? That depends on the device it’s taken on, but for presentation purposes, let us take an image from the Git repository located at https://github.com/ianare/exif-samples, at jpg/gps/DSCN0010.jpg
:
A nice picture. Now, we ask ourselves: how do we inspect, and how do we remove, EXIF data from this image? For this, we will need a personal computer with a utility called exiftool
. This utility can, to our knowledge, only be obtained on Unix-like operating systems, such as Linux. If you are on Windows, you will need to activate the Windows Subsystem for Linux (there are tutorials about this in other places online). If you are new to technical computing, this may intimidate you into using an online service, which may or may not harvest data from your pictures. We ask that you don’t be discouraged, as safety often comes at the cost of convenience.
If you are on Debian, or a Debian-based Linux distribution, such as Ubuntu, you may install exiftool
with the following command (invoking sudo
for administrator privileges):
sudo apt install exiftool
With the tool installed, assuming the directory we are in is the same directory the image is located, let’s open a terminal window and inspect the image’s EXIF data:
exiftool DSCN0010.jpg
The output is long, presented in plain-text, and contains more metadata than the one contained in the EXIF data itself, but are the critical parts, compiled into a spreadsheet for ease-of-viewing:
GPS Latitude Ref | North |
GPS Longitude Ref | East |
GPS Altitude Ref | Above Sea Level |
GPS Time Stamp | 14:27:07.24 |
GPS Satellites | 06 |
GPS Map Datum | WGS-84 |
GPS Date Stamp | 2008:10:23 |
GPS Date/Time | 2008:10:23 14:27:07.24Z |
GPS Latitude | 43 deg 28’ 2.81” N |
GPS Longitude | 11 deg 53’ 6.46” E |
Circle of Confusion | 0.006 mm |
Field of View | 18.3 deg |
GPS Position | 43 deg 28’ 2.81” N, 11 deg 53’ 6.46” E |
Not good! Using this information, we can pinpoint this image to the northern end of Parco della Fortezza Medicea, Arezzo, Tuscany, Italy. And if we actually put in the effort, we could probably figure out the exact angle it was taken from.
Thankfully, we can remove all this undesired data with a simple parameter in exiftool
:
exiftool -all=DSCN0010.png
Now, this image has no compromising metadata, and can be safely published. If we were to re-examine the metadata after running this command, we would find nothing useful.