Sunday, 24 June 2012

Privacy: All of these sites are doing their own thing

I watched Sesame Street when I was young, and one of my favourite games on Sesame Street was “One of these kids is doing his own thing”. You played the game by spotting the kid who was doing something different from all the rest of the kids. 

When it comes to spotting what websites do with your personal information, you soon realise that the sites are all doing their own thing, and sometimes inconsistently at that. So, today, I intend to focus on how innocuous activity on photo sharing sites (like posting photos) can be particularly hazardous to oneself, and more importantly, why and how some sites should do more in protecting end users’ privacy.

There you are
When most people post photos on photo sharing websites, they usually know that the photos are for all to see (though they may not necessarily be aware of the consequences). Unless access to the photos is restricted, the photos are public and everyone can view them. The user essentially does not have privacy in relation to that image. That much is made clear in most photo sharing websites’ privacy policies. They make it clear that everyone can see your image.

As you can imagine, intentionally or unthinkingly posting photos on websites or social networking sites can cause problems. Hence, when a 17-year-old girl in Australia photographs her grandmother counting money, and posts the photo on Facebook, which then results in a burglary, most reasonable people will say the girl should have (to put it nicely) been more circumspect in her posting. The US Army has also warned that soldiers are putting their lives at risk by geotagging their photos or “checking in” on social networking sites (four helicopters were apparently destroyed in Iraq due to army personnel posting photos of them).

Another problem is where the user is not aware of information that is associated with the photo (i.e. the location data), and has unknowingly disclosed this information via the website. Adam Savage, the host of Mythbusters, is perhaps one of the more famous personalities who gave away his home location this way.

I think that these problems, while different, have similar beginnings. Although users have been using social networking or photo-sharing services for some time already, many still may not understand or care about the extent and consequences of their use. I believe that one reason for this lack of understanding or caring is that most individuals are generally not inclined to read or understand details, and are more interested in getting on with the functionality of the site (i.e. sharing and posting; interacting with their friends is more important).

Consider this little game in this video.

Most people are just concentrating on sharing the photo, the information, or the post – just like how most of us concentrated in the video to the exclusion of everything else. Some users are generally not aware of, or give no second thought to, the second- and third-order consequences of a post, or of the use of technology. The allure of the first-order consequences (i.e. the gratification obtained from using the technology) is much more appealing than thinking about the probability of problems that may result from its use.

I believe that some regulators understand and accept this as a reality. For example, the Office of Fair Trading in the UK has noted in a guidance note that “In practice consumers often do not read, and rarely understand fully, any but the shortest and simplest contracts”. This is of course not helpful for companies who are used to placing lengthy privacy policies in discrete sections of the website.

What should or could companies do when faced with this reality?
Privacy by Design

I think that companies providing services via their websites could do a lot for consumers by developing services based around privacy-by-design principles.

Let’s take the example of photo sharing sites. I think that photo sharing sites should, as a default, not display geographic location or geotag a photo.
(As a quick primer: If you enable location services (or the GPS function) for the camera on your mobile phone, or even some digital SLR cameras, the camera will include the longitude and latitude co-ordinates of the location where you took that photo. This information is embedded in the photo (which is usually saved as a JPEG file) as EXIF data which can then be easily viewed through freely available software found on the Internet. The information (i.e. the location data) may not always be completely pinpoint as there are various factors which may affect accuracy. None of this is new. You can read more about this here and here.)

As I was saying, I think that photo sharing sites should, as a default, not display geographic location or geotag a photo. It is one thing for the photo to show you in a room in an apartment (which is a conscious decision of the photographer and in most cases the subject of the photo), and another thing altogether for the photo to contain information which shows where the apartment is on a map.
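To make the primer concrete, here is an added example (my own code, not the post's and not any of the sites' implementations) that builds a constructed minimal JPEG carrying only the GPS EXIF tags, reads the coordinates back the way an EXIF viewer would, and strips the APP1/Exif segment the way a site could on upload. The tag numbers (0x8825 for the GPSInfo pointer, GPS tags 1 to 4 for latitude/longitude and their N/S and E/W references) come from the EXIF specification; the coordinates used are made up, and a real camera file would also contain SOF/SOS scan data, which the stripper copies through untouched.

```python
import struct
SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}  # bytes per TIFF field type: BYTE, ASCII, SHORT, LONG, RATIONAL

def build_geotagged_jpeg(lat_dms, lon_dms, lat_ref=b"N", lon_ref=b"E"):
    # Constructed sample: SOI, one APP1/Exif segment holding only a GPS IFD, EOI; no scan data.
    gps_off = 8 + 2 + 12 + 4                    # TIFF header, IFD0 count, one entry, next-IFD link
    data_off = gps_off + 2 + 4 * 12 + 4         # RATIONAL values follow the four GPS entries
    tiff = b"MM\x00\x2a" + struct.pack(">IHHHIII", 8, 1, 0x8825, 4, 1, gps_off, 0)  # IFD0 -> GPS IFD
    tiff += struct.pack(">HHHI4sHHII", 4, 1, 2, 2, lat_ref + b"\0\0\0", 2, 5, 3, data_off)  # N/S, lat
    tiff += struct.pack(">HHI4sHHIII", 3, 2, 2, lon_ref + b"\0\0\0", 4, 5, 3, data_off + 24, 0)  # E/W, lon
    tiff += b"".join(struct.pack(">II", n, d) for n, d in lat_dms + lon_dms)  # deg/min/sec as n/d pairs
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def _segments(data):
    """Yield (is_exif, start, end) for each marker segment between SOI and the first SOS/EOI."""
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] not in (0xDA, 0xD9):
        end = pos + 2 + struct.unpack_from(">H", data, pos + 2)[0]
        yield data[pos + 1] == 0xE1 and data[pos + 4:pos + 10] == b"Exif\0\0", pos, end
        pos = end

def _tiff_gps(tiff):
    """Follow IFD0's GPSInfo pointer and return (lat, lon) in decimal degrees, or None."""
    e = ">" if tiff[:2] == b"MM" else "<"       # byte order is declared by the TIFF header
    u16 = lambda o: struct.unpack_from(e + "H", tiff, o)[0]
    u32 = lambda o: struct.unpack_from(e + "I", tiff, o)[0]
    entries = lambda ifd: [(u16(o), u16(o + 2), u32(o + 4), o + 8)  # tag, type, count, value field
                           for o in range(ifd + 2, ifd + 2 + 12 * u16(ifd), 12)]
    tags, ptr = {}, [v for t, _, _, v in entries(u32(4)) if t == 0x8825]
    for t, typ, cnt, v in (entries(u32(ptr[0])) if ptr else []):
        src = v if SIZES.get(typ, 4) * cnt <= 4 else u32(v)    # <=4 bytes sit inline, else at offset
        if typ == 2:                                            # ASCII: "N"/"S", "E"/"W"
            tags[t] = tiff[src:src + cnt].rstrip(b"\0").decode()
        elif typ == 5:                                          # RATIONAL: numerator/denominator pairs
            tags[t] = [u32(src + 8 * k) / u32(src + 8 * k + 4) for k in range(cnt)]
    if not all(k in tags for k in (1, 2, 3, 4)):
        return None
    dec = lambda dms, ref: (dms[0] + dms[1] / 60 + dms[2] / 3600) * (-1 if ref in ("S", "W") else 1)
    return dec(tags[2], tags[1]), dec(tags[4], tags[3])

def gps_from_jpeg(data):  # (lat, lon) if the JPEG carries GPS EXIF tags, else None
    return next((_tiff_gps(data[s + 10:e]) for ex, s, e in _segments(data) if ex), None)

def strip_exif(data):  # copy of the JPEG with every APP1/Exif segment removed; scan data untouched
    out, pos = bytearray(data[:2]), 2
    for ex, s, e in _segments(data):
        if not ex:
            out += data[s:e]
        pos = e
    return bytes(out + data[pos:])
```

Running `gps_from_jpeg` on a photo downloaded back from a sharing site is a quick way to check whether that site actually removed the location; running `strip_exif` before upload removes the dependency on the site's default.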

Rather than talk in a vacuum, here are a few examples of different websites I have found which take different approaches in restricting the display or availability of location information in uploaded photos.

All of these sites are doing their own thing
In testing these websites, I took a photo using the camera app on my iPhone 3GS and activated location services for the camera. I also reviewed publicly available photos on these sites.

Photobucket, as a default, does not strip out the EXIF data (which may store GPS co-ordinates) in JPEG files which are uploaded. A user's account settings are also set to show, as a default, where the photos were taken. As a result, the longitude and latitude co-ordinates of the location where the photo was taken are set out in the Photo Info section of the website. Permanently removing location information in relation to your photo requires you to take the active step of opting-out.

Photobucket displays GPS location next to the photo
Photobucket default settings are set to display location

Streamzoo, as a default, does not display the location where the photo was taken and any geotagging is an opt-in requirement when you take a photo using their mobile app (which is a good thing). It also strips out the GPS location information in photos when you upload the photo using their mobile app (another good thing). However, Streamzoo does not strip out GPS co-ordinates in the EXIF data in JPEG files when you upload the photo using their website from your computer (for example, if the photo was taken on your mobile phone, saved on your computer for editing, and later uploaded onto the website from your computer). So, I was still able to determine where someone had taken a photo by viewing the GPS co-ordinates in the EXIF data, and using Google Earth to display the location on a map.

Tumblr converts JPEG files into PNG files when you upload a photo whether from your computer or from your phone. This process removes any EXIF data, and any location information along with it (which is a good thing). However, if a third party site is used to repost the photo onto Tumblr, and if those third party sites do not remove the location metadata, Tumblr does not strip the GPS co-ordinates from those JPEG files. For example, when photos with GPS co-ordinates were uploaded onto Streamzoo via the Streamzoo website (using a computer) and then shared with Tumblr, the photos posted on Tumblr still contained the GPS location co-ordinates. Again, I was able to determine where someone had taken a photo by viewing the GPS co-ordinates in the EXIF data, and using Google Earth to display the location on a map.

On the other hand, Flickr does a good job of asking users whether they want to geotag their photo, and the site also removes EXIF data (and hence location information) from the uploaded JPEG file. So, unless you opt-in to geotagging your photo, the only person other than yourself who knows where the photo was taken is Flickr.
Flickr asks whether you want to show location information

What should they do?
I think that the default of photo-sharing sites should be to limit disclosure of information. Why should this be so?

Even now, some people do not realise that location data will be incorporated into the photo if location services or GPS are enabled for the camera in the phone. While people may use the technology, they may not be technologically-savvy, and hence may not be aware of the consequences of the use. Some people may just be concentrating on functionality, to the exclusion of other consequences. As in the video, some of us concentrated on the 13 people passing the ball instead of the moonwalking bear. To help address these tendencies, the default should therefore be to protect someone’s privacy unless that person has taken positive action to make his or her location known. Again, while someone may want a photo of a dinner at home to be publicly available, it is another thing altogether for the photo to contain information which shows where home is on a map.

I feel that Photobucket should change the default for location information in the account settings to be opt-in rather than opt-out. Some might say it is an unfair burden on sites and companies, but having strong defaults which require users to opt-in goes a long way to help those who are not that aware both on a technological or privacy front.

Privacy should be embedded in the design. While Tumblr converts JPEG files into PNG files, it allows JPEG files with location information to be reposted onto Tumblr via third party sites. It also seems odd that Streamzoo would remove location information from a photo if the photo is uploaded from its mobile app but not do the same thing if the uploading is via its website. I believe that these are oversights from a privacy perspective in the design of the sites, and should be resolved.

On a positive note, I think the approach taken by Flickr is very user-centric as it is defaulted to not display or disclose location, and it is easy to choose otherwise.

Doing the same thing

Websites can do a lot more to help the less circumspect or thoughtful users in navigating the potential risks in using technology.

Besides the functionality of the site, proprietors of these websites could also consider thinking about their users’ privacy in a comprehensive way. Doing your own thing is great for product differentiation, but when it comes to incorporating privacy into the design of a service, I would like to see more websites doing the same thing by applying privacy by design.


* As a footnote: There are some issues relating to stripping out metadata (like the protection of copyright), though I believe that some sites do not strip out the IPTC tag (which can contain author and copyright information), and if the photographer is concerned about copyright and royalties they can use other sites which include visible watermarks on the photo unless a license is purchased.
