Privacy Implications of EXIF Data

With privacy concerns being paramount in online education, one older feature in some online education platforms has become a new safety concern for all users: exchangeable image file (EXIF) data.

Virtually all online education platforms allow users to upload a profile image. These images enable users to build personas and express their identities, and they also provide users with an easy way to identify those with whom they are interacting. However, in some cases, these images reveal more information than the user originally intended. Depending on how a picture is taken, longitude and latitude or Global Positioning System (GPS) coordinates can be stored as metadata within the image itself. This invariably happens with photos that are taken with mobile phones and high-end digital cameras. This data, referred to as EXIF data, is frequently embedded in images without the photographer's knowledge. If the location data persists, wherever the image is uploaded, those who view the image can potentially retrieve this data. If someone with ill intent downloads a person's profile image, they could gain insight into where the photo was taken and possibly track down the person's current location (if the photo was taken at their residence or workplace, for example). Metadata can be used to analyze a person's movements over time, and scrutiny of this information has had real-world impacts, such as forced resignations and fugitive arrests.^Footnote1

Although EXIF data has an educational value in some instances, such as the collection of location data for field research, EXIF data in relation to profile images is unlikely to be of value. In most cases, modern online educational technology service providers understand that EXIF image data possibly presents a privacy issue, so they remove it from profile images that are accessible through their services. However, not all of them do.^Footnote2 Some larger services such as Slack have only recently begun to remove EXIF data from all uploaded images.^Footnote3 The risk is that new technology startup companies will not concern themselves with stripping this data, particularly if they are striving for a minimum viable product. If a service does not strip this information from images, technology managers at educational institutions are put in a predicament where they need to protect their users, such as staff and students, from themselves.

While it would be beneficial if users were mindful of the details that are embedded in their images, this level of digital literacy cannot be relied upon and is therefore not a viable way to maintain the security of their information.

How to Check for Unintended Exposure of Location Data

Users can perform a simple test to see if a service is exposing their data or removing it. The following test should be implemented during the evaluation stage.

1. Upload a profile picture that contains EXIF data to an online service. EXIF data can be seen in the file properties.
2. Download the saved profile image by inspecting the page and downloading the image. Images can be stored in multiple ways, so methods for obtaining profile images will vary.
3. See whether the EXIF data has been retained.^Footnote4

The profile image on this page may or may not be the only vendor-retained copy of the picture, so searching for multiple accessible variants is worthwhile. In performing this test on various profile images, we found that if a profile image is cropped by the online educational platform, the geographic information is removed in most cases.

Considerations for Technologists

Technologists should add the removal of EXIF data from profile images to the larger set of security considerations they use when adopting a new technology or evaluating an existing one. The retention or removal of EXIF data could be seen as similar to phishing. While phishing isn't insecure in and of itself, it exposes users to an increased risk of harm. In essence, if someone is using a college or university service and that user's information is gained by a third party, regardless of whether the user inadvertently provided the data, the user may still take issue with the institution's stewardship of their data.

Tips for Dealing with Vendors

If, through testing, technologists find that a service is not removing EXIF data from profile images, they should contact the vendor and undertake a few different actions:

1. Ask for location-specific EXIF data to be removed from existing images.
2. Ask that future images that are uploaded by users not retain this data. This will most likely require a software update and could take some time, depending on the vendor's current roadmaps.
3. If the vendor cannot do either of the above things, it may be wise to remove the profile picture functionality until the vendor is able to rectify the issue. Before this decision is made, determine the acceptable risk level (as deemed by the educational institution), as removing profile images may have a negative impact on user experience in most services.^Footnote5

Understanding the Pervasiveness of Retaining EXIF Data

We tested a small subset of major online education technologies to see whether and how much EXIF data the services stripped from thumbnail copies of profile images. All of the tested technologies were at least somewhat compliant with the removal of this data, as they generate a separate thumbnail of the profile image after the user uploads it. That is not to say a full-sized copy of the original uploaded image (and all of its EXIF data) doesn't exist somewhere on each service. In one test, a prominent online service retained the geographic details that were embedded in an image that was uploaded to create a profile picture, and the full-size profile picture was publicly accessible once it was uploaded. Thankfully, that service quickly patched the issue after being alerted.

The concern moving forward is that as vendors change the underlying technologies that they use to manage profile images, their compliance with stripping out metadata could also change over time. Possibly one mitigation for this is to periodically retest when software updates are made.

The International Organization for Standardization (ISO) has published an ISO standard (ISO 19115-1:2014) that addresses metadata and the retention of geographic data in files. This standards document can be referred to for more detailed information related to existing standards in the space.^Footnote6

The Severity of the Issue, If Found

In an academic setting, the potential adverse impact of the retention of location details in profile images is somewhat determined by the availability of profile information to different user groups. These groups can be broadly defined as follows:

• Student-teacher: Details are only visible to a student and their teacher (in an assessment system, for example).
  • The severity of the EXIF data present in this instance may be quite minor as a teacher may have access to much more information in their normal academic work.
• Student cohort: Details are only visible in a closed class (within an LMS, for example).
  • The severity of this data leakage and the increasing severity of the situations below may be unacceptable to many institutions.
• Institution-wide: Details are available to all users in an institution (in online social spaces, for example).
• Cross-institution: Details are available across multiple institutions (in systems related to peer learning, for example).
• Full system or public: Details are available to any user of the platform (on social networks, for example).

The level of comfort an institution has for any of the above designations may be nil and may also depend on different privacy regulations in different legal jurisdictions.

Potential for Data Breaches of Stored Profile Content a User Can't See

If a user is comfortable that the thumbnails generated by an online service (and other copies of the image that the user is able to retrieve) do not contain geographic information, the user may think all is well. However, while the metadata may be stripped from a re-represented version of the user's profile image (usually a smaller thumbnail version of the image is retained in its original form by the vendor), this information could still be exposed if a data breach occurs on the vendor side.

Educational Benefits of EXIF Data

EXIF data should not be stripped from every service in every instance, as there may be valid use cases in educational settings, particularly those related to the collection of observations in various scientific disciplines where the geography of photographic data may be needed. While EXIF data has a valid purpose in various educational contexts, EXIF data that is retrieved from a user's profile image is unlikely to be beneficial in most (or any) contexts. Indeed, some of the services we tested retained the EXIF data of images that users had saved in their personal storage spaces but removed the data when that image was used as a profile image. Some thought should be given to the specific use cases of the technology being assessed as to whether EXIF data has an educational benefit, such as the aforementioned field research. In some instances, there is no valid reason to retain this information. If this is the case, institutions should approach vendors with any concerns they have.

Future Considerations

As most larger online services strip EXIF data when an image is uploaded or reconstitute profile images as new images without this data, institutions should consider collating a centralized list of services that are compliant with the removal of GPS data. This could save each institution from having to test every educational service. Perhaps a graphic designation could be created to easily identify whether a service is compliant with removing this data. This would provide potential institutional software buyers clear information about whether a service is compliant with removing GPS data from images.

Students and other users should be warned about the dangers of retaining this information in their images. Their knowledge and attention can help to mitigate this issue over time. At a minimum, vendors should be made aware of this concern and rectify it wherever it is present. Technologists usually have detailed checklists related to the security requirements they expect vendors to meet. Institutions should add this to the security requirements checklist that they send to vendors. Ideally, a vendor should provide details about how files are handled and what jurisdictional file requirements need to be met.

While most modern services remove EXIF data from images as a standard procedure, this practice is not universal and should be tested, especially for newly established web services.

Notes

1. "Behind the Data: Investigating Metadata," Exposing the Invisible (website), page updated on July 30, 2020. Jump back to footnote 1 in the text.↩
2. Joe Mueller, "What Social Networks Protect Your EXIF (and GPS Location) Data from Other Users?" GPS for Today (blog), January 29, 2013. Jump back to footnote 2 in the text.↩
3. Zach Whittaker, "Slack Now Strips Location Data from Uploaded Images," TechCrunch (website), May 11, 2020. Jump back to footnote 3 in the text.↩
4. "Profile Image Privacy Check," Profile Image Security Information, Charles Sturt University (CSU) ThinkSpace, accessed April 15, 2021. Jump back to footnote 4 in the text.↩
5. Send this email (or something similar to it) to address vendor issues related to the removal of EXIF data. Jump back to footnote 5 in the text.↩
6. International Organization for Standardization, "ISO 19115-1:2014: Geographic Information — Metadata — Part 1: Fundamentals," ISO (website), accessed March 16, 2021. Jump back to footnote 6 in the text.↩

---

Sam Parker is a Manager of Learning Technologies at Charles Sturt University.

Michael Sankey is the Director of Learning Futures and the Lead Education Architect at Charles Darwin University.