This photo, taken during the interview, contained the location of fugitive McAfee in the EXIF data. Photo: Robert King, Vice
About a month ago the location of a prominent “person of interest” in a homicide investigation was accidentally revealed when a magazine published a photo of him and forgot to erase the embedded GPS location. It’s a lesson that NGOs should learn.
You’ve probably heard of McAfee, the anti-virus company. However, unless you are extremely interested in technology, you probably haven’t heard that the founder of the company, John McAfee, has turned more than a little weird, retreated to a jungle-complex in Belize, became a person of interest in a murder investigation, escaped to Guatemala and was subsequently deported to the US. (You can read the full story in Wired: “John McAfee’s last stand”)
The reason you should care, is how the location of the fugitive got accidentally leaked: the editor of Vice magazine met with McAfee for an interview, took a photo with his mobile phone and sent it home to be published on their website. Unfortunately, they forgot to remove the GPS coordinates that were automatically embedded into the so called EXIF data of the photo when it was taken.
This information showed clearly that the photo was taken in a small border town in Guatemala on the same day.
Of course it didn’t take long for somebody to notice this:
The location where the interview took place as recorded in the photos embedded EXIF data.
(McAfee then claimed on his blog that the EXIF data was intentionally falsified to hide his location but this turned out to be not true as he was subsequently detained in Guatemala for entering the country illegally. And yes, he was a blogging while on the run – it’s a weird story).
There are a few lessons to be learned from this, particularly for NGOs that work with human rights activists, people prosecuted by the state they live in or people who rely on you to keep their whereabouts hidden – for example the location of a safe house for battered women.
- Switch geolocation off. Here are instructions how to do this on an iPhone, Android and Blackberry.
- Realize that the geolocation data stays intact, even if you edit the photo.
- When receiving location-sensitive photos from someone else, remove the EXIF data from originals or at least the version that you are uploading/sharing. “JPG & PNG Stripper” and “Jpeg Scrubber” are two free programmes that allow you to remove all EXIF data in bulk from large sets of photos.
- Use photo management software like “Adobe Lightroom” to bulk-edit the information, if, for example, you don’t need the exact GPS coordinates, but would like to add the name of the country instead.
Don’t get me wrong – geolocation data can be a great and useful thing in photos. It can for example help you create beautiful maps of your organization’s activities around the world. But you should be aware of the information you are sharing and understand the risks.
Further recommended reading on the topic of data confidentiality:
- “Security in a box” toolkit for organizations worried about digital security.
- Frontline SMS guide and case studies on handling sensitive data
- I have also heard that ICRC works on new data protection guidelines that will include something on digital security and which are supposedly due to be published this year (I’ll update you once I know more).
Do you have thoughts or comments? Please comment below!