The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Wednesday, June 14, 2006
I've posted a number of times about something called metadata. It is hidden information in different kinds of digital files that may reveal information about the document, its author or information that the distributor did not want to disclose. For example, Microsoft Word is notorious for the metadata that can be hidden in documents, but we've also seen information leakage through Adobe Acrobat files (see: The Canadian Privacy Law Blog: More on metadata, The Canadian Privacy Law Blog: Document meta-data FAQ and risk information, The Canadian Privacy Law Blog: Security problems with hidden data in Acrobat PDF files).
I've known for some time that most digital cameras generate metadata (in the EXIF format), such as information about when the photo was taken, whether a flash was used, the exposure, lens focal length, etc. Flickr shows most metadata associated with photos. Check this out for an example: Flickr: More detail about leave.
What I did not know until today is that digital cameras will often embed a small thumbnail image of the photo as originally taken. In many cases, if you subsequently edit the photo, the original thumbnail remains. If the image is edited to cut out someone who didn't want to be photographed or if you blur the face of someone to protect their privacy, that information may still be available to anyone who gets the image.
There is no better illustration of the problem than the website created by Tonu Samuel. His site pulls images off the 'net then shows the original thumbnail and the modified image. One image generated by Samuel's site is a very vivid demonstration of why this is an issue: Hidden EXIF thumbnail security problem (may not be safe for work - it shows a young woman in a bikini whose face was obscured but is clearly identifiable in the thumbnail).
In short: Be very careful when you distribute modified digital images.
Thanks to michaelzimmer.org - The Hidden Photos Within Photos for the link.
UPDATE: I was browsing some of the photos that have been put through Tonu Samuel's EXIF extractor and came upon this great demonstration of why this can be a risk. The photos on this page are from the US Federal Bureau of Investigation (http://www.fbi.gov/wanted/seekinfo/erienote1.jpg). The published version shows a letter with significant portions blacked out. The embedded thumbnail is missing all the blacked out portions.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.