
Facebook is embedding tracking data inside the photos you download - meerita
https://twitter.com/oasace/status/1149181539000864769
======
snek
If anyone who works at Facebook reads this, I am so very curious, when you're
asked to build something like this, how do you approach that morally? I really
want to know the opinion of someone actually working there.

~~~
villedepommes
If you live and work in the US, the substantial part of your taxes is spent on
invading other countries, killing innocent people and propping up dictators.

> how do you approach that morally? I really want to know the opinion of
> someone actually working there.

~~~
snek
Whatever country I live in, I certainly didn't choose to be born there, and
moving to another country is often more expensive than is possible for most
people. I don't see how this compares to actively seeking a job at Facebook. I
also don't think that the US doing bad things is an excuse for Facebook to do
bad things.

~~~
PavlovsCat
The question was "how does it feel?". Not a really useful or interesting
question, but there it is, at the top, and for a lot of people here, the
answer is "exactly like what you're doing".

> _See what gross inconsistency is tolerated. I have heard some of my townsmen
> say, “I should like to have them order me out to help put down an
> insurrection of the slaves, or to march to Mexico;—see if I would go”; and
> yet these very men have each, directly by their allegiance, and so
> indirectly, at least, by their money, furnished a substitute. The soldier is
> applauded who refuses to serve in an unjust war by those who do not refuse
> to sustain the unjust government which makes the war; is applauded by those
> whose own act and authority he disregards and sets at naught; as if the
> state were penitent to that degree that it differed one to scourge it while
> it sinned, but not to that degree that it left off sinning for a moment.
> Thus, under the name of Order and Civil Government, we are all made at last
> to pay homage to and support our own meanness. After the first blush of sin
> comes its indifference; and from immoral it becomes, as it were, unmoral,
> and not quite unnecessary to that life which we have made._

-- Henry David Thoreau

------
rohan1024
Someone else dug further into this
[https://stackoverflow.com/questions/31120222/iptc-metadata-a...](https://stackoverflow.com/questions/31120222/iptc-metadata-automatically-added-to-uploaded-images-on-facebook)

~~~
jdillaaa
Yeah, years ago. Nothing new here. Running "exiftool FB_IMG" would reveal the
same "structural abnormality" (not an abnormality though because it's part of
the valid IIM block of the file). See
[https://sno.phy.queensu.ca/~phil/exiftool/TagNames/IPTC.html](https://sno.phy.queensu.ca/~phil/exiftool/TagNames/IPTC.html)

------
bastawhiz
I can see this being an extremely valuable tool for preventing identity theft
on the site. One of my teachers had been the victim of a scammer who had
cloned her profile and was reaching out to everyone on her friend list. When
the fake profile was reported, it was taken down very quickly, which I imagine
could have been done programmatically with this data on the photos.

There's speculation that FB could infer relationships with this. If you've
ever shared memes, you'll know this is unlikely to be effective.

At the end of the day, in an age of reverse image search and public profiles
and commodity facial recognition, what is actually the threat model here? That
someone is able to tie an unattributed photo back to the URL it was downloaded
from? That if someone downloads your photo without permission (why did you
upload it in the first place?) and they share it but don't say where they got
it, someone else can potentially find out where it came from?

It's unclear whether this ID even uniquely identifies the uploader or
downloader publicly. If it's a random UUID, then what? Facebook doesn't
reasonably need it to track you (they could use the hash, face recognition,
your session, etc). I honestly can't think of a case that would make this
valuable to a malicious third party. Beyond content moderation (and maybe
saving some CPU time), I can't see much of a use case for Facebook either.

~~~
spunker540
Yeah I can't tell what the harm is from the metadata and would appreciate
someone actually explaining, rather than seeing some metadata and immediately
jumping to the conclusion that there's definite harm and "tracking" going on.

------
Stubb
ExifTool is the standard app for playing with photo metadata:

[https://www.sno.phy.queensu.ca/~phil/exiftool/](https://www.sno.phy.queensu.ca/~phil/exiftool/)

Looks like Facebook is adding IPTC field Original Transmission Reference,
which you can view with:

    exiftool -IPTC:OriginalTransmissionReference image.jpg

It seems different for each picture.

~~~
lelf
It is

    exiftool -IPTC:SpecialInstructions

(it will be a string starting with FBMD.)

And while it’s obviously (can be used for) for tracking, it’s just an exif tag;
“Special instructions” is a text for humans, not machine instructions.

So s/Structural abnormality IPTC special instruction/a standard exif tag/ for
less click-bait.

~~~
zetor
FBMD01000ab5030000930700008b130000ae130000011400005d3f00009b740000ce750000f1750000277600005eaa0000

------
jarfil
This isn't something new, it's been known for years:
[https://www.hackerfactor.com/blog/index.php?/archives/726-Fa...](https://www.hackerfactor.com/blog/index.php?/archives/726-Facebook-Tracking.html)

~~~
mattigames
The value derived from this post is not its "recentness" but to make the users
of this site aware of a practice by fb, especially in light of fb's importance
on privacy matters and global politics in recent years.

------
pmlnr
As a hobby photographer who dealt with some image metadata manipulation, I
find this quite interesting. Interesting enough to question if this could be
something we ourselves can be using, say, for a WordPress plugin, so tracking
down copyright abuse would be simpler.

Does anyone know existing, working solutions for this? Is IPTC purged as well
by CMS systems, similarly to XMP or EXIF?

~~~
wil421
Certain providers will strip your exif data completely. I’ve seen email
providers, I think yahoo, and other websites do it. The geotagging has
definitely been removed as well as the exif camera data. It might be hard to
track images this way if everyone is manipulating it including FB/Insta.

------
raverbashing
What's exactly an IPTC instruction? Seems to be this
[https://iptc.org/standards/photo-metadata/](https://iptc.org/standards/photo-metadata/)

It's also not clear what the data contains. Is it info about the original
account? The account downloading the picture?

I would not be surprised if this was being used to prevent fake accounts being
created with pictures taken from legitimate accounts.

~~~
gmueckl
It would in theory be enough to embed a random unique ID and keep the
associated data on your own server so the actual data doesn't leak.

~~~
mattigames
It's not only so the data doesn't leak, it's also to make it as small as
possible so it's less likely to be corrupted unintentionally by third-party
software or protocols.

------
Ultramanoid
Therefore this is happening with Instagram as well, of course.

~~~
eyeball
Is WhatsApp doing it too?

~~~
busymom0
So far no, whatsapp isn’t doing it as someone checked. Maybe in the future:

[https://mobile.twitter.com/17haval/status/114997853789964288...](https://mobile.twitter.com/17haval/status/1149978537899642880)

------
Ultramanoid
If the photograph is copyrighted, how does this modification and embedding of
tracking data by a third party affect the owner, if it does at all?

~~~
jjeaff
By posting the photo to Facebook in the first place, you are giving them near
unlimited freedom to do with it as they will according to their usage
policies.

~~~
jen20
That freedom can only be granted by the copyright holder, however.

~~~
wolph
It's apparently a bit of a hassle to get it removed at times though. And in
most cases far too late for it to really matter:
[https://www.youtube.com/watch?v=L6A1Lt0kvMA](https://www.youtube.com/watch?v=L6A1Lt0kvMA)

------
baby
Is it possible that this is for finding out who is re-posting private
pictures, like on ex revenge websites and co?

~~~
jakeogh
The knowledge that people can ref things by their hash is a serious problem
for power centers.

~~~
gmueckl
What does this comment mean? I understand the words, but not the meaning.

------
shawnz
> The take from this is that they can potentially track photos outside of
> their own platform with a disturbing level of precision about who originally
> uploaded the photo (and much more).

How is it any more powerful in that regard than just hashing the photo?

~~~
shakna
Uploaded photos on many sites undergo postprocessing that may change the hash
of the image, different compression technique, etc. without modifying the EXIF
data.

~~~
shawnz
Not if you use a perceptual hash, which is a well established technique that
Facebook already uses for other purposes.

~~~
doubleunplussed
Furthermore, plenty of platforms will remove EXIF data.

I made a LaTeX equation rendering script that embedded the source LaTeX in
EXIF data, the idea being that you could edit the equation after the fact
without having to save the source. But practically every tool I used would
strip the EXIF data - so I moved to storing the source in the least
significant few bits of the pixel values. This worked much better with the
places I was uploading the images to (google docs mostly). Obviously fragile
to image format conversion though.
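
The trick doubleunplussed describes, as an added example that is not the original script: a minimal least-significant-bit store over a constructed 8-bit greyscale buffer (a real image would be the flattened samples of a lossless format). It shows the two properties the comment relies on, that the pixel data survives anything that only rewrites metadata and that each sample moves by at most one level, and the fragility mentioned at the end: `requantize` stands in for lossy re-encoding or format conversion and wipes the LSB plane, after which nothing comes back. The carrier, the payload and the helper names are all assumptions.

```python
def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Store payload in the least significant bit of each sample.

    A 32-bit big-endian length prefix is written first so the reader knows
    where the payload ends. Every sample changes by at most 1.
    """
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError(f"carrier holds {len(pixels) // 8} bytes, payload needs {len(data)}")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Read back what embed_lsb stored. Returns b'' when the LSB plane holds no
    payload (all zero), raises if the length prefix cannot fit the carrier."""
    def read(start: int, count: int) -> bytes:
        chunk = bytearray()
        for k in range(count):
            value = 0
            for j in range(8):
                value = (value << 1) | (pixels[start + k * 8 + j] & 1)
            chunk.append(value)
        return bytes(chunk)

    if len(pixels) < 32:
        raise ValueError("carrier too small for a length prefix")
    length = int.from_bytes(read(0, 4), "big")
    if 32 + length * 8 > len(pixels):
        raise ValueError("length prefix exceeds carrier: payload absent or damaged")
    return read(32, length)


def requantize(pixels: bytes, step: int = 4) -> bytes:
    """Stand-in for lossy re-encoding or format conversion (hypothetical model):
    coarsen every sample to a multiple of `step`, which zeroes the LSB plane."""
    return bytes((p // step) * step for p in pixels)


def max_sample_change(a: bytes, b: bytes) -> int:
    """Largest per-sample difference between two equally sized buffers."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed carrier: a 64x64 greyscale ramp. Constructed payload: LaTeX
# source of the kind the comment says was embedded behind a rendered equation.
CARRIER = bytes((i * 7 + 13) % 256 for i in range(64 * 64))
LATEX_SRC = rb"\int_0^\infty e^{-x^2}\,dx = \frac{\sqrt{\pi}}{2}"


def demo() -> dict:
    stego = embed_lsb(CARRIER, LATEX_SRC)
    return {
        "round_trip": extract_lsb(stego),                      # payload back intact
        "max_change": max_sample_change(CARRIER, stego),       # 1: invisible to the eye
        "after_requantize": extract_lsb(requantize(stego)),    # b'': payload gone
    }


if __name__ == "__main__":
    print(demo())
```

With 4096 samples the carrier holds 512 bytes including the prefix, so a short equation fits easily; anything that touches the sample values themselves, not just the container, destroys it.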

~~~
zild3d
Love that idea for LaTeX.

For anyone interested, storing information/messages inside another file is
called steganography
([https://en.wikipedia.org/wiki/Steganography](https://en.wikipedia.org/wiki/Steganography))

------
gmueckl
Looking at some examples given in the linked pages on this here, it stands out
that there is a structure to each of the 32 bit records in this data. The
first 16 bits are nearly random, but the second set obeys some rule: the third
octet is a low number and the whole set of records is sorted by that. The
fourth is always zero. If this is intended to be a kind of tracking
identifier, this structure is a bit odd. Intuitively, I would rather interpret
this as a list of tags that are stored in-band with the image.
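
To make the structure gmueckl describes checkable, here is an added example (not from the thread or any Facebook code) that splits the value zetor posted, which starts with the FBMD prefix lelf mentions, into 32-bit records. The layout it assumes, four ASCII bytes of magic, six hex digits of header and then little-endian 4-byte records, is inferred from this single sample and is not documented anywhere on the page; what the records mean is left open. Reading each record little-endian turns "third octet low, fourth zero, sorted by the third octet" into the plainer statement that every value is below 2^24 and the list is strictly ascending.

```python
import struct

# Constructed from the thread: the SpecialInstructions value zetor posted.
SAMPLE_FBMD = ("FBMD01000ab5030000930700008b130000ae130000011400005d3f0000"
               "9b740000ce750000f1750000277600005eaa0000")


def parse_fbmd(value: str):
    """Split an FBMD string into (header_bytes, records).

    Assumed layout (inferred from one sample only): 'FBMD' magic, six hex
    digits of header, then hex-encoded 4-byte records read as little-endian
    unsigned integers.
    """
    if not value.startswith("FBMD"):
        raise ValueError("missing FBMD magic")
    raw = bytes.fromhex(value[4:])            # raises on non-hex or odd length
    header, body = raw[:3], raw[3:]
    if len(body) % 4:
        raise ValueError(f"record area is {len(body)} bytes, not a multiple of 4")
    records = [r for (r,) in struct.iter_unpack("<I", body)]
    return header, records


def describe(records) -> dict:
    """The regularities gmueckl points out, stated on the decoded integers:
    high byte always zero and records strictly increasing."""
    return {
        "count": len(records),
        "top_byte_zero": all(r < 1 << 24 for r in records),
        "sorted_ascending": all(a < b for a, b in zip(records, records[1:])),
        "span": (min(records), max(records)) if records else None,
    }


if __name__ == "__main__":
    header, records = parse_fbmd(SAMPLE_FBMD)
    print(header.hex(), records)
    print(describe(records))
```

Running it on a second download of the same photo, or on the same photo from another account, and comparing the record lists is the experiment kabwj asks about further down; the parser makes that comparison a one-liner.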

------
eqtn
The Indian government has asked whatsapp to make all messages traceable to
their origin.

From the twitter thread, whatsapp isn't currently doing it though. But this
can be used to find the origin of images.

[https://thenextweb.com/security/2019/06/18/india-is-still-ho...](https://thenextweb.com/security/2019/06/18/india-is-still-hounding-whatsapp-to-make-its-messages-traceable/)

------
harel
Isn't it the same as printers watermarking printouts? I don't see this as a
necessarily bad thing. In a public forum in a far from perfect world there
should be a place for accountability when people distribute photos they
shouldn't.

~~~
verroq
Printers shouldn't be watermarking printouts and neither should Facebook.

~~~
harel
They shouldn't, true. But they are. And have been for a very long time. People
who require anonymity would/should/could subvert all those things. But just to
give one example: if the daughter I don't have for example was to be targeted
by some ex boyfriend posting private photos, I would like to be able to
pinpoint the source of those photos. In the case of Facebook that
tracking/watermarking is limited to stuff coming out of the FB platforms. Open
any photo done with a digital camera and you can get a lot of information from
the raw data as well. What I'm saying - a blanket objection of all 'meta'
tracking data is not helpful - because it does and will keep on happening.
Education on how to work around it when it's needed is maybe the solution. And
in some cases, like the example I gave, that tracking data can actually be
used to do good.

~~~
verroq
No amount of tracking is acceptable in the same way the freedom of speech is
absolute (no censorship is acceptable).

You can say it is not a slippery slope but our rights _are_ eroded when we
compromise.

If you need tracking you put the dots on your own print outs. There is no need
to have dots on everyone else’s print outs.

~~~
harel
I do not approve of any printer that watermarks my printouts. There is no two
ways about that. Tracking is a side effect of showing us ads. We will be shown
ads no matter what because they pay for the services we get for free and the
99% don't mind them. Without tracking on the ad front we'll see random ads,
they would be less effective, that industry will ultimately collapse and we
will start paying for every single service we use. Again - I do not condone
it, but I don't have the will personally to fight it or let it affect me in
any way. When I want my actions to be untrackable, I will take steps to make
them so. I would however like both the ad world and consumers to reach some
sort of middle ground in regards to what is acceptable and what is not. The
way things are now is out of balance in favour of advertisers. It should be
corrected.

------
unilynx
Does this 'IPTC' tag survive common image editing? Or are they targeting it
towards an external application?

If it was just for recognizing re-uploads, they could have just stored the
sha-256 hash server-side.

~~~
lucb1e
It's up to the editor to keep metadata. In Gimp you can choose in the advanced
export settings, but I don't know the default. Re-encoding will definitely
change any hash, but editors may (not sure how commonly) keep these tags.
You'd have to do steganography if you want it to be more persistent than a
metadata tag.

Edit: I just saw it's not a normal EXIF tag, this is something else. I'm not
sure how this is handled, might be interesting to do some empirical testing!

------
wolco
Normally this would make everyone stop uploading photos to facebook. But most
have already.

My facebook usage has gone from every second to maybe once a day. There is a
rot happening and this will become a dangerous time for anyone who used
facebook as facebook will slowly sell them out and in the end extort them. Want
to keep these photos private you uploaded 10 years ago and deleted? Pay..

------
tmaly
I think if you email a photo on gmail it strips the metadata from the photo.

I had this problem when I was trying to use the metadata to get the
orientation.

~~~
TazeTSchnitzel
It's good practice for any website that takes image uploads to strip
unnecessary metadata, as people can inadvertently reveal their location
(geotags) or identity (serial numbers etc) otherwise.
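
As an added example, and not code from the thread or from any image library, here is a small JPEG segment walker in Python that does both things discussed above: it locates the IPTC SpecialInstructions dataset lelf points at (IIM record 2, dataset 40, carried in the APP13 "Photoshop 3.0" block under resource 0x0404, which is where exiftool reads IPTC from) and it rebuilds the file without APP and COM segments, which is the stripping TazeTSchnitzel recommends for any upload endpoint. The sample file is constructed: correct marker framing around a placeholder scan, carrying the FBMD string zetor posted, and not a decodable picture. The only metadata segment kept by default is APP0 (JFIF), an assumption you may want to tighten.

```python
import struct

# JPEG marker codes from the spec; APP13 is where Photoshop/IPTC data lives.
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP0, APP1, APP13 = 0xE0, 0xE1, 0xED
STANDALONE = {SOI, EOI} | set(range(0xD0, 0xD8))    # markers with no length field
APPN = set(range(0xE0, 0xF0))


def segments(data: bytes):
    """Yield (marker, payload) for each segment up to SOS; the entropy-coded
    scan that follows (through EOI) is yielded once as (None, bytes)."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 0
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield marker, b""
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == SOS:
            yield None, data[pos:]
            return


def iptc_datasets(data: bytes) -> dict:
    """Collect IPTC-IIM datasets from APP13 'Photoshop 3.0' resource 0x0404.
    Keys are (record, dataset); SpecialInstructions is (2, 40)."""
    found = {}
    for marker, payload in segments(data):
        if marker != APP13 or not payload.startswith(b"Photoshop 3.0\x00"):
            continue
        pos = 14
        while payload[pos:pos + 4] == b"8BIM":
            (rid,) = struct.unpack(">H", payload[pos + 4:pos + 6])
            name_len = payload[pos + 6]
            pos += 7 + name_len + ((name_len + 1) % 2)     # Pascal name, padded to even
            (size,) = struct.unpack(">I", payload[pos:pos + 4])
            block = payload[pos + 4:pos + 4 + size]
            pos += 4 + size + (size % 2)
            if rid != 0x0404:
                continue
            bp = 0
            while bp + 5 <= len(block) and block[bp] == 0x1C:
                rec, ds = block[bp + 1], block[bp + 2]
                (ln,) = struct.unpack(">H", block[bp + 3:bp + 5])
                found.setdefault((rec, ds), []).append(block[bp + 5:bp + 5 + ln])
                bp += 5 + ln
    return found


def strip_metadata(data: bytes, keep=(APP0,)) -> bytes:
    """Rebuild the file without APPn (other than `keep`) and COM segments.
    Tables, frame header and the scan are copied byte for byte."""
    out = bytearray()
    for marker, payload in segments(data):
        if marker is None:
            out += payload
        elif marker in STANDALONE:
            out += bytes([0xFF, marker])
        elif (marker in APPN and marker not in keep) or marker == COM:
            continue
        else:
            out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out)


# --- constructed sample: valid framing, placeholder scan, not a real picture ---
def seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def iptc_dataset(rec: int, ds: int, value: bytes) -> bytes:
    return bytes([0x1C, rec, ds]) + struct.pack(">H", len(value)) + value

def photoshop_irb(iptc: bytes) -> bytes:
    body = b"8BIM" + b"\x04\x04" + b"\x00\x00" + struct.pack(">I", len(iptc)) + iptc
    return b"Photoshop 3.0\x00" + body + (b"\x00" if len(iptc) % 2 else b"")

FBMD = ("FBMD01000ab5030000930700008b130000ae130000011400005d3f0000"
        "9b740000ce750000f1750000277600005eaa0000").encode()

SAMPLE_JPEG = (
    b"\xFF\xD8"
    + seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + seg(APP1, b"Exif\x00\x00MM\x00\x2A\x00\x00\x00\x08")        # skeletal Exif header
    + seg(APP13, photoshop_irb(iptc_dataset(2, 40, FBMD)))        # SpecialInstructions
    + seg(0xDB, b"\x00" + bytes(64))                              # DQT placeholder
    + seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")          # SOF0: 8x8 greyscale
    + seg(SOS, b"\x01\x01\x00\x00\x3F\x00")
    + b"\x12\x34\x56"                                             # stand-in scan data
    + b"\xFF\xD9"
)

if __name__ == "__main__":
    print(iptc_datasets(SAMPLE_JPEG))
    print(len(SAMPLE_JPEG), "->", len(strip_metadata(SAMPLE_JPEG)))
```

Because the scan is copied untouched, the stripped file decodes to the same pixels; this is the cheap, lossless version of what an upload pipeline should do, and it is also the check to run on a downloaded FB_IMG file to confirm what survived.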

~~~
mschuster91
For websites in general yes but I do not want an e-mail client that,
unbeknownst to me, manipulates data in transit. Time to pgp-sign the
attachments on mails, too? :/

------
kabwj
No indication of what it means. Has anybody tried to download the same picture
from two accounts and see if the data changes? Maybe this is some data they
embed into the picture for bookkeeping when inside their infrastructure and
they forget to strip it when they let you download it.

~~~
mattigames
Nah, it is extremely useful for them to know when a picture is being
re-uploaded, so I don't believe for a second they "forgot to strip it".

------
ksajadi
I’m curious, but are we biased here on HN, or is literally every piece of news
coming out about that company about another nasty privacy-invading practice at
Facebook? Although I admit there are some posts about FB open source projects
here too.

~~~
outside1234
I think Facebook is biased itself towards doing a whole bunch of nasty privacy
practices, not HN in reporting them.

------
cbzbc
I think this may well have been found a while back:

[https://stackoverflow.com/questions/31120222/iptc-metadata-a...](https://stackoverflow.com/questions/31120222/iptc-metadata-automatically-added-to-uploaded-images-on-facebook)

~~~
blumomo
What you thought one hour ago had already been replied to the tweet 4 hours
earlier. I'm not sure if you copied it from there?

~~~
luxuryballs
perhaps that’s why he thought it

------
johnchristopher
Why don't they encrypt that kind of payload? I suppose tampering with it is
easy enough that it would prevent using this data in litigation issues, right?

------
tjpnz
Shouldn't a privacy friendly browser/extension be able to defeat this
technique by passing said images through exiftool (or similar) and then
caching it?

------
xxxpupugo
Not to jump on the bashing train, but this tracking might not be for
advertising purposes only, right? This could be put in place for copyright
protection.

~~~
qrbLPHiKpiux
It's Facebook. FB doesn't give 2 licks about an individual.

------
baybal2
One should note that they went to quite some length to hide it from mainstream
EXIF readers.

It is not in a comment field, nor does it reuse any EXIF guid equivalent.

A much more grievous thing they may be doing is speculated to be them encoding
tracking into the photo's hue channel.

There was a time when you were able to see a stripe of odd pixels in the bottom
right side of some photos.

Later, I read a blog post saying that if you upload a solid grey picture, you
will see weird subtle colour banding patterns on it if you download it back.

I tried myself now, and it did not work for me.

~~~
cookiecaper
"Mainstream EXIF readers" are mostly derivatives/wrappers around Phil Harvey's
ExifTool, which has supported IPTC tags for a very long time. Whatever may be
interesting about this, the fact that the data is stored in an IPTC tag is not
really part of it. IPTC/IIM structures predate Exif by decades:
[https://en.wikipedia.org/wiki/IPTC_Information_Interchange_M...](https://en.wikipedia.org/wiki/IPTC_Information_Interchange_Model)

------
jammygit
Right after that $5B fine too

------
modzu
When I read the headline I thought steganography. Is it possible to know if
they are using such techniques? Making exif data a red herring.

~~~
Tharkun
You could try uploading a bunch of images and downloading them again, finding
out where they differ. This should be reasonably straightforward. However, FB
likely modifies the image in various ways (resizing, maybe they recompress the
image to save space, etc). Showing the presence or absence of steganography
will probably require a large sample size.

------
sound_and_form
There's a simple solution to any problem related to Facebook. Stop using it.

~~~
zerr
Any alternatives for maintaining remote friendships?

EDIT: with passive updates.

~~~
tadzik_
Any other form of communication – email, IMs, phones etc. If you're not having
a conversation but just "like" each other's photos it's not "maintaining a
remote friendship" anyway.

~~~
zerr
Passively receiving some updates, i.e. where they've checked in, some new
photos, posts/comments, etc... is also useful I think.

~~~
tadzik_
Yeah, good point. I often find myself wanting to follow what some people are
up to (friends or not), and it's always frustrating how it requires you to be
a part of a certain platform to do that – you can't follow anyone's instagram,
facebook, twitter etc without an account, and even then you still need to go
on instagram/facebook/twitter to actually check it out.

I recently created myself a Pixelfed (a federated instagram, basically) and
was pleasantly surprised how my profile has a plain, old RSS feed, so that
anyone can "track" me without ever visiting a website (which is something that
ActivityPub itself also allows, but AP still forces you to be a part of the
"system", so to say).

I'd much prefer that kind of Federated world, but I don't see how we can get
there in any other way than spreading awareness about it and basically nagging
our friends (at the risk of isolating ourselves) – “I wish I could follow your
adventures and thoughts, but I don't want a facebook account”. This of course
requires a critical mass for basically each person, and probably a way of
automatically updating the locked-in platforms (for each post you push to
pixelfed/blog it updates your instagram/facebook) so that the ones who take a
step out don't need to leave their locked-in friends behind.

~~~
ubercow13
How is using ActivityPub any more being part of the system than having to use
the RSS 'system'?

~~~
tadzik_
ActivityPub requires an account on a server of some sort. RSS is client-only,
so the "friction" is much lower.

Of all the people who listen to podcasts through some kind of an app, how many
of them have created an account anywhere?

