Opened 6 months ago

Last modified 4 months ago

#24965 new defect

Automatically remove metadata from images (EXIF) before upload

Reported by: arthuredelstein
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-fingerprinting, gsoc-proposed
Cc: richard@…, brade, mcs
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

We should enhance Tor Browser to wipe dangerous (EXIF or other) metadata from any images the user decides to upload (both on desktop and mobile). But keep the landscape/portrait tags. Bonus points for video/audio, or other common file formats.
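As an added illustration that is not part of the ticket or of Tor Browser's code, the sketch below shows the behaviour the description asks for on JPEG input: metadata segments are dropped and only the orientation is carried over. The function names, the choice to keep APP0/APP2/APP14, and the sample bytes are assumptions made for this example.

```javascript
// Added example (not Tor Browser code). Assumption: APP0 (JFIF), APP2 (ICC) and APP14 (Adobe)
// are kept for rendering; every other APPn segment and COM comment is dropped.
const KEEP_APP = new Set([0xe0, 0xe2, 0xee]);
const hex = (s) => Uint8Array.from(s.match(/../g), (b) => parseInt(b, 16));

// Read Orientation (tag 0x0112) from IFD0 of an Exif APP1 payload; null if absent or invalid.
function readOrientation(p) {
  if (p.length < 14 || String.fromCharCode(...p.subarray(0, 6)) !== "Exif\0\0") return null;
  const v = new DataView(p.buffer, p.byteOffset + 6, p.length - 6);
  const le = v.getUint16(0) === 0x4949; // "II" is little-endian, anything else is read as "MM"
  const ifd = v.getUint32(4, le);
  if (ifd + 2 > v.byteLength) return null;
  const count = v.getUint16(ifd, le);
  for (let i = 0, e = ifd + 2; i < count && e + 12 <= v.byteLength; i++, e += 12) {
    if (v.getUint16(e, le) === 0x0112) { const o = v.getUint16(e + 8, le); return o >= 1 && o <= 8 ? o : null; }
  }
  return null;
}

// Fresh big-endian Exif APP1 segment whose only IFD0 entry is Orientation = o (1..8).
const orientationSegment = (o) => hex("ffe10022" + "457869660000" + "4d4d002a00000008" +
  "0001" + "0112000300000001" + "000" + o + "0000" + "00000000");

// Returns a new Uint8Array; throws rather than passing through a file it cannot parse.
function stripJpegMetadata(bytes, keepOrientation = true) {
  if (bytes[0] !== 0xff || bytes[1] !== 0xd8) throw new Error("not a JPEG");
  const parts = [bytes.subarray(0, 2)];
  let pos = 2, replaced = false;
  while (!(bytes[pos] === 0xff && bytes[pos + 1] === 0xda)) { // SOS ends the header area
    const marker = bytes[pos + 1], len = (bytes[pos + 2] << 8) | bytes[pos + 3];
    if (bytes[pos] !== 0xff || len < 2 || pos + 2 + len > bytes.length) throw new Error("malformed JPEG");
    const seg = bytes.subarray(pos, pos + 2 + len);
    const o = marker === 0xe1 && keepOrientation && !replaced ? readOrientation(seg.subarray(4)) : null;
    if (o !== null) { parts.push(orientationSegment(o)); replaced = true; }
    if (marker !== 0xfe && (marker < 0xe0 || marker > 0xef || KEEP_APP.has(marker))) parts.push(seg);
    pos += 2 + len;
  }
  parts.push(bytes.subarray(pos)); // scan data copied verbatim; bytes after EOI are not inspected
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  parts.reduce((at, p) => (out.set(p, at), at + p.length), 0);
  return out;
}

// Constructed sample (not a decodable picture): SOI, APP0 "JFIF", APP1 Exif with
// Make="Cam" and Orientation=6, COM "hi", SOS stub with two scan bytes, EOI.
const SAMPLE = hex("ffd8" + "ffe000074a46494600" + "ffe1002e" + "457869660000" +
  "49492a0008000000" + "0200" + "0f0102000400000043616d00" + "120103000100000006000000" +
  "00000000" + "fffe00046869" + "ffda00021234ffd9");
```

Passing `false` as the second argument drops the orientation as well, which corresponds to stripping everything.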


Change History (7)

comment:1 Changed 6 months ago by pospeselr

Cc: richard@… added

comment:2 Changed 6 months ago by mcs

Cc: brade mcs added

This seems like a good idea and something Firefox and other browsers should have as well. I did find this:
https://bugzilla.mozilla.org/show_bug.cgi?id=1067211

comment:3 in reply to:  2 Changed 6 months ago by sysrqb

Replying to mcs:

> This seems like a good idea and something Firefox and other browsers should have as well. I did find this:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1067211

Oh, nice. That's surprisingly appropriate. We can also look at MAT as an example, as well as the alternatives.

https://mat.boum.org/

comment:4 Changed 6 months ago by cypherpunks

By default, seems really great to protect users (would such a benefit apply to GlobaLeaks as well?). What if I want to have EXIF data uploaded? There should be some pref for that I can flip in such cases.

PS: What about PDFs as well?

Last edited 6 months ago by cypherpunks

comment:5 in reply to:  4 Changed 5 months ago by arthuredelstein

Replying to cypherpunks:

> By default, seems really great to protect users (would such a benefit apply to GlobaLeaks as well?). What if I want to have EXIF data uploaded? There should be some pref for that I can flip in such cases.

Yes, I can imagine a checkbox in the upload dialog or a pref might be a possibility. I think it's important that metadata is stripped by default, though.

> PS: What about PDFs as well?

Yes! There's a list on https://mat.boum.org that could serve as inspiration:

Portable Network Graphics (.png)
JPEG (.jpg, .jpeg, …)
TIFF (.tif, .tiff, …)
Open Documents (.odt, .odx, .ods, …)
Office OpenXml (.docx, .pptx, .xlsx, …)
Portable Document Fileformat (.pdf)
Tape ARchives (.tar, .tar.bz2, …)
MPEG AUdio (.mp3, .mp2, .mp1, …)
Ogg Vorbis (.ogg, …)
Free Lossless Audio Codec (.flac)
Torrent (.torrent)

comment:6 Changed 4 months ago by arma

I spoke to a person in Facebook legal who said that Facebook strips metadata from uploaded media (yay), but that they quietly store it separately in case somebody asks them for it (boo).

So, yes, having Tor Browser do it on the user side would be yet another good case of having the user enforce their own safety through technical means, rather than hoping (policy means) that some third party does the right thing.

comment:7 Changed 4 months ago by arthuredelstein

This project has been proposed for the Tor Summer of Privacy program for 2018 and we are currently receiving applicants.
