Closed Bug 743152 Opened 14 years ago Closed 14 years ago

Automatically delete personal EXIF data from images when uploading

Categories

(Firefox :: General, enhancement)

Product:
Firefox
Component:
General
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: birtles, Unassigned)

References

Details

(Keywords: privacy)

When users upload photos to the Web they may unwittingly be sending personal information by means of the photo's EXIF data. One example is the serial number which can be used to find all photos taken with the same camera (http://www.stolencamerafinder.com/). Another would be geolocation data. Firefox should automatically strip this data when uploading JPEG files etc. There would, of course, need to be the ability to selectively upload it (e.g. when you want geolocation data to be included for use on photo sharing sites that put photos on a map). Firefox should be protecting users' privacy, especially those who have never heard of EXIF. Using the serial number it would be possible to take a photo someone took for professional purposes and match it up with photos taken for personal purposes which seems like an infringement on a user's privacy, especially since the user may be quite unaware that this is possible.
Note that, as per bug 298619, we wouldn't necessarily want to drop all EXIF data since some might be useful.
I don't want that my browser changes my data that I try to upload. This should be optional and opt-in or better done in an extension.
Severity: normal → enhancement
(In reply to Matthias Versen (Matti) from comment #2) > I don't want that my browser changes my data that I try to upload. > This should be optional and opt-in or better done in an extension. It would have to be configurable, for sure, perhaps on a per-site/per-upload basis. However, I don't think opt-in/extension approach would be useful since it would fail to protect the people who need it most. It wouldn't change the image data, simply remove personal information from the EXIF data.
I'm going to WONTFIX this as filed... It's certainly an interesting idea (and oh my has it bitten people before), but it's entirely unclear to me how this could be exposed in a useful way without confusing people... Or, put differently, to be effective it would need to be on by default -- the users most in need are least likely to understand it -- but given that it could break expected functionality it's hard to see enabling this as a default (consider Flickr users who want exposure data and unmodified images as a backup). There's also the technical issue of there being other ways to access files (see http://www.w3.org/TR/FileAPI/), and so filtering out EXIF on uploads wouldn't always be possible or desired. [Though if the other issues could be overcome, this might not be a big deal in practice.] I'd suggest the best path forward on something like this would be to write an extension that does such filtering. Or just makes it easier to see EXIF data in images (greater awareness would help). Might need platform support to hook into file uploading, or for built-in EXIF support. The latter, especially, would probably be a really useful thing to have.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
Keywords: privacy
Sounds like this one for mobile https://bugzilla.mozilla.org/show_bug.cgi?id=1067211 which has NOT been closed as WONTFIX -- so holding out some hope something like this could be made for desktop. What if the UI looked like this: - if you select an image in a file-dialog, check if there's EXIF data - if there's EXIF data, one of these: - ask the user ("warning, there is the following EXIF data in this image; still upload?") - ask the user, but with an additional option ("remove all EXIF data before uploading") - just refuse (i.e. probably with some "about:config" change enabled) - maybe this could be further refined to kinds of tags -- e.g. refuse if there's any GPS data And yes, I agree this would need to be "on by default" the be effective. Would it be sufficient that either of the first two dialogs suggested above have a "[x] don't ask me again"..? (Does Firefox have design-guidelines around questions like this?)
See Also: → 1067211
See Also: → 1316026
There are some neat ideas in bug 1316026. I like the idea of NOT using the word EXIF, of showing what information is being sent, and of being able to selectively clear location data or device data (or both). That said, I don't know if we've done this kind of in-content doorhanger before. Maybe if it hung off the "Browse..." button it would be ok.
You need to log in before you can comment on or make changes to this bug.