Tuesday, 22 November 2011

Does Facebook leak your child's location?

A recent story in free London paper The Metro suggests that child abusers could locate victims by analysing images posted on Facebook. The claim is that locational metadata (specifically GPS coordinates) is retained in the image, which can then be viewed by anyone able to right-click and choose Properties.

In the report Bradley Anstis from M86 Security Labs is quoted as saying that, "If your kids use Facebook to upload a photo of their new bedroom to show friends, an attacker could find the co-ordinates for that address."

I've just tested this and the claim appears to be incorrect.

When I uploaded an image that contained GPS coordinates, the result on Facebook was completely stripped of all Exif metadata.

The image I used was one from a collection available from SpatiaLite's site.

This file (DSCN0010.JPG) contained metadata,
including GPS coords.
 You can clearly see in the screenshot above that the EXIF version is 0220 and that the GPS coordinates are available. I then uploaded the image to Facebook, downloaded the result and viewed its Properties.

The uploaded file is stripped of all metadata.
The result was an image completely devoid of metadata. Even the EXIF version field is empty.