Metadata and Thumbnails Can Out Your Anonymous Sources
An artfully disguised photo, presumably of the hacker known as 0x80. Photograph by Sarah L. Voisin for The Washington Post.
An EXIF and IPTC metadata utility revealed that the location data was still embedded.
Most photojournalists have started tagging their photos with IPTC metadata to aid with copyright and indexing their massive collections of images. Some news organizations also require that all digital images be tagged to properly track and attribute each file during the production process. This metadata, however, can lead to compromising privacy if not properly sanitized or redacted before publication.
An article by Brian Krebs that ran in The Washington Post earlier this year sparked a flurry of activity as an anonymous source's location was seemingly outed by the metadata the photojournalist embedded in one of the article’s photos. The photo was eventually pulled from the Post's website, but not before Slashdot readers posted the probable location of the source and later used Google Maps to track down locations mentioned in the article. Although not a career-ending move, the situation could have turned out much worse had the source's real name been left in the metadata.
After the metadata leak, the anonymous source came forward, revealing that they were the hacker known online as 0x80. In the now-deleted comments section of The Washington Post article, a commenter claiming to be 0x80 replied: “funny is that that is way off from where i reside apprently from what i gathered from brian kreps was it was old metadata so im still safe. haha i guess luck is on my side :)”
In a now-archived discussion thread, when 0x80 was asked if they were “aware that the Post failed to scrub the metadata from the images used in this article, leaving information about your town,”Brian Krebs replied, “As you know we take our obligations with sources very seriously and I don't want to comment about any speculation about sources.”
The published version of the photo was a closeup of Catherine “Cat” Schwartz’s eyes, but its embedded thumbnail contained a preview version of the original uncropped topless photo.
Another published photo was a closeup of Catherine “Cat” Schwartz leaning back while smoking, but its embedded thumbnail contained a preview version of the original uncropped topless photo. Also illustrated is a censored version of the original topless photos.
Also serious is when photographers or editors do not properly export an image after executing minor crops or edits. Under some circumstances, Adobe Photoshop and other image editing programs may use the original, unedited image to generate the thumbnail icon. This can happen if an image with minor edits is saved in place using the Save command instead of the Export or Save As… command.
One such widely-publicized incident resulted in topless photos of then-TechTV correspondent Catherine “Cat” Schwartz getting posted publicly on the web. While the final, published photos were tightly-cropped closeups of Schwartz’s face, the photoshoot was actually shot wide angle with her lounging topless in the photography studio.
When fans downloaded the images, the thumbnail icons and embedded preview revealed the original uncropped topless image. Although the thumbnails weren't high-resolution, it was still enough to result in an embarrassing moment.
Even now, three years after the incident, a page containing the enlarged topless photos is still #2 on Google when searching for Schwartz’s name.
Updated on Friday, May 12, 2023 to add additional details and context. Even today, nearly a decade after the 0x80 and Cat Schwartz metadata leaks, many photographers and journalists are still making the mistake of not stripping sensitive metadata from their images. This, in part, is due to the fact that smartphones, digital cameras, and image editing programs now embed verbose metadata for copyright enforcement.
