Facebook Adding Metadata – Hiding Special Instructions in Photos



Let’s face it – today many of us are becoming increasingly aware of, and concerned about, our privacy online. How many of us have pondered whether it is possible to use the internet in complete anonymity, or wondered how much of our personal information is out there? How much is too much, and how vulnerable are we due to sharing content online?

At snapWONDERS, I have been leading the team on analysing media content and metadata with the focus on exposing privacy, copyright and tracking concerns. It is very possible that metadata contained within photos can be used for tracking and forensic purposes. Imagine my surprise when I spotted something that looked highly suspicious. My early assumption was that Facebook was adding metadata that could potentially be used for tracking and other nefarious or unconsented purposes. This potentially allowed a method to track what happens to media content that is shared outside of Facebook and to infer relationships from the way the media is exchanged.

I spotted that, under the APP13 metadata within the photo with the signature “Photoshop 3.0”, a tag called “Special Instructions” had been added under the IPTC section, with a value that started with “FBMD” followed by at least 32 bytes of hexadecimal encoded data. The photo was originally uploaded to Facebook, so my immediate thought was that FBMD could potentially be an acronym for “Facebook Metadata”. Furthermore, the content didn’t look like genuine “Special Instructions” content.

Researching further online, it seems that these concerns were raised as far back as 2015 by a StackOverflow user, Patrick Peccattee, who raised questions about images uploaded to Facebook containing IPTC/IIM fields that are added automatically during the uploading process. It seems two tags were added, named “Special Instructions” and “Original Transmission Reference”.
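As an added example (not snapWONDERS' code and not part of the original post), the following Python code walks a JPEG's APP13 “Photoshop 3.0” segment, locates the IPTC resource inside it and reports the two tags named above, flagging any value that starts with “FBMD”. The dataset numbers 2:40 and 2:103 and the 8BIM resource ID 0x0404 come from the IPTC IIM and Photoshop image-resource formats rather than from this page; the function names and the sample bytes are constructed for illustration.

```python
import struct

PS_SIG = b"Photoshop 3.0\x00"          # APP13 signature quoted in the article
TAGS = {40: "Special Instructions", 103: "Original Transmission Reference"}

def app13_payloads(jpeg):
    """Yield the body of each APP13 'Photoshop 3.0' segment before scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        seglen = int.from_bytes(jpeg[pos + 2:pos + 4], "big")   # includes its own 2 bytes
        body = jpeg[pos + 4:pos + 2 + seglen]
        if jpeg[pos + 1] == 0xED and body.startswith(PS_SIG):
            yield body[len(PS_SIG):]
        pos += 2 + seglen

def iptc_blocks(irb):
    """Yield the data of each 8BIM image resource 0x0404 (IPTC-NAA)."""
    pos = 0
    while pos + 12 <= len(irb) and irb[pos:pos + 4] == b"8BIM":
        res_id = int.from_bytes(irb[pos + 4:pos + 6], "big")
        pos += 6 + ((irb[pos + 6] + 2) & ~1)      # Pascal name, padded to even
        size = int.from_bytes(irb[pos:pos + 4], "big")
        if res_id == 0x0404:
            yield irb[pos + 4:pos + 4 + size]
        pos += 4 + size + (size & 1)              # data padded to even

def tracking_tags(jpeg):
    """Yield (tag, value, starts_with_FBMD) for IPTC record 2 datasets in TAGS."""
    for irb in app13_payloads(jpeg):
        for iptc in iptc_blocks(irb):
            pos = 0
            while pos + 5 <= len(iptc) and iptc[pos] == 0x1C:
                rec, ds = iptc[pos + 1], iptc[pos + 2]
                n = int.from_bytes(iptc[pos + 3:pos + 5], "big")
                if n & 0x8000:                    # extended-length dataset: not handled
                    break
                text = iptc[pos + 5:pos + 5 + n].decode("latin-1")
                if rec == 2 and ds in TAGS:
                    yield TAGS[ds], text, text.startswith("FBMD")
                pos += 5 + n

def constructed_sample():
    """Constructed JPEG header (no image data); both tag values are made up."""
    ds = lambda num, val: struct.pack(">BBBH", 0x1C, 2, num, len(val)) + val
    iptc = ds(40, b"FBMD" + b"0123456789abcdef" * 4) + ds(103, b"constructed-ref")
    body = PS_SIG + b"8BIM" + struct.pack(">HBBI", 0x0404, 0, 0, len(iptc)) + iptc + b"\x00"
    return b"\xff\xd8\xff\xed" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```

To check a real file, pass its bytes, for example `list(tracking_tags(open("photo.jpg", "rb").read()))`, where `photo.jpg` is a placeholder path.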

This was further elaborated by Edin Jusupovic, a cybersecurity expert, in a Twitter post back in July 2019, which states that this enables Facebook to track photos outside of its platform with high precision and to track who originally uploaded the photos.

The encodings are visible within the metadata; however, Jusupovic warned that “if the technology is weaponised then Facebook could potentially track its users without zero proof”.

This leaves me to wonder whether the future would see steganography becoming more prevalent with media content shared online. Steganography is the practice of concealing a file, message, image or content within another file (in this case it would be the photos and media).

The ability to attach unique references to content and associate them with a “person” via an account (or a device) provides mechanisms to track and gather information in a way that can be used to learn patterns, infer relationships, perform behavioural analysis and serve forensic purposes.

For example, suppose I shared an original source photo with my mum on a social platform or online, and extra tracking metadata was added marking me as the source. If mum downloaded the photo and emailed it to my sister, and my sister later shared the photo using her secret account on the same social platform, unknown to my mum and myself, then by means of tracking the social platform can almost infer there’s a relationship between my sister, myself and mum even though we were not connected in any way. This certainly could create a motive for, and trigger, further analysis of potential relationships between all parties involved. Similarly, such tracking could potentially uncover friends of friends or indirect relationships amongst users through organisations / clubs or points of common interest.

Alternatively, such metadata could be used to track the original ownership of photos, that is, who originally uploaded them. Potentially this could be used to automatically settle ownership disputes. This certainly has merit, but it would be more concerning if the way uploaded content was being used wasn’t conveyed in any way to the end users. This is because there’s a difference between information being used to help protect ownership and being used for profiling purposes.

At snapWONDERS we care about privacy, copyrights and tracking especially in relation to digital photos. If you have anything to share about hidden metadata within photos or discovered a smartphone or camera that has a privacy concern, then we would be interested in learning more.

Meanwhile, you can run our tool at snapWONDERS to automatically assess and expose privacy, copyright and tracking concerns in your digital photos and media content online.