
[MW] EXIF data needs to be possible to remove automatically or optionally
Closed, Duplicate, Public


EXIF data can be used to discover the owner of valuables photographed and uploaded to a MediaWiki site. From there, kidnappings and other tragedies are a serious risk that cannot be ignored. Most people believe kidnappings are rare, but in fact, they are just not reported for the obvious reason that the anxious parents want their kids back, and they will not report the kidnapping if that puts their children at risk (it does). Kidnappings are common enough that the insurance industry is involved in paying ransoms:

Kidnappings are the worst case scenario, but anything that attracts criminal attention should be carefully evaluated and dealt with like any other security risk, and not dismissed as unlikely or "not my problem" - just ask Kevin Mitnick, who exploited "unimportant" underlings to reach larger criminal objectives, in much the same way a kidnapper exploits children to reach the parents, and the parents' bank.

GPS data is the most potent risk in EXIF data, but the other data may provide enough information to cause the identification of a criminal target. The ability to remove GPS data, and/or most other EXIF data, is critical for protecting both the ignorant and the innocent, who can be indirectly harmed by EXIF data that they may not even be aware of.

Simply hiding the EXIF metadata display is worse than displaying it, because not displaying it still leaves the ignorant unaware that it exists. That is one of the well-known pitfalls of security through obscurity.

So, there needs to be at least something like a checkbox that an uploader can use to indicate they want MediaWiki to remove EXIF data. The ability for a wiki to be configured to always automatically remove EXIF data is also required to achieve "fail safe", in some circumstances.

The stakes are potentially very high, so until this is implemented, the bare minimum would be some sort of link to a page like this one, with information on how to remove the EXIF data:

Of course, informing the uploader of the risks would also be helpful in dealing with the ignorance part of the problem, which that page currently does not have. There has been media attention to the problems that EXIF data can cause for people:

That causes people to be hesitant in uploading their images. Addressing this issue can eliminate some of the objections potential contributors might have that prevent them from sharing their images.

Version: 1.18.x
Severity: enhancement



Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 12:18 AM
bzimport set Reference to bz35514.
bzimport added a subscriber: Unknown Object (MLST).

Dupe of bug 20326 (although you give a much more in-depth explanation of why we need to do this than the other bug does).

*** This bug has been marked as a duplicate of bug 20326 ***

I thought I had thoroughly searched for dupes, but the main keyword I used was "EXIF", so that previous report didn't show up for me. Thanks for finding it for me.