XF 1.2 EXIF Jpg Image Info Geo Privacy - Remove jpg geographic data

[ProCom]

As more and more phones w/cameras and cameras have GPS data added into images, the more privacy concerns arise.

A lot of people have no idea that the specific location of the picture is stored inside the image (as well as camera information, etc.)

I believe Facebook and many other services automatically strip out this info to protect users from themselves.

Is there a way to have xF automatically strip out the information, especially geographic data, on upload?

 

[Jeremy]

You'll need an add-on, I do not believe its done.

 

[ProCom]

Where should I suggest that this be added to the core? Removing exif data from uploaded pics is a VERY good idea (which is why Facebook, Twitter, etc. do it on upload).

McAffe got caught because of someone not being careful with their exif data: http://www.kernelmag.com/features/report/5488/what-your-photos-say-about-you/#

 

[Jeremy]

Any suggestions for the core go in the suggestions forum:
http://xenforo.com/community/forums/xenforo-suggestions.18/

 

[TPerry]

Is there a way to have xF automatically strip out the information, especially geographic data, on upload?

If so, it needs to be end user selectable. I have some plans on a photography forum I am setting up to have a gallery - and eventually work so that the photos will map to a Google Maps that will be user viewable.

 

[sonnb]

Where should I suggest that this be added to the core? Removing exif data from uploaded pics is a VERY good idea (which is why Facebook, Twitter, etc. do it on upload).

McAffe got caught because of someone not being careful with their exif data: http://www.kernelmag.com/features/report/5488/what-your-photos-say-about-you/#

They did not remove it actually (or we are not sure). You cannot see it because they serve you resized images which do not contains EXIF. You could check out Flickr, resized images do not contain EXIF but original images do.

 

[HWS]

We do this for a long tome now with jhead, since we see this as a serious privacy issue. We auto-orientate the image and strip the location data at the time of uploading automatically.

You can just (for example) put that line of code to the correct location into the file library/XenForo/Upload.php:

exec("/usr/bin/jhead -purejpg -di -autorot -q $this->_tempFile");

Of course you need jhead installed at your server, so a VPS is minimum to allow you to do that.

It is hard to make an add-on for that because it depends too much on what you have installed at your server and if "exec" is allowed in your php config.

Autorotation for uploaded pictures should definitely be in the core. That can also be done with core php commands only, if ImageMagick PHP extension is installed. For this someone could make an add-on. But useres would have to switch Xenforo to "ImageMagick" to be able to use it.

 

[TPerry]

You can just (for example) put that line of code to the correct location into the file library/XenForo/Upload.php:

exec("/usr/bin/jhead -purejpg -di -autorot -q $this->_tempFile");

OK.. any hint on where the command line needs to go in the PHP? I'm a neophyte (I know just enough to break something) to PHP.

 

[ProCom]

Wow, I totally agree that both auto-rotate and exif strip should be in the core.

You mentioned the "correct location" in upload.php... where would that location be?

 

[ProCom]

BTW, until these are added to the core, I'd love to see an addon that would work with jhead, imagemagick, or whatever other options might be installed on a server.

 

[TPerry]

Wow, I totally agree that both auto-rotate and exif strip should be in the core.

You mentioned the "correct location" in upload.php... where would that location be?

@RobCom Try line 204 of the Upload.php. It worked there for me and did auto-rotation (just tested it). About to roll it out to my other 3 forums.

 

[HWS]

After some thinking, it is rather easy to strip location data out of an uploaded image and auto-orientate it.

Just call this function and you are set. It will work with GD and ImageMagick, you just need to have the php exif extension in your php.

function autoImageOrientation($file) {
  if (function_exists('exif_read_data')) {      // if exif read function exists (PHP was compiled with exif support)
    $exif = exif_read_data($file);
    if($exif && isset($exif['Orientation'])) {  // if file includes the exif orientation info
      $ori = $exif['Orientation'];
      $img = imagecreatefromjpeg($file);
      if($ori != 1){                    // if there is any rotation necessary
        $d = 0;
        switch ($ori) {
          case 3:
            $d = 180;
            break;
          case 6:
            $d = 270;
            break;
          case 8:
            $d = 90;
            break;
        }
        if ($d) {
          $img = imagerotate($img, $d, 0);   
        }
      }
      // then rewrite the rotated and exifless image back to the disk
      imagejpeg($img, $file, 95);
    }
  }
}

This function checks if your php has exif extension activated, if your image has exif data available and if the location data shows a need for rotation.

After that it auto-rotates the image and because a new image gets written with imagecreatefromjpeg the exif location data will automatically get stripped out too.

Just call this function with

autoImageOrientation($yourImageFilename);

in a suitable location in the file library/XenForo/Upload.php

I will add this code to suggestions also, maybe it can be adapted and included into XenForo core.

 

[TPerry]

I will add this code to suggestions also, maybe it can be adapted and included into XenForo core.

Only with options if they implement it. All I need it to do is auto-rotate (which I have jhead doing now). Need to keep the EXIF data for geo-location (probably will be useful in both the camera and astronomy forums I am starting) and I'm pretty sure that @Chris Deeming's gallery is going to support EXIF data for camera info (I think @sonnb's already does).

 

[HWS]

Only with options if they implement it. All I need it to do is auto-rotate (which I have jhead doing now). Need to keep the EXIF data for geo-location (probably will be useful in both the camera and astronomy forums I am starting) and I'm pretty sure that @Chris Deeming's gallery is going to support EXIF data for camera info (I think @sonnb's already does).

Both of them store the exif data in a database table at the time of upload (it does not make sense to read it from the file each time someone accesses it). You just have to make sure that this function will be called after that. But they need to handle the rebuilds differently since the stored images won't have any exif data available any more.

However this is just a suggestion. If and how it gets implemented and how add-on developers will deal with it is out of my scope. ;-)

But I still think that both auto-orientation and (with an admin switch to disable) exif location data strip should be in core.

 

[TPerry]

Both of them store the exif data in a database table at the time of upload (it does not make sense to read it from the file each time someone accesses it). You just have to make sure that this function will be called after that. But they need to handle the rebuilds differently since the stored images won't have any exif data available any more.

Exactly... I know that CopperMine Gallery has the ability to rebuild the EXIF data - and if it's stripped from the image then you have nothing to rebuild from. About the only time I could see that happening would be if for some weird reason the DB table got corrupted.

 

[sonnb]

Exactly... I know that CopperMine Gallery has the ability to rebuild the EXIF data - and if it's stripped from the image then you have nothing to rebuild from. About the only time I could see that happening would be if for some weird reason the DB table got corrupted.

There are several cases EXIF in images could be used:
- You do not have EXIF extension then later you want to install it, you might want to rebuild gallery to fetch exif data.
- You import from a gallery to another, you might want to rebuild to read exif as each gallery has different way to work with exif.

It only can be a risk if everyone can download your files with exif (like XenForo attachment system). It probably not if users have control who can download your files which contains EXIF data (like XenGallery offers with privacy for Original images).

 

[HWS]

We use sonnb's highly recommendable XenGallery together with the jhead solution above since some time now and it works perfectly. However the "rebuild with exif data" feature won't be working for us. If we ever switch to another gallery we'll find a custom solution to ex- and import the exif data from the database or any old photos won't have exif data in the new gallery.

But speaking about the Xenforo core attachment system it is true that it currently does not auto-rotate images taken in portrait mode (and even worse has no feature that allows the user to rotate it afterwards). And it also let each user with access to the attachment read the included exif data with the location and date. With both of those informations you can really stalk any (otherwise anonymous) forum user.

 

[ProCom]

Great discussion everyone!

My biggest worry is that the vast majority of my members don't know that their mobile phones are attaching their coordinates into the image they are uploading for public view. I cringe when I think of a case where:

1. A member signs up with an obscure userID, free gmail account, etc. and is very cautious about their private info.
2. They take a picture of a flower in their backyard with their iPhone and post it to my xF based site
3. A year later they get into a big fight with another member who happens to be a crazy nut-job. We ban the nut-job, but that just makes them more crazy.
4. The nut-job finds the picture and the geo-coordinates of the person's house and starts sending them threats to their address... or worse.

It might be a 1 in 1,000,000 chance of happening, but if you multiply average members per forum and all the xF forums and users (which total more than millions of users), that means it will happen.

I know some sites may want exif data, but we've never used it and never plan to use it, so the option in the admin panel to "Automatically strip exif on upload" option would be great!

 

[Digital Doctor]

I cringe when I think of a case where

It's probably happened alot already.
It's bound to happen again.

 

[AndyB]

Here's a link in Resources to modify the Upload.php file so it will Auto Rotate the image.

http://xenforo.com/community/resources/auto-image-orientation-for-iphone-and-ipad.1755/

Unfortunately as far as I know the Upload.php file cannot be extended, so an add-on cannot be made to Auto Rotate images.