Artificial truth

The more you see, the less you believe.


Metadata on an escort website
Mon 25 November 2019

Last year, during my holidays, I had the sempiternal conversation about the "I have nothing to hide" argument; but this time, it was with a feminist, and while there is a vast diversity of views on prostitution, everyone agrees that escorts deserve the same rights as anyone else, including privacy. Why prostitution? Because a couple of days earlier someone had linked me to a community-run escort website, which of course had media on it. Also, it was the perfect example of why privacy matters.

I had a super-old C++ binary lying around that I used to throw at hidden onion services to show pictures' metadata on a nice globe map with the help of QtLocation. Unfortunately, the website had special URLs for pictures, and since I didn't manage to find the source code of my binary (also, C++, eww), I rewrote something from scratch: I whipped up a ghetto Python script gluing together requests, exiftool, and leaflet, and got a nice interactive map precise up to the second, looking like this (yes, I censored the pictures), for Canada alone:

map of the USA with geolocalized pictures

I sent an email to the website with a screenshot and a short description of the issue; they replied, were super friendly, and fixed the issue in roughly one week, which is pretty impressive! They fixed it wrongly, and aren't replying to my emails anymore. But since this was a bit more than one year ago, I don't feel bad writing about it.

Because my steaming pile of Python is ugly beyond reason, I don't plan to open-sauce it. Besides, it's trivial to rewrite it in less than one hour. So what is the point of an article like this, besides the clickbait title?

Mostly to show that files can and do contain metadata, and that you should care about this, because everybody needs privacy even if it's not obvious to everyone. Also to help websites and service providers realize that they need to expunge the metadata from user-uploaded files, especially when they're dealing with sensitive pictures. I'm also secretly hoping that they'll use mat2 to do it, battle-testing it on a large corpus of different files, and give me back useful bug reports (or congratulations, who knows), so that I can make it even more reliable.