I received a couple of enquiries today about yet another super dick move from Facebook: it seems that metadata are silently added to uploaded pictures, in a custom metadata field with a value starting with FBMD, likely standing for Facebook Metadata.
This isn't a new trick, as Neal Krawetz already wrote a blogpost about this in 2016, mentioning that this practice dates back to July 2014.
Adding a custom metadata field to pictures allows Facebook to:
- Track which user downloaded what picture, simply by looking at it, even on other websites: if someone downloads a dog picture from Facebook and puts it on reddit, Facebook will know who uploaded it, when it was downloaded from Facebook, from where, and by whom.
- Create a cross-site social graph: Alice took a funny picture of a cat, and uploaded it on Facebook. Her good friend Malory downloaded the picture, and sent it to her coworker Eve, via MMS. The picture being funny, Eve, who doesn't even have a Facebook account, sent it to her Tinder date, Jasmin, who uploaded it back on Facebook. Facebook now knows that Alice is friends with Malory and that Jasmin knows that someone who likes cat pictures is friends with Malory.
```
$ exiftool facebook_metadata_sample.jpg | grep FB
Special Instructions : FBMD01000a9d03000068040000c0040000e10400001a050000bc05000021060000c9060000ea06000017070000ad070000
Profile Copyright : FB
$
```
Fortunately, mat2 can remove them:
```
$ mat2 facebook_metadata_sample.jpg
$ exiftool facebook_metadata_sample.cleaned.jpg | grep FB
$
```
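To check a picture for this marker without exiftool, here is an added example (not the author's code). It assumes the field exiftool reports as Special Instructions is IPTC dataset 2:40 stored in a Photoshop APP13 block, as is usual for JPEG; the function names and the sample bytes are constructed for illustration.

```python
import struct

def iptc_datasets(jpeg: bytes):
    """Yield (record, dataset, value) from IPTC data in APP13 segments before SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        marker = jpeg[pos + 1]
        (seglen,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        payload = jpeg[pos + 4:pos + 2 + seglen]
        pos += 2 + seglen
        if marker == 0xED and payload.startswith(b"Photoshop 3.0\x00"):
            yield from _resources(payload[14:])

def _resources(irb: bytes):
    """Walk Photoshop '8BIM' resource blocks; 0x0404 holds the IPTC record."""
    pos = 0
    while irb[pos:pos + 4] == b"8BIM" and pos + 7 <= len(irb):
        res_id = int.from_bytes(irb[pos + 4:pos + 6], "big")
        name_len = irb[pos + 6]
        pos += 7 + name_len + (name_len + 1) % 2  # Pascal name, even-padded
        size = int.from_bytes(irb[pos:pos + 4], "big")
        if res_id == 0x0404:
            yield from _datasets(irb[pos + 4:pos + 4 + size])
        pos += 4 + size + size % 2  # resource data is even-padded too

def _datasets(iim: bytes):
    """Parse IPTC datasets: 0x1C, record, dataset, 2-byte length, value."""
    pos = 0  # extended (>32 KiB) dataset lengths are not handled here
    while pos + 5 <= len(iim) and iim[pos] == 0x1C:
        record, dataset, length = struct.unpack(">BBH", iim[pos + 1:pos + 5])
        yield record, dataset, iim[pos + 5:pos + 5 + length]
        pos += 5 + length

def facebook_tags(jpeg: bytes):
    """Return IPTC 2:40 (Special Instructions) values that start with FBMD."""
    return [v.decode("ascii", "replace") for r, d, v in iptc_datasets(jpeg)
            if (r, d) == (2, 40) and v.startswith(b"FBMD")]

def sample_jpeg(value: bytes) -> bytes:
    """Constructed test input: SOI + APP13 with one 2:40 dataset + EOI."""
    iim = b"\x1c\x02\x28" + struct.pack(">H", len(value)) + value
    irb = b"8BIM\x04\x04\x00\x00" + struct.pack(">I", len(iim)) + iim
    app13 = b"Photoshop 3.0\x00" + irb + b"\x00" * (len(iim) % 2)
    return b"\xff\xd8\xff\xed" + struct.pack(">H", len(app13) + 2) + app13 + b"\xff\xd9"

if __name__ == "__main__":
    print(facebook_tags(sample_jpeg(b"FBMD0100" + b"00" * 8)))  # constructed value
```

An empty list from `facebook_tags(open(path, "rb").read())` means no such field was found in the file's APP13 metadata.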
So don't forget to remove the metadata from pictures before sharing them. Depending on your platform, there are different possibilities:
- mat2 on Linux
- Scrambled Exif on Android (also available on F-Droid)
- The web version of mat2, hosted by the friendly people of systemli, for everything else
And of course, don't use Facebook in the first place.