Title: On Facebook's pictures watermarking
Date: 2019-07-13 16:00

I received a couple of enquiries today about yet another of Facebook's
super dick moves: it seems that metadata is [silently
added](https://twitter.com/oasace/status/1149181539000864769) to uploaded
pictures, in a custom
[IPTC](https://en.wikipedia.org/wiki/IPTC_Information_Interchange_Model) field,
with a value starting with `FBMD`, likely standing for Facebook Metadata.

This isn't a new trick, as Neal Krawetz already wrote a
[blogpost](https://www.hackerfactor.com/blog/index.php?/archives/726-Facebook-Tracking.html)
about this in 2016, mentioning that this practice dates back to July 2014.

Adding a custom metadata field to pictures allows Facebook to:

- Track which user downloaded what picture, simply by looking at it,
  even on other websites: if someone downloads a dog picture from Facebook and
  puts it on reddit, Facebook will know who uploaded it, when it was downloaded
  from Facebook, from where, and by whom.
- Create a cross-site social graph: Alice took a funny picture of a cat
  and uploaded it to Facebook. Her good friend Malory downloaded the picture
  and sent it to her coworker Eve via MMS. The picture being funny, Eve,
  who doesn't even have a Facebook account,
  sent it to her Tinder date, Jasmin, who uploaded it back to Facebook.
  Facebook now knows that Alice is friends with Malory, and that Jasmin knows
  that someone who likes cat pictures is friends with Malory.

This is what a [sample]({static}/images/facebook_metadata_sample.jpg) (courtesy
of [Dhaval](https://twitter.com/17haval/status/1149978537899642880)) looks
like via [exiftool](https://www.sno.phy.queensu.ca/~phil/exiftool/):

```bash
$ exiftool facebook_metadata_sample.jpg | grep FB
Special Instructions            : FBMD01000a9d03000068040000c0040000e10400001a050000bc05000021060000c9060000ea06000017070000ad070000
Profile Copyright               : FB
$
```
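To check files where exiftool isn't available, the same field can be read straight from the JPEG. The script below is an added example, not code from mat2 or exiftool: it walks the APP13 (Photoshop) segment, reads IPTC dataset 2:40 (Special Instructions) and returns any value starting with `FBMD`. The function names and the sample value are made up for illustration.

```python
import struct

def jpeg_segments(data):
    """Yield (marker, payload) for each JPEG header segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # start of scan / end of image
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def iptc_datasets(app13):
    """Yield (record, dataset, value) from a Photoshop-style APP13 payload."""
    if not app13.startswith(b"Photoshop 3.0\x00"):
        return
    pos = 14
    while app13[pos:pos + 4] == b"8BIM" and pos + 12 <= len(app13):
        (res_id,) = struct.unpack(">H", app13[pos + 4:pos + 6])
        pos += 6 + ((app13[pos + 6] + 2) & ~1)  # Pascal name, padded to even
        (size,) = struct.unpack(">I", app13[pos:pos + 4])
        block = app13[pos + 4:pos + 4 + size]
        pos += 4 + size + (size & 1)  # resource data is padded to even too
        i = 0
        while res_id == 0x0404 and i + 5 <= len(block) and block[i] == 0x1C:
            rec, ds, n = struct.unpack(">BBH", block[i + 1:i + 5])
            if n & 0x8000:  # extended-length dataset: not handled here
                break
            yield rec, ds, block[i + 5:i + 5 + n]
            i += 5 + n

def find_fbmd(data):
    """Return every 'Special Instructions' (IPTC 2:40) value starting with FBMD."""
    return [v.decode("latin-1")
            for marker, payload in jpeg_segments(data) if marker == 0xED
            for rec, ds, v in iptc_datasets(payload)
            if (rec, ds) == (2, 40) and v.startswith(b"FBMD")]

def build_sample(value):
    """Constructed input: SOI, one APP13 segment holding IPTC 2:40, EOI."""
    iptc = b"\x1c\x02\x28" + struct.pack(">H", len(value)) + value
    irb = b"8BIM\x04\x04\x00\x00" + struct.pack(">I", len(iptc)) + iptc
    body = b"Photoshop 3.0\x00" + irb + b"\x00" * (len(iptc) & 1)
    return b"\xff\xd8\xff\xed" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

if __name__ == "__main__":
    print(find_fbmd(build_sample(b"FBMD0123456789abcdef")))  # constructed value
```

On a real file, pass `open(path, "rb").read()` to `find_fbmd`; an empty list after cleaning means the field is gone.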

Fortunately, [mat2](https://0xacab.org/jvoisin/mat2) can remove them:

```bash
$ mat2 facebook_metadata_sample.jpg
$ exiftool facebook_metadata_sample.cleaned.jpg | grep FB
$
```

So don't forget to remove the metadata from pictures before sharing them.
Depending on your platform, there are different possibilities:

- [mat2](https://0xacab.org/jvoisin/mat2/blob/master/INSTALL.md) on Linux
- [Scrambled Exif](https://play.google.com/store/apps/details?id=com.jarsilio.android.scrambledeggsif) on Android (also available on [F-Droid](https://f-droid.org/packages/com.jarsilio.android.scrambledeggsif/))
- The [web version of mat2](https://www.systemli.org/en/service/metadata.html), hosted by the friendly people of systemli, for everything else

And of course, don't use Facebook in the first place.
