How to Manage Privacy in Photos after Publication
Srinivas Madhisetty, Mary-Anne Williams, John Massy-Greene, Luke Franco and Mark El Khoury
Magic Lab, University of Technology Sydney, Ultimo, Sydney, Australia
Keywords: Privacy in Photos, Tacit Information, Grounded Theory.
Abstract: Photos and videos once published may stay available for people to view it unless they are deleted by the
publisher of the photograph. If the content is downloaded and uploaded by others then they lose all the privacy
settings once afforded by the publisher of the photograph or video via social media settings. This means that
they could be modified or in some cases misused by others. Photos also contain tacit information, which
cannot be completely interpreted at the time of their publication. Sensitive information may be revealed to
others as the information is coded as tacit information. Tacit information allows different interpretations and
creates difficulty in understanding loss of privacy. Free flow and availability of tacit information embedded
in a photograph could have serious privacy problems. Our solution discussed in this paper illuminates the
difficulty of managing privacy due the tacit information embedded in a photo. It also provides an offline
solution for the photograph such that it cannot be modified or altered and gets automatically deleted over a
period of time. By extending the Exif data of a photograph by incorporating an in-built feature of automatic
deletion, and the access to an image by scrambling the image via adding a hash value. Only a customized
application can unscramble the image therefore making it available. This intends to provide a novel offline
solution to manage the availability of the image post publication.
1 INTRODUCTION
Currently there have been a few solutions which deal
with data immortality. One of the solution has been
implemented by Snapchat which is a popular social
media application. Its core features is that media such
as photos or videos are deleted after 24 hours. (Snap
Inc., 2018). This solution requires that the user be
online and give control of their data to Snapchat.
However while snapchat says it will delete most
messages, it also states in various online
documentation that Snapchat "can't guarantee that
messages and corresponding metadata will be deleted
within a specific timeframe" (SMH, 2015).
This research contributes by investigating how to
manage privacy in the context of sharing and storing
photos.
He et al., (2016) suggests that when images are
uploaded to platforms such as Facebook, users are
giving up the privacy of the image as they are giving
it over to the platform holder.
Social media applications like Facebook, Twitter,
WhatsApp and many more applications are becoming
popular. The instant sharing of information via photos
and videos is making the management of issues which
rise out of loss of privacy more difficult.
An example of loss of privacy due to lack of
proper photo data management was when security
researcher John McAfee was arrested in Guatemala
(Finke, 2012).
Identifying sensitive information in a photo or a
video is a major problem. For example, what is
sensitive to one person may not be sensitive to others.
Therefore, rather than making assertions about what
is sensitive in a photo this research asked 21
participants why they share content and what are their
concerns. The data was analysed using Grounded
Theory to determine privacy sensitive information.
This paper discusses the difficulties in managing
privacy post publication of a photograph. The idea
presented in this paper is at the first stages to develop
a comprehensive ontology based on the privacy
management, post publication of the content.
Therefore, an offline solution, using Python was
developed allowing people to share their images
without compromising certain critical aspects
privacy. The critical aspects of privacy were
determined by asking questions to participants about
162
Madhisetty, S., Williams, M., Massy-Greene, J., Franco, L. and El Khoury, M.
How to Manage Privacy in Photos after Publication.
DOI: 10.5220/0007614001620168
In Proceedings of the 21st International Conference on Enterprise Information Systems (ICEIS 2019), pages 162-168
ISBN: 978-989-758-372-8
Copyright
c
2019 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
their privacy concerns. The collected data from the
interviews was analysed using Grounded Theory.
Privacy may be called as a social construct, there
are many definitions of privacy. Oxford dictionary
defines privacy as A state in which one is not
observed or disturbed by other people”.
In layman term’s, loss of privacy may be
considered when any sharing of information such as
photos takes place. This is irrespective of whether the
information shared is sensitive or not.
The problem of managing privacy in photographs
or videos is such that, for example when a document
is shared the context of the document can be easily
understood. Such grounding of the context may not
be present, when photos are shared. This is because a
photos may contain rich semantic and syntactic
information coded as tacit knowledge.
This makes it more difficult to manage content as
information freely passes through without any checks
or balances that are afforded in other means of
communication.
By regulating the flow of information in photos
and videos, privacy is managed effectively. (Bennett
and Raab, 2002) envision a privacy “regime” that
integrates privacy policy instruments including data
protection legislation, voluntary fair information
codes and privacy-protective information practices -
in a global economy which is characterized by
regulatory interdependence.
Social networks provide unprecedented
opportunity for individuals and organisations to share
information. At the same time they present significant
challenges to privacy (Chen and Williams 2009).
The main problem is that, after initial publication
of the content using social media, its subsequent
persistence makes the content not ephemeral.
Technology enables the content to be available, such
loss of privacy can be attributed to the lack of control
about the content published using this relatively new
technology.
It may have a significant impact on individual
privacy. The ephemeral nature of such information
shared it is important to be able to have desirable
levels of privacy. For example, when people move on
from and into relationships and other major life
events, an individual should be able to exercise the
right to be left alone. With others able to republish
photos and videos using social media the individual’s
privacy is breached significantly. “People should
have the freedom to share whatever information they
want, in any medium and any format”, the freedom to
access all of the information made available to them
by others” and “the freedom to build trust and
reputation through their identity and connections”
(Facebook, 2011).
2 THE PRIVACY PROBLEM
The first problem is that people need a reliable
method to share photos only with those who are the
intended recipient. The second problem is the internet
makes images immortal because they can be shared
and manipulated. There is a need to introduce
mortality or lifespans to images so they don’t cause
privacy issues in the future.
The final problem is that many people understand
that metadata is information about images but don’t
know how it’s used or how to access it. There is a
definite need to simply the process of viewing,
understanding and controlling the metadata found
within photos.
The two main artefacts that were diagnosed from
conducting this research were that there was
inadequate information about privacy and its
consequences after users publishing their content
such as a photo or a video.
This research was conducted by asking people
why they like to or has shared their photos or videos
using social media. By understanding the
expectations for publishing content, this research
could arrive at a clearer picture about the objective
opinion on why participants consider their privacy
has been breached.
Questions about the metadata of the photo or
video, were asked to understand the tacit properties of
the photo or a video.
This did not give the exact contextual properties,
but have given a clear indication under which
circumstances the photo or video was taken. The
information captured was about the shutter speed,
ISO, aperture, type of lens being used, etc.
Through this tacit information tagged in a photo it
is easy to make inferences about the circumstances
the photo was taken at that time.
In order to develop a proof of concept that an
application could be built to incorporate the findings
which were produced using analysis from Grounded
Theory.
The most common form file format for images
shared online are JPEGs. JPEGs are common due to
the fact that they are a lossy file format. Lossy images
are files whose data has been compressed which
means that less storage is required to host them. This
is an advantage on the internet where data storage
costs money.
How to Manage Privacy in Photos after Publication
163
While JPEG files store the image data they also
contain another file format called Exchangeable
image file format or “Exif”. The Exif file format
contains all the metadata about an image and refers to
metadata as “tags”. These tags include information
like owner information, GPS data, times and dates.
This information is organized into five groups or
“Image File Directories” (IFDs). The IFDs are as
follows:
1. 0th - Information that is necessary for the
construction of the image.
2. 1th - Information about the construction of the
image thumbnail.
3. Exif - This is the main metadata that gives context
to the image. It can include a range of extra
information such creation date, owner name,
camera lens used and even humidity.
4. GPS - Contains location information.
5. Thumbnail - contains the raw bytes of the image
thumbnail.
While many of the tags contained in these groups are
specified has having a data type such as string or
integer some are left as undefined and the
implementation can be left up to decision of the
programmer. Some tags are also defined as having a
range of allowable values.
The maker note and user comment tags which are
meant to be used by photographers and manufacturers
and are often undocumented.
2.1 Research Question
How can metadata in a photo be abstracted such that
no further inferences could be made about a when a
photograph is shared.
How can privacy be managed using an offline
solution post sharing of a photograph?
In order to answer those questions, first it is
essential to determine what sensitive information
people believe exists in a photo. Second, it is
important to associate these findings to assist in
developing a framework which will assist the general
public to manage their privacy effectively.
It is also equally important to understand the
underlying motivations in sharing the photo and to be
able to understand its context. These critical features
which will allow information in a photo to pass
through without affecting its privacy need to be
understood and investigated.
This understanding of expectations versus their
consequences have given rise to the determinants of
privacy. These determinants will manage how the
information in a photo will be stored and retrieved.
One such determinant to manage privacy was the
availability of the photograph, the second determinant
was the ability to download the photo and republish
the photograph by modifying it.
2.2 Motivation and Significance
Using social media where anyone can publish photos
and videos of any other individual, mostly well-
intended at the time, may result in a privacy concern
later.
Once the photo or video is published, it is
available for people to see until it is removed by the
publisher of that content. During data analysis the key
aspect which was determined as a major inhibitor of
privacy is the instant availability of information. Such
as the availability of a photograph or a video.
Henry et al., (2017) Anastasia Powell said, her
study had uncovered significant levels of image-
based sexual abuse. One in 10 adults has had a nude
or semi-nude picture of them taken without their
permission. The same proportion has had a sexually
explicit image of them sent to others without their
permission, or had someone threaten to publicly share
such an image.
Revenge porn, has become a big problem in
today’s society. According to Henry et al., (2017)
survey, it is estimated that 1 in 5 Australians have
experienced image-based abuse also young people
aged 16 to 29 years are also at higher risk of image-
based abuse. There is a consensus among the survey
that 4 in 5 Australians agree it should be a crime to
share sexual or nude images without permission.
An example of image immortality having
negative consequences is revenge pornography.
Revenge pornography is described as “online release
of explicit photographs or videos of an individual
without permission for the purpose of humiliation”
(Kamal and Newman, 2016).
Kamal and Newman (2016) also state that not
only do victims of revenge pornography experience
humiliation but they also experience a never-ending
struggle to maintain their dignity. There is a need to
introduce “mortality” to images and give them a finite
lifespan that is only controlled by the owner.
2.2.1 Research Methodology
The research design adopted was of two types the first
is to gather the evidence via interviews to understand
the nature of the problem. The second is to implement
the findings from the analysis of the data gathered
ICEIS 2019 - 21st International Conference on Enterprise Information Systems
164
into a software program which could be used to
manage privacy.
For the first part of this research, twenty one open
ended interviews were coded using Grounded
Theory. The Straussian approach to develop
descriptive accounts in the place of theory
development is the approach taken to conduct this
study. Strauss and Corbin guidelines in the process of
data collection, coding and analysis were used to
conduct this research. This approach encourages
flexibility to use techniques or steps; it characterizes
the situation objectively to obtain a general view from
different perspectives as opposed to that of a
quantitative study.
Some of the questions were framed in such a way
that they repeat themselves. This was done
intentionally to get a clearer picture of what the
participant is describing to get contextually rich
descriptions. Any participant who had a vested
interest in technology such as suppliers or producers
of web cameras and other electronic devices were
omitted as their opinion could be biased, although it
is unintentional, but will have a certain impact on the
research, i.e. any participant who has a commercial
interest in the growth of privacy-inhibiting
technologies were also omitted. Open-ended
questions are the best approach as they allow the
interviewer to obtain tacit information, which was
later, contextualized the meaning of the response.
For this research after twenty one interviews
sample saturation was reached. All participants
interviewed were social media users. They should
have uploaded and viewed photos and videos of
themselves and others through social media.
The second part was to implement the design via
a prototype using Python as a programing language.
An offline solution, via software was developed
which will allow people to share their images without
compromising certain critical aspects privacy.
The developed software will be able to encrypt
the image, set up password and a hash value and
finally specify a deletion date. When the deletion date
is reached the photo gets deleted automatically. The
viewer of this photo can only view the content if they
have the hash value.
Python was chosen to develop the software because it
is suitable for rapid prototyping. The version of
python used in the prototype is the latest release 3.6.
Below is a list of libraries selected and the reasons as
to why they were selected:
Tkinter - This is a standard library built into
python 3 is usable across all major os desktops
(Tkinter, 2018).
Pillow - This is an extension of Tkinter which is
well documented and allows for the use of images
within a GUI. This library could be extended or
removed in later builds after the initial
development (Pillow, 2017).
Piexif - This library is a major part of the project.
Testing with this library allowed for Exif data to
be cleared as well as added with ease (Piexif,
2015). It should be noted that Piexif is the only
library available for Python that manipulates
metadata
Cryptography - This library was used as the basis
for allowing image encryption to work. Contains
the required tools to generate crypto keys and
check their validity. (Cryptography, 2017)
The development and testing has been conducted on
a windows device.
2.2.2 Key Findings
Timeframe on how long the content is made available
was found to be one of the key vectors to manage
privacy. For content to be managed effectively a
timeline or a timeframe is to be determined for photos
and videos before making them available.
Select a timeline for each photo or a video, after
which it would automatically disappear from the
public space. The photo or video would only be made
available for others to see after it had been renewed.
Participant p10 “I think a timeline of five to six
months is enough for a photo to exist in the public
sphere. Managing photos and videos is easier that
way.”
Participant p17 said, I think it is a good idea to
have a timeline for each photo made public”.
After the moment the photo or video is consume
there was no reason for it to be available for others
to view.
Currently there is no time limit on how many days
content is made available to end users.
This research has found that by limiting the
number of users who can view the content, or
selectively sharing information with a particular
group of individuals, is a more effective way to
manage privacy when photos and videos are shared.
The interviewers also identified trust and control
of information is essential for effective management
of privacy. However there was ambiguity in terms of
what trust and control actually meant. Control is a
simple choice of what information they intend to use
to communicate with others, as discussed in (Altman,
1977) view of privacy.
How to Manage Privacy in Photos after Publication
165
Control meant several things - it was about the
type of information or the nature of the information
which was sensitive or perceived as sensitive, and
also the way the flow of such information that can be
managed through various elaborate privacy settings.
2.3 Software Solution for Effective
Privacy Management Post
Publication of a Photograph
Figure 1: Process to manage privacy in a photo by providing
an offline solution.
The proposed solution is a flexible application
which can incorporate many more features which are
critical to manage privacy. There are other
applications which are available that can scramble an
image. However, this application was developed to
customize the implementation of the Key
Performance Indicators which were derived through
analysis of interview data using Grounded Theory
study.
The owner and the recipient have the hash code to
be able to view the image. However, this application
not only just checks the hash value, but also checks
for a deletion date. The meta-data of the image could
be further spoofed or modified to allow other features
in managing privacy to be embedded. The other
feature that circumvent privacy concerns which may
arise due to profiling of metadata embedded in the
image is the ability to spoof the metadata. This
spoofing of metadata could give rise to inconsistent
profile may give more privacy to the end user as it
anonymizes the context.
Data Mortality.
As data immortality is a problem when addressing
image privacy. The software provides a means to
implement software mortality.
This is achieved by introducing a date that the
image will be deleted through the software. A
deletion date will be inserted into the user comment
section of the images metadata and checked each time
the image is checked. This date is stored in UNIX date
format which is single integer number that is easy to
compare.
A limitation of this is that the software clock can
be manually changed so deletion date may never be
reached. In order to overcome this problem there are
actually two dates inserted and separated by a double
colon, one is deletion date and the second being the
date the image was last opened.
This second date is modified each time the image
is opened so that it will shorten the life of the image
each time that it is open. This strategy allows the
program to overcome possible manipulation of the
software clocks.
Both these dates are checked when the image is
opened. If either date has passed, the image will be
considered compromised and then deleted.
Image Privacy.
Managing privacy of a photograph while in transit
from one user to another requires some form of
encryption.
A symmetric encryption scheme will be used as
the key can be shared between trusted parties when
the image is exchanged. The python library named
Fig 1 Process involved to deliver offline solution
for the management of privacy.
Cryptography provides a simple to use encryption
scheme that requires a 32-byte key for both
encryption and decryption.
This key is generated by the user and then the
output is padded with ones in order to meet the 32-
byte requirement of the key. The library offers no
measures in order to accept a key that is shorter or
longer than 32 bytes. The cryptography library
creates an object that will encrypt the images data
using 128 AES encryption (Cryptography, 2017).
This procedure is completed in reverse when the
image is opened.
To ensure that the image has not been tampered
with a hash is taken before encryption and compared
ICEIS 2019 - 21st International Conference on Enterprise Information Systems
166
once the image is opened again to ensure that no
alterations have occurred. If there is a difference in
the hash then the image is then deemed compromised
and deleted from the file system.
Metadata and Exif Manipulation.
The ease of manipulating metadata Exif tags. Piexif
is a library used to manipulate metadata. Exif tags
have specific formats required when being written to.
For this reason, the software developed only allows
Exif tags that have a finite range of allowable values
to be edited. These Exif tags appear in the software as
dropdown menus. This design means that the owner
of an image will not render the image unusable due to
a format error within the Exif data.
To achieve this, a data structure was created that
matches all the Exif metadata tags hexadecimal
values with the human readable name, as well as the
corresponding allowed values that a tag can be. This
data structure is contained in tagList.py.
Metadata can also be removed according to 3
levels of KPI’s which are called minimum, medium
and maximum privacy were afforded.
The deletion of metadata according to KPI’s was
suggested by the earlier analysis using interview data
and Grounded Theory. The functionality has been
developed as a proof of concept and not according to
specific research.
Discussion.
There are hundreds of official tags each with their
own data type and allowable values. In addition to
this there are countless manufacturer maker note tags
that have no official interpretation.
Due to sheer number of official and
undocumented metadata available this research
allowed to interpret a small set. This was also
hampered by the Python library Piexif which is used
to extract metadata is not well documented.
To be able manage privacy Exif tags names were
examined which were in hexadecimal format. For
example the tag BitsPerSample is represented as
0x0102. This means translation was required for
every tag and thus the program has a large self-
developed translation library. Any tags unable to be
translated are referred to as “Undefined”.
Another limitation with the Piexif library is that
the metadata values can be data structures such as
tuples and byte arrays. This is difficult to
programmatically render as a string that is
understandable to a viewer. Thus, for this version of
the program we were required to limit the amount of
metadata that a viewer could edit or spoof.
The limitation of being a purely offline solution
meant that the software is unable to check online
clocks to make sure the deletion date hasn’t passed.
The software compensates by using the computer’s
clock to save the date the image was last opened. The
next time the image is opened it checks the
computer’s clock to check if the last time the image
was opened was actually in the past and not the future.
This was extra checking to make sure the deletion
date is honoured.
3 CONCLUSIONS
Managing privacy in photo and videos should not be
an after thought after the sharing has occurred using
social media. As privacy is a loosely defined it is very
difficult to for see all the consequences before
publishing content. However managing the content
effectively will mitigate risks of privacy. The ideal
way of managing privacy is to derive a contextual
meaning from a photo, and then to draw a conclusion
about which photos (or which portions of photos) are
appropriate for other users to see, and to manage
privacy in the photo or a video before it is shared.
Further research needs to be done to derive an
over arching picture about privacy because as
technology keeps moving forward, an equal emphasis
needs to be given for privacy concerns of individuals.
A system that manages user privacy in a digital world
is difficult, because privacy is considered by many as
a social construct.
This paper presents a software program that gives
a proof of concept on how publishers of images can
gain control over what to share with others and
manage the privacy settings in an offline method.
Users are given control through data mortality and
deletion dates as well as passwords and authorization.
An offline solution means that there is no need for
users to trust that 3rd parties to store their images in
an ethical manner. This designed software is flexible
for further implementation of features which give
more control over the photograph post publication by
editing metadata tags. Many such iterations of
privacy issues will result in an effective way to retain
privacy when photographs are shared on the internet.
REFERENCES
Altman I 1977, ‘Privacy regulation: culturally universal or
culturally specific?’, Journal of Social Issues 33 (3):
6684.
How to Manage Privacy in Photos after Publication
167
Andrews, L. 2012, 'Facebook is using you', The New York
Times, 4 February.
Bennett, C. and Raab, C. 2002, Governance of Privacy:
Policy Instruments in Global Perspective, Barnes and
Noble, London.
Creswell, J.W. 2003, Research Design: Qualitative,
Quantitative and mixed methods approaches, Sage
Publication, Thousand Oaks, California.
Charmaz, K. 2006, Constructing grounded theory. A
practical guide through qualitative analysis, Sage
Publication, London.
Chen, S. and Williams, M-A. 2009, ' Privacy in Social
networks: A comparative study', PACIS, vol. 4, pp. 81.
Cryptography 2017, Welcome to pyca/cryptography,
Viewed 23 April 2018, https://cryptography.io/en/latest/.
Facebook 2011, Facebook principles, viewed 17 February
2014, <http://www.facebook.com/principles.php.>.
FC. K. 2010, 'The fundamental limits of privacy for social
networks', MIT Technology Review Physics arXiv
Blog, viewed 5 May 2010, <http://www.
technologyreview.com/view/418819/the-fundamental-
limits-of-privacy-for-social>.
Finke, B. 2012, ‘John McAfee's location may have been
accidentally given away by Vice magazine’, The
Telegraph, 4th December, viewed 28th November
2018, <https://www.telegraph.co.uk/news/worldnews/
centralamericaandthecaribbean/guatemala/9720514/Jo
hn-McAfees-location-may-have-been-accidentally-
given-away-by-Vice-magazine.html
Grey, D.E. 2009, 'Doing Research in the Real World', 2nd
edn, Sage Publication, London.
He, K., Bidan, C. and Guelvouit, t.L. 2016, 'Privacy
Protection for JPEG Content on Image-Sharing
Platforms', paper presented to the Proceedings of the
4th ACM Workshop on Information Hiding and
Multimedia Security, Vigo, Galicia, Spain.
Henry, N., Powell, A. and Flynn, A. (2017).
Not Just ‘Revenge Pornography’: Australians’
Experiences of ImageBased Abuse. A Summary
Report. Melbourne: RMIT University.
Stratus, A. and Corbin, J. 1998, Basics of qualitative
research, Sage Publication, Thousand Oaks, California.
Smh 2015, Snapchat-Now-Owns-Your-Photos-Even-After-
They-Disappear. Viewed 27 November 2018,
https://www.smh.com.au/technology/snapchat-now-
owns-your-photos-even-after-they-disappear-
20151102-gkobrl.html
Smh 2015, ‘Revenge Porn: Government Urged to Make it
Illegal. Viewed 10 Nov ember 2018,
http://www.smh.com.au/national/government-urgedto-
outlaw-revenge-porn-20150926-gjvod5.html
Snap Inc. 2018, When does Snapchat delete Snaps and
Chats?, viewed 28th November 2018, https://support.
snapchat.com/en-US/a/when-are-snaps-chats-deleted
Maykut, P. and Morehouse, R. 1994, Beginning Qualitative
Research: A Philosophic and Practical Guide, The
Farmer Press, London.
Tkinter, Python interface to Tcl/Tk, Viewed 20 May 2018,
https://docs.python.org/3.6/library/tkinter.html.
Kamal, M. and Newman, W.J. 2016, 'Revenge
Pornography: Mental Health Implications and Related
Legislation', Journal of the American Academy of
Psychiatry and the Law Online, vol. 44, no. 3, pp. 359-
67.
Pillow 2017, Pillow, Viewed 19 March 2018, https://
pillow.readthedocs.io/en/5.1.x/ .
Piexif 2015, Welcome to Piexif’s documentation!, Viewed
20 April 2018, http://piexif.readthedocs.io/en/latest/
index.html.
Warburton, W.I. 2005, 'What are grounded theories made
of? 2005', LASS Faculty Post-Graduate Research
Conference University of Southhampton, UK, 6-7 June.
ICEIS 2019 - 21st International Conference on Enterprise Information Systems
168