Posted as received.

April 20, 2012 | By Hanni Fakhoury

A Picture is Worth a Thousand Words, Including Your Location

At first blush, it seems obvious that a picture could reveal your
location. A picture of you standing in front of the Golden Gate Bridge
sensibly leads to the conclusion you're in the San Francisco Bay Area
when the photo was taken. But now that smartphones are quickly supplanting traditional digital cameras, and even traditional cameras now have wifi
built in, many more pictures are finding their way onto the web, in
places like Twitter, Flickr, Google+ and Tumblr. In a span of 10 days,
popular photo social network Instagram added 10 million new users as
a result of the release of its Android app and its acquisition by
Facebook. And the location data hidden in these quick and candid
pictures -- even when your location isn't as obvious as "standing in
front of the Golden Gate Bridge" -- is becoming another easy way for
anyone, including law enforcement, to figure out where you are.
Take the case of "w0rmer," a member of an Anonymous offshoot called "CabinCr3w," for example. According to the federal government (PDF), "w0rmer" broke into a number of different law enforcement databases
and obtained a wealth of sensitive information. In a Twitter post,
"w0rmer" provided a link to a website that contained the sensitive
information as well as a picture of a woman (NSFW)
posing with a sign taunting the authorities. Because the picture was
taken with an iPhone 4, which contains a GPS device built in, the GPS
coordinates of where the picture was taken was embedded into the
picture's EXIF
metadata. The FBI was able to use the EXIF data to determine that the
picture was taken at a house in Wantirna South, Australia. 
The FBI tracked down other online references to "w0rmer," with one
website containing the name Higinio Ochoa. The feds took a look at
Ochoa's Facebook account, which detailed that his girlfriend was
Australian. Combined with the EXIF metadata, the government believed
they had corroborated the identity of "w0rmer" as Ochoa, and in turn
arrested him.
Even for photos not taken with a smartphone and not embedded with
GPS coordinates (for example, point and shoot or SLR cameras that do
not geotag), it's still possible for the police to get location
information through EXIF metadata. You can upload a picture here
and see the metadata stored in a picture for yourself. Contained within
that metadata is the camera's serial number. Armed with that
information, the police can easily scour the internet for other pictures tagged with the same serial number. In Australia, a man whose camera was stolen was able to track it down using stolencamerafinder.com because
the thief had taken a picture with the camera and uploaded it to
Flickr, where had had listed his address. But even if the thief's
Flickr site didn't contain his address, police could have subpoenaed
Flickr - like law enforcement have attempted to do with Twitter
- for information concerning a user's temporarily assigned IP address,
as well as session times and logs, to eventually determine where a
person uploaded a picture from. All of which can be used to piece
together a snapshot of not only your movements, but as in the case of "w0rmer," potentially your identity. In the United States, police are being trained about the broader investigative (PDF) potential of this information.
It might be tempting to say the problem is overblown, because some
social media sites, including Facebook and Twitter, strip the metadata
out of photos uploaded by their members. But not all do. Twitpic's
default is to use a picture's location tag unless you opt out. Flickr
gives you the option to hide a photo's EXIF data, but many casual
photographers tempted by the rapid growth of photo sharing may not
understand what EXIF data is, and the implication of making it publicly
available.
The bigger problem is that courts have been expanding the police's right to search digital devices without a warrant under the "search incident to arrest"
exception of the Fourth Amendment. While many of the cases involve
warrantless searches of cell phones, there has been at least one case in California(PDF)
where the police used the "search incident to arrest" exception to
search a juvenile's digital camera. And there are other reported incidents
of photojournalists having their cameras confiscated and searched when
covering political protests and rallies. If the cops have the physical
camera (and thus the memory cards that store the photos), whatever
scrubbing that happens when a photo is uploaded to the web is no
obstacle.
So if you value your privacy, you should take steps to ensure the
EXIF metadata in your pictures isn't an easy way for anyone on the
Internet to figure out your location. If you're using a smartphone to
take pictures, disable geotagging
from your pictures. If you're uploading your pictures to a website like
Flickr or Twitpic that defaults to automatically include EXIF data and
location information, take the steps to turn it off. And if you're
using a traditional SLR or point and shoot camera that doesn't geotag,
but does contain a breadth of EXIF data, the make sure you scrub its
metadata before you upload it on the Internet. There are free online tools
that will help you do precisely that. These simple steps will help
ensure that the thousand words a picture describes doesn't include your
location.