Facebook IPTC Tags

Are Facebook Embedding Tracking Data in Your Photos?

On July 11th 2019, Twitter user Edin Jusupovic (a cybersecurity programmer) posted a tweet exposing social media giant Facebook. The ethically questionable company is, once again, coming under fire for tracking its users, this time via the photos they upload on any of its services.

Edin claims that he discovered this information by noticing a “structural abnormality” within a hex dump of an image that he downloaded from an “unknown origin”. That sentence may not mean much without some explanation, so here goes.

A hex dump is a view of a file's raw contents written out as hexadecimal (hex) numbers. It represents each byte (8 bits) of data as a two-digit hex code, made up of the numbers 0 – 9 and letters A – F. Specialists can then analyse the hex dump to detect hidden data embedded in the original file.

He then went on to explain that the ‘structural abnormality’ is a specific type of data called an ‘IPTC special instruction’.

According to photomedia.org, IPTC instructions are metadata tags which carry any number of instructions from the provider to the receiver of the media. These instructions can be for anything from licensing rights to connecting people who have shared or seen the media.
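To show where such a field sits inside a file, here is an added example (not code from the original post or from Edin Jusupovic) that walks a JPEG's segments, opens the APP13 "Photoshop 3.0" block where IPTC data is stored, and returns any Special Instructions value (IPTC record 2, dataset 40). `SAMPLE` is a constructed byte string carrying the made-up tag AE453DF2 used in the walkthrough further down this page; the function names are this example's own.

```python
import struct

APP13 = 0xED                    # JPEG marker that carries Photoshop/IPTC metadata
IPTC_RESOURCE = 0x0404          # "8BIM" resource ID for IPTC-NAA data
SPECIAL_INSTRUCTIONS = (2, 40)  # IPTC record 2, dataset 40

def jpeg_segments(data):
    """Yield (marker, payload_start, payload_end) for each segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield data[pos + 1], pos + 4, pos + 2 + length
        pos += 2 + length

def iptc_blocks(payload):
    """Yield the raw IPTC data held in each 8BIM resource of an APP13 payload."""
    pos = payload.find(b"8BIM")
    while pos != -1 and payload[pos:pos + 4] == b"8BIM" and pos + 12 <= len(payload):
        (res_id,) = struct.unpack(">H", payload[pos + 4:pos + 6])
        pos += 6 + ((payload[pos + 6] + 2) & ~1)  # skip the even-padded resource name
        (size,) = struct.unpack(">I", payload[pos:pos + 4])
        if res_id == IPTC_RESOURCE:
            yield payload[pos + 4:pos + 4 + size]
        pos += 4 + size + (size & 1)              # resource data is padded to even length

def special_instructions(data):
    """Return every IPTC Special Instructions value found in the JPEG bytes."""
    found = []
    for marker, start, end in jpeg_segments(data):
        for iptc in iptc_blocks(data[start:end]) if marker == APP13 else ():
            pos = 0
            while pos + 5 <= len(iptc) and iptc[pos] == 0x1C:  # 0x1C starts a dataset
                record, dataset, size = struct.unpack(">BBH", iptc[pos + 1:pos + 5])
                if size & 0x8000:  # extended-length dataset: not handled, stop here
                    break
                if (record, dataset) == SPECIAL_INSTRUCTIONS:
                    found.append(iptc[pos + 5:pos + 5 + size].decode("latin-1"))
                pos += 5 + size
    return found

# Constructed sample: SOI, one APP13 segment, empty scan header, EOI (not a viewable image).
_IPTC = b"\x1c\x02\x28\x00\x08" + b"AE453DF2"
_RES = b"8BIM\x04\x04\x00\x00" + struct.pack(">I", len(_IPTC)) + _IPTC + b"\x00"
_APP13 = b"Photoshop 3.0\x00" + _RES
SAMPLE = b"\xff\xd8\xff\xed" + struct.pack(">H", len(_APP13) + 2) + _APP13 + b"\xff\xda\x00\x02\xff\xd9"
```

To check a file of your own, pass its bytes in: `special_instructions(open(path, "rb").read())`. An empty list means no Special Instructions field was found in any APP13 segment.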

Edin went on to explain the severity of the situation. He states that this is just one of many methods companies use to inject data into photos. Even more concerning is his claim that several of these techniques are “impossible to forensically detect”.

So What, I Don’t Have Facebook

Many people may be reading this and thinking that this news does not affect them, due to their lack of a Facebook account. Sadly, if you are thinking that, you’re wrong.

The way the mentioned IPTC tags operate enables them to collect data from anybody who shares one of the affected pictures, regardless of whether they do so on Facebook, Reddit, Tumblr, Pinterest or pretty much any other social platform.

How Does That Work?

Reddit user SongForPenny took the time to explain, in detail, how this data can (and probably will) be used by Facebook. If you would like to read their full explanation you can find it on the following link. Alternatively a basic explanation is as follows:

Let’s say person A uploads a picture to their Facebook timeline. When they do so, Facebook’s software will first scan the uploaded picture to look for an IPTC tag in the metadata. Person A’s photo has just been snapped, and thus does not have an IPTC tag. Upon noticing this, Facebook’s software adds the tag “AE453DF2” to the photo’s metadata.

Now, person B has just logged in and seen person A’s photo. They think their friend person C would find it interesting, although person C does not have Facebook. As a result they download the image and send it to person C via email.

Person C opens the email from person B and finds it hilarious. Person C doesn’t have Facebook but they do have a Reddit account. They decide that the people in r/Funny will enjoy it so they decide to share the photo.

At this point Facebook’s web bots scan Reddit and see the photo posted by person C. They check the metadata and, sure enough, see the “AE453DF2” IPTC tag. From this they know that this photo was originally uploaded by person A.

Facebook now knows that person A, B and C are all connected, albeit loosely, and have a similar sense of humour, even though person C doesn’t have a Facebook account. This information enables Facebook to target advertisements to person C via the data collected from persons A and B.

This is a basic example. If you wanted to take it deeper, you could then theorise that Reddit has also added a tag. Let’s say the tag is “BF87C32E”. Now, when Facebook scans person C’s photo on Reddit, they can check other Facebook user photos for the tag “BF87C32E”. This will enable them to further target person C, even though they have never used any of Facebook’s services.

What Can You Do?

The sad truth is that there is actually very little you can do. We can all get VPNs and anonymous emails until we are blue in the face but they will realistically do little to hinder prying eyes.

While that may be true, if you are concerned about Facebook tracking you, and you’re on an Apple machine, there may be a workaround.

The OS X hosts file maps hostnames to IP addresses and is consulted before any DNS lookup. Pointing a hostname at your own machine (127.0.0.1) means your computer can no longer reach that server by name. This can be used to block connections to Facebook, or anyone else for that matter. To do so simply follow these instructions:

Please note, you will be using your admin password to edit system files. If you decide to follow these instructions you do so at your own risk. Please make sure you understand what you are doing before you proceed as Something Decent will not be held accountable for any damages incurred.

  • Open Terminal
  • Type sudo nano /etc/hosts and press enter
  • Enter your admin password and press enter
  • Copy and paste the following into your console and then press enter:
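    # Block Facebook
    127.0.0.1 www.facebook.com
    127.0.0.1 facebook.com
    127.0.0.1 login.facebook.com
    127.0.0.1 www.login.facebook.com
    127.0.0.1 fbcdn.net
    127.0.0.1 www.fbcdn.net
    127.0.0.1 fbcdn.com
    127.0.0.1 www.fbcdn.com
    127.0.0.1 static.ak.fbcdn.net
    127.0.0.1 static.ak.connect.facebook.com
    127.0.0.1 connect.facebook.net
    127.0.0.1 www.connect.facebook.net
    127.0.0.1 apps.facebook.com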

Now your machine will no longer be able to reach the Facebook hostnames listed above. It is important to note that ALL Facebook services will be removed from web pages. This also means you will not be shown the like button etc.

Finally, watzon.tech have released a tool which allows users to obfuscate the IPTC tags which Facebook embed into photos. It does not remove the data, instead it jumbles it up to make it useless. In order to take advantage of it you simply need to upload your photo to it. You can access it here.

Love, peace and happiness.