by sixhobbits 4 days ago

It's a sad story and a fun-looking project but I think Google 100% did the right thing here. Most people have no idea how much information is included in photo metadata, and stripping it as much as possible lines up with how people expect the world to work.
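To make "how much information is included in photo metadata" concrete, here is an added example (written for this page, not code from the thread, from Android or from Chrome). It walks the JPEG marker segments, finds the Exif APP1 block, follows IFD0's GPSInfo pointer into the GPS IFD and turns the degree/minute/second rationals into decimal coordinates; a second function drops the whole Exif block, the blunt form of stripping many upload services apply. Because it has to run offline, it builds its own input: a constructed JPEG stub that carries only an Exif block with a GPS IFD and no image data, with made-up coordinates. Tag numbers and the TIFF/Exif layout are from the Exif spec; everything else (function names, the fixture, the coordinates) is this example's own.

```python
"""Added example (not from the thread or from Android): read the GPS fix a
camera writes into a JPEG's Exif block, then drop that block before upload.

Byte layout the code walks (Exif offsets are relative to the TIFF header):
  FFD8 SOI | FFE1 len "Exif\\0\\0" TIFF{IFD0 -> GPS IFD -> rationals} | ... | FFD9 EOI
"""
import struct

GPS_IFD_POINTER = 0x8825                     # IFD0 tag holding the GPS sub-IFD offset
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def iter_segments(data: bytes):
    """Yield (marker, start, end) for each JPEG marker segment up to SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                   # EOI: no length field
            yield marker, pos, pos + 2
            return
        if marker == 0xDA:                   # SOS: entropy-coded data follows, stop walking
            yield marker, pos, len(data)
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _ifd_entries(tiff, off, e):
    """Map tag -> (type, count, 4 raw value/offset bytes) for the IFD at `off`."""
    (count,) = struct.unpack(e + "H", tiff[off:off + 2])
    entries = {}
    for i in range(count):
        p = off + 2 + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", tiff[p:p + 8])
        entries[tag] = (typ, n, tiff[p + 8:p + 12])
    return entries


def _rationals(tiff, entry, e):
    typ, n, raw = entry
    (off,) = struct.unpack(e + "I", raw)     # RATIONALs never fit inline; raw is an offset
    return [num / den for num, den in struct.iter_unpack(e + "II", tiff[off:off + 8 * n])]


def _to_degrees(dms, ref):
    deg = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -deg if ref in (b"S", b"W") else deg


def extract_gps(data: bytes):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None."""
    for marker, start, end in iter_segments(data):
        if marker != 0xE1 or data[start + 4:start + 10] != b"Exif\x00\x00":
            continue
        tiff = data[start + 10:end]
        e = ">" if tiff[:2] == b"MM" else "<"   # byte order declared by the TIFF header
        (ifd0_off,) = struct.unpack(e + "I", tiff[4:8])
        ifd0 = _ifd_entries(tiff, ifd0_off, e)
        if GPS_IFD_POINTER not in ifd0:
            return None
        (gps_off,) = struct.unpack(e + "I", ifd0[GPS_IFD_POINTER][2])
        gps = _ifd_entries(tiff, gps_off, e)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        lat = _to_degrees(_rationals(tiff, gps[GPS_LAT], e), gps[GPS_LAT_REF][2][:1])
        lon = _to_degrees(_rationals(tiff, gps[GPS_LON], e), gps[GPS_LON_REF][2][:1])
        return lat, lon
    return None


def strip_exif(data: bytes) -> bytes:
    """Drop every APP1/Exif segment; all other bytes are copied unchanged.
    Blunter than the field-level redaction Android does: thumbnail, camera
    model and timestamps go too."""
    out = bytearray(data[:2])
    for marker, start, end in iter_segments(data):
        if marker == 0xE1 and data[start + 4:start + 10] == b"Exif\x00\x00":
            continue
        out += data[start:end]
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Constructed fixture, not a real photo: SOI + one Exif block that carries
    only a GPS IFD + EOI. Offsets: IFD0 at 8 (18 bytes), GPS IFD at 26 (54 bytes),
    latitude rationals at 80, longitude rationals at 104."""
    def entry(tag, typ, count, raw4):                 # one 12-byte IFD entry
        return struct.pack(">HHI", tag, typ, count) + raw4
    def rationals(values):                            # d/m/s each stored as x/100
        return b"".join(struct.pack(">II", int(round(v * 100)), 100) for v in values)

    ifd0 = (struct.pack(">H", 1)
            + entry(GPS_IFD_POINTER, TYPE_LONG, 1, struct.pack(">I", 26))
            + b"\0\0\0\0")                            # no next IFD
    gps = (struct.pack(">H", 4)
           + entry(GPS_LAT_REF, TYPE_ASCII, 2, lat_ref.encode() + b"\0\0\0")
           + entry(GPS_LAT, TYPE_RATIONAL, 3, struct.pack(">I", 80))
           + entry(GPS_LON_REF, TYPE_ASCII, 2, lon_ref.encode() + b"\0\0\0")
           + entry(GPS_LON, TYPE_RATIONAL, 3, struct.pack(">I", 104))
           + b"\0\0\0\0")
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps
            + rationals(lat_dms) + rationals(lon_dms))
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg((37, 46, 30), "N", (122, 25, 12), "W")   # made-up fix
    print("before:", extract_gps(photo))               # about (37.775, -122.42)
    print("after: ", extract_gps(strip_exif(photo)))   # None
```

Point a real camera JPEG at `extract_gps` and the same code path yields the spot where the picture was taken; that is the data a website receives whenever the uploading browser or OS has not stripped it. The stripper copies every non-Exif segment byte for byte, so the image itself is untouched.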

andybak 4 days ago | [-12 more]

But surely there's a way to do this without totally killing valuable functionality? It's like the Android Sideloading debate all over again.

Something that is very useful to 1% of users is stripped away. And we end up with dumb appliances (and ironically, most likely still no privacy).

jeroenhd 4 days ago | [-0 more]

You can probably get around this problem by compressing the file and uploading it in a .zip. Google Files allows for making zip files at least, so I don't think it's a rare feature.

I think the linked spec suggestion makes the most sense: make the feature opt-in in the file picker, probably require the user to grant location permissions when uploading files with EXIF location information.

sixhobbits 4 days ago | [-7 more]

yeah it does sound kind of dodge that there's no option even for advanced users to bypass this, I would guess mainly a moat to protect Google Photos. I wonder if online photo competitors are finding a workaround or not as searching your photos by location seems like a big feature there

jeroenhd 4 days ago | [-4 more]

I don't know when Google's EXIF protections are supposed to kick in, but so far my photos auto-synced to Nextcloud still contain location information as expected.

I don't think this has anything to do with Google Photos. People fall victim to doxxing or stalking or even location history tracking by third party apps all the time because they don't realize their pictures contain location information. It's extra confusion to laypeople now that many apps (such as Discord) will strip EXIF data but others (websites, some chat apps) don't.

Barbing 4 days ago | [-3 more]

Important point:

> It's extra confusion to laypeople now that many apps (such as Discord) will strip EXIF data but others (websites, some chat apps) don't.

You've given me a lot of sympathy for the young'uns whose first experiences on the web might have been with EXIF-safe apps. Then one day they use a web browser to send a photo, and there's an entirely new behavior they've never learned.

rickdeckard 4 days ago | [-2 more]

> Then one day they use a web browser to send a photo, and there's an entirely new behavior they've never learned.

The article is actually about Google's web browser stripping the EXIF location-data when uploading a photo to a webpage, and the author complains about that behavior.

This is not an implementation of the browser itself. Android Chrome is behaving in that way because the app didn't request the required permission for that data from the OS (which would ask the user), so the files it receives to upload already have the data removed.

Barbing 4 days ago | [-1 more]

Thank you! Meant my comment for anyone who's not on the very latest version, anyone who experienced Android or another OS with disparate privacy-related behaviors as long as that OS has been around. Yes, now, the issue I'm talking about is solved for the general public on the latest Android devices! At reported cost to power users.

rickdeckard 3 days ago | [-0 more]

Just to add some more context: The change was applied in Android 10, which was released in 2019.

On OS level there is no reduction in functionality; the implementation just ensures that the user agrees to sharing his location data with an app, and until that has been agreed it is not being shared (so as not to hinder any normal app operation).

Now the fact that the Chrome app doesn't trigger the user-permission prompt is another topic, with its own (huge) complexity: if the user declines to share his location history with a webpage, Android can only ensure this for known media file types (while e.g. Windows cannot do this for ANY file type, and on iOS I believe the user cannot even decide not to have it stripped), so Chrome actually cannot commit to any decision taken by the user.

It's a known dilemma in the W3C: the browser should ensure user privacy, but for binary data it technically can't...

raw_anon_1111 4 days ago | [-1 more]

This is honestly a horrible argument. Any app on Android can still get EXIF data.

kelnos 4 days ago | [-0 more]

You're replying to someone who is talking about a native app, but the overall issue here is about web apps. Chrome and Firefox don't request the appropriate permission (which, as things stand right now, is probably the safer choice), and there's no way for a website to signal to the browser that it wants that permission, so that the browser could prompt the user only for websites that ask for it, and persist the allow/deny response, similarly to how general location permission works via the JS location APIs.

rickdeckard 4 days ago | [-2 more]

Seems to be quite simple, an App which wants to access this info just needs to set the permission for it.

Chrome doesn't seem to request that permission, so the OS doesn't provide the location-data to the app. So Chrome rather ended up in this state by doing nothing, not by explicitly doing something...

> If your app targets Android 10 (API level 29) or higher and needs to retrieve unredacted EXIF metadata from photos, you need to declare the ACCESS_MEDIA_LOCATION permission in your app's manifest, then request this permission at runtime.

Source: https://developer.android.com/training/data-storage/shared/m...

kelnos 4 days ago | [-1 more]

That's not sufficient. We need a standardized attribute on the HTML form to request the permission as well. If Chrome requests the permission, great, but that's not fine-grained enough for a web browser.

rickdeckard 4 days ago | [-0 more]

Well yes, agree, but as stated Chrome didn't end up with this behavior because they did something, the Browser behaves like this because they didn't implement any logic for this permission.

A standardized attribute on an HTML-form would be difficult to define, because in this context the page just requests/receives a binary file, so a generic "strip embedded location information" decision from the user would be hard to enforce and uphold (also, by whom?).

In this case Android only knows the file-structure and EXIF because the file is requested by Chrome from a Media Library in the OS, not a file-manager.

W3C keeps thinking about this data-minimization topic repeatedly [0], so far they managed to define the principles [1], but enforcing them technically is quite hard if any kind of content can be submitted from a storage to a webpage...

[0] https://www.w3.org/blog/2019/adding-another-permission/

[1] https://www.w3.org/TR/security-privacy-questionnaire/#data-m...

maccard 4 days ago | [-41 more]

If Google really cared about privacy, they wouldn't have moved Maps away from a subdomain. Now if I want Maps to have my location (logical), I need to grant Google _search_ my location too.

edgineer 4 days ago | [-21 more]

It's not all-or-nothing; sometimes some people at Google push for some things to improve privacy. Rarely happens when revenue is at stake.

Android used to ask you "do you want to allow internet access?" as an app permission. Google removed that, as it would stop ads from showing up. Devastating change for privacy and security, great for revenue.

WarmWash 4 days ago | [-1 more]

It's not great for revenue, it is their revenue.

People act like Google products are a charity that had been free forever, and then this mega-corp called Google came along and started harvesting the data of innocent people who just want to get directions to Starbucks.

username223 4 days ago | [-0 more]

Google is pretty much just a wrapper around DoubleClick.

sathackr 4 days ago | [-18 more]

GrapheneOS still does this -- allows controlling internet access on a per-app basis.

unethical_ban 4 days ago | [-0 more]

It's one of the big reasons I advocate for Graphene even if one chooses to install Google services afterward.

Also notable: as of last year, OnePlus allowed mobile and WiFi network toggle, effectively doing the same thing.

lukan 4 days ago | [-11 more]

For those of us stuck on normal Android, is there a way to achieve that? I know it used to work with some firewall apps but nowadays they all require root access.

microtonal 3 days ago | [-0 more]

Rethink DNS can block internet access of an app (besides doing DNS-based blocking, etc.): https://rethinkdns.com

It uses the VPN functionality, but you can stack a WireGuard VPN on top of it.

d2323 4 days ago | [-1 more]
bornfreddy 4 days ago | [-0 more]

+1 for NetGuard, it is awesome. A bit clumsy UI, but indispensable.

Zak 4 days ago | [-0 more]
xigoi 4 days ago | [-3 more]

Not the same thing, but you can install an app like Blokada Libre to block ads and trackers in all apps.

https://blokada.org/

psnehanshu 4 days ago | [-2 more]

Or you can set your DNS resolver to dns.adguard-dns.com and it blocks almost all ads. You can search "private dns" in Android settings app and set it there.

xigoi 4 days ago | [-1 more]

This has the disadvantage that you can’t whitelist specific domains, which is something I need pretty often.

psnehanshu 3 days ago | [-0 more]

You can sign up for private AdGuard DNS, then you should be able to whitelist domains.

throw_await 4 days ago | [-2 more]

Go to settings > App > $SCUMMY_APP > Mobile Data & WiFi. Uncheck all.

KomoD 4 days ago | [-0 more]

Not a thing on stock Android.

Barbing 4 days ago | [-0 more]

Why does Apple not give that Wi-Fi option there? I mean, is there a reason we’d be sympathetic to?

lxgr 4 days ago | [-4 more]

iOS allows this, but only on mobile data, which is pretty infuriating. Why should I not be able to also restrict apps from dialing home/anywhere just because I'm on a Wi-Fi network (which isn't even necessarily unmetered)?

joosters 4 days ago | [-3 more]

It's really annoying. I have a sudoku game on my phone, works great but give it internet access and it's suddenly full of sketchy adverts.

If I'm playing it on my commute, it's usable with mobile data disabled for the app. But when the train stops in a station long enough to auto-connect to wifi, immediate full screen adverts :(

Zak 3 days ago | [-0 more]
raw_anon_1111 4 days ago | [-0 more]

Then don’t use an ad-supported app? I have one ad-supported app on my phone - Overcast. The developer created their own ad platform and serves topic-based ads based on the podcast you are listening to right now. Ironically enough, I started to pay for a subscription even though it didn’t give me any real benefit, just to support him, until he started having ads.

I’ve found a lot of useful podcasts from the ads.

xp84 4 days ago | [-0 more]

I’m gonna be That Guy for a minute: if you enjoy using a Sudoku app, isn’t there one available on more acceptable terms, e.g. a single purchase or an IAP that removes the ads from this one? I’m not saying you have to pay like $3.99/week for a scam one, but more like pointing out that if you don’t like ads (as I also don’t), why not support the developers who believe in selling software to you for a few bucks rather than selling your annoyance to Google via AdSense?

autoexec 3 days ago | [-0 more]

Google doesn't care about privacy, but it's easier for them to keep collecting your data if they can also keep it from getting unintentionally leaked to others. The last thing Google wants is for people to start thinking about the amount of data they're handing over.

amazingamazing 4 days ago | [-13 more]

Google has your location either way. What difference does it make?

kevin_thibedeau 4 days ago | [-12 more]

You can lock down their usage. Limit it to three months storage and minimize sharing. They still report an old address for home and work for me since I dialed up the restrictions years ago. They have the data but it is less exposed.

amazingamazing 4 days ago | [-11 more]

I honestly don’t understand the scenario you’re defending against. Google still knows where you actually live and work trivially. If you don’t trust Google you should just de-Google completely.

lukan 4 days ago | [-9 more]

I also don't trust my government. So should I just degovernment completely? Sounds just as practical or realistic for most people.

shibapuppie 4 days ago | [-1 more]

"Just move" seems to be a pretty popular sentiment, in that scenario.

autoexec 3 days ago | [-0 more]

As if the government doesn't monitor both non-citizens and ex-citizens living in other countries too.

amazingamazing 4 days ago | [-6 more]

You’re saying moving on from Google is similar to switching government?

Jtarii 4 days ago | [-0 more]

Switching government and deleting google are probably on the same order of magnitude of difficulty for most people.

lukan 4 days ago | [-0 more]

In a way, yes, as google de facto governs and controls much of the internet.

bornfreddy 4 days ago | [-3 more]

Have you tried moving on from Google, and preferably not to Apple?

amazingamazing 4 days ago | [-2 more]

Yes, it’s trivial. What are you having difficulty with? There are plenty of threads here on HN about this

autoexec 3 days ago | [-0 more]

If you think it's trivial you must not be paying attention. You cannot keep your data from Google. Government websites include Google tracking. Google drives past your house to take photos and sniff your wifi traffic. Your employer hands your data over to Google. Your doctor hands your data over to Google. Your bank hands your data over to Google. You can limit how much you actively and voluntarily give them, but you can't free yourself from them entirely and still function in society.

bornfreddy 3 days ago | [-0 more]

Trivial? Ha! Way to say that you never tried it. Either that, or that you don't care for things like push notifications. Yes, most of the things work, but not nearly all of them.

lxgr 4 days ago | [-0 more]

Not GGP, but I suppose the general idea is: Granting permanent location permission to maps.google.com seems a bit more privacy preserving than granting it to *.google.com, assuming one opens maps significantly less often than e.g. GMail, search etc.

butlike 4 days ago | [-2 more]

I'm not sure I follow. maps.google.com still resolves?

maccard 4 days ago | [-1 more]

maps.google.com now redirects to google.com/maps and has done for the past few years.

butlike 4 days ago | [-0 more]

Ahh I see. Thanks.

flipped 4 days ago | [-0 more]

[flagged]

WhyNotHugo 4 days ago | [-1 more]

It's not that hard to add a little checkmark "include location" under it, rather than unconditionally remove it.

As per OP, it seems they've shut down _any_ means for you to get the data out of the phone other than using a USB cable.

rickdeckard 4 days ago | [-0 more]

Seems to be quite simple, an App which wants to access this info just needs to set the permission for it.

Chrome doesn't seem to request that permission, so the OS doesn't provide the location-data to the app. So Chrome rather ended up in this state by doing nothing, not by explicitly doing something...

> If your app targets Android 10 (API level 29) or higher and needs to retrieve unredacted EXIF metadata from photos, you need to declare the ACCESS_MEDIA_LOCATION permission in your app's manifest, then request this permission at runtime.

Source: https://developer.android.com/training/data-storage/shared/m...

lxgr 4 days ago | [-2 more]

100% agreed; people generally don't realize how deanonymizing EXIF data can be.

I remember one of my cameras or phones including a "seconds since device startup" counter; together with the exact time the photo was taken, this yields a precise timestamp of when a phone was last restarted. This by itself can be highly deanonymizing out of a small to medium sized set of candidate phones/photographers.

buildbot 4 days ago | [-1 more]

I mean the serial number of the camera and possibly lens are included too…

lxgr 4 days ago | [-0 more]

Not for most phones, fortunately.

bspammer 4 days ago | [-0 more]

This kills an entire class of useful crowdsourcing web apps though. Just off the top of my head, contributing to OSM is much easier when you can just take a bunch of photos and see them displayed on a map.

morissette 4 days ago | [-9 more]

Seems like such a shitty thing to victimize the potential victim. But… if you didn’t know that images you took had metadata… maybe you shouldn’t be allowed to use a computer. I mean. I’m going on decades of knowing this. Feel like there is a mid 90s X-Files episode that even like breaks this down. If not NCIS or some shit.

roywiggins 4 days ago | [-4 more]

Even people who know it, don't think about it and don't connect it with the potential consequences of uploading a picture to a website. And why would they? It's not visible, there's no warning, it's just not something that's going to be top of mind.

SirMaster 4 days ago | [-3 more]

So we should educate people about it. Don't you think that constantly coddling people about tech just breeds tech-illiterate people?

Wouldn't it be better if people were more tech-literate?

Coddling only works when those who are in charge of the tech play nice. But then breeds people who will more easily fall victim to the bad actors.

roywiggins 4 days ago | [-2 more]

I said that people who already know don't think about it. That's not something you can solve by educating them more. When I'm sharing a photo, I am going to think about what I can see in the photo as a data risk, not the invisible stuff that I might intellectually have heard about. It's just not going to come to mind.

People who know about phishing get got by phishing attacks, too. How well has however many years of "cyber awareness training" gone?

rickdeckard 4 days ago | [-1 more]

Agree. That's also the dilemma with asking the user for his permission: it is very difficult to frame a concise question and get an educated decision there. So only asking if the app explicitly requests that permission sounds reasonable.

The prior threat model was that e.g. a camera/gallery app, which may or may not have permission to a user's current location, also has access to the history of a user's locations just by scanning the images when showing the camera roll.

It frankly makes sense to create a separate permission just for this location metadata AND strip this data when no permission was granted; I believe everything else would be MUCH harder to explain to the user...

tentacleuno 4 days ago | [-0 more]

I assume Google are very hesitant to add additional permissions, and any additions get very carefully thought about. Having too many prompts can lead to popup blindness, which defeats the entire purpose of the permission system in the first place.

I'm sure I recall much older Android versions presenting all of the app's permissions at install-time. I'm very willing to bet that most users didn't actually read any of it. Overall, it seems like a very interesting problem to solve.

madeofpalk 4 days ago | [-2 more]

You're right - this is a shitty view on this. It's incredibly opaque that images secretly contain the GPS coordinates of where they were taken. There's no way that's obvious or intuitive.

I think the 'ideal' thing to do would be an opt-in toggle for sharing "location and other extended info" for photos when selecting them, but I'm sure you can understand why a dev team took a shortcut to solve the immediate pain for most users most of the time.

Barbing 4 days ago | [-1 more]

When you upload the photo, at risk of great confusion they could essentially watermark the photo or add a banner showing the location and perhaps some of the other key details, like camera model, right on the photo so it would at least get across to the user that there is an association between these two things that needs to be disabled.

To dismiss the banner you'd have to click a dismiss button which would ask you to confirm that you want to get rid of the location data completely. Then there would be a tiny little button that says “hide this location inside the photo, where I can't see it easily, but everyone totally could”. (But less stupid.)

It would be terrible because there would be huge support threads on why it's trying to share an image with an overlay, but it would get it across. Would be a different failure mode for user privacy than what you would have with a text prompt or an interstitial or whatever.

rickdeckard 4 days ago | [-0 more]

Sounds fun, but in this case it's actually the OS which is stripping the meta-data before fulfilling the file-access request to the app.

Now an app maybe just wants to set the image as wallpaper, send it to a printer or set as an avatar, so it requests to read it from storage. The OS injecting a watermark here or adding some UI would break decades of apps...

pjmlp 4 days ago | [-0 more]

100% of the people that don't know that HN exists, most likely don't know images have metadata.

sylario 4 days ago | [-0 more]

On Reddit, half of the "is it AI?" questions are answered by "Yes, it says so in the metadata".

tim333 3 days ago | [-0 more]

They could probably include an option for sending metadata for people who want to. I guess it should default to off.

jorvi 4 days ago | [-0 more]

AFAIK a lot of the bigger sites / services already hide or outright strip EXIF.

It's better to do it from the source, obviously.

kelnos 4 days ago | [-0 more]

You do realize that Google only cares about user privacy when it doesn't affect their own business model to do so, right? And also, like in this case, where not caring could end up creating some nasty headlines that hurt their reputation?

Meanwhile, Google probably has one of the most comprehensive databases on the planet of user behavior, gleaned from tracking their users all over the internet. Surveillance capitalism at its finest. But hey, they protect people from accidentally sending their photo geolocations to random websites, so good job Google, pat on the back for you.

master-lincoln 4 days ago | [-3 more]

Because most people have no idea how the tools they chose to buy and operate work, the few rational people who educate themselves have to suffer...

This sounds like a downward spiral concerning freedom.

roywiggins 4 days ago | [-2 more]

You don't have to be irrational to not know things.

master-lincoln 4 days ago | [-1 more]

True, but isn't it irrational to continue operating something you know could cause harm to you when used wrongly, despite not knowing how to use it correctly?

Barbing 4 days ago | [-0 more]

The hypothetical person we're considering does have an entire life, too. Their rationale may have emerged from careful risk analysis and weighing of opportunity costs.

darkhorn 4 days ago | [-0 more]

I agree with you. The next steps should be to disable the internet nationwide like North Korea. People have no idea how much bad things are there. Also I don't like fun things.