Facebook is embedding tracking data inside the photos you download
It’s time to kiss your privacy goodbye. We live in the age of social media where tech giants continue to track users’ activities across the internet without their consent. Just yesterday, the FTC slapped Facebook on the wrist with a $5 billion fine that could potentially end an investigation into its privacy practices. This is a drop in the bucket considering Facebook has a market capitalization of $585 billion.
However, it turns out that Facebook has been tracking every image sent on its platform. Patrick Peccatte, a StackOverflow member, first raised the question back in 2015. “Many images uploaded on Facebook contain IPTC/IIM fields which are apparently automatically added during the upload process: Special Instruction, a string beginning with “FBMD” and Original Transmission Reference, what is this?” Peccatte asked.
IPTC instructions are a set of metadata that describes and gives information about other data. Photo metadata allows information to be transported with an image file, in a way that can be understood by other software, hardware, and end users, regardless of the format.
Then three days ago, Edin Jusupovic, a cybersecurity expert and a law student (LLB) at UNE, noticed a structural abnormality when looking at a hex dump of an image file from an unknown origin, only to discover it contained what he later found to be an IPTC special instruction. He later traced the image file back to Facebook.
#facebook is embedding tracking data inside photos you download.
I noticed a structural abnormality when looking at a hex dump of an image file from an unknown origin only to discover it contained what I now understand is an IPTC special instruction. Shocking level of tracking.. pic.twitter.com/WC1u7Zh5gN
— Edin Jusupovic (@oasace) July 11, 2019
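One way to check a downloaded JPEG for the two IPTC/IIM fields Peccatte describes, added here as an example and not code from the article, from Jusupovic or from Facebook. It assumes the fields sit in the usual Photoshop APP13 block as IIM datasets 2:40 (Special Instructions) and 2:103 (Original Transmission Reference); `build_sample` and the values passed to it are constructed test input, not real tags.

```python
import struct
# IPTC IIM record-2 datasets named in the article.
FIELDS = {40: "Special Instructions", 103: "Original Transmission Reference"}

def app13_segments(jpeg):
    """Yield the payload of each APP13 (0xFFED) header segment of a JPEG."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)   # require SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = struct.unpack(">BH", jpeg[pos + 1:pos + 4])
        if marker in (0xDA, 0xD9):      # image data starts: no more headers
            break
        if marker == 0xED:
            yield jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length

def iptc_blocks(app13):
    """Yield the data of each Photoshop 8BIM resource 0x0404 (IPTC)."""
    sig = b"Photoshop 3.0\x00"
    pos = len(sig) if app13.startswith(sig) else len(app13)
    while app13[pos:pos + 4] == b"8BIM" and pos + 7 <= len(app13):
        res_id, name_len = struct.unpack(">HB", app13[pos + 4:pos + 7])
        pos += 6 + ((name_len + 2) & ~1)        # Pascal name, padded to even
        size = int.from_bytes(app13[pos:pos + 4], "big")
        if res_id == 0x0404:
            yield app13[pos + 4:pos + 4 + size]
        pos += 4 + size + (size & 1)            # data is padded to even too

def iim_datasets(block):
    """Yield (record, dataset, value) for each 0x1C-tagged IIM dataset."""
    pos = 0
    while pos + 5 <= len(block) and block[pos] == 0x1C:
        record, dataset, size = struct.unpack(">BBH", block[pos + 1:pos + 5])
        if size & 0x8000:                       # extended length: stop here
            break
        yield record, dataset, block[pos + 5:pos + 5 + size]
        pos += 5 + size

def find_tracking_fields(jpeg):
    """Return the article's two IPTC fields found in a JPEG, keyed by name."""
    return {FIELDS[d]: v.decode("latin-1")
            for seg in app13_segments(jpeg) for blk in iptc_blocks(seg)
            for r, d, v in iim_datasets(blk) if r == 2 and d in FIELDS}

def build_sample(instr, ref):   # constructed JPEG skeleton, not a real photo
    ds = lambda n, v: b"\x1c\x02" + bytes([n]) + struct.pack(">H", len(v)) + v
    iptc = ds(40, instr) + ds(103, ref)
    irb = (b"Photoshop 3.0\x008BIM\x04\x04\x00\x00" + struct.pack(">I", len(iptc))
           + iptc + b"\x00" * (len(iptc) & 1))
    return b"\xff\xd8\xff\xed" + struct.pack(">H", len(irb) + 2) + irb + b"\xff\xd9"
```

For a real file, pass `open(path, "rb").read()` to `find_tracking_fields`; a Special Instructions value starting with `FBMD` matches what the article reports.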
Jusupovic said Facebook could potentially track photos outside of their own platform with a disturbing level of precision about who originally uploaded the photo. “I suppose the more concerning issue here is that there is already a variety of advanced techniques to inject data inside photos using steganography such that it would be impossible to forensically detect,” he added. Jusupovic warned that Facebook could potentially track its users with zero proof, if the technology is weaponized.
The story quickly took on a life of its own on Reddit. SongForPenny, a Reddit member, provided an in-depth explanation and use-case scenario of how Facebook could track its users with the embedded tracking data. Below is what he said:
“Upload picture, and Facebook tags it with a secretly embedded tag: A008E8E97FA55
Friend “A” on Facebook downloads it.
Friend “A” texts it to another friend – someone you don’t know, their friend Friend “B”, and another friend of theirs Friend “C.”
Friend “B” isn’t on Facebook, or maybe they mostly just post to Reddit.
Friend “B” posts to Reddit. Facebook sees this (by scouring Reddit systematically, the way search engines scour the entire ‘web’ in general). After seeing this a few times, quickly repeated, Facebook now knows you are somewhat close to Friend “B.”
So now Facebook knows who another of your “Friend of a Friend” connections are – a person you don’t even know about yourself!
Here comes the second trick: Friend “C” (another person who is friends with “A”) actually **does** upload to Facebook. They got the text message, too. Friend “C” re-uploads the image, from the text message they got.
Facebook sees this, and knows that you are communicating indirectly to Friend C, or someone close to Friend C (ie: Friend “A”). Again, you don’t know Friend C, either, but Facebook knows you are close to Friend C.
Now Friend “C” uploads the picture you uploaded … but now Facebook puts a NEW secret tag on it. Facebook changes A008E8E97FA55 to BD0GE4EAG3A11.
Now Facebook can see if Friend “C” texted it to another person – Friend “X”, or if that person is a friend of YOURS. Or maybe neither you, nor C know X, but you likely are friends of a friend of X, and friend A is less likely to be close to X than you and Friend C are. Not only can they track which picture goes where and when, but they can see the sequence of movements with astonishing accuracy.
Repeat this activity on a large scale, and now Facebook knows your Facebook friends, Facebook followers, and your real-world friends, co-workers, and associations. They even know your “friends of friends” (people you don’t know) and their buying and lifestyle details, and yours, and how your friendship circles fit together, even outside of facebook.
Now look at how they watch your purchasing and browsing habits, and you’ve got a stew going. A horrible, horrible, creepy stew, with a lot of power over society.
Say, for example, Facebook wants to throw an election. They could determine who ‘everyone’ is, watch their purchases, note their connections, note who their friends are, and run behavioral tests 24×7 to see if people in certain categories are swayed by certain political ads.
They determine: You are extremely likely to vote. You vote in District “XXX.” People in your district are concerned about “Topics Blah1, Blah2, and Blah3.” Your purchases, friendships, and outside-of-facebook relationships say you are probably concerned with “Blah2” issues.
They target you with ads every couple of days about Candidate Peterson. Candidate Peterson is running in your district, and she HATES facebook’s endless power grabs and privacy violations. She also wants Silicon Valley companies to pay their fair share of taxes. So, the ads they pump at you will say “Candidate Peterson is really shitty about issue ‘Blah2’ – don’t vote Peterson!” Maybe the ads are complete lies and smears, but testing has shown that it changes minds of people in your district, with your friends and lifestyle patterns.”