I think it has become obvious by now that, no matter how many times it apologizes, Facebook doesn't really care about user privacy. In fact, it is quite clear that the company will do anything to collect as much personal user data as it can and to track users around the Internet, not just on Facebook.

The latest revelation proves this. Edin Jusopovic, a cybersecurity researcher and law student based in Australia, has discovered that Facebook is "embedding tracking data inside photos you download."

"I noticed a structural abnormality when looking at a hex dump of an image file from an unknown origin only to discover it contained what I now understand is an IPTC special instruction. Shocking level of tracking... The take from this is that they can potentially track photos outside of their own platform with a disturbing level of precision about who originally uploaded the photo (and much more). I suppose the more concerning issue here is that there is already a variety of advanced techniques to inject data inside photos using steganography such that it would be impossible to forensically detect. If weaponized, it could be used for tracking; with zero proof," wrote Jusopovic in a series of tweets.

Hex dump of an image file. Source: Edin Jusopovic
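To check a downloaded JPEG for the field described above, the following added example (not code from the article or from the researcher) walks the JPEG header segments, finds the Photoshop-style APP13 block that carries IPTC data, and returns any IPTC "Special Instructions" (dataset 2:40) values. The function names, the sample file and its tag value are constructed for illustration.

```python
def jpeg_segments(data):
    # Yield (marker, payload) for each header segment before Start of Scan.
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # includes itself
        yield data[pos + 1], data[pos + 4:pos + 2 + length]
        pos += 2 + length

def iptc_blocks(app13):
    # Yield the data of each Photoshop "8BIM" resource 0x0404 (IPTC-NAA).
    sig = b"Photoshop 3.0\x00"
    pos = len(sig) if app13.startswith(sig) else len(app13)
    while pos + 12 <= len(app13) and app13[pos:pos + 4] == b"8BIM":
        res_id = int.from_bytes(app13[pos + 4:pos + 6], "big")
        pos += 6 + ((app13[pos + 6] + 2) & ~1)      # Pascal name, padded to even
        size = int.from_bytes(app13[pos:pos + 4], "big")
        if res_id == 0x0404:
            yield app13[pos + 4:pos + 4 + size]
        pos += 4 + size + (size & 1)                # data, padded to even

def iim_datasets(block):
    # Yield (record, dataset, value); stops at an extended-length dataset.
    pos = 0
    while pos + 5 <= len(block) and block[pos] == 0x1C:
        length = int.from_bytes(block[pos + 3:pos + 5], "big")
        if length & 0x8000:
            return
        yield block[pos + 1], block[pos + 2], block[pos + 5:pos + 5 + length]
        pos += 5 + length

def special_instructions(data):
    # Every IPTC 2:40 (Special Instructions) value in the JPEG headers.
    return [v for m, p in jpeg_segments(data) if m == 0xED
            for b in iptc_blocks(p)
            for r, d, v in iim_datasets(b) if (r, d) == (2, 40)]

def build_sample(tag):
    # Constructed file: SOI + APP13 with one 2:40 dataset + SOS + EOI.
    iim = b"\x1c\x02\x28" + len(tag).to_bytes(2, "big") + tag
    irb = (b"8BIM\x04\x04\x00\x00" + len(iim).to_bytes(4, "big")
           + iim + b"\x00" * (len(iim) & 1))
    body = b"Photoshop 3.0\x00" + irb
    return (b"\xff\xd8\xff\xed" + (len(body) + 2).to_bytes(2, "big")
            + body + b"\xff\xda\xff\xd9")

SAMPLE = build_sample(b"CONSTRUCTED-TAG-0001")  # constructed value, not a real tag
if __name__ == "__main__":
    print(special_instructions(SAMPLE))
```

To run it on a real file, pass the bytes from `open(path, "rb").read()` to `special_instructions`; an empty list means no 2:40 dataset was found in the header segments.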

Facebook's privacy violations

This discovery by Jusopovic becomes more concerning when you consider that just recently the USA's Federal Trade Commission approved a fine of approximately $5 billion as a settlement with Facebook to end an investigation into the social media platform's privacy practices. That fine comes several weeks after the Delaware Chancery Court in the USA ruled that Facebook shareholders had a "credible basis" to believe that the social media company's directors had done something wrong in relation to data breaches, such as the one involving Cambridge Analytica.

As the Delaware Chancery Court has also noted, the problem with Facebook's privacy violations is not only that it fails to protect users' privacy, but that it intentionally deceives users and all other stakeholders about how it handles their data.

In this case of embedding tracking data inside uploaded images, Facebook's Data Policy nowhere mentions the practice, nor does it explain how users can opt out of it.

What does this mean?

What is worrying is that Facebook could use this type of image tracking (if it isn't doing so already) to understand who your friends and family are, considering that it also owns WhatsApp and Instagram. Furthermore, it could use it to add more data to the shadow profiles it keeps of people who don't have Facebook accounts.

This is best described by Reddit user SongForPenny, who paints the scenario of how Facebook could use such image tracking as follows:

Upload picture, and Facebook tags it with a secretly embedded tag: A008E8E97FA55

Friend "A" on Facebook downloads it.

Friend "A" texts it to another friend - someone you don't know, their friend Friend "B", and another friend of theirs Friend "C."

Friend "B" isn't on Facebook, or maybe they mostly just post to Reddit.

Friend "B" posts to Reddit. Facebook sees this (by scouring Reddit systematically, the way search engines scour the entire 'web' in general). After seeing this a few times, quickly repeated, Facebook now knows you are somewhat close to Friend "B."

So now Facebook knows who another of your "Friend of a Friend" connections is - a person you don't even know about yourself!

Here comes the second trick: Friend "C" (another person who is friends with "A") actually **does** upload to Facebook. They got the text message, too. Friend "C" re-uploads the image, from the text message they got.

Facebook sees this, and knows that you are communicating indirectly to Friend C, or someone close to Friend C (i.e., Friend "A"). Again, you don't know Friend C, either, but Facebook knows you are close to Friend C.

Now Friend "C" uploads the picture you uploaded ... but now Facebook puts a NEW secret tag on it. Facebook changes A008E8E97FA55 to BD0GE4EAG3A11.

Now Facebook can see if Friend "C" texted it to another person - Friend "X", or if that person is a friend of YOURS. Or maybe neither you, nor C know X, but you likely are friends of a friend of X, and friend A is less likely to be close to X than you and Friend C are. Not only can they track which picture goes where and when, but they can see the sequence of movements with astonishing accuracy.

Repeat this activity on a large scale, and now Facebook knows your Facebook friends, Facebook followers, and your real-world friends, co-workers, and associations. They even know your "friends of friends" (people you don't know) and their buying and lifestyle details, and yours, and how your friendship circles fit together, even outside of Facebook.

This could also be used for more targeted ads and even political campaigns. We've asked Facebook for an explanation and we will update this article as soon as we have an answer from them.

