Just about everyone has heard by now the cautionary tale of Vice Magazine’s accidental outing of a source’s location, and that source’s subsequent arrest. John McAfee, computer software tycoon turned colorful fugitive, had recently gone missing after being declared a person of interest in the death of his neighbor in Belize. A Vice editor and photographer caught up with him to document his life on the lam, which they promised readers would be “nothing but absolutely epic.” Their first post from the trip, posted on December 3 of last year, featured a photograph and a headline that taunted and trolled: “We Are with John McAfee Right Now, Suckers.”
That photograph, we now know, had been taken with an iPhone, and had been automatically embedded with information that pinpointed their location to a swimming pool at a hotel in Izabal, Guatemala. Vice soon replaced the photo with a one scrubbed of its GPS coordinates, but he had already been exposed. Guatemalan police arrested McAfee two days later. As Forbes writer Kashmir Hill said of the Vice staffers at the time, “With that posting, they went from chroniclers of vices to inadvertent narcs.”
For any journalist protecting a sensitive source—much less one who is actively being pursued by law enforcement—this is a worst-case-scenario come true. But as well-known as this very cringe-worthy anecdote has become, much less known is how to prevent it from happening.
First, understand what the metadata is. Exchangeable image file format, or Exif, is the format for digital image and sound files as well as the metadata “tags” that accompany them. Metadata for photos taken by digital cameras can include the date and time the file was saved, the settings of the camera, the camera’s make and model, and even a thumbnail version of the photo itself. (A friend recently bought a used digital camera from a camera store; when he uploaded photos he had taken onto his computer, he noticed that the “author” field in the photo information was already filled in with the previous owner’s full name. It wasn’t exactly a security threat, but it still seemed a little creepy.)
GPS, cell-tower, and Wi-Fi connections together add yet another layer of identifying information, a particularly valuable layer, at that—just ask the NSA. A phone’s default settings will record this location information when a photo is taken. Many new (non-phone) digital cameras now have GPS and Wi-Fi capability as well.
PBS’ IdeaLab has an excellent rundown of all of the different ways to scrub metadata from both digital-camera photos and mobile-phone photos, along with a helpful video put together by MobileActive.org. Mac users can view and edit exif tags in Preview using the “Inspector” tool from the “Tools” menu, while PC users can just click on the “Properties” of the file. Googling “Exif viewer” will also bring you to a number of free programs and websites, like this one, that allow you to see the exif tags embedded in your file and then make changes to them.
If you upload your photos to Facebook, Twitter, Instagram, or any other social media service, those services may actually wipe the location information from the photos for you—but, at the same time, the services may be recording your current physical location when you post. To avoid that, make sure you have “Location services” specifically switched off for those apps in your phone’s privacy settings.
If this sounds a little too complicated, there is another, easier solution, which Wired writer Quinn Norton mentioned recently. Norton is very tech-savvy, and is known especially for her reporting on extremely low-profile members of high-profile hacker collectives. But for a 2006 assignment for Wired, she relied on a simple hack to protect the identity of a source who wanted to remain anonymous. Norton had traveled to Sweden to report on the BitTorrent file-sharing website The Pirate Bay. At the time, some of the site’s staffers had already been arrested; the remaining ones, not surprisingly, wanted their identities protected. While reporting, Norton took a photo of one of her sources in his living room (that source, she can say now that his identity is publicly known, was Pirate Bay co-founder Peter Sunde).