Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Options to strip EXIF metadata from media uploads. #4426

Open
ara4n opened this issue Jun 26, 2017 · 22 comments
Open

Options to strip EXIF metadata from media uploads. #4426

ara4n opened this issue Jun 26, 2017 · 22 comments
Labels
A-File-Upload Attachments and file uploads A-Media O-Occasional Affects or can be seen by some users regularly or most users rarely Privacy S-Major Severely degrades major functionality or product features, with no satisfactory workaround Security T-Enhancement

Comments

@ara4n
Copy link
Member

ara4n commented Jun 26, 2017

A really useful privacy feature would be to be able to strip off any metadata from images (or audio or video) before uploading them to the server. This could be done at the server itself, but then the server would be able to sniff it and it wouldn't work with E2E uploads which are probably the most important ones anyway.

So instead we should probably implement it as an option for the client to mangle the image before uploading to strip it out.

@ara4n
Copy link
Member Author

ara4n commented Jun 26, 2017

(Given we already have the ability to mangle file-uploads before sending them to the server, when we do E2E encryption on them clientside before sending, this isn't impossible, although could be quite fiddly to get right and not pose performance problems).

@ara4n
Copy link
Member Author

ara4n commented Jun 26, 2017

http://jsfiddle.net/mowglisanu/frhwm2xe/3/ has a relatively plausible looking example of stripping exif metadata from JPEGs. The right place to insert this is around https://github.com/matrix-org/matrix-react-sdk/blob/443ab1add73390176478fc7ecd1a334aa157e833/src/ContentMessages.js#L293 - either replacing the file with a new file object pointing to the updated data stream, or changing all the downstream code to work on data streams rather than file objects.

@ara4n
Copy link
Member Author

ara4n commented Jun 26, 2017

actually, https://github.com/matrix-org/matrix-react-sdk/blob/443ab1add73390176478fc7ecd1a334aa157e833/src/ContentMessages.js#L237 is another option: just before we do the upload, we could check the mime type here for image/jpeg etc and then load the file into RAM and mangle it before sending (and then pass the same buffer to the e2e code as needed).

@ara4n
Copy link
Member Author

ara4n commented Jun 26, 2017

another complication is that if we strip off EXIF colour profile metadata we should be re-compressing the image to 'bake in' the correct profile first. the right solution here is probably to leave colour profile meta intact.

@turt2live
Copy link
Member

One concern with loading it into RAM would be issues like #4264

@ara4n
Copy link
Member Author

ara4n commented Jun 26, 2017

For some reason i couldn't get this out of my head, so i've pushed a totally untested and almost certainly broken proof-of-concept to matrix-org/matrix-react-sdk@a0eea2a. If someone felt like picking it up and testing/finishing it it'd be hugely appreciated, as I should be focusing on organisational stuff atm rather than writing code, sadly :(

@ara4n
Copy link
Member Author

ara4n commented Jul 20, 2017

@ara4n
Copy link
Member Author

ara4n commented Mar 20, 2019

matrix-org/matrix-react-sdk#1307 ended up being the PR for this, but we couldn't get it to work, and it bitrotted and got closed :( It should still be resurrectable by some kind soul in future though.

@hpdeifel
Copy link

hpdeifel commented Aug 8, 2019

Just some 2ct: I want to use matrix as a kind of shitty dropbox for sharing files including photos with perfectly crafted exif metadata. I wouldn't want matrix to mangle the files in any way, they should be bit for bit identical when I download them again.

➡️ so IMHO stripping exif should be configurable, although probably enabled by default.

@ara4n
Copy link
Member Author

ara4n commented May 10, 2020

after a brief 3 year hiatus, matrix-org/matrix-react-sdk#1307 now implements this.

@ptman
Copy link
Contributor

ptman commented May 12, 2020

Slack is now offering something similar: https://yro.slashdot.org/story/20/05/11/2051209/slack-now-strips-location-data-from-images . Does it make any sense at all to also allow this in synapse, so that every client wouldn't have to implement it separately? There are toolkits designed for this: https://0xacab.org/jvoisin/mat2

@t3chguy
Copy link
Member

t3chguy commented May 12, 2020

This is to prevent even your synapse knowing the metadata

@ptman
Copy link
Contributor

ptman commented May 12, 2020

@t3chguy I get that it's better to remove it on client than server. But as with many things in matrix, there can be different levels of doing stuff (not only e2e, but unencrypted rooms with ssl encryption between servers) and I think it could help many clients if there was a synapse fallback for clients that don't support removing metadata from all different media formats.

@t3chguy
Copy link
Member

t3chguy commented May 12, 2020

Oh and of course the fact that if you use synapse to do it for in an encrypted room then you'll leak that media.

@ptman
Copy link
Contributor

ptman commented May 12, 2020

Sure, but aren't also url previews disabled for encrypted rooms. I think public/unencrypted rooms may actually benefit more from having the publicly available media scrubbed of metadata

@aaronraimist
Copy link
Collaborator

Huh? This is for media uploads, not URL previews.

@ptman
Copy link
Contributor

ptman commented May 12, 2020

it was a comparison

@ghost
Copy link

ghost commented Jul 9, 2021

I thought Elemet was supposed to be private and secure, but not removing metadata goes completely against that.

@t3chguy t3chguy added the A-Media label Jul 9, 2021
@RealDolos
Copy link

I thought Elemet was supposed to be private and secure, but not removing metadata goes completely against that.

Dear fellow user, private and secure is not the same as anonymous 😉.
If I used element e.g. to send photos to family abroad, I probably wouldn't mind meta data. They already know who I am anyway and the meta data may help them organize their photos. All we want in this case is to have a private and secure channel to communicate.

My general user expectation would be that element does not "mess" with the content of the files I send, unless I specifically tell it to do so.
Your expectation differs, which is fine. Compromises, like an on/off toggle for such a feature, are possible.

Now if anything gets implemented, then it has to be clear how to enable/disable that, and when it is active.
Something like a "strip metadata" checkbox on the upload dialog thing (or a warning that the file type is not supported for stripping), and maybe a global setting to specify if stripping is enabled by default or not.

Regardless, stripping won't ever be perfect, because there are many many file types in the wild that can carry meta data and you'd need a custom stripper for each format, and moreover what is meta data at all and what is sensitive meta data in that regard is also not well specified and may differ for different people.
E.g. is the camera model that took a pic too sensitive? How about the embedded ICC color profile that is vital for the correct displaying of the image, as that sometimes can be fingerprinted to specific camera makes and models and sometimes even specific cameras?

Anyway, a good place to start I'd expect would be with

  • jpeg
  • png
  • webm
  • mov
  • heic

@t3chguy
Copy link
Member

t3chguy commented Sep 8, 2021

matrix-org/matrix-react-sdk#1307 is a partial solution for JPEGs, partial because it also strips some EXIF metadata which is kinda important, like orientation and colour space.

@olmari
Copy link

olmari commented Oct 1, 2021

I do have to agree with @RealDolos here, matrix (unbrella) shouldn't mangle files at all, and even if something like that is ever done, it needs to be very clear and opt-in.

@Salamandar
Copy link
Contributor

I do have to agree with @RealDolos here, matrix (unbrella) shouldn't mangle files at all, and even if something like that is ever done, it needs to be very clear and opt-in.

100% agree.
There's already a check box "send the real size image" on Android, meaning that when you forget to check it it's NOT the real file.
A check box "Remove image metadatas" would be a real good addition to the UI.

@kittykat kittykat added O-Occasional Affects or can be seen by some users regularly or most users rarely S-Major Severely degrades major functionality or product features, with no satisfactory workaround and removed P2 labels Feb 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-File-Upload Attachments and file uploads A-Media O-Occasional Affects or can be seen by some users regularly or most users rarely Privacy S-Major Severely degrades major functionality or product features, with no satisfactory workaround Security T-Enhancement
Projects
None yet
Development

Successfully merging a pull request may close this issue.