2

What are the risks of posting family pictures online, for example on a blog site, without any access control in place? What should be my threat model?

I am weary of posting (recognizable) pictures of my self and my family on Facebook. Facebook is a foreign company whose primary goal is making money for their shareholders by milking other people's personal information. Combined with the current state of AI, they could do a lot worse then passing personal information to low-lives like Cambridge Analytica. Even a fairly innocent future-use like 'selling' facial recognition to advertisement companies, who could then spam me and my loved ones IRL using in-store cameras would be horribly annoying.

A very simple solution would be to just post any pictures i want to share online on a blog. Coming up with a nefarious business case is a lot harder if you have to collect data from disparate sources, without any machine readable metadata (Facebook already has at least one email address, a name, a network of friends, login data, data from cookies and pixels to go with the pictures). As it would be very hard for a company to abuse openly available pictures on a large scale, the risks of an actual 'industrial scale attack' are nil. But there is no protection against individuals who may use the pictures for whatever purposes.

The risks i can see:

  • people using the pictures to aid building a fake persona online for criminal purposes (see this answer in related question) or just for fun.
  • people photoshopping the pictures just for fun and posting them somewhere. Obviously, this could be very unpleasant depending on what is photoshopped and who sees the results.
  • pictures could attract someone really disturbed

What else?

Ivana
  • 139
  • 3

1 Answers1

1

Well, other than the standard geolocation stuff and other metadata you should remove from the images and people being able to guess your location just by the image background, I don't see any.

That being said, with stuff like google crawlers, these images can be very easily harvested and facial recognition can probably associate them with you if you the company (FB) has pictures of you already.

And if you post links to them on social media, then to correlation would be even much easier. But if you do this, there is an interesting solution. Use a key to access the photos and just put them in the link. Something like: mypage.com/photos/my_holiday_photo.jpg?key=tGJ4sNcUYYz2Xagt

Peter Harmann
  • 7,728
  • 5
  • 20
  • 28