Criminals have started to aggressively erase EXIF metadata from their photos to make it harder for authorities to locate them, Harvard University students Paul Lisker and Michael Rose find.
Unbeknownst to most, digital cameras and smartphones that shoot in JPG or TIFF formats write information on where a photograph was taken, when, and the camera used, every time the virtual shutter opens. That data is written in the "exchangeable image file format" (EXIF) standard.
The Harvard pair collected images of drugs and weapons taken by criminals and used in ads placed on dark markets, and saved them to a data repository maintained by independent security researcher Gwern Branwen.
That cache contains some 83 dark markets and 40 associated forums from 2013 to 2015, totalling 44 million files or 1.5Tb of data.
Bash scripts were used to search for EXIF data including longitude and latitude data among the included .jpg files.
They found 229 unique images that contained geolocation data that, unless spoofed, would locate the place the photos were taken within one or two kilometres.
Some 223,471 unique dark market images were analysed in total, with most missing their EXIF data.
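The check described above, looking for EXIF latitude and longitude in JPEG files, is also what a publisher can run over its own images before they go online. The following is an added example, not the students' Bash scripts: it is Python that parses the EXIF block directly, and the function names and both sample images are constructed for illustration.

```python
import struct

def exif_tiff(jpeg):
    """Walk segments up to start-of-scan (0xDA); return the Exif TIFF block or None."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        marker, size = jpeg[pos + 1], struct.unpack_from(">H", jpeg, pos + 2)[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return jpeg[pos + 10:pos + 2 + size]
        pos += 2 + size
    return None

def read_ifd(tiff, off, e):
    """Map each tag in the directory at off to its 4-byte value/offset field."""
    (n,) = struct.unpack_from(e + "H", tiff, off)
    return {struct.unpack_from(e + "H", tiff, off + 2 + 12 * i)[0]:
            tiff[off + 10 + 12 * i:off + 14 + 12 * i] for i in range(n)}

def degrees(tiff, field, e):
    """Decode three RATIONALs (deg, min, sec) into decimal degrees."""
    v = struct.unpack_from(e + "6I", tiff, struct.unpack(e + "I", field)[0])
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600

def gps_position(jpeg):
    """Return (lat, lon) if the image carries Exif GPS tags, else None."""
    tiff = exif_tiff(jpeg) or b""
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # TIFF byte order; None if no Exif
    try:
        ifd0 = read_ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
        gps = read_ifd(tiff, struct.unpack(e + "I", ifd0[0x8825])[0], e)  # GPS IFD
        lat, lon = degrees(tiff, gps[2], e), degrees(tiff, gps[4], e)
        return (-lat if gps[1][:1] == b"S" else lat,
                -lon if gps[3][:1] == b"W" else lon)
    except (TypeError, KeyError, struct.error, ZeroDivisionError):
        return None  # no Exif, no GPS directory, or truncated/malformed tags

def build_sample(lat_ref, lat, lon_ref, lon):
    """Constructed input: a minimal JPEG holding only Exif GPS tags."""
    u32 = lambda n: struct.pack("<I", n)
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI4s", tag, typ, cnt, val)
    app1 = (b"Exif\0\0II*\0" + u32(8) + b"\x01\0" + ent(0x8825, 4, 1, u32(26))
            + u32(0) + b"\x04\0" + ent(1, 2, 2, lat_ref) + ent(2, 5, 3, u32(80))
            + ent(3, 2, 2, lon_ref) + ent(4, 5, 3, u32(104)) + u32(0)
            + struct.pack("<6I", *lat) + struct.pack("<6I", *lon))
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

TAGGED = build_sample(b"N", (10, 1, 30, 1, 0, 1), b"W", (20, 1, 15, 1, 0, 1))
STRIPPED = b"\xff\xd8\xff\xd9"  # constructed: same container with no APP1 segment
```

`gps_position` returns decimal degrees for the tagged sample and `None` for the stripped one, so a pre-publication check can reject any upload for which it returns a value.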
The largest dark market, Agora, likely stripped metadata from images on its site, the pair found, since EXIF data was absent on all images after 18 March 2014.
"First, it was common in many cases to observe sites, typically residential, surrounded by 5–10 tagged images separated by a few meters," the pair say.
"This suggests the behavior of sellers who are careless on a regular basis, rather than the occasional forgetfulness of not stripping data or purposeful manipulation.
"We also found several instances of these clusters incorporating listings on multiple sites, pointing to sellers with activities across the darknet and failing to strip their products’ location on any of the sites up."
They blame sellers and dark market websites for failing to remove EXIF data from images.