Photo Apps Convenient But Rife With Privacy, Security Risks

By Rob Sabo

Photography’s shift from film to digital has brought about an unprecedented explosion of images taken.

In 2000, for instance, Kodak reported that consumers snapped a record 80 billion film photos. But this year, consumers are expected to capture 1.4 trillion digital images via smartphones, webcams, GoPros, drones and DSLR cameras.

Digital now rules the photography realm, but the power of the printed image hasn’t dissipated.

Photo-printing apps — Snapfish and Shutterfly, along with Costco, Walmart, Walgreens and other retailers — allow customers to upload and print digital images from smartphones or other devices.

Printing digital photos this way may be convenient, but that simplicity can compromise consumer privacy, experts told Digital Privacy News.

“Whenever a consumer uses a photo-sharing application, there’s an implicit privacy trade-off that has to be made,” said Aswin Pranam, instructor of continuing studies at Stanford University.

“Name, email address, phone number, home address, personal photos and other personally identifiable features are handed over to the service provider with the expectation of secure use and storage.

“However, not all companies are adequately prepared to protect your information,” Pranam said.

Oftentimes, privacy experts added, consumers unknowingly send a wealth of personal information when uploading images to photo-sharing or photo-printing apps and websites.

‘Hidden’ Data Exposed

Consumers often are unaware that their digital photos can reveal such details as the precise GPS location and time images are taken, experts said.

“Whenever a consumer uses a photo-sharing application, there’s an implicit privacy trade-off.”

Aswin Pranam, Stanford University.

These features are stored as Exchangeable Image File Format (EXIF) data. This embedded metadata can help people easily sift through thousands of images, but it also contains information most would consider private and confidential.

“EXIF data enables you to do things like automatically group photos by where and when they were taken — and for consumers with many thousands of photos, this can be hugely beneficial,” Paul Lipman, CEO of BullGuard, a global cybersecurity firm in San Francisco, told Digital Privacy News.

“However, this location data can provide insight into where you and your family live, go to school and work,” he added. “This is highly sensitive data most people would prefer to keep private.”

Digital Fingerprints

Metadata embedded in photos functions much like a digital fingerprint. Photographers often use this specific information to learn how others composed their images.

“Location data can provide insight into where you and your family live, go to school and work.”

Paul Lipman, BullGuard, San Francisco.

And while many popular image-hosting and photo-sharing services strip out metadata during uploads, it still can be used to create machine-learning models to better understand user habits and behaviors.

That data can be sold to advertisers, said Stanford’s Pranam.

“If the service mishandles customer data, it can lead to bad actors using the information for fraud, blackmail, identity theft and other malicious-use cases,” he told Digital Privacy News.

Exploding Popularity

Printed photographs are far more than tangible memories; they are heirlooms that chronicle stories.

Millions of photos are showcased on such image-hosting apps as Flickr, 500px or Instagram — but some consumers still prefer to print digital images using online services.

“You are putting trust in these organizations to protect your data, but a breach … or a hack can happen.”

Dave Hatter, Intrust IT, Cincinnati.

Companies in the online photo-printing industry are expected to take in $3.5 billion in 2020, according to the Los Angeles market-research firm IbisWorld.

Users grant these companies a lot of faith when uploading and purchasing prints, Dave Hatter, a cybersecurity consultant with Intrust IT in Cincinnati told Digital Privacy News.

“You are putting trust in these organizations to protect your data, but a breach from security incompetence or a hack can happen,” he said.

PhotoSquared Breach

Earlier this year, a data breach at the printing app PhotoSquared exposed the records of more than 100,000 customers dating back to 2016. Leaked information included customer photos, orders and shipping labels.

PhotoSquared secured its data-storage services in February after being notified of the lapse.

“Protect yourself by doing some research about the company.”

Mike Satter, OceanTech and WipeOS, Minneapolis.

The company and its parent, Strategic Factory in Owings Mills, Md., did not respond to an interview request from Digital Privacy News.

Still, photo-printing apps will continue to grow in popularity, said Mike Satter, president of OceanTech and WipeOS in Minneapolis.

Users should understand the implications of the data handoff when uploading images through an app or website, he advised.

“When a person provides personal information to a company or service, the data is totally in the hands of that company’s cyberdata security internal strategy,” Satter told Digital Privacy News.

“Protect yourself by doing some research about the company: What are they doing to prevent your data from being compromised?

“That information is there for you to review before moving forward to ensure you’re making an informed decision.”

Rob Sabo is a Nevada writer.

Security Falls on Both Ends

Consumers can limit risk of data exposure by using strong alphanumeric passwords and enabling two-factor authentication when creating accounts for photo-sharing and photo-printing apps and sites, experts told Digital Privacy News.

Users also can delete photos after ordering prints so those images can potentially be scrubbed from company databases.

Additionally, companies should pay heed to internal security measures — and that commitment should start at the executive level, said Stanford University’s Aswin Pranam.

“Information security is a difficult capability to build,” he said. “Setting up the appropriate protocols, systems and policies can be a sign of organizational commitment to privacy and security — but this may be difficult for early-stage companies.”

Data security, unfortunately, is often an afterthought, especially for fledgling companies thin on resources, Intrust IT’s Dave Hatter said. It takes time, costs money and slows project timelines.

But consumers are demanding more, he added.

“Eventually, companies will be forced either through litigation or regulation to take security more seriously,” Hatter told Digital Privacy News.

“And newer companies, despite the fact that it will slow them down, could potentially get competitive leverage out of taking the steps necessary to make sure their platforms are secure and advertise those facts in their marketing literature.”

— Rob Sabo

Sources (all external links):