On the Auth0 blog: How to read, edit, and erase location and other EXIF metadata from your photos

Auth0 logoMy latest article on the Auth0 blog, How to Read and Remove Metadata from Your Photos With Python, shows you how to use Python and the exif module to examine, alter, and even remove the metadata that your phone adds to pictures you take.

In addition to picture data, photos taken with smartphones and modern digital cameras contain metadata, which is additional information about the photo. This metadata is stored in a format called EXIF, which is short for EXchangeable Image File format, which is a continually evolving standard for information added to digital image and sound recordings.

In photos, EXIF can include information such as:

  • The dimensions and pixel density of the photo
  • The make and model of the device used to take the photo
  • Zoom, aperture, flash, and other camera settings when the photo was taken
  • The orientation of the device when the photo was taken
  • When the photo was taken
  • Where the photo was taken
  • Which direction the camera was facing
  • The altitude at which the photo was taken

My article will show you how to use Python’s exif module to access this information, as well as how to alter it (I show you how to tag your photos so it seems as if they were taken at Area 51) or erase it.

EXIF data was recently in the spotlight as a result of the January 6th riots in Washington, DC. Many of the rioters posted photos to Parler, which did not strip EXIF data from photos uploaded to it.

When Parler started to shut down as a result of Amazon and other providers kicking them off their services, it opened some security holes that a hacktivist who goes by the handle @donk_enby was able to exploit. They were able to scrape the posts and uploaded photos and videos and upload them to the Internet Archive. Soon after, it was discovered that Parler never removed the EXIF data from the photos and videos, which made it possible to easily identify participants in the riot, see who broke into the Capitol, and for authorities to make arrests. The New York Times used this data to make a timeline of events, which they published in their article, How a Presidential Rally Turned Into a Capitol Rampage.

Graphic from the New York Times. Tap to view at full size.

While Parler’s sloppy security was by and large good news, there’s still good reason to follow good security practices, and part of that is managing EXIF data in photographs. That’s what my article covers, and in a fun way as well!

Read the article on the Auth0 blog: How to Read and Remove Metadata from Your Photos With Python.



Mobile Developer News Roundup for Tuesday, July 31st, 2012

A Mobile Privacy Policy You Can Use and Customize

Here’s a set of open source mobile privacy policies that you can copy, modify and use for your own mobile apps. Created by Docracy, an online store of open legal documents, you can use them as-is, or use them as a starting point for your app’s privacy policy. Most users consider the mobile device to be more personal than their desktops or laptops (even though they’re called personal computers), and it’s expected that privacy policies will eventually be required for apps; grab these and get a head start! Best of all, Docracy lets you fork their documents GitHub-style.


ManiacDev’s Catalog of Open Source iPhone and iPad Apps

ManiacDev has updated their list of iOS apps for which the source code is available — there are now 85! 67 are currently available in the App Store, and while the remainder aren’t, they were at one time and you can still get the source for all of them. There’s nothing like learning from source code for complete, released applications, and I haven’t seen a bigger collection of such for iOS. If you’re interested in the source for games only, ManiacDev has a “just the games” list.

Links’s 200-Episode Android Tutorial Video Series has a video series made up of 200 videos covering Android development. The series starts with downloading and installing the JDK, Eclipse and the Android SDK, covers a lot of ground on writing Android apps, and ends with putting an app on the market and updating it. The presentation style is extremely casual and even made me chuckle a couple of times. I think it’s a pretty good launching point: use these videos as your launching point, back them up with the Android docs, and you’ll be on your way.


Making Money in the App Store in “The Next 19%”

Dave Addey does some back-of-the-envelope calculations and says that while it’s increasingly unlikely for you to get your app in the top 1% of Apple’s App Store, you’ve got decent odds for getting your app into the sweet spot of what he calls “The Next 19%”.  He says that if the numbers he’s using are representative, the iOS App Store breaks down this way:

Tier How many apps? %age of Revenue Average income per app
Top 1% 6,500 36%, or $1.75 billion $269,230
The “Next 19%” 123,500 61%, or $3.05 billion $24,696
Bottom 80% 520,000 3%, or $150 million $288


He writes:

With the App Store maturing, hitting that top 1% increasingly requires sizeable investment and marketing in addition to app development skills. Successfully launching a 1% app (even with sizeable investment) isn’t something you’d bet your mortgage on, and I’d go as far as to say that this top end of the store is no longer a market that’s available to small independent developers.

The next 19%, however, is definitely a viable aspiration. Most of the paid apps we’ve released have fitted comfortably within the upper bounds of this part of the graph (beating the 19% average mentioned above), and these kinds of apps are definitely within reach of small development teams or sole developers.



Led Down the Garden Path [Updated]

now sending your address book

Update: Path’s CEO has apologized and promised to delete any collected data. See this entry.

It’s the top story on Techmeme at this moment: the socially-networked “lifestreaming” iPhone app known as Path uploads your entire address book to its servers.

This fact was discovered by Denso developer Arun Thampi when he decided that he’d build a Mac OS X client for Path at his company’s hackathon. To do this, he decided to observe the API calls that Path made to its servers only to discover that the data for his Contacts app – names, email addresses, phone numbers – was getting HTTP POSTed to To see the the full story, be sure to read Arun’s blog entry on the matter.

Path CEO Dave Morin sent a reply to Arun, explaining that the data is used only to help users connect to their friends and family and nothing more. He also said that they “proactively rolled out an opt-in for this” on their Android client a few weeks ago and will include the same opt-in feature on the next version of the iOS client. For anyone who has the current version on their iPhone, that feature came a little too late. This is bad, and the fact that Path has recently been working on “proactive” fixes suggests that they know it.

I have Path on my phone because it’s a gorgeous app and a number of my friends and coworkers were on the network and encouraging me to take it for a spin. That means that my contact info resides on Path’s servers. A good chunk of my life is public by my own choice, so I can live with Path having my own address and phone number, but nobody else on my contacts list signed up for that. Furthermore, inclusion in my contacts list doesn’t necessarily imply that they’re someone I want in my social network graph. But Path can’t discern between my friends and family and others like my ex-wife, my local cab company or that client in Australia who just had a couple of questions. You’d think that Path would’ve learned the lessons of “Fuck You Google”, in which a woman wrote about how Gmail overshared her info with her abusive ex-husband.

It’s an even bigger problem in the case of celebrities, who presumably have other celebs’ numbers in their on-phone Rolodexes. Take a look at this tweet from Alyssa Milano:

The response, by the way:

And did it also upload my notes about people? (Yes, I’m one of those people who actually uses the “Notes” field in Contacts. For business contacts, it’s all part of the schmooze; for friends and family, it’s so I remember things like their likes, dislikes, birthdays, anniversaries and other little things.)

In the comments to Arun’s article, iOS developer Matt Gemmell suggests the following to Dave Morin:

Why are you uploading the actual address book data, rather than (say) generating hashes of the user’s email addresses locally, then uploading just those hashes? You’d be able to do friend-finding that way, and similarly if you uploaded hashes of all email addresses in the user’s address book, you’d be able to do your notifications of when a friend joins. At no point would your servers ever need to see the actual email addresses or phone numbers from our contacts.

He also points out that sending the entire Contacts database to their servers may be a violation of the App Store’s terms and conditions. In fact, section 17.1 of that T&C states:

17.1: Apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used.

Dave Morin’s been firefighting ever since the news about Path got out. He’s stayed on message with the “we’re not trying to be evil here” line, but with the faith in Google’s “Don’t be evil” mantra pretty much gone, it’s not very reassuring. On the bright side, he has made it clear that if you want your address book and even your Path account deleted from their servers, you have but to send an email to

Update (February 8, 2012): Mike Arrington has put online what I’d been thinking (but didn’t think Path would ever do without a lot of pressure): they should simply delete all the address book data they pulled. It would be an excellent goodwill gesture; let’s see if they take up his suggestion.

(Little hint, Dave: if you keep overusing “proactive” and “proactively” the way you have in your responses and tweets, it becomes a filler word, like “um” and “uh”. Especially when such “proactivity” seems limited to stating that you’re not doing anything wrong.)

There’s been some freaking out over Path in the comments for Arun’s blog entry as well as in other venues online, but it’s time to let cooler heads prevail. Let’s see what Path does in the next 48 hours – as Arun himself puts it, “I hope we can keep calm and continue to discuss this sensibly”.

If you’re developing software that makes use of people’s personal info, let this be a lesson!



Emily Gould

How’d I miss this? Here’s an article – Exposed — from the May 25th, 2008 edition of the New York Times Magazine about one blogger’s experiences and the lines that you can cross while writing blogging, both personally and professionally. It covers some issues to keep in mind when writing in a forum that can be accessed far and wide.


Taking IE8 Beta 2 for a Test Drive, Part 1: “Porn Mode” (a.k.a. InPrivate Browsing)

The IE8 USB key in my computer

Last night, I attended a special sneak preview for Internet Explorer 8 Beta 2 organized by the folks at High Road Communications, who do the PR for Microsoft here in Toronto. Pete LePage, Product Manager of Internet Explorer Developer Division, did the presentation, and also present were Elliot Katz, Senior Product Manager for Microsoft Canada, Daniel Shapiro, Microsoft Canada’s Audience Manager, and my friend and fellow DemoCamp steward David Crow, Tech Evangelist for Microsoft Canada.

Let me get the disclosure part out of the way. Attending this event got me:

  • Free drinks and snacks during the presentation and a free dinner afterwards,
  • One Internet Explorer 8 gym water bottle with a tag inside it saying “BPA Free”,
  • and one 1GB USB key containing installers for IE8 (pictured in my laptop above) and the IE8 Evaluators’ Guide (a Word document that walks you through IE8’s features).

I’ve been to a couple of these Microsoft events before. The one about their “Windows Live” sites didn’t interest me at all, and the Vista one I attended was largely for people who did IT at companies with 1000 or more employees, which really isn’t my area of interest either (and the Vista preview installer they gave me resulted in disaster). This one was a considerably more interesting, as Pete put on a good presentation and it appears that Microsoft is making an effort to match the competing browsers.

Over the next little while, I’ll post articles covering my experiences as I take IE8 for a spin. In this article, I’ll mostly be talking about InPrivate Browsing, which is colloquially known as “Porn Mode”.

“Porn Mode”, a.k.a. “InPrivate Browsing”

The implementation of a browser session in which history, cache and other “trails of breadcrumbs” are deleted as soon as the session is over isn’t new: Apple’s Safari has a “Private Browsing” feature and there’s a Firefox extension that provides the same utility. However, for those not using Macs and especially those who aren’t the type to download and install Firefox and then install a plugin — and there are lots of these people out there — IE8 may be their first opportunity to try out such a feature.

Banking, Not Wanking

In his presentation, Pete was careful to take the “Banking, not wanking” approach when covering InPrivate Browsing, suggesting all sorts of non-saucy uses for the feature, including doing online banking, shopping for surprise presents for your spouse, surfing from a public terminal and so on. The Microsoft people present took my constant referring to it as “Porn Mode” in great stride, and I thank them for having a sense of humor about it.

The Problem

Convenience features like history, cache, automatic username and password field-filling are handy, but they sometimes have unintended consequences. For instance, suppose you, as a healthy, open-minded adult, like to look at videos featuring ladies without pants sitting on cakes at Let’s also suppose that a friend asks to borrow your computer for a moment to see a funny cat video at As your friend types in the letters for “” in the address bar, this happens:

Screen capture: A user starts to type in "" and as "you" is formed, my "" history appears.

This sort of browser-assisted embarrassment takes place more often than you might think. I’ve seen it happen firsthand, and it’s done everything from causing a little red-facedness to actually thwarting romantic possibilities. And you thought computers were supposed to make our lives easier!

The IE8 solution, InPrivate Browsing, is accessible through the Safety menu (shown below) or through the control-shift-P key combo:

Screen Shot: IE8's "Safety" menu, with "InPrivate Browsing" selected

This opens up a new, separate browser window for InPrivate Browsing, which does not keep “breadcrumbs” like history, cache data, cookies and so on. The address bar for InPrivate Browsing windows has the InPrivate logo as a visual cue that this particular session won’t leave a trail that will embarrass you or give away your secrets:

Screen Shot: A new "InPrivate Browsing" window appears

Maybe it’s me, but I think the “InPrivate” graphic in the address bar is a bit too subtle. Then again, a more obvious visual indicator (say, giving the InPrivate browser window a different color) might be an invitation to shoulder-surf.

Hey man, I had to see if it works, right?

Screen Shot: YouPorn's title page

I swear, I had to poke about the site a little bit in order to test if my History was being saved. It’s all in the name of application testing!

Screen Shot: Blurred-out YouPorn video page

After a little “research”, I closed not just the InPrivate Browsing window, but the whole browser, then started it up again. Then I proceeded to type “You” into the address bar. Under normal circumstances, my history would be there for all to see. But it wasn’t!

Screen shot: None of my InPrivate browsing history shows up

For those of you who need to clear the cache, cookies, history or other data for any reason, there’s also the Delete Browsing History item in the Safety menu:

"Safety" menu with "Delete Browsing History" item selected

And it provides a number of deletion options:

The "Delete Browsing History" dialog box

And there you have it: a quick tour of IE8’s much-snickered-about “Porn Mode”.

Keep watching the blog for more posts about IE8 as I use it more and cover its features. Perhaps I’ll cover the development tools next.


Unwitting Facebook Spokesmodels

If you’re going to become a fan of a business on Facebook, you’d better make sure that your profile photo is a good one — you might end up as that company’s unwitting spokesmodel!


Your Boss Has “Friended” You. Confirm or Ignore?

Would You Like to Confirm Your Boss as Your Friend?

Facebook friend request from “your boss” (played by transgender Jakon Nielsen)
Transgender Jakob Nielsen isn’t my boss, but he thinks he is.

If it’s not one boss, it’s another. If you’re not freaking out because your mom “friended” you on Facebook, there’s still the chance that your boss might, meaning that he or she may be privy to your extracurricular indiscretions. The Wall Street Journal looks at this dilemma in OMG — My Boss Wants to ‘Friend’ Me On My Online Profile.

What you may want to keep in mind if faced with the decision of whether or not to “friend” your boss is that the openness works both ways:

Paul Dyer was always able to hold off his boss’s invitations to party by employing that arms-length response: “We’ll have to do that sometime,” he’d say.

But when his boss, in his 30s, invited Mr. Dyer, 24 years old, to be friends on the social-networking sites MySpace and Facebook, dodging wasn’t so easy. On the one hand, accepting a person’s request to be friends online grants them access to the kind of intimacy never meant for office consumption, such as recent photos of keggers and jibes from friends. (“Still wearing that lampshade?”)

But declining a “friend” request from a colleague or a boss is a slight. So, Mr. Dyer accepted the invitation, then removed any inappropriate or incriminating photos of himself — “I’d rather speak vaguely about them,” he says — and accepted the boss’s invitation.

Mr. Dyer, it turns out, wasn’t the one who had to be embarrassed. His boss had photos of himself attempting to imbibe two drinks at once, ostensibly, Mr. Dyer ventures, to send the message: “I’m a crazy, young party guy.” The boss also wore a denim suit (“I’d never seen anything like it,” Mr. Dyer says) and posed in a photo flashing a hip-hop backhand peace sign.

It was painful to watch. “I hurt for him,” says Mr. Dyer.

My Own Situation

My boss, Leona Hobbs, is my friend on a number of social networks, as is my old boss Ross Rader. The powers that be at Tucows are aware of my blog and read it every now and again; in fact, a lot of the credit to my getting hired has to go to a number of personal blog entries of mine at The Adventures of Accordion Guy in the 21st Century. Everyone here is aware of my blogs and the goofy stuff I sometimes put in them.

I’m reminded of what someone at the DefCon conference back in 2000 told me. He was a guy who worked at a U.S. military site but whose major was in Marxist Studies. I asked if having how he managed to get a job like his with a degree like his, and he replied by saying that they hired him because he was open about it. Had he tried to keep it a secret, someone could use that secret to blackmail him. I suppose the moral of the story is that if you’ve got a reasonably open-minded boss (and proclivities that aren’t too far out there), openness might be the best policy.