Where’s the Big Privacy Brouhaha Over Serial Numbers in EXIF Data?

On August 4, 2006, AOL published a text file containing 20 million searches done by 650,000 users over a 3-month period for research purposes. Although the company anonymized the data by showing the users as numerical IDs, people soon realized that many people searched for personally identifiable information (e.g. their names), allowing real names to be put to unique IDs, thus revealing the search history of that individual. After the media caught wind of this, the whole thing was known as the AOL search data scandal.

A few months ago, we reported on a new website called the Stolen Camera Finder. It’s an image search engine that relies on that fact that camera serial numbers are often baked into the EXIF data of photos — a fact that most camera users probably don’t know. By providing a camera’s serial number, the website attempts to find all the other images on the Internet taken with the same camera, thereby helping you find your stolen camera.

If you think about it, there are major similarities between this serial number search engine and the AOL scandal — namely the fact that anonymized IDs (unique IDs vs. serial numbers) can be easily linked to real identities. Even more so than search queries, photographs often contain information that can help identify the person behind them (a Facebook profile picture, for example).

What’s interesting is that there doesn’t appear to be any backlash over the fact that serial numbers can be easily searched for now. Virtually all of the articles covering the Stolen Camera Finder focused on how useful it is for finding stolen cameras, rather than how big of a privacy concern it poses for people who might not want all of the photographs taken by their cameras to be tied to their name.

Perhaps if this became a bigger deal, camera makers would offer the option to keep this kind of information from being stored in the EXIF data of photos. What do you think?

Image credit: Protests in Skopje (11.06.2011) by Olivermk

  • Sam Cornwell


    What exactly is the protest picture at the top of the page all about?

  • Kyle

    Thetwo situations are very different. Users knowingly put their name in copyright or author EXIF alongside serial numbers: in so doing, they linked the data, not the search engine, and then they share this when they post the picture.

  • HappyTinfoil Cat

    I think it’s useful to find stolen cameras. People can strip their EXIF data quite easily though and I know many that do. I’d prefer that the default would be to leave the EXIF in unless specifically removed (but the SN could be optional).

    Almost everything has embedded serial numbers and most people haven’t a clue.

  • Hal Lee

    I think this is a non-issue.

    If there are photos that a photographer doesn’t want to be accredited with, it is their job to remove the EXIF info from the photograph.

    The AOL scandal wasn’t a comparable situation, as AOL posted the data, not the searchers. The searchers didn’t choose to include personally identifiable information. Sure, there’s a serial number searcher now, but it’s a photographer’s decision to upload a photo to the internet with whatever identifiable information is included.

  • Khürt L. Williams

    I don’t understand how the camera serial number is tied to my identity. Please explain.

  • Khürt L. Williams

    I don’t understand how the camera serial number is tied to my identity. Please explain.

  • Anonymous

    If I wanted to find images taken by a person, I would need to know the serial number of the camera, right? Also, that person might not have taken the picture, they might have sold the camera, or the camera might have been stolen.
    So really, only evil regimes could find a camera and try to connect it, say to a young protester who took a picture they did not like. Otherwise, it would be a stretch to legally connect the dots in most democracies.
    If you live in a dictatorship or corrupt regime and are working to overthrow the leader for a democratic government, it might be a good idea to strip EXIF data before sending protest images out and in storing the originals, hide them.
    The flip side is that news outfits should compare EXIF data on previous bogus images to new images submitted by evil governments. It might save them some embarrassment by not publishing fake rocket launches, etc.

  • Anonymous

    Not all cameras write the serial number to EXIF data. Canon, Nikon, Leica, and many do. 

    But Sony, is not one of them. So protest photographers of the world in hiding, USE SONY GEAR!List here:

  • Bolkey

    In such countries you soon learn how to remove any metadata form the image. Kind of natural selection it is.

  • Bolkey

    Publish one picture under yor own name and lik all the others to it.

  • Bolkey

    The info could easily be encoded and be useless unless you’ve got the secet key.

  • Khürt L. Williams

    I rent a lot of camera equipment. So do a lot of professionals. This doesn’t seem reliable.

  • Bolkey

    Check. Produce as much random data as you can to pollute their databases.