<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Guardian Project</title>
	<atom:link href="http://guardianproject.info/feed/" rel="self" type="application/rss+xml" />
	<link>https://guardianproject.info</link>
	<description>Open-Source Mobile Security</description>
	<lastBuildDate>Sat, 04 Feb 2012 23:05:07 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Introducing InformaCam</title>
		<link>https://guardianproject.info/2012/01/20/introducing-informacam/</link>
		<comments>https://guardianproject.info/2012/01/20/introducing-informacam/#comments</comments>
		<pubDate>Fri, 20 Jan 2012 18:58:26 +0000</pubDate>
		<dc:creator>harlo</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[informaCam]]></category>

		<guid isPermaLink="false">https://guardianproject.info/?p=1457</guid>
		<description><![CDATA[These are interesting times, if you go by Time Magazine as an indicator. The magazine’s person of the year for 2011 was The Protester, preceded in 2010 by Facebook founder Mark Zuckerberg. Both entities are partners with equal stake in freely &#8230;<p class="read-more"><a href="https://guardianproject.info/2012/01/20/introducing-informacam/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<p>These are interesting times, if you go by Time Magazine as an indicator.  The magazine’s person of the year for 2011 was The Protester, preceded in 2010 by Facebook founder Mark Zuckerberg.  Both entities are partners with equal stake in freely sharing the digital content that shows the world what’s going on in it, at any time, from behind any pair of eyes.<img src="https://guardianproject.info/wp-content/uploads/2012/01/poy_cover-225x300.jpg" alt="The Protester: Person of the Year" width="225" height="300" class="alignright size-medium wp-image-1471" />  Also casting in their lot with the others is Time Magazine’s 2006 person of the year, You: the You that puts the “you” in “user-generated content;” the You whose miasma of bits, bytes, and the powerful images they express are becoming increasingly problematic.  Problematic and exciting.  As governments, police forces, and other power players here and abroad crack down on voices of dissent, it is only You, The Protester, armed not with a press pass, but with a smartphone and a Twitter account, who brings the rest of the world its news.  You do it mainly without either the support or permission of those in power, and this makes you a very important person in the world.</p>
<p>The smartphone’s role in the defense of human rights has thus become ever-more clear.  How can we make it clearer?  Our latest project, InformaCam, tackles this issue head-on.  In collaboration with <a href="http://witness.org/" target="_blank">Witness.ORG</a> and the <a href="www.ibanet.org/" target="_blank">International Bar Association</a>, we’re building a powerful tool to create iron-clad digital images and video that could, should the occasion arise, be used in courts of law to bring justice.  This is no small feat&#8211; with this project we are helping create the first evidentiary standards for digital media in the social networking age.  So, <a href="http://www.economist.com/node/21542748" target="_blank">there’s been a lot of excitement</a> these past few weeks about InformaCam, as well as a lot of mystery.  It’s time to give the project a proper unveiling.</p>
<p>InformaCam is a plugin for ObscuraCam that allows the user, without much intervention on their own part, to inflate image and video with extra points of data, or metadata.  The metadata includes information like the user’s current GPS coordinates, altitude, compass bearing, light meter readings, the signatures of neighboring devices, cell towers, and wifi networks; and serves to shed light on the exact circumstances and contexts under which the digital image was taken.  Some users will already be familiar with ObscuraCam, which allows for capturing and digitally manipulating media.  With InformaCam included, the app starts to behave almost like Adobe Photoshop or GIMP, supporting non-destructive, layer-based edits to media.  This means that a version of an image can be created with any sensitive image data and metadata preserved and encrypted to trusted entities, along with a redacted version that has its metadata stripped which can be easily shared to Facebook, Twitter, Flickr, or any public service the user wishes to use.</p>
<h2>How InformaCam Works</h2>
<p><img src="https://guardianproject.info/wp-content/uploads/2012/01/Screen-shot-2012-01-20-at-1.18.27-PM.png" alt="InformaCam (1)" width="205" height="341" class="alignleft size-full wp-image-1459" />The workflow is similar to that of ObscuraCam, but with a few key differences.  Notice that on start-up, the app triggers the on-board sensors.  (Notifications in the top right corner clearly indicate the GPS and Bluetooth modules have been turned on.)  This allows the app to register sensory and atmospheric data throughout the session.  These “bundles” of data contain the following:</p>
<ul>
<li>Current timestamp</li>
<li>Device&#8217;s identification</li>
<li>User&#8217;s public (PGP) key</li>
<li>Image Regions created in the image/video</li>
<li>Current latitude &amp; longitude</li>
<li>Current cell ID (if available)</li>
<li>Altitude</li>
<li>Compass bearing</li>
</ul>
<p>Whether the user is taking a picture, or editing an existing piece of media, the app registers the goings-on, and signs each bundle of data with the user’s public key.  This means that all actions taken on a piece of media (from capture to editing) are attributed to the user.</p>
<p>As with ObscuraCam, the user can perform image filtering and obfuscation on image regions.  InformaCam also adds the “Identify” filter, which prompts the user for the subject’s name (or pseudonym) and to fill in whether or not the subject has given his or her consent to be filmed.  This checklist of subject permissions can be further developed to match the needs of any organization to provide further protection to the people in front of the camera.  Notice again the sensor notifications: the context surrounding each edit to the image is recorded and will be inserted into the media as metadata once the media is saved.</p>
<p>When the user saves the image or video, a dialog appears prompting her to choose one or more “trusted destinations.”  This could be an organization, a news outlet, or any friend whose PGP key is known to you.  A copy of the unredacted, data-rich image will be created and encrypted to those parties.  At the same time, a redacted and data-stripped version is made available to share with anyone, anywhere.</p>
<table>
<tr>
<td width="201"><img src="https://guardianproject.info/wp-content/uploads/2012/01/Screen-shot-2012-01-20-at-1.21.07-PM.png" alt="InformaCam (2)" width="201" height="332" class="alignnone size-full wp-image-1461" /></td>
<td width="197"><img src="https://guardianproject.info/wp-content/uploads/2012/01/Screen-shot-2012-01-20-at-1.21.21-PM.png" alt="InformaCam (3)" width="197" height="330" class="alignnone size-full wp-image-1462" /></td>
</tr>
<tr>
<td><i>Using the InformaCam &#8220;Identify&#8221; filter.</i></td>
<td><i>Select a Trusted Destination for your encrypted media.</i></td>
</tr>
</table>
<h2>The Informa Metadata Schematic</h2>
<p>The metadata is organized in four categories: intent, consent, genealogy, and data.  Here’s a rundown of what these categories mean.</p>
<h3>Intent</h3>
<p>This expresses information about the media’s creator, and the rules governing how this particular media object can be shared, and to whom.</p>
<h3>Consent</h3>
<p>This bucket of information regards the subjects contained in the image.  Each subject is identified (by a name or pseudonym selected by the user) along with their stated preferences regarding treatment of their likeness.  For example, if Bobby insists that he wants his face to be fully redacted (rather than blurred) this preference should be registered in metadata.</p>
<h3>Genealogy</h3>
<p>This information regards chain-of-custody, and represents how the media was acquired, and if a particular image or video is a duplicate of another.</p>
<h3>Data</h3>
<p>This category includes all standard metadata (timestamp, acquired sensory data, location and movement data) that have been collected during the lifetime of the image, from the moment it was opened to the instant it was saved.</p>
<p>A sample metadata bundle for an image taken with InformaCam looks like this in JSON notation:</p>
<p><code><br />
{<br />
  "data":{<br />
    "device":{<br />
      "bluetoothInformation":{<br />
        "selfOrNeighbor":-1,<br />
        "deviceBTAddress":"00:25:36:79:EC:6C",<br />
        "deviceBTName":"nexxxie"<br />
      },<br />
      "imei":"363289131048142"<br />
    },<br />
    "sourceType":101,<br />
    "imageRegions":[<br />
      {<br />
        "regionDimensions":{<br />
          "height":256,<br />
          "width":256.00006103515625<br />
        },<br />
        "regionCoordinates":{<br />
          "left":527.705078125,<br />
          "top":196.15255737304688<br />
        },<br />
        "obfuscationType":"Identify",<br />
        "location":{<br />
          "locationType":11,<br />
          "locationData":{<br />
            "gpsCoords":"[40.7085011,-73.9668647]",<br />
            "cellId":"36789325"<br />
          }<br />
        },<br />
        "captureTimestamp":{<br />
          "timestamp":1326216508313,<br />
          "timestampType":7<br />
        },<br />
        "subject":{<br />
          "consentGiven":"general_consent",<br />
          "informedConsentGiven":true,<br />
          "subjectName":"Harlo!"<br />
        },<br />
        "unredactedRegion":"I@4070cf30"<br />
      }<br />
    ],<br />
    "imageHash":"f18e7510faaad0d942db68b5c75f219a"<br />
  },<br />
  "geneaology":{<br />
    "dateAcquired":0,<br />
    "localMediaPath":"\/mnt\/sdcard\/DCIM\/Camera\/1326216520426.jpg",<br />
    "dateCreated":1326216527629<br />
  },<br />
  "intent":{<br />
    "owner":{<br />
      "ownershipType":25,<br />
      "ownerKey":"MY-IDENTITY-IS-HERE"<br />
    },<br />
    "securityLevel":1,<br />
    "intendedDestination":"[\"harlo.holmes@gmail.com\"]"<br />
  }<br />
}<br />
</code></p>
<h2>Your Help</h2>
<p>InformaCam is a work-in-process, and we’d love help from the community in fleshing out our metadata specification, especially in adding new items to the consent checklist.  Feel free to contact us with any suggestions/comments, or just leave some helpful tips in the comments below.</p>
]]></content:encoded>
			<wfw:commentRss>https://guardianproject.info/2012/01/20/introducing-informacam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Strong Mobile Passwords with Yubikey USB Token</title>
		<link>https://guardianproject.info/2012/01/04/strong-mobile-passwords-with-yubikey-usb-token/</link>
		<comments>https://guardianproject.info/2012/01/04/strong-mobile-passwords-with-yubikey-usb-token/#comments</comments>
		<pubDate>Wed, 04 Jan 2012 00:45:43 +0000</pubDate>
		<dc:creator>n8fr8</dc:creator>
				<category><![CDATA[Development]]></category>

		<guid isPermaLink="false">https://guardianproject.info/?p=1383</guid>
		<description><![CDATA[We have been experimenting with the Yubikey, a USB hardware password token, a bit over the last few weeks and would like to share our initial findings. We have not received any financial support or donation from Yubico for this &#8230;<p class="read-more"><a href="https://guardianproject.info/2012/01/04/strong-mobile-passwords-with-yubikey-usb-token/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<p>We have been experimenting with the <a href="http://www.yubico.com/yubikey">Yubikey</a>, a USB hardware password token, a bit over the last few weeks and would like to share our initial findings. We have not received any financial support or donation from Yubico for this work. We simply think they have a very affordable, interesting product that, due to its design, does *not* require any on-device driver software and can easily work with any Android device that supports USB Host/HID mode.</p>
<p><a href="https://guardianproject.info/wp-content/uploads/2012/01/2012-01-03-14.05.17.jpg" rel="lightbox[1383]" title="2012-01-03 14.05.17"><img title="2012-01-03 14.05.17" src="https://guardianproject.info/wp-content/uploads/2012/01/2012-01-03-14.05.17-300x225.jpg" alt="" width="300" height="225" /><br />
</a><em>Yubikey is small, light and attaches to a keychain</em></p>
<p>Our motivation for investigating this device was in finding a way to encourage the use of strong (aka long, mixed-case, etc) passwords on mobile devices, for use with SQLCipher, screenlock passwords, and on boot disk encryption. The issue is that most users rely on short PINs or a visual unlock pattern, which does not provide enough randomness to ensure security of their data. In addition, due to the use of a touchscreen, fingerprint oil smudges on the screen often reveal the numbers entered or the pattern drawn to unlock the device (See the <a href="https://docs.google.com/viewer?url=http%3A%2F%2Fwww.usenix.org%2Fevents%2Fwoot10%2Ftech%2Ffull_papers%2FAviv.pdf">&#8220;Smudge Attacks on Smartphone Touch Screens&#8221;</a> paper.)</p>
<p><a href="https://guardianproject.info/wp-content/uploads/2012/01/medium_nexus-one-gesture-password-insecure-536x587_01.jpg" rel="lightbox[1383]" title="medium_nexus-one-gesture-password-insecure-536x587_01"><img class="alignnone size-full wp-image-1397" title="medium_nexus-one-gesture-password-insecure-536x587_01" src="https://guardianproject.info/wp-content/uploads/2012/01/medium_nexus-one-gesture-password-insecure-536x587_01.jpg" alt="" width="300" height="298" /><br />
</a><em>On-screen password entry can leave smudges (<a href="http://gizmodo.com/5613737/your-greasy-fingers-are-giving-up-your-android-passcode">Gizmodo</a>)</em></p>
<p>Even when a user enters a traditional character based pattern, it is often laborious on a mobile device to use symbols and mixed case characters.</p>
<p><a href="https://guardianproject.info/wp-content/uploads/2012/01/2012-01-03-14.05.55.jpg" rel="lightbox[1383]" title="2012-01-03 14.05.55"><img class="alignnone size-medium wp-image-1386" title="2012-01-03 14.05.55" src="https://guardianproject.info/wp-content/uploads/2012/01/2012-01-03-14.05.55-300x225.jpg" alt="" width="300" height="225" /><br />
</a><em>Yubikey with inexpensive micro-USB adapter</em></p>
<p>The Yubikey is a hardware token that plugs into a USB port, and is activated by a short press on the touch sensitive gold-colored disc. It essentially looks and acts like an external hardware keyboard, which is how it works in a driverless manner. While the primary function of the Yubikey is as a generator for one-time passwords to be verified over a network with a back-end authentication system, it can also be used to store and generate local strong static passwords. It is the static password mode which we have initially worked with for use with Android devices, in order to do local authentication for disk encryption, screen unlock and local encrypted application databases. <em>(We do plan to investigate the other modes of the Yubikey in future posts.)</em></p>
<p><a href="https://guardianproject.info/wp-content/uploads/2012/01/yubikey.png" rel="lightbox[1383]" title="yubikey"><img class="alignnone size-medium wp-image-1384" title="yubikey" src="https://guardianproject.info/wp-content/uploads/2012/01/yubikey-300x246.png" alt="" width="300" height="246" /></a></p>
<p><em>Yubikey Personalization Tool &#8211; simple and free</em></p>
<p>Android has a limit of 17 characters for its disk encryption and screen unlock password. Using the <a href="http://www.yubico.com/personalization-tool">Yubikey Personalization Tool</a>, we were able to generate a strong password of that limit, as well as a 13 character password, which we combined with a memorized, manually entered 4 digit pin. By combining the long password from the Yubikey with a short memorized version, a certain amount of security is preserved even if the key is physically stolen along with your mobile device.</p>
<p><a href="https://guardianproject.info/wp-content/uploads/2012/01/2012-01-03-14.07.10.jpg" rel="lightbox[1383]" title="2012-01-03 14.07.10"><img class="alignnone size-medium wp-image-1388" title="2012-01-03 14.07.10" src="https://guardianproject.info/wp-content/uploads/2012/01/2012-01-03-14.07.10-300x225.jpg" alt="" width="300" height="225" /><br />
</a><em>Yubikey activation via micro-USB on Motorola Xoom</em></p>
<p>At this point in time, it seems that only Android tablets, such as the Viewsonic GTab, Motorola Xoom and Toshiba Thrive support the necessary <a href="http://en.wikipedia.org/wiki/USB_human_interface_device_class">USB Human Interface Device mode</a> to enable the Yubikey to work. We have not yet found a smartphone that supports external keyboard hardware, but we are sure they are out there, or else it will not be long. Our initial tests were with the Motorola Xoom, which only includes a micro USB port. Fortunately, using a <a href="http://www.amazon.com/Micro-USB-Male-Female-Adapter/dp/B0027YYMU6/ref=sr_1_1?ie=UTF8&amp;qid=1325636089&amp;sr=8-1">very simple adapter purchased on Amazon</a>, we were able to make it work. Open the Android settings to the Location &amp; Security screen, and configure your lock screen to be &#8220;Secured with password&#8221;. When asked to type it in, plug in the Yubikey with adapter, touch the disc, and the pre-configured static password spits out into the password field that is currently in focus on the device.</p>
<p><a href="https://guardianproject.info/wp-content/uploads/2012/01/2012-01-03-14.09.04.jpg" rel="lightbox[1383]" title="2012-01-03 14.09.04"><img class="alignnone size-medium wp-image-1390" title="2012-01-03 14.09.04" src="https://guardianproject.info/wp-content/uploads/2012/01/2012-01-03-14.09.04-300x225.jpg" alt="" width="300" height="225" /><br />
</a><em>Yubikey password entry</em></p>
<p>The Toshiba and Viewsonic tablets offer full-size USB ports, which makes the use of the Yubikey much easier, as seen below. However, as a best practices policy, even if the key can be left plugged in to the device while in use and in motion, it makes most sense to remove the Yubikey immediately, and have it attached to a keychain or other physical item you always keep on your person.</p>
<p><a href="https://guardianproject.info/wp-content/uploads/2012/01/2012-01-03-14.08.08.jpg" rel="lightbox[1383]" title="2012-01-03 14.08.08"><img class="alignnone size-medium wp-image-1389" title="2012-01-03 14.08.08" src="https://guardianproject.info/wp-content/uploads/2012/01/2012-01-03-14.08.08-300x225.jpg" alt="" width="300" height="225" /></a></p>
<p>Yubikey also offers an <a href="http://www.yubico.com/rfid-yubikey">RFID-enabled version of their key</a> which is compatible with the Near Field Communication (NFC) technology found in some newer Android phones. Using this solution, it may be possible to not require actually plugging in the key at all, but instead just having it in the vicinity of your mobile device. You would still need to combine this with a short directly entered password or PIN, in case the NFC signal is somehow wirelessly sniffed by an attacker, though the risk of that is very low for most typical deployments, and NFC itself does provide some amount of security.</p>
<p>All in all, we find the Yubikey to serve a useful purpose in improving the base level of local device security on compatible Android devices. While one could type in a 17 character, mixed-case, number and symbol password directly into a device, it would grow old quickly, especially with typical end-users. The act of plugging in a Yubikey takes very little effort, and combined with a short manually entered PIN, provides the maximum amount of password security for disk encryption, screen locking, and application-based security on Android.</p>
<p>Look for future posts on the use of the Yubikey and other hardware token devices, specifically investigating their use in one-time password, challenge-response, and RFID/NFC modes.</p>
]]></content:encoded>
			<wfw:commentRss>https://guardianproject.info/2012/01/04/strong-mobile-passwords-with-yubikey-usb-token/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Thoughts on Mobile Video for Activism</title>
		<link>https://guardianproject.info/2011/12/22/thoughts-on-mobile-video-for-activism/</link>
		<comments>https://guardianproject.info/2011/12/22/thoughts-on-mobile-video-for-activism/#comments</comments>
		<pubDate>Thu, 22 Dec 2011 16:39:43 +0000</pubDate>
		<dc:creator>n8fr8</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">https://guardianproject.info/?p=1373</guid>
		<description><![CDATA[I&#8217;ve co-written a blog post with Bryan Nunez of WITNESS, on some important concepts around using mobile video technology within activist and protest situations.  It is up now on their blog, but here is a short excerpt: Activists all over &#8230;<p class="read-more"><a href="https://guardianproject.info/2011/12/22/thoughts-on-mobile-video-for-activism/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve co-written a blog post with Bryan Nunez of WITNESS, on some important concepts around using mobile video technology within activist and protest situations.  It is up now <a href="http://blog.witness.org/2011/12/mobile-workflow-human-rights-video/">on their blog</a>, but here is a short excerpt:</p>
<blockquote><p>Activists all over the world have turned to mobile phones to organize, coordinate and document their struggle.  Images and videos shot on mobile phones have been the standard for what revolution looks like in the public imagination.  We have seen iconic moments, captured in low resolution on mobile phones, captivate global audiences. We have moved from a handful of grainy clips uploaded hours or days after events unfold, to multiple livestreams, showing different angles on something happening right now. The Arab Spring, the #Occupy Movement, as well as less politicized events like the <a href="http://blog.witness.org/2011/08/citizen-media-in-the-london-riots/">London and Vancouver riots</a> have shown us that the mobile phone is the recording device used to document the next breaking news story, especially if that story involves any sort of protest or activism.</p></blockquote>
<p><a href="https://guardianproject.info/wp-content/uploads/2011/12/image07.png" rel="lightbox[1373]" title="image07"><img title="image07" src="https://guardianproject.info/wp-content/uploads/2011/12/image07.png" alt="" width="634" height="135" /></a></p>
<p>Read on here: <a href="http://blog.witness.org/2011/12/mobile-workflow-human-rights-video/">http://blog.witness.org/2011/12/mobile-workflow-human-rights-video/</a></p>
]]></content:encoded>
			<wfw:commentRss>https://guardianproject.info/2011/12/22/thoughts-on-mobile-video-for-activism/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SQLCipher for Android v1 FINAL!</title>
		<link>https://guardianproject.info/2011/11/29/sqlcipher-for-android-v1-final/</link>
		<comments>https://guardianproject.info/2011/11/29/sqlcipher-for-android-v1-final/#comments</comments>
		<pubDate>Tue, 29 Nov 2011 18:17:47 +0000</pubDate>
		<dc:creator>n8fr8</dc:creator>
				<category><![CDATA[Development]]></category>
		<category><![CDATA[New Release]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">https://guardianproject.info/?p=1321</guid>
		<description><![CDATA[Team GP along with the good folks at Zetetic, are happy to announce that we have reached FINAL on our first release (&#8220;v1&#8221; 0.0.6 build) of SQLCipher for Android. This means we consider this a production release, ready for shipping with your &#8230;<p class="read-more"><a href="https://guardianproject.info/2011/11/29/sqlcipher-for-android-v1-final/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<p>&nbsp;</p>
<p>Team GP, along with the good folks at <a href="http://zetetic.net/">Zetetic</a>, are happy to announce that we have reached <em><strong>FINAL</strong></em> on our first release (&#8220;v1&#8221; 0.0.6 build) of <a href="https://guardianproject.info/code/sqlcipher/">SQLCipher for Android</a>. This means we consider this a production release, ready for shipping with your apps to provide for reliable, open-source, secure application data encryption.</p>
<p><iframe width="640" height="360" src="https://www.youtube-nocookie.com/embed/epnb4HpaqNE?hd=1" frameborder="0" allowfullscreen></iframe></p>
<p>If you need a refresher, here is what the cross-platform, open-source <a href="http://sqlcipher.net/">SQLCipher</a> provides:</p>
<blockquote><p>SQLCipher is an <a href="http://sqlite.org/">SQLite</a> extension that provides transparent 256-bit AES encryption of database files. Pages are encrypted before being written to disk and are decrypted when read back. Due to the small footprint and great performance it’s ideal for protecting embedded application databases and is well suited for mobile development.</p>
<ul>
<li>Blazing fast performance with as little as 5-15% overhead for encryption on many operations</li>
<li>100% of data in the database file is encrypted</li>
<li>Uses good security practices (CBC mode, key derivation)</li>
<li>Zero-configuration and application level cryptography</li>
<li>Broad platform support: works with C/C++, Obj-C, QT, Win32/.NET, Java, Python, Ruby, etc on Windows, Linux, iPhone/iOS…</li>
<li>Algorithms provided by the peer reviewed <a href="http://openssl.org/">OpenSSL</a> crypto library.</li>
</ul>
</blockquote>
<p>In addition to our work porting the core codebase, the work done on Android also provides near exact API compatibility with the default <a href="http://developer.android.com/reference/android/database/package-summary.html">Android Database API</a>. This means that developers can drop in SQLCipher, and add data encryption to their application, with very few changes to their existing codebase.</p>
<p>Finally, while full disk encryption is offered on newer Android devices from Motorola, and those running Android 3.x Honeycomb or 4.x Ice Cream Sandwich, that only provides encryption of the entire internal or external storage, which must be unlocked and decrypted when the device is booted. The SQLCipher model ensures only a limited amount of data from your app is accessible at any time, and allows the user or the app to lock itself down, whether or not the device itself is locked or encrypted.</p>
<blockquote><p><strong>Download the Software Development Kit here for integration with your Android apps: <a href="https://github.com/downloads/guardianproject/android-database-sqlcipher/SQLCipherForAndroid-SDK-0.0.6-FINAL.zip">https://github.com/downloads/guardianproject/android-database-sqlcipher/SQLCipherForAndroid-SDK-0.0.6-FINAL.zip</a></strong></p></blockquote>
<p>You can see all the <a href="https://github.com/guardianproject/android-database-sqlcipher/issues?sort=updated&amp;direction=desc&amp;state=closed&amp;page=1">closed issues addressed</a> in this release.</p>
<p>If you want to build from source, you will need the Android NDK, as well as the SDK. Pull the repo, and run &#8216;make all&#8217; with the included <a href="https://github.com/guardianproject/android-database-sqlcipher/blob/master/Makefile">SQLCipher Makefile</a>.</p>
<p>Our partners at <a href="http://zetetic.net/">Zetetic</a> have published a <a href="http://sqlcipher.net/sqlcipher-for-android/">step-by-step application integration tutorial</a>.<a href="http://sqlcipher.net/sqlcipher-for-android/"><br />
</a><a href="http://sqlcipher.net/sqlcipher-for-android/"><img class="alignnone size-medium wp-image-1345" title="eclipse-class-libraries" src="https://guardianproject.info/wp-content/uploads/2011/11/eclipse-class-libraries-300x214.png" alt="" width="300" height="214" /></a><a href="http://sqlcipher.net/sqlcipher-for-android/"><br />
</a></p>
<p>You can also get started by working with our <a href="https://github.com/guardianproject/notepadbot">sample &#8216;NoteCipher&#8217; project available on Github</a>.</p>
<p>If you happen to encounter them, <a href="https://github.com/guardianproject/android-database-sqlcipher/issues/new">please report any unexpected behaviours</a>, bugs, typos or other abnormalities, as soon as you can. We know there are still some <a href="https://github.com/guardianproject/android-database-sqlcipher/issues?sort=updated&amp;direction=desc&amp;state=open">outstanding issues</a> faced in some cases, but we did not consider them blockers.</p>
<p>SQLCipher for Android Home: <a href="https://guardianproject.info/code/sqlcipher/">https://guardianproject.info/code/sqlcipher/</a></p>
]]></content:encoded>
			<wfw:commentRss>https://guardianproject.info/2011/11/29/sqlcipher-for-android-v1-final/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Don&#8217;t Get Burned, Anonymize Your Fire</title>
		<link>https://guardianproject.info/2011/11/16/dont-get-burned-anonymize-your-fire/</link>
		<comments>https://guardianproject.info/2011/11/16/dont-get-burned-anonymize-your-fire/#comments</comments>
		<pubDate>Wed, 16 Nov 2011 22:37:24 +0000</pubDate>
		<dc:creator>n8fr8</dc:creator>
				<category><![CDATA[App Reviews]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[amazon]]></category>
		<category><![CDATA[android]]></category>
		<category><![CDATA[kindle]]></category>
		<category><![CDATA[kindlefire]]></category>

		<guid isPermaLink="false">https://guardianproject.info/?p=1301</guid>
		<description><![CDATA[Thanks to Jesse Vincent, aka @obra of the K-9 mail project, we can say that Orbot (Tor on Android) and Orweb (Privacy Browser) work just fine on the new Amazon Kindle Fire. This means that while everything you do through &#8230;<p class="read-more"><a href="https://guardianproject.info/2011/11/16/dont-get-burned-anonymize-your-fire/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<p>Thanks to Jesse Vincent, aka <a href="https://twitter.com/obra">@obra</a> of the <a href="http://code.google.com/p/k9mail/">K-9 mail project</a>, we can say that <a href="https://guardianproject.info/apps/orbot">Orbot (Tor on Android)</a> and <a href="https://guardianproject.info/apps/orweb">Orweb (Privacy Browser)</a> work just fine on the new <a href="http://www.amazon.com/Kindle-Fire-Amazon-Tablet/dp/B0051VVOB2">Amazon Kindle Fire</a>. This means that while everything you do through Amazon&#8217;s store and browser is tracked and accounted for by Team Bezos, you can use our apps to more safely and privately access web content through the <a href="https://torproject.org">Tor network</a>. While we are mostly <a href="https://guardianproject.info/hardware/">Nook Color fans</a> around here, we know that the Kindle Fire is going to be quite popular this Christmas, and are glad to see that mobile privacy now has a toehold on the device from Seattle.</p>
<p><a href="http://twitpic.com/7f2bo3"><img title="448565907" src="https://guardianproject.info/wp-content/uploads/2011/11/448565907-300x224.jpg" alt="" width="300" height="224" /></a></p>
<p>This provides a nice counterpoint to some of the <a href="http://www.slashgear.com/eff-talks-silk-browser-privacy-with-amazon-19189281/">earlier privacy concerns about the Amazon Silk browser</a>, which proxies all your HTTP connections through their data center. In addition, the fact that our <a href="https://gitweb.torproject.org/orbot.git/blob_plain/HEAD:/BUILD">very complex apps</a> work without modification on Amazon&#8217;s stripped-down flavor of Android shows that the reports of fragmentation have been greatly exaggerated. From our perspective, the power of Android comes from the compatibility of the underlying platform APIs and Linux-based foundation, and not from having a one-size-fits-all user interface or a single-point-of-control app marketplace.</p>
<p><a href="https://guardianproject.info/wp-content/uploads/2011/11/Kindle-Fire.jpg" rel="lightbox[1301]" title="Kindle-Fire"><img class="size-medium wp-image-1306 alignnone" title="Kindle-Fire" src="https://guardianproject.info/wp-content/uploads/2011/11/Kindle-Fire.jpg" alt="" /></a></p>
<p><strong>Installation Instructions</strong></p>
<p>1) Under the settings section labeled “Device,” there is an option that says “Allow Installation of Applications From Unknown Sources.” Enable this!</p>
<p>2) Then download these files directly via the Fire&#8217;s browser, or side-load them from the desktop using the Android SDK &#8220;adb&#8221; tool.</p>
<p>Orbot: <a href="https://www.torproject.org/dist/android/Orbot-1.0.6-Tor-0.2.3.7-alpha-FINAL.apk">https://www.torproject.org/dist/android/Orbot-1.0.6-Tor-0.2.3.7-alpha-FINAL.apk</a></p>
<p>Orweb: <a href="https://github.com/downloads/guardianproject/Orweb/Orwebv2-20010809-0.2.2.apk">https://github.com/downloads/guardianproject/Orweb/Orwebv2-20010809-0.2.2.apk</a></p>
<p>&nbsp;</p>
<p>3) Start Orbot, follow the wizard, and press the power up button to connect to Tor.</p>
<p>4) Start Orweb to connect to the Tor Check page to verify your connection, then browse away to your (private) heart&#8217;s content.</p>
<p>5) Do a happy dance because your Kindle Fire just got way more l33t and slightly less p0wn3d.</p>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>https://guardianproject.info/2011/11/16/dont-get-burned-anonymize-your-fire/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Two years in&#8230;</title>
		<link>https://guardianproject.info/2011/10/25/two-years-in/</link>
		<comments>https://guardianproject.info/2011/10/25/two-years-in/#comments</comments>
		<pubDate>Tue, 25 Oct 2011 15:11:39 +0000</pubDate>
		<dc:creator>n8fr8</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">https://guardianproject.info/?p=1291</guid>
		<description><![CDATA[Greetings mobile believers, I am about to head into the first ever Silicon Valley Human Rights Conference, aka #RightsCon, and thought I would post some thoughts about the state of the Guardian Project, and the world in which we operate. RightsCon &#8230;<p class="read-more"><a href="https://guardianproject.info/2011/10/25/two-years-in/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<p>Greetings mobile believers,</p>
<p>I am about to head into the first ever Silicon Valley Human Rights Conference, aka #RightsCon, and thought I would post some thoughts about the state of the Guardian Project, and the world in which we operate. RightsCon looks to be an amazing event (live streaming here: <a href="https://www.rightscon.org/">https://www.rightscon.org/</a>), by an amazing organization (Access), and it comes at an interesting time in the world, and for our project.</p>
<p>One year ago, I was invited to attend the first Liberation Technology held at Stanford University, a forebear of sorts to the RightsCon event today. It was a novel event, being that it was so forthright about the possibility of liberation from oppressors through ones and zeros. It was also quite informative, in that it brought together a wide array of participants, including from Egypt, Syria and Yemen, and allowed them to speak directly about the variety of tactics they were using to defeat censors, route around filters, connect diasporas to their homeland and ultimately find fissures in the system that could slowly be mined and widened.</p>
<p>I gave a short talk as part of a panel I was asked to be on, which covered the history of my sometimes bi-polar work as an activist and a technologist. In this talk, I discussed how the human-need focused brilliance of Steve Jobs should be combined with the deep understanding of movements by Gene Sharp. I talked about how the icon of Android has some things to learn from OTPOR! if it wants people to join in liberating their mobiles. I proposed that the ideas of free culture and code held by Stallman and Lessig need to be studied, spread and embodied by activist communities, such as the Tibetan independence groups, with whom I work closely.</p>
<p>While it is better in person with my arm waving, you can view the visual portion of this presentation here:<br />
<a href="http://prezi.com/ttsj526jjlsi/libtech/"> http://prezi.com/ttsj526jjlsi/libtech/</a></p>
<p>Since that event, so much has happened, both in the world and within our work here at the Guardian Project. The recent events in the Middle East and North Africa have shown that, now more than ever, social, mobile technology, combined with non-violent direct action, is a central solution for helping citizens of this planet defend their rights to live, study, pray, commune, transact and organise. I think my words and presentation at that event were less about foreseeing the near future, and more about just sensing all the components in the air, and hoping that someone, somewhere, would put them all together in service of a good cause.</p>
<p>This same analogy can be used for the state of the Guardian Project itself. It was two years ago, we had our first breakthrough with the port of Tor to Android:<br />
<a href="http://openideals.com/2009/10/22/orbot-proxy/"> http://openideals.com/2009/10/22/orbot-proxy/</a></p>
<p>This was about as raw as it gets &#8211; source code, a user interface made up of a few grey buttons and a console log output, and a very complex set of steps to actually get proxying working. However, it was a start &#8211; &#8220;Day 0&#8221; if you will &#8211; and where I mark the public entry of our project into the world.</p>
<p>Now, today, October 25, 2011, two years since the Tor port, and one year since the LibTech event, we are quite a bit further than that. We have real, polished apps, and perhaps, some of the best user experience design in mobile security solutions. There have been over 100,000 downloads of Orbot, both from the Android Market and through direct distribution:<br />
<a href="https://www.torproject.org/docs/android.html.en"> https://www.torproject.org/docs/android.html.en</a></p>
<p>Beyond Orbot, we have an entire suite of (literally &#8220;award-winning&#8221;) apps in the Android Market, covering the range of capabilities expected from anonymous, circumventing web browsing, encrypted chat, secure file storage, to our more original projects, such as ObscuraCam, a privacy-aware camera app.</p>
<p>View all of our apps in the Android Market:<br />
<a href="https://market.android.com/search?q=guardianproject&amp;so=1&amp;c=apps"> https://market.android.com/search?q=guardianproject&amp;so=1&amp;c=apps</a></p>
<p>We have stayed true to our open-source, grant-funded goals, and have built a vibrant project for all to share, learn and take from:<br />
<a href="https://github.com/guardianproject"> https://github.com/guardianproject</a></p>
<p>We have also collaborated with many other human rights and activist organizations, to ensure our tools and technology are directly informed by their tangible day-to-day needs. ObscuraCam is a project with WITNESS, the leading human-rights video organization, and is part of a larger effort called the SecureSmartCam, which we aim to one day power international human rights evidence gathering.<br />
<a href="https://guardianproject.info/2011/09/10/progress-on-mobile-video-privacy-tools/"> https://guardianproject.info/2011/09/10/progress-on-mobile-video-privacy-tools/</a></p>
<p>We also joined MobileActive, in the development of the SaferMobile project&#8217;s InTheClear app for Blackberry, Nokia and Android phones, a mobile panic button for quickly erasing sensitive data and sending emergency distress calls, via SMS:<br />
<a href="https://lab.safermobile.org/wiki/InTheClear"> https://lab.safermobile.org/wiki/InTheClear</a></p>
<p>Finally, SQLCipher for Android, our port of an existing, tested, trusted open-source encrypted database solution by Zetetic, is gathering a lot of support quickly, because we consciously made it easy for developers to implement. We have a number of major partners who will be using it in their solutions, and we hope we can talk about them more soon.</p>
<p>Encrypt your mobile app data:<br />
<a href="https://guardianproject.info/code/sqlcipher/"> https://guardianproject.info/code/sqlcipher/</a></p>
<p>There is so much more to share, and I am already running long (and late for the #RightsCon!). I also know we have quite a bit more work to do in getting our apps to be more reliable, more stable and more functional in all of the places where people are depending upon their mobile phones to defend their rights, and in many cases, their lives. We are two years into our five year mission, and we have so many good things to announce in the coming weeks and months. Stay tuned, get your mobiles ready to power-up.</p>
<p>Best,<br />
n8fr8 and the entire amazing <a href="https://twitter.com/guardianproject">@guardianproject</a> crew</p>
]]></content:encoded>
			<wfw:commentRss>https://guardianproject.info/2011/10/25/two-years-in/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Progress on Mobile Video Privacy Tools</title>
		<link>https://guardianproject.info/2011/09/10/progress-on-mobile-video-privacy-tools/</link>
		<comments>https://guardianproject.info/2011/09/10/progress-on-mobile-video-privacy-tools/#comments</comments>
		<pubDate>Sat, 10 Sep 2011 04:36:11 +0000</pubDate>
		<dc:creator>n8fr8</dc:creator>
				<category><![CDATA[Development]]></category>
		<category><![CDATA[ffmpeg]]></category>
		<category><![CDATA[open-source]]></category>
		<category><![CDATA[openvideo]]></category>
		<category><![CDATA[ovc11]]></category>
		<category><![CDATA[witness]]></category>

		<guid isPermaLink="false">https://guardianproject.info/?p=1259</guid>
		<description><![CDATA[If you are  a developer you may just want to skip all the prose below, and just jump over to Github to find our new FFMPEG on Android project and build system. You can also check out our SSCVideoProto Project &#8230;<p class="read-more"><a href="https://guardianproject.info/2011/09/10/progress-on-mobile-video-privacy-tools/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<p><em>If you are  a developer you may just want to skip all the prose below, and just jump over to Github to find our new <a class="vt-p" href="https://github.com/guardianproject/android-ffmpeg">FFMPEG on Android project</a> and build system. You can also check out our <a class="vt-p" href="https://github.com/guardianproject/SSCVideoProto">SSCVideoProto Project</a> to understand how we are using it to redact faces and other identifying areas of HD video right on the Android phone itself. For more context, read on&#8230;</em></p>
<p>Last October at the Open Video Conference 2010, the idea of a camera application that could be designed to understand the needs and requirements of the human rights community was born. During a <a class="vt-p" href="http://blog.witness.org/2010/10/ovc2010-opensubtitles/">hackday hosted with WITNESS</a>, we proved that it was possible to take a feature like &#8220;Face Detection&#8221; which is built into the Android operating system, and turn it into a capability that could be used to protect people, by blurring, pixelating or removing faces that unintentionally appeared in a video filmed on a mobile phone. In the last year, through our partnership with <a href="http://www.witness.org/cameras-everywhere/witness-labs">WITNESS Labs</a>, we have built on that concept, designing, developing and releasing apps and source code which move the state of the art in mobile video privacy and anonymity capabilities forward.</p>
<p>Here is a short video of <a class="vt-p" href="http://blog.witness.org/2010/10/ovc2010-opensubtitles/">where we were a year ago</a>.</p>
<p><object width="560" height="345"><param name="movie" value="https://www.youtube.com/v/wVUQtNHjiIs?version=3&amp;hl=en_US&amp;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="https://www.youtube.com/v/wVUQtNHjiIs?version=3&amp;hl=en_US&amp;rel=0" type="application/x-shockwave-flash" width="560" height="345" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p>The idea was that using a combination of approaches, we might be able to take the human rights video workflow, and ideas of consent and intent, that <a class="vt-p" href="http://witness.org/training">WITNESS has developed for over twenty years</a>, and encode that into best practices and features in a software application. This was the catalyst for the launch of our joint <a class="vt-p" href="https://github.com/guardianproject/securesmartcam/wiki">Secure Smart Cam Project</a>, which just three months ago resulted in the <a class="vt-p" href="https://guardianproject.info/2011/06/23/announcing-obscuracam-v1-enhance-your-visual-privacy/">launch of our first public app</a>, <a class="vt-p" href="https://guardianproject.info/2011/06/23/announcing-obscuracam-v1-enhance-your-visual-privacy/">ObscuraCam v1</a>. Available in the Android Market, this app allows a user to quickly process a still photo taken on an Android smartphone, empowering them to remove unwanted identifying visual elements (faces, logos, signs, places) and remove unwanted digital metadata attached to the photo (GPS data, camera make and model, timestamps, etc). The app assists the user in this process by using Android&#8217;s built-in face detection technology to automatically identify and pixelize faces found in photos.</p>
<p><a class="vt-p" href="https://guardianproject.info/2011/06/23/announcing-obscuracam-v1-enhance-your-visual-privacy/"><img class="alignnone" src="https://guardianproject.info/wp-content/uploads/2011/06/02_autodetect.png" alt="" width="560" height="336" /></a></p>
<p>We continue to develop ObscuraCam in order to add new features, filters and privacy-enhancing capabilities. In addition, we are exploring the &#8220;Informa&#8221; mode of this application, which uses the same technologies developed to assist in removing information, and instead uses them to add layers of extra verification, subject consent and intent tracking, and full media encryption. The idea is that in many cases people want to use visual media as evidence, or at least as reliable sources for journalistic use, and the more data that can be securely and safely captured and associated with a media file, the better. This is still in the research and design phase, but we expect to have some concepts of this ready for public play in the next few months.</p>
<p>While ObscuraCam is exciting, it only supports photos at this time. This is a fundamental issue, because WITNESS is a human-rights video organization, and the type of compelling content people are creating on their mobile phones is moving pictures, not stills. A year out from when the idea was first prototyped, I am happy to say that we have addressed the major challenges necessary to achieve mobile video processing of high-resolution video on the Android phone itself. The prototype last year was faking it in a sense, as it couldn&#8217;t actually record anything, and just showed the idea that you could detect faces. Our new <a class="vt-p" href="https://github.com/guardianproject/sscvideoproto">SSCVideoProto project</a> utilizes the open-source <a class="vt-p" href="https://github.com/guardianproject/android-ffmpeg">FFMPEG video processing library</a> to redact regions from recorded video files. Below is a short video that demonstrates the current state of the work.</p>
<p><iframe src="https://www.youtube.com/embed/aXOKRShqYa0" frameborder="0" width="560" height="345"></iframe></p>
<p>In summary, this means we can now remove, pixelize or otherwise modify any identifying content in a high-resolution video recorded on a mobile phone, before that video is uploaded to YouTube, Facebook or elsewhere. Faces can be removed, screens blacked out or any other element that shouldn&#8217;t be shown, as it would increase some risk to the subjects of the video. Beyond redaction, we can now process any video, using open-source software, on an Android phone, including trimming, splitting, adjusting color, balance, brightness or any other common ffmpeg feature.</p>
<p><em>Thanks to Shawn, Andrew and Hans for the collective work on getting us to this milestone</em></p>
<p><a class="vt-p" href="https://github.com/guardianproject/android-ffmpeg">FFMPEG on Android project</a><br />
<a class="vt-p" href="https://github.com/guardianproject/SSCVideoProto">SSCVideoProto Project</a></p>
]]></content:encoded>
			<wfw:commentRss>https://guardianproject.info/2011/09/10/progress-on-mobile-video-privacy-tools/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CACertMan app to address DigiNotar &amp; other bad CA&#8217;s</title>
		<link>https://guardianproject.info/2011/09/05/cacertman-app-to-address-diginotar-other-bad-cas/</link>
		<comments>https://guardianproject.info/2011/09/05/cacertman-app-to-address-diginotar-other-bad-cas/#comments</comments>
		<pubDate>Mon, 05 Sep 2011 03:29:00 +0000</pubDate>
		<dc:creator>n8fr8</dc:creator>
				<category><![CDATA[Development]]></category>
		<category><![CDATA[cacerts]]></category>
		<category><![CDATA[certificate authority]]></category>
		<category><![CDATA[comodo]]></category>
		<category><![CDATA[diginotar]]></category>
		<category><![CDATA[ssl]]></category>

		<guid isPermaLink="false">https://guardianproject.info/?p=1249</guid>
		<description><![CDATA[As I expect many of you are aware, there was a major compromise to a Dutch Certificate Authority named &#8220;DigiNotar&#8221; recently, where they allowed SSL certs for domains like *.google.com, *.torproject.org and even *.cia.gov as well as *.*.com to be issued. &#8230;<p class="read-more"><a href="https://guardianproject.info/2011/09/05/cacertman-app-to-address-diginotar-other-bad-cas/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<p>As I expect many of you are aware, there was a major compromise to a Dutch Certificate Authority named &#8220;DigiNotar&#8221; recently, where they allowed SSL certs for domains like *.google.com, *.torproject.org and even *.cia.gov as well as *.*.com to be issued.</p>
<p>It was brought up to the contribs of CyanogenMOD that they should probably remove the DigiNotar CA cert from the built-in Android OS keystore (located at /system/etc/security/cacerts.bks). Since they have 500k+ users, and can be more nimble than other ROM/device distributors, it was seen as a way to quickly address the problem, at least within their community. It turns out that it wasn&#8217;t as easy to convince them to do this (even though Mozilla, Google Chrome, IE, etc already had). You can read the thread, but it is still an open issue:<br />
<a class="vt-p" href="http://code.google.com/p/cyanogenmod/issues/detail?id=4260">http://code.google.com/p/cyanogenmod/issues/detail?id=4260</a></p>
<p>In the meantime, I decided to do something proactive about this, and took two approaches:</p>
<p>1) Create our own curated cacerts.bks file which rooted users could install using &#8216;adb&#8217; from their desktop and/or the &#8216;Root Explorer&#8217; app available in the market and elsewhere. Our version of the CACert file removes DigiNotar, as well as CNNIC, a Chinese gov&#8217;t-managed cert authority who we have reason not to trust. Our goal is to continue to audit, update and distribute our own cacerts file for users who trust us.</p>
<p>Install info: <a class="vt-p" href="https://raw.github.com/guardianproject/cacert/master/INSTALLATION">https://raw.github.com/guardianproject/cacert/master/INSTALLATION</a></p>
<p>Guardian&#8217;s CACert: <a class="vt-p" href="https://github.com/downloads/guardianproject/cacert/cacerts.bks">https://github.com/downloads/guardianproject/cacert/cacerts.bks</a></p>
<p>2) We also wanted to create an app that let the user decide which certs they wanted available, and which they didn&#8217;t. Beyond this one CA problem, there are potentially many more, and every handset manufacturer or carrier can also place their own CA certs into the system. We need an app to address today&#8217;s and future CA threats.</p>
<p><a class="vt-p" href="https://guardianproject.info/wp-content/uploads/2011/09/device-2011-09-04-232720.png" rel="lightbox[1249]" title="device-2011-09-04-232720"><img class="alignleft size-medium wp-image-1254" style="margin: 6px;" title="device-2011-09-04-232720" src="https://guardianproject.info/wp-content/uploads/2011/09/device-2011-09-04-232720-180x300.png" alt="" width="180" height="300" /></a>I have been hacking away on a solution to address this, and an initial test release is available for you. &#8216;CACertMan&#8217; is a simple app that loads up the system cacert store, allows you to back it up, search for certs, delete them, and then save it back to the system. You can always restore from your initial backup, as well. In the future we may allow for a cert to just be disabled, but for now it is delete and/or restore.</p>
<p>Here is the first alpha build for testing. This does require root, as well as a device that has the &#8216;grep&#8217; command on it. This is basically CyanogenMOD, but most likely any other custom ROM. If the &#8216;save&#8217; doesn&#8217;t work, then you will need to use &#8216;RootExplorer&#8217; to make your /system partition read-write.</p>
<p>Download CACertMan v0.0.1-Alpha: <a class="vt-p" href="https://github.com/guardianproject/cacert/CACertMan-0.0.1-alpha.apk/qr_code">https://github.com/guardianproject/cacert/CACertMan-0.0.1-alpha.apk/qr_code</a></p>
<p>You can find the source project here: <a class="vt-p" href="https://github.com/guardianproject/cacert">https://github.com/guardianproject/cacert</a></p>
<p>Once we get confirmation that the app works for most people, we&#8217;ll place it in the market, and on our site for wider distribution.</p>
<p>Through these two approaches, we hope to mitigate the threats facing Android users who might encounter man-in-the-middle attacks enabled through the DigiNotar exploit. While many of you are presumably in &#8220;free&#8221; countries, we do know that many of our users of Orbot, Gibberbot and other software are not, and we hope this message can reach them.</p>
]]></content:encoded>
			<wfw:commentRss>https://guardianproject.info/2011/09/05/cacertman-app-to-address-diginotar-other-bad-cas/feed/</wfw:commentRss>
		<slash:comments>24</slash:comments>
		</item>
		<item>
		<title>ACLU believes &#8220;Software Developers Can Put Privacy First!&#8221; (and so do we!)</title>
		<link>https://guardianproject.info/2011/08/19/aclu-believes-software-developers-can-put-privacy-first-and-so-do-we/</link>
		<comments>https://guardianproject.info/2011/08/19/aclu-believes-software-developers-can-put-privacy-first-and-so-do-we/#comments</comments>
		<pubDate>Fri, 19 Aug 2011 19:46:40 +0000</pubDate>
		<dc:creator>n8fr8</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[aclu]]></category>
		<category><![CDATA[develop4privacy]]></category>
		<category><![CDATA[privacybydesign]]></category>

		<guid isPermaLink="false">https://guardianproject.info/?p=1246</guid>
		<description><![CDATA[A bit more on our big win in the Develop4Privacy contest, from Brian Robick at the ACLU of Washington State: When software developers put privacy first, everybody wins! Too often, user privacy is an afterthought in the design of computer &#8230;<p class="read-more"><a href="https://guardianproject.info/2011/08/19/aclu-believes-software-developers-can-put-privacy-first-and-so-do-we/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<p>A <a href="http://www.aclu-wa.org/blog/software-developers-can-put-privacy-first">bit more on our big win</a> in the Develop4Privacy contest, from Brian Robick at the <a href="http://www.aclu-wa.org/">ACLU of Washington State</a>:</p>
<blockquote><p>When software developers put privacy first, everybody wins!</p>
<p>Too often, user privacy is an afterthought in the design of computer software and online services.  In recent months, social networks have rolled back changes, cell phone manufacturers have altered the way that location tracking data is stored, and most recently, mobile application developers have been caught inappropriately collecting children’s personal data. For companies, the costs in lost consumer confidence, fines, and corrective measures can be substantial. Everyday users pay a price as well, and for victims of domestic violence, political protesters, whistleblowers, and others whose safety and livelihood could hinge on their privacy, those costs can be devastating.</p>
<p>&#8230;</p>
<p>Thankfully, there are developers dedicated to incorporating privacy into their software designs from the start.  On August 5<sup>th</sup>, at the DEF CON conference in Las Vegas representatives from the ACLU of Washington, the ACLU of Northern California, the Tor Project, and the Office of the Information and Privacy Commissioner of Ontario presented awards for the top submissions to the Develop for Privacy Challenge, which sought open-source mobile applications that allow users to take advantage of new technology without sacrificing their privacy.</p>
<p>We presented the top prize to <strong>Harlo Holmes of the Guardian Project for Gibberbot</strong>, a mobile chat application for Android that keeps your conversation and your identity off-the-record.</p></blockquote>
<p><img class="alignnone" src="http://www.aclu-wa.org/sites/default/files/imagecache/main-image-275/images/d4plogo.JPG" alt="" width="275" height="246" /><img class="alignnone" src="http://www.aclu-wa.org/sites/default/files/u7/Harlo-Roland_0.jpg" alt="" width="288" height="250" /></p>
]]></content:encoded>
			<wfw:commentRss>https://guardianproject.info/2011/08/19/aclu-believes-software-developers-can-put-privacy-first-and-so-do-we/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Announcing ObscuraCam v1 &#8211; Enhance Your Visual Privacy!</title>
		<link>https://guardianproject.info/2011/06/23/announcing-obscuracam-v1-enhance-your-visual-privacy/</link>
		<comments>https://guardianproject.info/2011/06/23/announcing-obscuracam-v1-enhance-your-visual-privacy/#comments</comments>
		<pubDate>Thu, 23 Jun 2011 21:28:20 +0000</pubDate>
		<dc:creator>Derek</dc:creator>
				<category><![CDATA[Development]]></category>
		<category><![CDATA[HowTo]]></category>
		<category><![CDATA[New Release]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://guardianproject.info/?p=1166</guid>
		<description><![CDATA[We&#8217;re very happy to announce the beta release of ObscuraCam for Android. This is the first release from the SecureSmartCam project, a partnership with WITNESS, a leading human rights video advocacy and training organization. This is the result of an open-source &#8230;<p class="read-more"><a href="https://guardianproject.info/2011/06/23/announcing-obscuracam-v1-enhance-your-visual-privacy/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<p>We&#8217;re very happy to announce the beta release of <a href="https://guardianproject.info/apps/securecam/">ObscuraCam</a> for Android. This is the first release from the SecureSmartCam project, a partnership with <a href="http://www.witness.org/">WITNESS</a>, a leading human rights video advocacy and training organization. This is the result of an <a href="https://github.com/guardianproject/SecureSmartCam/tree/obscurav1">open-source development cycle</a>, comprised of multiple sprints (and branches), that took place over the last five months. This &#8220;v1&#8221; release is just the first step towards the complete vision of the project.</p>
<p>The goal of the SecureSmartCam project is to design and develop a new type of smartphone camera app that makes it simple for the user to respect the visual privacy, anonymity and consent of the subjects they photograph or record, while also enhancing their own ability to control the personally identifiable data stored inside that photo or video. Also, we think an app that allows you to pixelize your friends, disguise their faces and otherwise defend their privacy just a little bit, is a lot of fun and helps raise awareness about an important issue. In this first release we have focused on &#8216;obscura&#8217; by optimizing the workflow of identity obfuscation in still images. Future releases will look at &#8216;informa,&#8217; the process of properly gaining and recording informed consent from subjects, while also moving to video.</p>
<p><a href="https://guardianproject.info/wp-content/uploads/2011/06/teamdinner.jpg" rel="lightbox[1166]" title="teamdinner"><img class="size-full wp-image-1199 alignnone" title="teamdinner" src="https://guardianproject.info/wp-content/uploads/2011/06/teamdinner.jpg" alt="" width="450" height="337" /></a></p>
<h4>Quick Download Links</h4>
<p><a href="https://market.android.com/details?id=org.witness.sscphase1&amp;feature=search_result"> <img class="alignleft" style="margin: 3px;" title="obscura_market_qr" src="https://guardianproject.info/wp-content/uploads/2011/06/obscura_market_qr.jpg" alt="" width="130" height="130" /></a>For those of you who just want to get to it, head over to the <a href="https://market.android.com/details?id=org.witness.sscphase1&amp;feature=search_result">Android Market</a> to grab the latest version of the app. You can also scan the QR code to the left, and it will take you in that direction.<a href="https://guardianproject.info/wp-content/uploads/2011/06/obscura_market_qr.jpg"><br />
</a></p>
<p>For those without access to the Android Market, you can get the ObscuraCam.APK file from our <a href="https://guardianproject.info/builds/Obscura/">public builds folder</a>. The official signed release binary is also available <a href="https://guardianproject.info/downloads/ObscuraCam-1.0.4.2-20110624.apk">here</a>. For these options, be sure to check back for updates, because the app will not auto-update itself.<br />
<br style="clear: left;" /></p>
<h4>The &#8220;Cameras Everywhere&#8221; Initiative</h4>
<p>In January, WITNESS launched their <a href="http://blog.witness.org/2011/01/cameraseverywhere/">Cameras Everywhere</a> initiative, in which they ask:</p>
<blockquote><p><em>As more and more people film people speaking out and taking a stand against human rights crises, how can we protect victims and witnesses and ensure informed consent as much as possible? </em><em>As more and more footage circulates from human rights crises around the world, how does powerful footage reach audiences in comprehensible ways that move people to action? </em><em>And how do we know how to trust that footage?</em></p>
<p><em>&#8230;</em></p>
<p><em>Critical issues to address in this realm include safety and security in the use of video; ethical questions raised by the widespread capacity to shoot and circulate human rights video; challenges around the authenticity of video and the preservation of evidence; and the need for effective documentation around the use of video in advocacy.<br />
</em></p></blockquote>
<p>Through our collaboration, WITNESS has decided to move beyond just awareness, training and advocacy, and instead help design a next generation of Camera app software that is not just intended to share and capture more, but is meant to allow its operator to stop, think and be empowered to control the media they are capturing.</p>
<h4>A Primer on Visual Privacy and Anonymity</h4>
<p><a href="http://en.wikipedia.org/wiki/Visual_privacy">Visual Privacy</a> is the relationship between collection and dissemination of visual information, the public expectation of privacy, and the legal issues surrounding them. It relates particularly to the increasing presence of large-scale still- and video-camera networks in everyday life. This not only includes those surveillance-oriented networks under the control of corporations and governments, but also applies to the vast new network of citizen-controlled media capture devices such as smartphones and handheld cameras that has created a peer-to-peer, social-networking based surveillance. At the same time that these networks have exploded in size, face detection and recognition technologies have also improved considerably, while policy regarding the privacy and fair use of such systems and content, as well as the rights of those imaged by such networks, remains unresolved. What results is a situation in which massive amounts of media are being captured every day with little to no protection of individual rights to privacy or anonymity &#8211; something that is especially detrimental to human rights efforts.</p>
<p>As Sam Gregory of WITNESS <a href="http://blog.witness.org/2011/02/human-rights-video-privacy-and-visual-anonymity-in-the-facebook-age/">points out</a>, most contemporary discussions around anonymous communication on the Internet focus on the data protection side &#8211; for instance options for data encryption or censorship circumvention. In the case of media content, a largely unaddressed question arises: what about the rights to anonymity and privacy for those people who appear, intentionally or not, in visual recordings? Visual privacy and anonymity may sound like a contradiction in terms, but people often wish to speak out and to &#8216;be seen&#8217; while at the same time concealing their face and identifying surroundings. As human rights documentation and organizing increasingly involves media capture, how are people enabled to make purposeful choices about when they speak out and what degrees of anonymity they hold onto for themselves? Conversely, people caught in the background of a video or still may be unaware that they are even being filmed in that moment and have no option to protect themselves &#8211; particularly true in mass protest settings where the wave of group solidarity may overwhelm any sense of personal privacy. For those speaking out from marginalized positions, personal safety is a very real risk.</p>
<p>Some examples where visual privacy and anonymity are being diluted in the name of features or security:</p>
<ul>
<li>The <a href="http://www.timesonline.co.uk/tol/news/uk/article6913273.ece">persecution</a> later faced by bystanders and people who stepped in to film or assist Neda Agha-Soltan as she lay dying during the 2009 Iranian election protests.</li>
<li>Facebook&#8217;s <a href="http://blog.facebook.com/blog.php?post=467145887130">opt-out feature</a> for auto-detection and tagging of faces</li>
<li>British Columbia&#8217;s privacy watchdog <a href="http://www.metronews.ca/vancouver/local/article/897762--province-s-privacy-watchdog-oks-facial-recognition-to-identify-rioters">OKs the use of facial recognition technology</a> to identify rioters from video and still images of Vancouver&#8217;s 2011 hockey riots.</li>
<li><a href="http://www.viewdle.com/products/mobile/index.html">Viewdle&#8217;s Social Camera</a> automatically tags your friends in photos based on the social networking profile pictures they have published</li>
</ul>
<p>While some of these examples might seem harmless, or even a useful feature for law enforcement, the main issue is that the subjects of these photos and videos are never asked if they wish to participate in them, not to mention whether they want their photo published online in the first place. The permanence of media on the Web means that any uploaded content can be pored over again and again to identify individuals &#8211; by old-fashioned investigative techniques, by crowd-sourcing, or by face detection/recognition software.</p>
<h4>How ObscuraCam Helps</h4>
<p><a href="https://guardianproject.info/wp-content/uploads/2011/06/01_home.png" rel="lightbox[1166]" title="01_home"><img class="alignleft" style="margin: 3px;" title="01_home" src="https://guardianproject.info/wp-content/uploads/2011/06/01_home-180x300.png" alt="" width="180" height="300" /></a>Part of the problem currently surrounding visual privacy and anonymity is the fact that many of the tools and applications that people use on an everyday basis do not have features built in to protect privacy. As a result, everyone with a smartphone, tablet or laptop &#8211; not to mention an actual video camera! &#8211; captures raw, unedited content that exposes the identities of participants and bystanders present at sensitive events or activities.</p>
<p><a href="https://guardianproject.info/apps/securecam/">ObscuraCam</a> is a mobile application for Android that makes it easy for anyone to protect the identity of individuals or groups represented in their photos by building obfuscation and redaction directly into the app. It can be used on photos taken directly from the app itself, or on any photo that your mobile device has access to, including local memory card images or linked Picasa albums. By moving a usually cumbersome post-production process into the daily workflow of those capturing sensitive images, it&#8217;s our hope that visual privacy will be respected when it really matters.</p>
<h4>Using ObscuraCam</h4>
<p>ObscuraCam features a simple, touch-based user interface for easy manipulation and redaction of images, as well as an automated removal of identifying metadata stored in the photo itself. The following steps walk through the process of capturing and sharing an obscured photo using ObscuraCam.</p>
<ol>
<li>From the application home page, either capture a new image or choose an existing image from your collections. These options simply launch your standard Camera and Gallery applications. When the photo is imported, identifying EXIF metadata stored in the file itself, such as GPS location, camera make and model or timestamp, will be removed.</li>
<li>After you capture or open an image with ObscuraCam, it is automatically scanned to detect faces. Any faces detected are marked as tagged regions in an image, and the user is able to create as many additional tagged regions as they wish &#8211; either via the menu or by long-pressing the desired region. By default, tagged regions are set to be obscured via pixelation.</li>
<li>Once a tagged region has been created, the user can interact with that region by simply touching it to bring up a contextual menu.<a href="https://guardianproject.info/wp-content/uploads/2011/06/02_autodetect.png" rel="lightbox[1166]" title="02_autodetect"><img class="aligncenter size-medium wp-image-1171" title="02_autodetect" src="https://guardianproject.info/wp-content/uploads/2011/06/02_autodetect-300x180.png" alt="" width="300" height="180" /></a></li>
<li> Options available from the contextual tagging menu include:
<ul>
<li>Edit &#8211; select to scale and move tagged regions</li>
<li>Redact &#8211; select to fully redact tagged region and replace with black space</li>
<li>Pixelate &#8211; select to selectively obfuscate identities of persons or situations</li>
<li>bgPixelate &#8211; select to easily obfuscate everything BUT the tagged region</li>
<li>Mask &#8211; select to pin a set of &#8216;Groucho Marx&#8217; glasses on the tagged region &#8211; not only a bit of fun, but useful for quickly defeating facial recognition schemes.</li>
<li>Delete &#8211; delete the current tagged region</li>
</ul>
</li>
<li> Once you&#8217;re done selecting and obfuscating tagged regions, you can use the options from the main application menu to see a preview of the finished image, save it to your local memory, or share the picture with any application on your handset that is configured to accept images. This includes applications like Facebook, Twitter, or the default Messaging app. <a href="https://guardianproject.info/wp-content/uploads/2011/06/09_processed.png" rel="lightbox[1166]" title="09_processed"><img class="aligncenter size-medium wp-image-1172" title="09_processed" src="https://guardianproject.info/wp-content/uploads/2011/06/09_processed-180x300.png" alt="" width="180" height="300" /></a></li>
</ol>
<h4>Share With Us and &#8220;Save Your Face&#8221;!</h4>
<p>As impediments to visual privacy continue to expand, help us get the word out that we can take back control over our online identities with ObscuraCam! We&#8217;ve set up a <a href="https://www.facebook.com/pages/ObscuraCam-Saving-Your-Social-Face/110765659013081">Facebook Page</a> where you can share your creations with us, and with each other!</p>
<h4>Source Code &amp; Issue Reporting</h4>
<p>We&#8217;re big fans of open source and living in public. Consistent with all our projects, source code for the SecureSmartCam project, along with the ObscuraCam release, is available online at <a href="https://github.com/guardianproject/SecureSmartCam">GitHub</a>.</p>
<p>We also use GitHub to manage our development milestones and active bugs / issues. If you encounter any bugs or issues when testing out this beta build, please report them directly to us in the comments below or by filing directly on the <a href="https://github.com/guardianproject/SecureSmartCam/issues">Issues</a> page.</p>
]]></content:encoded>
			<wfw:commentRss>https://guardianproject.info/2011/06/23/announcing-obscuracam-v1-enhance-your-visual-privacy/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>

