These are interesting times, if you go by Times Magazine as an indicator. The magazine’s person of the year for 2011 was The Protester, preceded in 2010 by Facebook founder Mark Zuckerberg. Both entities partners with equal stake in freely sharing the digital content that shows the world what’s going on in it, at any time, from behind any pair of eyes.
Also casting in their lot with the others is Time Magazine’s 2006 person of the year, You: the You that puts the “you” in “user-generated content;” the You whose miasma of bits, bytes, and the powerful images they express are becoming increasingly problematic. Problematic and exciting. As governments, police forces, and other power players here and abroad crack down on voices of dissent, it is only You, The Protester, armed not with a press pass, but with a smartphone and a Twitter account, who brings the rest of the world its news. You do it mainly without either the support or permission of those in power, and this makes you a very important person in the world.
The smartphone’s role in the defense of human rights has thus become ever-more clear. How can we make it clearer? Our latest project, InformaCam, tackles this issue head-on. In collaboration with Witness.ORG and the International Bar Association, we’re building a powerful tool to create iron-clad digital images and video that could, should the occasion arise, be used in courts of law to bring justice. This is no small feat– with this project we are helping create the first evidentiary standards for digital media in the social networking age. So, there’s been a lot of excitement these past few weeks about InformaCam, as well as a lot of mystery. It’s time to give the project a proper unveiling.
InformaCam is a plugin for ObscuraCam that allows the user, without much intervention on their own part, to inflate image and video with extra points of data, or metadata. The metadata includes information like the user’s current GPS coordinates, altitude, compass bearing, light meter readings, the signatures of neighboring devices, cell towers, and wifi networks; and serves to shed light on the exact circumstances and contexts under which the digital image was taken. Some users will already be familiar with ObscuraCam, which allows for capturing and digitally manipulating media. With InformaCam included, the app starts to behave almost like Adobe Photoshop or GIMP, supporting non-destructive, layer-based edits to media. This means that a version of an image can be created with any sensitive image data and metadata preserved and encrypted to trusted entities, along with a redacted version that has its metadata stripped which can be easily shared to Facebook, Twitter, Flickr, or any public service the user wishes to use.
How InformaCam Works
The workflow is similar to that of ObscuraCam, but with a few key differences. Notice that on start-up, the app triggers the on-board sensors. (Notifications in the top right corner clearly indicate the GPS and Bluetooth modules have been turned on.) This allows the app to register sensory and atmospheric data throughout the session. These “bundles” of data contain the following:
- Current timestamp
- Device’s identification
- User’s public (PGP) key
- Image Regions created in the image/video
- Current latitude & longitude
- Current cell ID (if available)
- Altitude
- Compass bearing
Whether the user is taking a picture, or editing an existing piece of media, the app registers the goings-on, and signs each bundle of data with the user’s private key. This mean that all actions taken on a piece of media (from capture to editing) are attributed to the user.
As with ObscuraCam, the user can perform image filtering and obfuscation on image regions. InformaCam also adds the “Identify” filter, which prompts the user for the subject’s name (or pseudonym) and to fill in whether or not the subject has given his or her consent to be filmed. This checklist of subject permissions can be further developed to match the needs of any organization to provide further protection to the people in front of the camera. Notice again the sensor notifications: the context surrounding each edit to the image is recorded and will be inserted into the media as metadata once the media is saved.
When the user saves the image or video, a dialog appears prompting her to choose one or more “trusted destinations.” This could be an organization, a news outlet, or any friend whose PGP key is known to you. A copy of the unredacted, data-rich image will be created and encrypted to those parties. At the same time, a redacted and data-stripped version is made available to share with anyone, anywhere.
 |
 |
| Using the InformaCam “Identify” filter. | Select a Trusted Destination for your encrypted media. |
The Informa Metadata Schematic
The metadata is organized in four categories: intent, consent, geneaology, and data. Here’s a rundown of what these categories mean.
Intent
This expresses information about the media’s creator, and the rules governing how this particular media object can be shared, and to whom.
Consent
This bucket of information regards the subjects contained in the image. Each subject is identified (by a name or pseudonym selected by the user) along with their stated preferences regarding treatment of their likeness. For example, if Bobby insists that he wants his face to be fully redacted (rather than blurred) this preference should be registered in metadata.
Genealogy
This information regards chain-of-custody, and represents how the media was acquired, and if a particular image or video is a duplicate of another.
Data
This category includes all standard metadata (timestamp, acquired sensory data, location and movement data) that have been collected during the lifetime of the image, from the moment it was opened to the instant it was saved.
A sample metadata bundle for an image taken with InformaCam looks like this in JSON notation:
{
"data":{
"device":{
"bluetoothInformation":{
"selfOrNeighbor":-1,
"deviceBTAddress":"00:25:36:79:EC:6C",
"deviceBTName":"nexxxie"
},
"imei":"363289131048142"
},
"sourceType":101,
"imageRegions":[
{
"regionDimensions":{
"height":256,
"width":256.00006103515625
},
"regionCoordinates":{
"left":527.705078125,
"top":196.15255737304688
},
"obfuscationType":"Identify",
"location":{
"locationType":11,
"locationData":{
"gpsCoords":"[40.7085011,-73.9668647]",
"cellId":"36789325"
}
},
"captureTimestamp":{
"timestamp":1326216508313,
"timestampType":7
},
"subject":{
"consentGiven":"general_consent",
"informedConsentGiven":true,
"subjectName":"Harlo!"
},
"unredactedRegion":"I@4070cf30"
}
],
"imageHash":"f18e7510faaad0d942db68b5c75f219a",
},
"geneaology":{
"dateAcquired":0,
"localMediaPath":"\/mnt\/sdcard\/DCIM\/Camera\/1326216520426.jpg",
"dateCreated":1326216527629
},
"intent":{
"owner":{
"ownershipType":25,
"ownerKey":"MY-IDENTITY-IS-HERE"
},
"securityLevel":1,
"intendedDestination":"[\"harlo.holmes@gmail.com\"]"
}
Your Help
InformaCam is a work-in-process, and we’d love help from the community in fleshing out our metadata specification, especially in adding new items to the consent checklist. Feel free to contact us with any suggestions/comments, or just leave some helpful tips in the comments below.
This is a great idea, but there should be two things made sure:
– Obfuscation of the app itself, because investigators may get warned if they find this app on a users device.
– Security for the sender. There should be no way to forward the image with the full metadata unencrypted, as this would be dangerous for the photographer. In the hurry of a editorial office a copy may be published online with all data. There could be a second app which shows both data, but will not export them together.
Thank you for the feedback, Werner. Those are both excellent points. We are generally working on App Obfuscation for all of the apps we developed, and that will extend to InformaCam. As for the second point, there is currently no point where we create a version of the photo or video with the unencrypted data in it. We have a tool for analysis and visualization of the data once it is extracted, but from that point, it has only been received by a trusted party.
“signs each bundle of data with the user’s public key.”
This should read “private key”. The public key is – as the name implies – available to everyone, so that would not work as an authentication of the original source.
Ah, yes Kai. Thanks for finding the mental typo. Will fix it!
Great idea! One thing to keep in mind: It is not particularly difficult for criminals or secret services to falsify location-data (on Android you can even enable fake positions in the developer options, which you can detect in your App though). If a device has been modified with a custom rom (or is connected to a modified bluetooth gps) it is almost impossible to detect if the location is correct or not. Have you thought about aggregating data from different persons in the same location in order to check the trustworthiness of the footage?
We are actually partnering with a project at UC Berkeley called Rashoman, which is working on visualization of aggregated media: http://automation.berkeley.edu/rashomon/
We are also definitely aware of the many ways you can fake input data into an Android device, and are working to defend against them. We appreciate you highlighting a few of these here!
Is there an expected release date for this?
Can’t say enough good things about InformaCam, and the other privacy products at The Guardian Project. Thank you for your efforts and look forward to seeing what App comes next. Keep up the good work!! Darren Chaker