thumbnails privacy violation hazard

Bug #94230 reported by Ian Jackson
Affects              Status     Importance  Assigned to          Milestone
libgnomeui           New        Undecided   Unassigned
libgnomeui (Ubuntu)  Confirmed  Medium      Ubuntu Desktop Bugs

Bug Description

Binary package hint: eog

Using a fresh feisty beta 20070302.1 desktop install, I did the following:
 1. Took a photo with my digital camera using an otherwise empty memory card
 2. Removed the memory card from the camera and inserted it (via a USB flash adaptor) into one of the USB slots on the computer.
 3. When offered the choice whether to "import" the photos, declined saying "ignore".
 4. Browsed the contents of the memory card using the Nautilus file manager
 5. Observed the image thumbnail which was visible in Nautilus
 6. Opened the image in eog
 7. Closed eog and the relevant nautilus windows
 8. Selected "unmount volume"
 9. Rebooted with the "Restart" option from the top-right-hand Quit button
10. While the computer was rebooting, removed the flash card
11. Observed that when the computer was rebooted and I had logged in, .thumbnails/normal/<long string of hex>.png was a thumbnail of my image.

Note that the computer here has silently made a record of what was on the flash card. Knowledgeable users can easily find this information and this poses a hazard to naive users of digital cameras.

Arrangements should be made for these thumbnails to be in encrypted swap. Failing that, the thumbnail cache should be disabled or frequently cleared.

Tags: privacy
Revision history for this message
Sebastien Bacher (seb128) wrote :

That's a tricky bug: regenerating thumbnails again every time you browse a directory would not be a nice user experience, and asking users if they want to store them every time you open a directory would not be usable. Any idea on what could be changed?

Changed in eog:
assignee: nobody → desktop-bugs
importance: Undecided → Medium
status: Unconfirmed → Confirmed
Ian Jackson (ijackson) wrote : Re: [Bug 94230] Re: thumbnails privacy violation hazard

Sebastien Bacher writes ("[Bug 94230] Re: thumbnails privacy violation hazard"):
> That's a tricky bug, regenerating thumbnails again every time you browse
> a directory would not be a nice user experience, asking user if they
> want to store them every time you open a directory would not be usuable.
> Any idea on what could be changed?

Possibilities which occur to me include:

* Store the thumbnails in a tmpfs. If we had encrypted swap (which we
  really ought to have anyway) then that would pretty much solve the
  privacy problem with not too much loss of performance.

* Store the thumbnails in the same directory as the images themselves
  (and automatically prune old thumbnails). This has much better
  privacy properties but it may not be trivial to do on non-sane
  filesystems. Another problem is that removable flash media (often
  used for image storage) tend to be rather slow and also wear out
  faster if you make `unnecessary' writes.

* Encrypt each thumbnail with a key derived from the full file
  contents. This would need some careful design (of both crypto and
  surrounding machinery).

Ian.

cb474 (cb474) wrote :

The .thumbnail/normal file is also problematic if you work with large quantities of images. The file can become huge and take up a great deal of disk space. Not everyone needs to save a thumbnail of every image they look at. I recently discovered my .thumbnail/normal file size is 375 MB.

Loïc Minier (lool) wrote :

What's the difference with a browser cache?

Ian Jackson (ijackson) wrote :

Loïc Minier writes ("[Bug 94230] Re: thumbnails privacy violation hazard"):
> What's the difference with a browser cache?

The browser cache contains images you've viewed on websites, ie
probably not images that you took and that are probably not of you.

(Also browser cache privacy problems are more widely publicised and
there are some options available for mitigating the risks.)

Ian.

Loïc Minier (lool) wrote :

Hmm I think you can also browse private photos on the web; the browser might also have stored passwords etc.

As you said, browsers provide some options to e.g. clean up after a web session. I think a similar option might make sense at the desktop level: "erase my traces for this desktop session". Doing it at the desktop level could even affect the browser session. :)

I think a new package specialized in cleaning stuff on logout could achieve such a task.

Hannes_S (x-hannesstruss) wrote :

I just encountered this issue. Perhaps you could

- shorten the period thumbnails are kept on the disk
- only cache pictures on devices listed in /etc/fstab

I would prefer the thumbnail cache getting cleaned on logout, as Loïc Minier suggested. Perhaps this could be optional.
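
One concrete shape for the logout cleanup and the shorter retention period suggested in the two comments above, as an added example that is not code from this bug thread or from GNOME: it reads the Thumb::URI key that the freedesktop thumbnail spec stores in every cache PNG and prunes entries that point at removable media or are older than a week, which is the inverse of caching only fstab-listed devices. The cache location, the /media and /mnt prefixes and the three sample images are assumptions; the PNGs are constructed in the script itself so it runs offline.

```python
import hashlib, os, struct, tempfile, time, zlib
REMOVABLE_PREFIXES = ("file:///media/", "file:///mnt/")  # assumed removable mount points

def thumbnail_name(uri):
    """Cache file name per the freedesktop thumbnail spec: md5 of the URI + '.png'."""
    return hashlib.md5(uri.encode()).hexdigest() + ".png"

def _chunk(ctype, data):  # one PNG chunk: length, type, data, crc32 over type+data
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xffffffff)

def make_thumbnail_png(uri):
    """Constructed 1x1 grey PNG carrying the Thumb::URI key a thumbnailer writes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Thumb::URI\x00" + uri.encode())
            + _chunk(b"IDAT", zlib.compress(b"\x00\x80")) + _chunk(b"IEND", b""))

def read_text_chunks(png):
    """Return {key: value} for every tEXt chunk; {} if the data is not a PNG."""
    out, pos = {}, 8 if png.startswith(b"\x89PNG\r\n\x1a\n") else len(png)  # non-PNG: skip
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if ctype == b"tEXt" and b"\x00" in data:
            key, _, value = data.partition(b"\x00")
            out[key.decode("latin-1")] = value.decode("latin-1")
        pos += 12 + length  # skip length, type, data and crc
    return out

def prune_thumbnails(cache_dir, max_age_days=7, prefixes=REMOVABLE_PREFIXES):
    """Delete thumbnails that point at removable media or are older than max_age_days."""
    removed, cutoff = [], time.time() - max_age_days * 86400
    for name in os.listdir(cache_dir):
        path = os.path.join(cache_dir, name)
        with open(path, "rb") as f:
            uri = read_text_chunks(f.read()).get("Thumb::URI", "")
        if uri.startswith(prefixes) or os.path.getmtime(path) < cutoff:
            os.remove(path)
            removed.append(uri or name)
    return sorted(removed)

def demo():
    """Fill a temporary cache with three constructed thumbnails, then prune it."""
    cache, old = tempfile.mkdtemp(), "file:///home/me/Pictures/old.jpg"
    for uri in ("file:///media/disk/DCIM/IMG_0001.JPG", "file:///home/me/Pictures/cat.jpg", old):
        with open(os.path.join(cache, thumbnail_name(uri)), "wb") as f:
            f.write(make_thumbnail_png(uri))
    os.utime(os.path.join(cache, thumbnail_name(old)), (0, 0))  # backdate old.jpg's thumbnail to 1970
    return prune_thumbnails(cache)
```

Run against a real cache by calling prune_thumbnails on ~/.thumbnails/normal (or ~/.cache/thumbnails/normal on newer desktops) from a logout hook; the cat.jpg entry on a fixed disk survives, so the cache still does its job for local pictures.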

Dave (david-ayres3) wrote :

Just my two cents:

Shortening the period thumbnails are kept on the disk is the best idea so far. While not perfect, it's simple and effective.

I like both the idea of having a logout cleanup and /etc/fstab as well, however I see a few issues that may arise:

- As Sebastien said, regenerating the thumbnails would drive users every time they reboot and access a folder with tons of pictures
- The fstab fix would affect external USB hard drives resulting in the same regeneration issue.

David Tomaschik (matir) wrote :

Whatever solution is found should DEFINITELY be made an optional one. I regularly work with a lot of image files, and I would HATE it if thumbnails constantly had to be regenerated. .thumbnails is essentially a cache for the file browser.

What RISK is associated with the .thumbnails directory? Only someone with access to your computer can see the files. At that point, I think you have bigger worries than some thumbnails.

tags: added: privacy
Jouke (digigram) wrote :

The privacy tool introduced in 12.04, which claims to delete the "history", should also delete the thumbnails created during that period.
