thumbnails privacy violation hazard

Bug #94230 reported by Ian Jackson on 2007-03-20
34
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libgnomeui
New
Undecided
Unassigned
libgnomeui (Ubuntu)
Medium
Ubuntu Desktop Bugs

Bug Description

Binary package hint: eog

Using a fresh feisty beta 20070302.1 desktop install, I did the following:
 1. Took a photo with my digital camera using an otherwise empty memory card
 2. Removed the memory card from the camera and inserted it (via a USB flash adaptor) into one of the USB slots on the computer.
 3. When offered the choice whether to "import" the photos, declined saying "ignore".
 4. Browsed the contents of the memory card using the Nautilus file manager
 5. Observed the image thumbnail which was visible in Nautilus
 6. Opened the image in eog
 7. Closed eog and the relevant nautilus windows
 8. Selected "unmount volume"
 9. Rebooted with the "Restart" option from the top-right-hand Quit button
10. While the computer was rebooting, removed the flash card
11. Observed that when the computer was rebooted and I had logged in, .thumbnails/normal/<long string of hex>.png was a thumbnail of my image.

Note that the computer here has silently made a record of what was on the flash card. Knowledgeable users can easily find this information and this poses a hazard to naive users of digital cameras.

Arrangements should be made for these thumbnails to be in encrypted swap. Failing that, the thumbnail cache should be disabled or frequently cleared.

Sebastien Bacher (seb128) wrote :

That's a tricky bug, regenerating thumbnails again every time you browse a directory would not be a nice user experience, asking user if they want to store them every time you open a directory would not be usuable. Any idea on what could be changed?

Changed in eog:
assignee: nobody → desktop-bugs
importance: Undecided → Medium
status: Unconfirmed → Confirmed

Sebastien Bacher writes ("[Bug 94230] Re: thumbnails privacy violation hazard"):
> That's a tricky bug, regenerating thumbnails again every time you browse
> a directory would not be a nice user experience, asking user if they
> want to store them every time you open a directory would not be usuable.
> Any idea on what could be changed?

Possibiltiies which occur to me include:

* Store the thumbnails in a tmpfs. If we had encrypted swap (which we
  really ought to have anyway) then that would pretty much solve the
  privacy problem with not too much loss of performance.

* Store the thumbnails in the same directory as the images themselves
  (and automatically prune old thumbnails). This has much better
  privacy properties but it may not be trivial to do on non-sane
  filesystems. Another problem is that removeable flash media (often
  used for image storage) tend to be rather slow and also wear out
  faster if you make `unnecessary' writes.

* Encrypt each thumbnail with a key derived from the full file
  contents. This would need some careful design (of both crypto and
  surrounding machinery).

Ian.

cb474 (cb474) wrote :

The .thumbnail/normal file is also problematic if you work with large quantities of images. The file can become huge and take up a great deal of disk space. Not everyone needs to save a thumbnail of every image they look at. I recently discoverd my .thumbnail/normal file size is 375mb.

Loïc Minier (lool) wrote :

What's the difference with a browser cache?

Ian Jackson (ijackson) wrote :

Loïc Minier writes ("[Bug 94230] Re: thumbnails privacy violation hazard"):
> What's the difference with a browser cache?

The browser cache contains images you've viewed on websites, ie
probably not images that you took and that are probably not of you.

(Also browser cache privacy problems are more widely publicised and
there are some options available for mitigating the risks.)

Ian.

Loïc Minier (lool) wrote :

Hmm I think you can also browse private photos on the web; the browser might also have stored passwords etc.

As you said, browsers provide some options to e.g. cleanup after a web session. I think a similar option might make sense at the desktop level: "erase my traces for this deskop session". Doing it at the desktop level could even affect the browser session. :)

I think a new package specialized in cleaning stuff on logout could achieve such a task.

Hannes_S (x-hannesstruss) wrote :

I just encountered this issue. Perhaps you could

- shorten the period thumbnails are kept on the disk
- only cache pictures on devices listed in /etc/fstab

I would prefer the thumbnail cache getting cleaned on logout, as Loic Minier suggested. Perhaps this could be optional.

Dave (david-ayres3) wrote :

Just my two cents:

Shortening the period thumbnails are kept on the disk is the best idea so far. While not perfect, it's simple and effective.

I like both the idea of having a logout cleanup and /etc/fstab as well, however I see a few issues that may arise:

- As Sebastien said, regenerating the thumbnails would drive users every time they reboot and access a folder with a tons of pictures
- The fstab fix would affect external USB hard drives resulting in the same regeneration issue.

David Tomaschik (matir) wrote :

Whatever solution is found should DEFINITELY be made an optional one. I regularly work with a lot of image files, and I would HATE it if thumbnails constantly had to be regenerated. .thumbnails is essentially a cache for the file browser.

What RISK is associated with the .thumbnails directory? Only someone with access to your computer can see the files. At that point, I think you have bigger worries than some thumbnails.

tags: added: privacy
Jouke (digigram) wrote :

The in 12.04 introduced privacy tool, which claims to delete the "history" should also delete the thumbnails created during that period.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers