element-hq / element-android

A Matrix collaboration client for Android.
https://element.io/
GNU Affero General Public License v3.0

Image metadata stripping should be disable-able #6243

Open RedAuburn opened 2 years ago

RedAuburn commented 2 years ago

Your use case

What would you like to do?

I need to send photos with the geotag preserved

How would you like to achieve it?

Ideally, a switch to enable or disable metadata stripping when uploading an image.

Additional context

see also: https://github.com/vector-im/element-android/issues/3539#issuecomment-1140045291

Are you willing to provide a PR?

I'll try

basings commented 2 years ago

@endim8 thanks for opening the issue, I should've probably done that myself!

I should add that it's not only about the geo location but other exif data like when the image was created originally.

An example why exif data is actually important:

Today, Alice takes a photo of Bob and sends that image to Bob via matrix/element. Bob has the photo but all information about it is gone. One year later, he looks at the photo and increases saturation in order to enhance it. What he does not know is that there is no DateTimeOriginal in the photo and now he has to use another tool to restore the date from the file name. This is only possible if he did not modify the filename. If there was exif data, this wouldn't be an issue in the first place.

The above example shows why sending photos over e.g. WhatsApp is a dumb idea. Until a couple of weeks ago, I actually thought that element wouldn't remove the data, and element doesn't remove the original time but the geo location. I was really confused and had to look into old photos and exif data was not removed back then. When I found matrix, I had a test flight and then ditched WhatsApp completely. It was super easy to convert people back then because always when someone wanted to send me an image I told them about the above problem with WhatsApp and everyone loved matrix/element because of this "feature". It took me one or two months to convert everyone. I must have missed the release note that exif data is removed and now I have a similar problem with matrix that I had with WhatsApp. And although I knew about the exif problem, we were happily sending photos back and forth because element was supposed to solve this problem. It's only after a while that you actually face consequences when dealing with this kind of information.

Removing geo location is a different problem than removing the time. Time is oftentimes included in the filename but geo location isn't. The technically inclined person may restore the time and although it's incredibly cumbersome, you can add geo location back to images. I did it, and it takes a lot of time.

People should not be mothered, but educated. When sending an image to a person you don't know or don't want to have the exif data, remove it beforehand. It should not be the case that I have to zip photos in order to send them. I should be able to quickly send a photo of Bob to Bob without needing to use another form of communication like email or upload the file to a cloud and then send the link or an invitation to Bob. I should be able to just send the image without facing consequences in the future.

Why is geo location in images incredibly useful?

Over the weekend, Alice and Bob are on vacation in Neverland. Alice takes photos of Bob and sends them to him via matrix. Ten years later, Bob wants to look at those images and looks for them in his image folder. He searches for a long time and can't find them because there are too many other images and he doesn't remember the exact date. Luckily Alice sent Bob the image in 2020 and he can open his favorite image gallery (e.g. aves) and look for the image on a map. He finds the image immediately because there are no other images in Neverland. In 2022, they went on a trip in Amsterdam but Bob can't find the images because the images contain no location information.

Proposal

I understand that there is a need for privacy against (unknown) threats from people you may (not) know. Nobody needs to know where I took the picture from my lasagna when I post it to facebook. But Bob needs to (or may) know the location where I took the lasagna.

There are people who know about the exif problem and there are people that do not know anything about exif at all. So far, I could determine following four threat models:

There are currently two possibilities to send a photo but no possibility to send an image with geo location:

The default case should be to send a compressed image. But it should not default to removing exif. So far, I could be on a limited data plan, and only want to send a compressed image, then the other person would have the image but no information about it. If I want the other person to have the information, there's no other possibility than to send the original file size. But as we already learned, geo location is removed as well.

There should be following options for sending images:

  1. compressed and removal of exif data
  2. compressed
  3. uncompressed and removal of exif data
  4. uncompressed

Example use cases for the above bullet points:

  1. Lasagna photo sent to a stranger
  2. Lasagna photo sent to a close friend
  3. Photo of a contract sent to a stranger
  4. Any photo sent to a close friend

Element should introduce the option to remove exif data for both, compressed and uncompressed images in the form of a checkbox. The first time you send an image in a room, you'll be prompted how to handle exif data

If the user checks in this room only, the prompt should appear in the next room as well when sending an image. Do not prompt again, when the user selects always

Further, there should be an option in the general settings to reset, remove or keep exif handling. And an option per room for exif handling, which is also reset when resetting the general setting.

Moreover, an additional checkbox may appear below the image. It could also only appear when "ask every time" is checked.

Optimally, it includes a clickable link to the exif data Wikipedia site for further research about exif or a short description of what exif is, such that the user does not need to leave element. The interested reader searches for exif anyway.

I can not think of a situation where removing geo location ONLY makes sense. Either I send an image to a trusted person and send exif or an untrusted person and don't send exif.

Final words

I hope this makes sense and the users of element get the ability to handle exif according to their needs.
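Added example, not part of the issue thread or of Element's code: a small checker that reports whether a JPEG still carries GPS coordinates and DateTimeOriginal, the two fields the comment above distinguishes, so a sender or recipient can verify what a client kept or stripped. The function names are hypothetical and `sample_jpeg` builds constructed test bytes rather than a real photo.

```python
import struct

EXIF_IFD, GPS_IFD, DATETIME_ORIGINAL = 0x8769, 0x8825, 0x9003  # Exif/TIFF tag ids

def find_exif(jpeg):
    """Return the TIFF block of the JPEG's Exif APP1 segment, or None."""
    pos = 2
    while jpeg[:2] == b"\xff\xd8" and pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, size = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + size]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        if marker in (0xDA, 0xD9):  # image data or end of image: no more metadata
            break
        pos += 2 + size
    return None

def read_ifd(tiff, off, bo):
    """Map tag -> (count, value-or-offset) for the IFD at `off`, bounds-checked."""
    n = struct.unpack_from(bo + "H", tiff, off)[0] if off + 2 <= len(tiff) else 0
    end = min(off + 2 + 12 * n, len(tiff) - 11)  # never read past the buffer
    return {t: (c, v) for t, _, c, v in
            (struct.unpack_from(bo + "HHII", tiff, p) for p in range(off + 2, end, 12))}

def audit(jpeg):
    """Report whether GPS coordinates and DateTimeOriginal are present."""
    found = {"gps": False, "datetime_original": None}
    tiff = find_exif(jpeg)
    if tiff is None or len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return found
    bo = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order
    ifd0 = read_ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
    if GPS_IFD in ifd0:
        gps = read_ifd(tiff, ifd0[GPS_IFD][1], bo)
        found["gps"] = 2 in gps and 4 in gps  # GPSLatitude and GPSLongitude
    if EXIF_IFD in ifd0:
        count, off = read_ifd(tiff, ifd0[EXIF_IFD][1], bo).get(DATETIME_ORIGINAL, (0, 0))
        found["datetime_original"] = tiff[off:off + count].rstrip(b"\x00").decode("ascii", "replace") or None
    return found

def sample_jpeg(with_gps):
    """Constructed test image: one Exif APP1 segment, no pixel data."""
    ifd = lambda *e: struct.pack("<H", len(e)) + b"".join(struct.pack("<HHII", *x) for x in e) + bytes(4)
    x = 26 + 12 * with_gps  # offset of the Exif IFD, right after IFD0
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd((EXIF_IFD, 4, 1, x), *[(GPS_IFD, 4, 1, x + 38)] * with_gps)
    tiff += ifd((DATETIME_ORIGINAL, 2, 20, x + 18)) + b"2020:07:04 12:00:00\x00"
    if with_gps:  # latitude and longitude, three RATIONALs each (made-up values)
        tiff += ifd((2, 5, 3, x + 68), (4, 5, 3, x + 92)) + struct.pack("<12I", 1, 1, 2, 1, 3, 1, 4, 1, 5, 1, 6, 1)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\x00\x00" + tiff + b"\xff\xd9"
```

Running `audit` on a file before sending and on the copy the recipient downloads shows which of the two fields survived the upload.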

basings commented 2 years ago

In addition to that, there was a proposal for signal to handle this with icons instead of a checkbox, which is also very neat. https://community.signalusers.org/t/add-option-to-keep-or-strip-meta-data/3005/6