Facebook Images To Get Expiration Date 306
Pickens writes "BBC reports that researchers have created software that gives images an expiration date by tagging them with an encrypted key so that once this date has passed the key stops the images being viewed and copied. Professor Michael Backes, who led development of the X-Pire system, says development work began about 18 months ago as potentially risky patterns of activity on social networks, such as Facebook, showed a pressing need for such a system. 'More and more people are publishing private data to the internet and it's clear that some things can go wrong if it stays there too long,' says Backes. The X-Pire software creates encrypted copies of images and asks those uploading them to give each one an expiration date. Viewing these images requires the free X-Pire browser add-on. When the viewer encounters an encrypted image it sends off a request for a key to unlock it. This key will only be sent, and the image become viewable, if the expiration date has not been passed."
Debunked (Score:5, Insightful)
Slashdot users debunk this scheme as stupid in 5... 4... 3...
Re: (Score:2)
Bravo!
Re:Debunked (Score:5, Insightful)
Oh yes, and your friends will not be able to see your pictures unless they download a plugin ("huh...what's that??"), and possibly use a specific browser ("huh? why?").
So yeah, pretty stupid overall. This is another sad attempt at a form of DRM.
Re:Debunked (Score:5, Insightful)
Re: (Score:3, Insightful)
Re: (Score:2)
No, only the first time you view the image. Then your hacked version of the plugin saves the key and publishes it to the "people have tried this before and failed" memorial server.
Plus, odds are they've screwed up the method of encryption and someone will be able to use information like the layout of standard image file formats as cribs to brute-force decrypt t
Re: (Score:2)
Because if Facebook added that service, this third-party wouldn't be able to tell which pictures you're looking at. I mean, did you think they wouldn't keep track of which IP addresses and which browsers request which image keys?
Re: (Score:3)
This all seems like a lot of work to protect people too stupid to not upload pictures to the Internet that they think might cause them problems later...
Re: (Score:2)
I should also add: why not just have a service to delete the image automatically from facebook after N days? Encryption is absolutely not needed here and achieves nothing.
It probably gives them something they can file a patent for that doesn't have prior art existing as a chron job.
What would make more sense is people deleting images off Facebook themselves after a few days of them being online so all their friends have a chance to see them, or not uploading potentially embarrassing photos to start with?
Re:Debunked (Score:4, Insightful)
My thought exactly. They needed 18 months to develop this and didn't even come up with the fact that their solution is significantly inferior to the most obvious solution?
So close... :)
Deleting the image from Facebook is forever, if you trust Facebook. If you don't trust Facebook, then you might as well assume they are using a scripting tool to crank through the encrypted images as soon as they are posted and taking an unencrypted copy for themselves.
This allows easy copying until the image is expired, and in a week there'll be a deXPire on every Linux repository that will ensure easy copying after the image is expired. Deleting the image makes it unavailable for everyone who hasn't already made a copy. "X-Piring" the image makes it and all other "expired" images available to anyone who wants to go to the trouble of "apt-get install deXPire-mozilla-plugin".
Re:Debunked (Score:5, Informative)
Even theoretical trust in Facebook is misplaced. Here's a piece of news that you may have forgotten in the multitude of fucked up things Facebook has done over the past few years:
Deleted' images are never deleted. [arstechnica.com]
In my experience, they are de-linked, but remain at the exact same URL. Also, they remain there even though my account has been "closed" for almost two years. Personally tested with dozens of images.
The fact is, "Deleting the image from Facebook is not done."
Re: (Score:2)
Re: (Score:2)
"Every young person one day will be entitled automatically to change his or her name on reaching adulthood in order to disown youthful hijinks stored on their friends’ social media sites."
-- Eric Schmidt
Re: (Score:2)
As a thinking being I think it may have been a good idea for all those pictures of Britney Spears' diseased clam to have an expiration date. Or goatse... or..... shudder ...... two girls one cup.
Re: (Score:2)
*printscreen* *paste*
Re: (Score:2)
In fact, someone should create, say, a Greasemonkey script that will look for such postings of "encrypted" images and automatically post the key as a comment (and to your wall as well, so they can't just delete the comment).
This is just stupid in so, so many ways.
Re:Debunked (Score:5, Interesting)
We would need to wait till HTML5 is here; its built-in magic might suffice to implement a viewer. But then how do they inject that code into facebook so that nobody has to grab the viewer on their own?
Their Auto-tagger scans faces and asks users for the names of every face it has already framed in your pictures, and FB also does resizing and thumbnailing that clearly know when picture data is *not* what they're parsing after the upload. Facebook also isn't going to let you upload something that's clearly a noisy and corrupted JPEG file.
They already changed their uploader so it compresses your images before they go out, and all I need is a slashdotter with an FB account to confirm that they can't even start to upload a binary disguised as a JPEG.
Re: (Score:3)
Unfortunately, due to that compression/resizing Facebook performs, the data did not survive (even with OutGuess' ECC option enabled and using Facebook's "download in high resolution" link).
Two real solutions ... (Score:3)
(2) Have facebook allow a user to subcategorize friends, subcategories would just be a configuration item not a publicly displayed state. Perhaps family, friends and coworkers. You can then tag photos to be only shown to particular subcategories.
Re: (Score:2)
Re: (Score:2)
Agreed.
Completely idiotic.
What does this system do that couldn't be solved with an alter table statement to add an expiration date field on photos and a cron job to delete expired ones?
Who the hell wants to install a browser plugin.
Hey... 1995 called, it wants its browser plugins back.
Facebook runs on hundreds (?) of platforms besides a browser.... completely idiotic.
What the hell does it take to be called a "researcher" these days?
Re: (Score:2)
Hey... 1995 called, it wants its browser plugins back.
This, a million times over.
people need to stop thinking of web apps in terms of "Internet explorer users". people FINALLY moved into the idea that you MIGHT have to support Firefox+IE, but need to stop thinking of the browser as a single platform.
Re: (Score:3)
But - guess what else the browser plugin will be doing...
Re: (Score:2)
It is a ridiculous idea that will never work. But, it might be fun to use just to piss off Facebook.
Re: (Score:2)
I refuse to even click on a link to an article with that much derp in it.
The funny thing is that the non-Slashdot crowd will think this is a great idea.
Re: (Score:2)
Until... (Score:5, Insightful)
Re: (Score:3)
Time for an army of people with screwdrivers to rove the world and steal all the Prnt Scrn keys?
Re: (Score:2)
Of course, this turns the service into a trusted third party, and I strongly doubt that the keys wi
Re:Until... (Score:5, Insightful)
More to the point, it can be solved just as easily if Facebook would:
More importantly, it fails because:
The decision about how long I should be tagged in a photo must be my decision, not the decision of the person who posts the photo. Any scheme that does not achieve this goal is completely missing the point.
Re: (Score:2)
2. You make bad decisions. (This is based on your choice of "Friends" not the image itself.)
Re: (Score:2)
that may be the point, but the reality is that it doesn't' work.
Re: (Score:2)
Re:Until... (Score:5, Insightful)
Re:Until... (Score:5, Insightful)
I think this misses the point somewhat. Don't we all hate DRM because those schemes are a real bitch for data portability and long term archives? Which is it, then?
The reason you put a timed kill switch on an archive is not because people in the present will use it in ways you dislike -- if that were true, why create or share it at all? The point is rather to piss off and disrupt the people in the far future who are post-facto digging through archives on you. Internet research hinges on how easy it is to find things. This would probably make it harder to find things that have expired.
Security exists in an ecosystem. Everything can be broken. But the only questions that matters is will it actually happen most of the time?
Cracked! (Score:4, Insightful)
I can't quite figure out how they'll stop me from taking a screenshot of the encrypted image.
Re: (Score:2)
This is the internet where the honor system reigns supreme!
I kind of like it here in the tubes, and I think I'll stay a while.
Re:Cracked! (Score:5, Insightful)
It's not useless, and it's not perfect. Not a terrible idea though.
Re: (Score:2)
It's not useless, and it's not perfect. Not a terrible idea though.
It is a terrible idea.
Here's the need: I'm in college. I post crazy college pics for my friends to see while I'm in college. Next year, when I'm graduated and interviewing for jobs, I don't want those pictures available.
Here's the solution:
Make the pics private. Make them only available to friends on facebook. Or use some other hosting service with password protection.
Or even easier--rather than have a service host the keys and promise t
Re: (Score:2)
You have failed to understand him. He DOES trust his friends with the pictures. He wants to prevent his FUTURE EMPLOYER from seeing them. Therefore he makes the pictures available only to his friends, not to everyone on Facebook. XPire Not Required.
Re: (Score:2)
Theoretically, if they are true friends, you should feel secure in leaving those pictures there. However, by virtue of your desire to take those pictures offline after college, you have exposed your distrust in your friends.
No, I think the suggestion was posting it as public when in college, and making it for his friends only after graduating. Your friends always have access to them.
Re: (Score:2)
If we're not counting a Print Screen or some kind of exported copy as a crack then a much simpler solution would be for Facebook to include a "Expire Image On" feature. Leave the date blank and the image stays forever (or until Facebook is shut down, whichever comes first). But enter a date there and, once that date is reached, the image would be no longer accessible.
Like the X-Pire service, this would be vulnerable to a Print Screen or some other export system. However, an Expire Image On feature wouldn
Re: (Score:2)
On windows I know it can happen. I remember some kind of 'secure' image thing a long time ago ('97?) that could only be viewed inside a plug in, and if you tried to do a print screen, you just got an empty box. I don't know how of course, because even at the time I didn't care enough.
Perhaps something through Direct3D, since I know you can't do a screen capture of that kind of stuff.
Anyway, probaby still easy to circumvent, but not necessarily by print screen.
Re: (Score:3)
One of the satellite photo systems prior to googleEarth wanted to keep their images controlled and did something similar to this. You had to have their plugin to see the images and you had to run javascript to load them, and the javascript did something to disable the print-screen button -- on windows -- and the "save image" option. As I recall, the plugin didn't work on unix/linux so they were protected there.
Un
alt-prtscn (Score:3, Funny)
your feeble encryption is no match for my clipboard.
Re: (Score:2)
your feeble encryption is no match for my clipboard.
I came to post the exact same thing.
Further, why take the photo at all if you're not going to keep it for more than a limited time?
Re: (Score:2)
It's easy enough to create a loop that checks if the content of the clipboard changes and if so detect if it is a screenshot of the "protected" image and if so change the clipboard to be storing something else.
Obviously there are other methods that anyone on here could think of but this is facebook we are talking about. I'm not sure some of these people even know what printscreen does.
Re: (Score:2)
My print screen goes right to a file.
Re: (Score:2)
no pictures for linux users... (Score:5, Insightful)
because you can't lock the print screen out, right?
Re: (Score:2)
Oh come on, goatse was not that bad, go watch "A Serbian Film" :)
Hmm... (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:Hmm... (Score:4, Interesting)
Re: (Score:2)
Hey it ain't an illegal drug, it's Salvia [thehollywoodgossip.com]!
Re: (Score:2)
I've worked for a number of people in my life: and I've told the ones who would reject an employee based on their youth that happen to be available on the internet to go fuck themselves.
I'm happy to take a pay cut if it'll change somebodies bad habits. I'm sick and tired of the constant attempts to prevent kids from having fun. Just because you never got to go to parties and get drunk with friends is not a valid reason to not hire people that did.
Re: (Score:3)
If the employer is that anal about off hours activities, it may well be better to not work there in the first place.
Re: (Score:2)
Re: (Score:2)
A simple screen shot means that the picture itself can go viral, even if the person's name is lost in the process. The internet has been kind enough to let most of these people remain anonymous so far. We don't care about the names of drunken college girls, we just like to laugh at and/or ogle them.
If you have the presence of mind to know that you don't want a future employer seeing the picture, you have the presence of mind not to post it, right? So long as things like this are optional (and they damn well
Re: (Score:2)
But you have no control over whether that is encrypted or not, as it's their picture.
Interesting, but implementation is false (Score:2)
Don't make clients install a plugin. The client is in an unknown state, and most people will just ignore it anyway.
Instead, target the individual companies ( like facebook, google, shutterfly, ect... ) with this technology.
Re: (Score:2)
Re: (Score:2)
Instead, target the individual companies ( like facebook, google, shutterfly, ect... ) with this technology.
Except they don't need this silly thing to have an expiration date, they could simply remove the picture. The theory here is that anyone who saves the image will save their encrypted format instead of a normal JPG. The outcome is as expected, people that think they've "backed up" their files from Facebook will lose their pictures and anyone that really wants a copy will take a screenshot and save as PNG. It's like a lock that inconveniences the residents but doesn't keep a single crook out, I'm sure this wi
I wish Facebook would expire (Score:5, Insightful)
Re:I wish Facebook would expire (Score:5, Funny)
Anonymous Coward likes this
Re: (Score:2)
Mod this up and consider it "Prior Art!" +1 I think MySpace would also like to subscribe to your newsletter! :)
More great science/tech reporting. . . (Score:3)
"tagging" something with an "encryption key" is something which doesn't make a lot of sense. I guess maybe someone would want to search for the file based on the key it was encrypted with? *grin*
You know an article is quality when stupid crap like that shows up in the very first paragraph. Who do these big media outlets hire to do their sci/tech articles anyhow? Apparently people who haven't got the faintest clue how things work, or how to explain to others how they work. Somehow, they seem to consistently find the absolutely *least qualified* people to write such articles.
X-Pire-copy-to-imgur browser add-on (Score:5, Insightful)
Which will result in something like the "X-Pire-copy-to-imgur browser add-on" which automatically decrypts the image and then posts a decrypted copy to imgur or whatever sharing site you want to use.
Not to mention all the large companies trolling facebook for photos and storing them for later use to provide background check style services/etc.
Once you post it, a copy has been made, once someone views it, a copy has been made. Those copies are outside your control. Even if you encrypt it, once someone views it, an unencrypted copy has been made, and it's once more out of your control.
Re: (Score:2)
CMD-SHIFT-4 *yoink*
Sadly, it's a total waste of time (Score:2)
...researchers have created software that gives images an expiration date by tagging them with an encrypted key so that once this date has passed the key stops the images being viewed and copied.
How long shell we wait before some fella creates a tool that copies those photos, backs them up somewhere after removing the so called encryption?
If they doubt this is possible, they need not look very far. The RIAA [riaa.com] knows a thing or two about this.
Flaw #2 (Score:2)
Flaw #1 that seems to be the focus so far is that you can capture the screen image an make an unencrypted copy. This will only prevent copying by unsophisticated users. (But isn't that exactly who it is for?)
Flaw #2 concerns me more. It is (one of) the same problem(s) as with most DRM - what happens when this key server goes poof? Now all your images are unreadable.
Re: (Score:2)
1) It's to remove them from specific facebook users. You know, the 18 year old dumb ass that is now out of college and looking for a job? WHen he is 18 it didn't amtter,m now it does. So looking for a Job interview and those pictures are gone when the potential employer is doing 'research'
2) Yes, thats a problem, but you could beuild this into facebook as a feature.
Idea? good.
implementation? bad
Re: (Score:2)
Flaw #2 concerns me more. It is (one of) the same problem(s) as with most DRM - what happens when this key server goes poof? Now all your images are unreadable.
So long as they hang around for more than a few months, that's not a flaw, its a feature!
I can't see it being that much of a problem, it just means its not available online, assuming the user has the original (or a back up) on their computer/phone/etc. so can be re-uploaded if necessary. And if they don't have a back up, worse that will happen is their picture gets removed from internet viewing a bit earlier than they expected, but they were planning on having it removed anyway
New Business Ideas (Score:2)
Crawl facebook and other sites which use this technology, grab and decrypt all such images, save them and sell a subscription to them.
Second Business Model:
Sell a hacked version of the plugin which allows you to save the image easily.
Hey, a good percentage of the public seems to think that DRM works, it's no wonder they keep coming up with stupid ideas like this....
Not a bad idea, but probably won't work anyways (Score:2)
Now the fact that this requires a 3rd party plugin to work is problematic. It creates a bottleneck, an extra poin
At least the plugin is free (Score:2)
Because you know....I install every free plugin that I come across just to view pictures and stuff.
LOL LOL (Score:2)
Okay... because i can never hit the print screen key or take a picture of whats on the screen with my camera and repost it.
*facepalm* (Score:4, Insightful)
*facepalm*
This whole concept should be on The Daily WTF.
Needless DRM. Expire things server-side. (Score:2)
This is just another form of DRM. Instead of keying on payments, it is based on a date, but the premise is the same; it is an unnecessary locking of a file which is trivially defeated (worst case scenario: take a screenshot!) and therefore not worth the annoyance. How about just adding the expiration date to the EXIF [wikipedia.org] (or other meta-) data in existing media formats? Any site (specifically Facebook, MySpace, etc) would then be able to revoke the media based on the expiration date. Adding an expiration fie
Or, you know (Score:2)
Just tag an expiration date when you upload the photo, and have a default date.
Un-X-Pire (Score:4, Insightful)
Also, I bet mine takes a lot less time to code than theirs.
the fbi will have the unlock key and will be able (Score:2)
the fbi will have the unlock key and will be able to bypass this.
Well this is certainly going to be adopted... (Score:3)
Facebook haven't done this, so I'm guessing they're either a bit short of development cash - or don't want this.
So, how might this work?
Well I'm guessing that either it's:
a brand new file format and the browser requests an external key when the photo display plugin kicks in - so so unlikely to take off, I'll just leave it there.
OR
it's encrypts the image and embeds in tags so the 'plugin' can detect it's a 'special image' and goes off to find a key to decrypt it.
Assuming it's the second, it has my interest. Sounds a little bit interesting - but then I start thinking.
If it's encrypted it's going to have 'look random' - so that's ballsed up the compression ratios of the jpg you uploaded.. and then well most sites tend to compress/thumbnail/crop or a combination of the above... well I don't quite see that working - no it couldn't
I guess maybe we're onto option C, I've just thought of. You don't upload the image, you upload a QR style pointer to the image - and the browser just inserts that in-line?
Well, maybe that would work.. but then these researchers just seem to have come up with a way of replacing an <img src= with a graphical pointer..
Oh and as everybody else has undoubtedly posted whilst I typed this, printsrn.
Maybe there's a market somewhere for pushing the whole public key encryption seamlessly into "stuff we upload" - to restrict or monitor view - but the problem that's never going to go away is that if one person can open it and wants to share it, then there's no security.
18 months, seriously? (Score:3)
development work began about 18 months ago
18 months to build this seems an awful lot, doesn't it? Ubuntu has released 3 versions in such a period!
I have a better idea (Score:3)
Solution to the wrong problem. (Score:2)
The problem isn't that people need a way to clear embarrassing information off of the internet, the problem is that they put it up there in the first place. From the time the kindergartener learns his first dirty word and proceeds to tell it to as many people as he possibly can, he will (hopefully) get chastised severely in short order, and learn, from that experience and many more, that there are certain things you simply don't do in polite society if you want to be treated kindly by those you care about.
Re: (Score:2)
I see a completely different problem with this (Score:2)
Think that the average FB User is not really the most technical or even security conscious person. He will hear "FB now keeps your pictures from circulating". And their reaction will probably be "Ok, then I can upload that pic that I didn't dare to because someone might download it. Now they can't download it and if someone gets it that shouldn't, I'll just retract it".
I foresee a lot of interesting fallout from this. Hopefully enough to get people aware of the privacy threat FB is.
NEWS! Slashdot Title Wrong (Score:5, Insightful)
identity of viewer (Score:2)
I am unimpressed... (Score:5, Interesting)
For the sake of charity, we will ignore obvious fuckuperry like "the project runs out of money in three months, and the keyservers go dark, millions of people's pictures(which, being users, they won't have backups of...) get hosed 15 months early" or "the keyserver gets rooted, a relatively small file called 'facebook_camwhores_dont_want_u_to_have_this.zip' appears on every torrent tracker on the wrong side of the tracks and the whole scheme collapses"...
First, the same psychological biases(excessive time discounting, poor inhibition triggering models, bad stability assumptions) and social processes(booze, peer pressure, etc.) that cause people to post pictures and stuff that they will later come to regret will, almost certainly, cause them to assign incorrect 'blackout dates' to the material they do post. 18 months is like, what, 3 failed attempts at "serious" relationships, a number of booze fueled rebounds, and an ill-advised make-up or two? It is also plenty of time for what you did last summer to appear before school officials, what you did a few semesters back to make the HR snoop's radar, etc. Even in a world of purely human, purely manual, threats, this scheme is going to be minimally effective in protecting the people who need it most(while, at the same time, managing to scotch a bunch of happily-married-high-school-sweethearts who have lousy backup practices).
Now, where this scheme really falls flat: This is the internet. It is more full of bots and spiders than is sci-fi written for the arachnid audience. Whatever tag or code is used to clue the plug-in in to the need for a decryption key is going to become a de-facto signal for "High probability of being juicy and/or embarassing". Now the bottom-feeding amateur porn sites won't even need humans or machine vision to find cheap filler content... Hell, facebook, and virtually all even slightly shady crawlers will likely fully support this scheme long before Apple approves iPhone support for it(Hey guys, now you can post your pictures to Facebook in a format your friends can't even see! Hooray!)...
That's the basic problem, right there. If the internet's long memory were confined to some specific location, the simple solution would just be to lean on them legally to provide twilighting tools. Trouble is, the internet's memory is long. And it is distributed across countless entities and jurisdictions. And much of the copying between memory stores is automatic. And records may not exist of a copy operation having occurred. And, with cheaper HDDs, even individual users on cheap laptops are now a formidable chunk of storage. If this scheme ever takes off(doubtful), how long do you think it will be before there exists the following: An OSX application called "iCrawl" that has an excellent UI, costs $20, and crawls and archives the facebook profiles of friends, friends of friends, out up to N levels, 3 competing win32 applications(one trialware, $19.99, with a totally custom widget set, one free, that crashes all the damn time and doesn't work, and one free and more or less functional; but installs a trojan), and a set of python wrappers for unixlike operating systems that make crawling your friends and fetching decryption keys as easy as writing a few scripts?
Barring the full-blown emergence of the dystopian trusted-computing future, with end-to-end DRM and hunter-seeker drones with worldwide lethal force authorization doing 24/7 traitor tracing, you don't get to time-limit stuff you put in widely accessible places on the internet. Sorry about that.
There may conceivably be an easier way (Score:3)
If this could ever actually work - which it can't - I wouldn't want my digital photos to expire anyway. BUT if anybody actually does want this, why doesn't facebook just delete them after the expiry date?
Re: (Score:2)
Yeah, exactly what took 18 months to develop a system that encrypts a picture and sends out encryption keys upon request? That sounds like something that could be set up in a matter of weeks at most.
Re: (Score:2)
Well, maybe you and I could, but you're not a "researcher" now are you? So what good would it be?
Seriously, does the "researcher" job come with a pay raise? If so how does one become a "researcher" so that any random coding/QA stint counts as "research" and is thus both news and (probably) patent worthy?
Re: (Score:2)
HEY, that research grant money is for actual research, not for taking pictures of your friend smoking a bong with their anus and trying to hide it later. Thorough research takes lots of time, even though this could have been implemented in a week or so. At that pace the grant money would dry up. Like with IT budgets; you HAVE to spend every cent, and spending less means you get less money the next cycle.
Re: (Score:2)
Re: (Score:2)
Yes, because our society seems to be placing LESS value on embarrassing celebrities or looking perfect.
Re: (Score:2)
A. The people posting the pictures don't care (at least at the time they are posting them)
B. Facebook doesn't want it to work and they have the power to stop it by not allowing encrypted pictures. (If they wanted this feature, they would just provide it themselves by removing the content on a given date.)
C. Even if posters cared enough to use this system, no one would be able to see their pictures because
most people are to stupid to be able to install a plugin
and posters want people to see their pictures (which is why they are pos
Re: (Score:2)