Photo encryptionEncrypting Photos on the Cloud to Keep Them Private
The limited amount of data that smartphones hold, and the way in which they are vulnerable to accidental loss and damage, lead many users to store their images online via cloud photo services. However, these online photo collections are not just valuable to their owners, but to attackers seeking to unearth a gold mine of personal data.
The past decade has witnessed scandal after scandal over private images maliciously or accidentally made public. A new study from computer scientists at Columbia Engineering reveals what may be the first way to encrypt personal images on popular cloud photo services, such as those from Google, Apple, Flickr and others, all without requiring any changes to—or trust in—those services.
Smartphones now make it easy for virtually everyone to snap photos, with market research firm InfoTrends estimating that people now take more than a trillion photos each year. The limited amount of data that smartphones hold, and the way in which they are vulnerable to accidental loss and damage, lead many users to store their images online via cloud photo services. Google Photos is especially popular, with more than a billion users.
However, these online photo collections are not just valuable to their owners, but to attackers seeking to unearth a gold mine of personal data, as the case of the 2014 celebrity nude photo hacks made clear. Unfortunately, security measures such as passwords and two-factor authentication may not be enough to protect these images anymore, as the online services storing these photos can themselves sometimes be the problem.
“There are many cases of employees at online services abusing their insider access to user data, like SnapChat employees looking at people’s private photos,” said John S. Koh, the lead author of the paper, who just finished his Ph.D. with professors of computer science Jason Nieh and Steven M. Bellovin. “There have even been bugs that reveal random users’ data to other users, which actually happened with a bug in Google Photos that revealed users’ private videos to other entirely random users.”
A potential solution to this problem would be to encrypt the photos so no one but the proper users can view them. However, cloud photo services are currently not compatible with existing encryption techniques. For example, Google Photos compresses uploaded files to reduce their sizes, but this would corrupt encrypted images, rendering them garbage.
Even if compression worked on encrypted images, mobile users of cloud photo services typically expect to have a way to quickly browse through identifiable photo thumbnails, something not possible with any existing photo encryption schemes. A number of third-party photo services do promise image encryption and secure photo hosting, but these all require users to abandon existing widely used services such as Google Photos.
