everestpipkin/image-scrubber

More notes on privacy from HN thread

Closed this issue · 8 comments

Absolutely love the work you're doing here! A couple notes (not mine, from this comment on HN - my notes added in italics):

  1. The code, for now, runs locally. This is good. To avoid the possibility of the code being tampered with at a later day (for example, it could be modified to send copies of the image to a server), download the webpage and use the saved copy, not the live copy. (Maybe an update to the instructions would be enough for this? Possibly converting to a PWA, though that might be a longer-term solution?)

  2. Do not use the blur functionality. For maximum privacy, this should be removed from the app entirely. There are a lot of forensic methods to reverse blur techniques. (Happy to submit a PR tomorrow morning (EST) to remove this option!)

  3. Be wary of other things in the photograph that might identify someone: reflections, shadows, so on.

  4. Really a subset of 2 and 3, but be aware that blocking out faces is oftentimes not sufficient to anonymise the subject in the photo. Identifying marks like tattoos, or even something as basic as the shoes they are wearing, can be used to identify the target.

I'd be happy to look into these tomorrow morning (EST) and start by removing the blur and organizing the code - would that or something else be useful @everestpipkin ? Let me know and thanks again for the great work!

Thank you! Re blur: it does a pretty significant noise & pixelization run before the blur (and I'm actively working on a pixel shuffle too) and I think it shouldn't be reversible. That said, I would love an outside audit on this so if you know how to reverse blur please give it a shot.

My goal with this tool is to be used not just by protestors but also by journalists/others who often don't do anonymizing as it will 'ruin their shot'. I'm hoping that providing a secure blur will incentivize people to use the tool who wouldn't otherwise block out faces for (sigh) aesthetic reasons.

I 100% agree about the download option and I'm gonna do a writeup for that ASAP.

EDIT: Pixel shuffling is in, as well as a random noise walk per color channel per pixel - I don't anticipate it being reversible in any capacity at this point, the original data is gone, not obfuscated.
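As an added illustration of the pipeline described in the comment above (this is not image-scrubber's code, and the function names `pixelate`, `addNoise`, `shufflePixels` and `scrub` are invented for the demo), the sketch below runs a single-channel grid through block pixelation, a per-pixel noise offset and a pixel shuffle. The point it makes concrete is that pixelation is a many-to-one mapping: two different inputs with the same block means produce byte-identical output, so the original values are discarded rather than hidden. A seeded PRNG is used only so the example is reproducible; the browser tool would draw from `crypto.getRandomValues` instead.

```javascript
// Added example, not the image-scrubber source. Single channel, row-major
// pixel array, values 0..255. All function names are assumptions for the demo.

// mulberry32: small deterministic PRNG so the demo is reproducible.
// A real tool would use crypto.getRandomValues (assumption stated in lead-in).
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Replace every block x block cell with its rounded mean. Every input whose
// block means agree collapses to the same output: the per-pixel data is gone.
function pixelate(pixels, width, height, block) {
  const out = new Array(pixels.length);
  for (let by = 0; by < height; by += block) {
    for (let bx = 0; bx < width; bx += block) {
      const yEnd = Math.min(by + block, height);
      const xEnd = Math.min(bx + block, width);
      let sum = 0, n = 0;
      for (let y = by; y < yEnd; y++) {
        for (let x = bx; x < xEnd; x++) { sum += pixels[y * width + x]; n++; }
      }
      const mean = Math.round(sum / n);
      for (let y = by; y < yEnd; y++) {
        for (let x = bx; x < xEnd; x++) out[y * width + x] = mean;
      }
    }
  }
  return out;
}

// Independent random offset per pixel, clamped to the 0..255 range.
function addNoise(pixels, amplitude, rng) {
  return pixels.map((v) => {
    const delta = Math.round((rng() * 2 - 1) * amplitude);
    return Math.max(0, Math.min(255, v + delta));
  });
}

// Fisher-Yates shuffle of pixel positions, so spatial layout is destroyed too.
function shufflePixels(pixels, rng) {
  const out = pixels.slice();
  for (let i = out.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out;
}

// Full pipeline: pixelate, then noise, then shuffle, sharing one PRNG stream.
function scrub(pixels, width, height, block, amplitude, seed) {
  const rng = mulberry32(seed);
  const blocked = pixelate(pixels, width, height, block);
  return shufflePixels(addNoise(blocked, amplitude, rng), rng);
}

// Constructed 4x4 inputs: the top-left 2x2 block differs pixel by pixel but
// has the same mean (25) in both, so pixelate() cannot tell them apart.
const SAMPLE_A = [10, 20, 0, 0, 30, 40, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
const SAMPLE_B = [25, 25, 0, 0, 25, 25, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];

function samplesCollide() {
  return JSON.stringify(pixelate(SAMPLE_A, 4, 4, 2)) ===
         JSON.stringify(pixelate(SAMPLE_B, 4, 4, 2));
}
```

`samplesCollide()` returns `true`: after the first stage the two inputs are indistinguishable, and the later stages only add entropy on top of that. Reversing this pipeline would mean recovering values that no longer exist in the output, which is the distinction the comment draws between "gone" and "obfuscated".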

@everestpipkin Would you like me to work on a writeup for the download option? I can also add a link that will download the project as a zip file from github for offline usage, so that users can download it quickly and easily.

@aninuth Sure, if you still have some time that would be great! I'm stuck in other things for probably the rest of the night. I think Github has an automatic 'download as zip' option under 'clone or download' but if you're able to provide a direct link that'd probably save some confusion for people. Thanks!

> My goal with this tool is to be used not just by protestors but also by journalists/others who often don't do anonymizing as it will 'ruin their shot'. I'm hoping that providing a secure blur will incentivize people to use the tool who wouldn't otherwise block out faces for (sigh) aesthetic reasons.

Great point, that makes sense! The added noise and pixelization is a great idea - I'll take a look at it in action and include a couple screenshots of the process for the readme as well.

Do you mind if I also start some code cleanup by splitting into separate CSS/JS files and adding some comments? Will hold off on this till I hear from you - let me know if there's any formatting you prefer or if there's anywhere else you'd rather see effort directed. Thanks!

Would love to see this cleaned up a bit! I should do a pass first and take out commented-out code and legacy functions, which I should probably have done in a few hours?

Just a note: Please remember to add any new split files into the service worker's (sw.js) filesToCache list so that the app continues to work offline

@wheany Thank you! Can you verify I updated those paths correctly?

@everestpipkin move the sw.js file to the same level as index.html. The service worker's scope is limited to the same level as its own location, it can't go "up" the directory tree. Otherwise it looks all right.

Alternatively you can use the Service-Worker-Allowed HTTP header on the server.
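The two service-worker points raised above (every split file must be in the `filesToCache` list, and a worker's default scope is the directory it is served from, so `sw.js` must sit beside `index.html`) can be checked mechanically. The helpers below are an added example, not image-scrubber's `sw.js`; the function names `defaultScope`, `canControl` and `missingFromCache`, and the sample file list, are invented for the demo. The `Service-Worker-Allowed` header can widen the scope on the server side, which is not modelled here.

```javascript
// Added example, not the project's service worker. Names are assumptions.

// Default scope of a service worker: the directory containing its script.
// A worker at /js/sw.js gets scope /js/ and cannot control /index.html.
function defaultScope(swUrl) {
  const u = new URL(swUrl);
  return u.origin + u.pathname.slice(0, u.pathname.lastIndexOf('/') + 1);
}

// Can a worker registered from swUrl (with its default scope) control pageUrl?
function canControl(swUrl, pageUrl) {
  const page = new URL(pageUrl);
  return (page.origin + page.pathname).startsWith(defaultScope(swUrl));
}

// Resolve both lists against the worker's own URL and return every required
// asset that the precache list does not cover. Run this after splitting files
// out of index.html so the offline build is not silently missing one.
function missingFromCache(required, filesToCache, swUrl) {
  const cached = new Set(filesToCache.map((f) => new URL(f, swUrl).href));
  return required
    .map((f) => new URL(f, swUrl).href)
    .filter((href) => !cached.has(href));
}

// Constructed precache list for a hypothetical split layout.
const filesToCache = ['index.html', 'css/style.css', 'js/app.js', 'sw.js'];

// Real install handler, only active when running inside a service worker.
if (typeof self !== 'undefined' && typeof caches !== 'undefined') {
  self.addEventListener('install', (event) => {
    event.waitUntil(
      caches.open('scrubber-v1').then((cache) => cache.addAll(filesToCache))
    );
  });
}

// Demo check against a constructed site layout (example.test is a placeholder).
function demoReport() {
  const sw = 'https://example.test/app/sw.js';
  return {
    scope: defaultScope(sw),
    controlsIndex: canControl(sw, 'https://example.test/app/index.html'),
    nestedControlsIndex: canControl('https://example.test/app/js/sw.js',
                                    'https://example.test/app/index.html'),
    missing: missingFromCache(['index.html', 'css/style.css', 'js/app.js', 'js/scrub.js'],
                              filesToCache, sw),
  };
}
```

`demoReport()` returns `controlsIndex: true` for the worker next to `index.html`, `nestedControlsIndex: false` for one placed under `js/`, and lists `js/scrub.js` as the asset that would break offline use because it was never added to the precache list.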