This work is © 2008-2012 by Yuval Levy and licensed under a Creative Commons License.

I want my privacy back!


Thumbnail caches are a trade-off. On the upside, they speed up image browsing. On the downside, they use storage space and add clutter. By design, Windows Explorer caches them inside the same folder where the images are located, in a single system file, Thumbs.db. It also has a simple option to disable caching.

Today I found out that in Ubuntu there is a ~/.thumbnails folder in each user’s home folder. This is in my opinion a very bad design decision. Consider the following scenario:

I have some sensitive images on removable media. I am on the road and I use a guest account on a third party’s computer to access a file on that media. Thumbnails are generated and left behind on the third party’s computer, where they can be harvested. I wonder how many users are aware of this potential security risk, and whether there is a way to prevent it.
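Because the freedesktop thumbnail standard names each cache entry after the MD5 of the file’s URI, anyone who knows which paths were on the card can predict, find and delete the entries it left behind. The following script is an added example, not code from the original post; it assumes plain ASCII file paths and a cache laid out as ~/.thumbnails/{normal,large,fail/<app>}/ (newer desktops use ~/.cache/thumbnails instead), and the card paths and app-subdirectory name in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile
from urllib.parse import quote


def file_uri(path: str) -> str:
    """file:// URI of a local path as the thumbnailer forms it (ASCII path assumed)."""
    return "file://" + quote(os.path.abspath(path))


def thumb_name(path: str) -> str:
    """Cache entry name per the standard: MD5 of the file URI, plus '.png'."""
    return hashlib.md5(file_uri(path).encode("utf-8")).hexdigest() + ".png"


def find_leaked(cache_dir: str, media_paths) -> list:
    """Entries under normal/, large/ and fail/<app>/ that belong to media_paths."""
    wanted = {thumb_name(p) for p in media_paths}
    return sorted(os.path.join(root, f)
                  for root, _dirs, files in os.walk(cache_dir)
                  for f in files if f in wanted)


def purge(cache_dir: str, media_paths) -> int:
    """Delete the matching entries and return how many were removed."""
    hits = find_leaked(cache_dir, media_paths)
    for h in hits:
        os.remove(h)
    return len(hits)


def demo() -> tuple:
    """Constructed scenario: a cache holding two entries for files from the card
    (one a normal thumbnail, one a 'failed' stub) plus one unrelated local file.
    Returns (leaked_before, removed, leaked_after)."""
    card = ["/media/usb/DCIM/IMG_0001.JPG", "/media/usb/DCIM/IMG_0002.JPG"]
    with tempfile.TemporaryDirectory() as cache:
        os.makedirs(os.path.join(cache, "normal"))
        os.makedirs(os.path.join(cache, "fail", "example-thumbnailer"))
        for sub, path in (("normal", card[0]),
                          ("fail/example-thumbnailer", card[1]),
                          ("normal", "/home/guest/Pictures/wallpaper.png")):
            open(os.path.join(cache, sub, thumb_name(path)), "wb").close()
        before = len(find_leaked(cache, card))
        removed = purge(cache, card)
        after = len(find_leaked(cache, card))
    return before, removed, after


if __name__ == "__main__":
    print(demo())  # -> (2, 2, 0)
```

On a real guest session you would call purge(os.path.expanduser("~/.thumbnails"), list_of_paths_on_the_card) before unplugging the media; the unrelated wallpaper entry is left untouched, which shows the match is by URI hash rather than a blanket wipe.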

10 Responses

  1. I don’t think there’s a way (as a portable media owner) to disable it, but I think you can avoid it by not using Nautilus (the default filebrowser) to browse the media. Alternatively, you might be able to disable thumbnailing in Nautilus preferences before navigating to the media.

    Disclaimer: I haven’t verified any of this as fact.

  2. As soon as you plug your media into a 3rd party’s computer, you might as well have copied the contents onto their computer.

    Assuming the person with the other computer has malicious intent, then why wouldn’t they just set up their computer to copy the entire contents of anything that gets plugged in?

    The only instance I can think of where this might be a bit of extra information leakage is when the non-malicious third party gives you access to their machine under the same account as they give a malicious user access. In which case, yes, the thumbnail cache is shared without you wanting it shared.

    But from a protecting privacy point of view, you can’t really trust another computer.

    (I don’t like to be the person who says “your bug is not a bug”, and maybe I’m not seeing the bigger picture, so if I’ve misunderstood then give a concrete example of how this particular feature allows a malicious user to break your privacy more)

  3. @Andy: and what if the computer concerned is my laptop and it is stolen? The point of this post is not about intentions, it is about consequences, and the consequences of this bad design are an avoidable leakage. If even Microsoft can avoid it, why can’t the Free world?

  4. @panospace
    For laptops, you should use encrypted drives. Don’t forget you can also always lose the media that has the sensitive information.

  5. @Markku: all valid points but not relevant to the issue: ~/.thumbnails is IMO a very bad design decision when compared to Microsoft’s Thumbs.db. You can address it, or you can point fingers in all other directions.

  6. You don’t solve the problem of stolen laptops by not storing thumbnails in your home directory.

    ~/.thumbnails has some good points to it:
    1) You can trust the person who created them
    2) When you copy the folder, you don’t end up copying the database (which some would call a bad point)

    Personally, I think the correct place for the thumbnail is inside the filesystem as metadata. So your filesystem is responsible for generating the thumbnails. I don’t know how possible this is with the current crop of filesystems. It means:
    1) Permissions for thumbnails are equivalent to the permissions for the images
    2) Copying within the filesystem can reuse the same thumbnail.
    3) Copying to other filesystems doesn’t copy junk that they might not be interested in.

    Unfortunately, I don’t think this will happen for a while (you can’t ignore all the other filesystems that exist).

  7. @Andy: It’s not the person who creates the thumbs, it’s the system. Can’t transfer trust from the person to the system.

    Inside the filesystem as metadata has its merits and is very similar to what I preconize. You list some practical limits yourself.

    Copying to other file systems is indeed an issue, thank you for raising it. My preference would be for the .thumbnails directories not to be copied.

    I’ve started a request for proposal on the xdg mailing list.

  8. Problems with the Thumbs.db approach:

    1. Media can be read-only (CDROM or shared network resources).

    2. I don’t want my camera or mobile phone filled-up with useless and space-consuming thumbnails.

    3. On a shared drive what permissions should these files have? If the folder is initially only writeable by user A, then the thumbnail cache would naturally only be writeable by user A too. If the folder permissions are later changed to allow write access for user B how are you going to change the cache subdirectory permissions to suit?

  9. @Bruno:

    1. right – it’s up to the author of the CDROM or shared resources to decide if they want to provide thumbs for their content, or trade-off against space.

    2. neither do I – hence in my request for amendment of the standard I suggest that a single file in the root of the file system determines if thumbnails are written or not. No file? no thumbs.

    3. keeping the permission of the thumbs folder in sync with the actual files and folder is a real issue. Have to think more about that. I admit that my approach is memory-card centric. I have much less privacy issues with files on shared drives, because the sharing is much less prone to promiscuity than the plugging of a memory-card.

  10. Yet another reason why linux doesn’t succeed.

    A perfectly valid point from the blogger. Then… some Aspergers Andy defending the status quo, using irrelevant ideologies “as soon as you use media on…”.

    Well, other people live in the real world. This world has events such as:
    1. Drunken night out, dirty photos taken. Use these on a linux computer… trouble.
    2. Download porn to encrypted drive, girlfriend looks in .thumbnails… trouble.

    Folder specific makes things easier to clean up.
