Title: Metadata on an escort website
Date: 2019-11-25 19:00

Last year, during my holidays, I had the sempiternal conversation about the "I have nothing to
hide" argument; but this time, it was with a [feminist](https://en.wikipedia.org/wiki/Feminism),
and while there is a [vast diversity of views](https://en.wikipedia.org/wiki/Feminist_views_on_prostitution)
on prostitution, everyone agrees that escorts deserve the same rights as
anyone else, including privacy. Why prostitution? Because someone had linked me
a couple of days ago a *community-run* escort website, that of course had
*media* on it. Also, it was the _perfect_ example of why privacy matters.

I had a super-old C++ binary lying around, that I used to threw against 
<a href="https://www.torproject.org/docs/onion-services"><s>hidden</s> onion services</a>,
to show picture's metadata with the help of [`QtLocation`](https://doc-snapshots.qt.io/qt5-5.9/qtlocation-index.html)
on a nice globe map. Unfortunately, the website had *special* url for pictures,
and since I didn't manage to find the source code of my binary (also, C++,
eww.), I rewrote something from scratch:
I whipped up a ghetto python script glueing together
[requests](http://docs.python-requests.org/en/master/)
[exiftool](https://sno.phy.queensu.ca/~phil/exiftool/), and
[leaflet](https://leafletjs.com/), and got a nice interactive map precise up to
the [second](https://en.wikipedia.org/wiki/Geographic_coordinate_system), looking like
this (yes, I censored the pictures), for the Canada alone:

[![map of the USA with geolocalized pictures]({static}/images/metadata_escort.jpg)]({static}/images/metadata_escort.jpg)

I sent an email to the website with a screenshot and a short description of the
issue, they've replied, been super friendly, and <s>fixed the issue in roughly one
week, which is pretty impressive!</s> they fixed it wrongly, and aren't
replying to my emails anymore. But since this was a bit more than one year ago,
I don't feel bad writing about it.

Because my steaming pile of Python is ugly beyond reasonable, I don't plan to
open-sauce it. Beside it's trivial to rewrite it in less than one hours. So what
is the point of this article like this, beside the clickbait title?

Mostly to show that files can and do contain metadata, that you should care
about this, because everybody needs privacy even if it's not obvious for
everyone. Also to help websites and service providers realizing that they
__need__ to expunges user-uploaded files, especially when they're dealing with
_sensitive_ pictures.  I'm also secretly hoping that they'll use
[mat2]({filename}/metadata/mat2.md) to do it, battle-testing it on a large
corpus of different files, and give me back useful bug reports (or
congratulations, who knows), so that I can make it even more reliable.