As Edin Jusupovic has discovered, Facebook automatically adds a series of metadata to images downloaded from the platform. These metadata are IPTC instructions that allow an image or file to be identified by a unique code.
This part of the code is added by Facebook and allows the image to be uniquely identified.
#facebook is embedding tracking data inside photos you download.
I noticed a structural abnormality when looking at a hex dump of an image file from an unknown origin only to discover it contained what I now understand is an IPTC special instruction. Shocking level of tracking.. pic.twitter.com/WC1u7Zh5gN
— Edin Jusupovic (@oasace) 11 de julio de 2019
The reason why photos downloaded from Facebook contain their own metadata is not entirely clear. But of course, it would serve for example so that if the image is uploaded back to Facebook by another person Facebook can associate the possible relationship between the two people.
How Facebook adds tracking code to photos
The insertion of metadata by Facebook is not really something new. The social network has been adding over the years different ways to identify the images that are hosted in their servers. For example, even before 2012 the images were automatically renamed with a series of numbers and letters that represented the user and the album of the image.
In 2014 Facebook began to insert an IPTC block in the image metadata. At a glance is a long and hidden code for the user that only appears if the image is examined with a metadata inspector. The sequence of numbers and letters seems random, the only thing that is always repeated is the start “FBMD” that probably corresponds to “Facebook Member Data”. The rest of the numbers and letters are hexadecimal characters that are transformed into bytes of information readabale only for Facebook employees.
What can you do to prevent it? Something as simple as deleting metadata from images. In Windows it is done by right clicking on an image and then ‘Properties’. There we will see the metadata in the ‘Details’ tab. Clicking on “Remove properties and personal information” you can remove the data you select, the Facebook identifier for example.