To stop our images from being compromised, researchers developed photo encryption technology compatible with major cloud storage services.
Cloud services for storing photos have a serious security role. Google Photos, for instance, must safeguard more than 1bn users alongside their weekly uploads of 28bn photos and videos.
Many of these photos will intentionally end up on our Facebook, Instagram or Twitter feeds, but others we would prefer not to share.
Now, a team of researchers has developed technology in an effort to protect our images and make sure that what we consider private stays private.
“There are many cases of employees at online services abusing their insider access to user data, like SnapChat employees looking at people’s private photos,” said John S Koh, the lead author of the paper.
“There have even been bugs that reveal random users’ data to other users, which actually happened with a bug in Google Photos that revealed users’ private videos to other entirely random users.”
While this presents an obvious problem, that doesn’t mean it’s time to switch back to polaroids just yet. Koh’s intended solution was photo encryption.
Unfortunately, many services such as Google Photos don’t allow for encryption. These systems often incorporate compression to reduce file size, but this would corrupt any encrypted images.
Another issue would be thumbnails. These miniature snapshots are great for browsing your gallery but aren’t currently compatible with encryption techniques.
Some third-party services have managed photo encryption in their hosting, but all of these require migrating from the bigger services such as Google.
Solving this problem was the focus of the research team. Its system, dubbed Easy Secure Photos (ESP), encrypts images uploaded to cloud services so only the original user can view the images.
ESP employs a photo-encryption algorithm where the resulting files can be compressed and can still be recognised as images. To anyone who isn’t the authorised user, these images will just look like static.
Encrypting each image results in three black-and-white files, each one encoding details about the original image’s red, green, or blue data. Impressively, ESP also creates and uploads encrypted thumbnail images to cloud photo services. That way, the authorised user can browse thumbnail galleries by incorporating ESP.
“Our system adds an extra layer of protection beyond your password-based account security,” said Koh, who designed and implemented ESP.
“The goal is to make it so that only your devices can see your sensitive photos, and no one else unless you specifically share it with them.”
The researchers wanted to make sure that each user could use multiple devices to access their online photos if desired.
The problem is the same digital code or ‘key’ used to encrypt a photo has to be the same one used to decrypt the image, making multi-device functionality a research riddle.
“Lots of work has shown that users do not understand keys and requiring them to move them around from one device to another is a recipe for disaster, either because the scheme is too complicated for users to use, or because they copy the key the wrong way and inadvertently give everyone access to their encrypted data,” explained Koh.
On this system, all a user has to do in order to bypass the photo encryption is to verify their new device with one that has previously logged into an ESP-enabled app.
To prove the efficacy of their technology, the researchers implemented ESP in Simple Gallery, a popular photo gallery app on Android.
It could successfully encrypt images from Google Photos, Flickr and Imgur without changes needed to any of these cloud photo services and showed only minor increases in download and upload time.
“We are experiencing the beginning of a major technological boom where even average users move towards moving all their data into the cloud. This comes with great privacy concerns that have only recently started rearing their ugly heads, such as the increasing number of discovered cases of cloud service employees looking at private user data,” Koh said.
“Users should have an option to protect their data that they think is really important in these popular services, and we explore just one practical solution for this.”