Is there a spy in my pic?

Can image hosters (is that a word?) such as photobucket or tinypic imbed a “spy” in an image that I post on a message board, or anywhere else I put it?
I was reading a post on another board, and there was an image in that reply that said “Oops, there used to be a photobucket image here”. What was that all about, and how did it know the image was no longer there?

I forgot to subscribe!

Image hosters don’t imbed any sort of spy in images, it’s just that when you use a service like photobucket, they’re the ones hosting the image file on their server. So when you post in a message board and add an image to a post, you’re actually sort of posting a link of sorts to the location on photobucket’s server where that image is (since most message boards won’t host images you upload, they need to be externally hosted.)

I imagine photobucket keeps track of all the images that have been uploaded to their server, and if images are removed either by them or their users, photobucket replaces the image file they have hosted on their server with a stock “there used to be a photobucket image here” image which is then what comes up instead of the original image when a message board page loads and is looking for the image that was posted.

Okay, that makes sense. I guess I’m getting jumpy about all these people after my personal information.

Now to be clear about spying, any time your browser displays an image (or page or video or audio or any other web artifact …), some server provided it to you and so the owner of that server knows that at time X artifact Y was provided to IP address Z.

With artful choice of what to serve & what to do with the logs, a sufficiently Big-Brotherish entity can learn a lot about what you do online.

Imagine that you do a Google search for a product. Google knows your IP address did that & they know what they showed you as results. Now imagine you click on one of the vendors’ advertising links. For paid links Google now knows which link you followed since it’s really a link back to Google with a forward to the vendor’s site. AFAIK, they don’t currently do that for unpaid results links, but they easily could.

Now imagine Google happens to provide ads on the vendor’s pages too. Or the vendor has contracted with Google to help track their site’s usage, so Google embeds their stuff (perhaps invisibly) on the vendor’s pages. Given that the vendor has paid Google for search links to their site, the idea of this more complete integration is not far-fetched; in fact it’s common.

Now Google knows not only what you searched for, but which vendor you went to, and what page(s) you looked at on the vendor’s site. If you buy something, maybe Google knows that too depending on whether they have tracking on the shopping cart & checkout pages too.

Now imagine you visit 3 other vendors from the original search before deciding to buy something. Google knows all that too.

Clearly the power of this is boggling, but it depends critically on having wide reach. A would-be Data Overlord that has only 2% of the major web retailers connected to it will only have 2% of the jigsaw puzzle of your online purchasing. But if they have 50% or 75% of the online world connected to them, well now we have a different picture.

Now consider the rapid growth of advertiser-supported non-retail content. If lots of blogs or community sites (ie SDMB, Live Journal, MySpace) have Google-based ads, then Google also knows which of those pages you view. Ditto news sites like CNN or Fox or …

Coupled with just a little more sleuthing to connect an IP address to an email address and a physical address & a credit card number and … pretty soon you’ve got a spy-novel-quality dossier on the user.
Note that I’m not trying to make an anti-Google diatribe here; they’re simply a convenient name to use as an example. Maybe Yahoo! will turn out to be the evil (or benign?) overlord here in a few years.
Note also that this isn’t limited to web browsing. EMail has the same tracking capability.

If I spam 1 million random addresses with email, each containing a slightly different image file name, then when the live users at real addresses view my spam, my server gets a hit from their email program to download the image. I can correlate the filename requested back to the email address I sent that name to & now I know which email addresses are a) live, b) un-spam-filtered and c) willing to view spam. That knowledge might be worth a buck or two.
Bottom line:
The Net is absolutely, positively, NOT anonymous in any sense even though it appears so to the casual human user. The increasing use of more-or-less centrally sourced advertising & other content is ensuring that various Big Brothers are watching, and recording, an ever increasing share of your on-line activities.

Your post is very reassuring. :eek:
mangeorge, toting his computer to the incinerator.

The replies above address the situation you described.

However, since you’ve brought up the issue of embedding things in images, it’s worth noting that many professional stock photo companies (e.g. Comstock, Corbis) embed invisible watermarks in their preview images. The watermark doesn’t do anything, but it makes it easy for a computer to recognize the image, even if it’s been cropped or otherwise altered. This lets these companies crawl the web to find images they own and threaten/sue the people using them.

For more info, google steganography.

LSLGuy, that was a great post - it makes perfect sense but I never thought of that before. Anything else one should be careful about? I never thought that just opening a spam email would give them any information.

It would be all but impossible to do without knowledge and consent from the vendor. If you’re willing to go that far into your creepy big brotherish police state, then sure. Otherwise, the entire scenario falls down.

I agree completely that it would be with the knowledge & cooperation of the vendor. I never intended to suggest otherwise.

My point was that vendor behavior like that is not uncommon and is becoming more common as Google’s (and their competitors’) tie-in business models become more pervasive.

Nobody is doing this just to be evil, they’re simply doing it to make a buck. The collective outcome might not be very nice, but that’s a value judgement. I was simply discussing technological & business practice.

If you have the latest version of Outlook, by default it refuses to download pictures embedded in emails until/unless you give explicit approval. That feature was added precisely to offset the spam behavior I described.

To respond to your question, I don’t see it as “things to be careful about”. I see it as remembering, at a very deep level and every time you sit at the keyboard, that in effect, somebody is standing behind your shoulder videotaping your online activities. He’s always there, or at least almost always there, and you can’t tell when he is or isn’t taping.

Right now it’s hundreds of different somebodies, each with a copy of a small sliver of your activity. But they do talk to each other a bit, and slowly they are combining, to where perhaps 20 or 30% of your activity will be accessible to somebody someplace soon.

Much like the giant warehouse at the end of Raiders of the Lost Ark, odds are your info will simply sit there, ignored, or be aggregated with thousands of other people’s data to prove some conclusion like “your zip code prefers thick-crust over thin-crust pizza.”
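
The per-recipient image name from the spam example and the Outlook default of not downloading pictures, shown from the reader's side as an added Python example that is not part of any post in this thread: it lists the images in an HTML email that would contact a server when the message is viewed, then blanks their URLs. The sample message, its host name and token are constructed, and the "long hex run" check is an assumed heuristic, not how any mail client decides.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: addresses, host and token are made up.
SAMPLE = """\
From: sender@example.com
To: reader@example.org
Subject: Sale
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Big sale!</p>
<img src="http://img.example.com/banner_7f3a9c21d4.gif" width="1" height="1">
<img src="cid:logo123" alt="logo">
</body></html>
"""

class ImgFinder(HTMLParser):
    """Collect every <img> whose src makes the mail client contact a server."""
    def __init__(self):
        super().__init__()
        self.remote = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = urlsplit(a.get("src") or "")
        if tag != "img" or url.scheme not in ("http", "https"):
            return  # cid: and data: images are carried inside the message
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        # Assumed heuristic: a long hex run in the URL may be a per-recipient ID.
        token = bool(re.search(r"[0-9a-fA-F]{8,}", url.path + "?" + url.query))
        self.remote.append({"src": a["src"], "tiny": tiny, "token": token})

def html_body(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    return part.get_content() if part else ""

def find_remote_images(raw):
    finder = ImgFinder()
    finder.feed(html_body(raw))
    return finder.remote

def block_remote_images(raw):
    """Blank remote image URLs so that viewing the message fetches nothing."""
    pattern = r'(<img\b[^>]*?\bsrc\s*=\s*)(["\'])https?://[^"\']*\2'
    return re.sub(pattern, r"\1\2\2", html_body(raw), flags=re.I)
```

The `cid:` image is left alone because it travels inside the message, so displaying it tells no server anything.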

There is a somewhat nastier possibility than the posters so far have mentioned. The link could actually be running a script, control, applet, or other piece of “active” program. As long as, when it’s finished, the linked content delivers or displays an image, you probably would not notice.

Now, in and of itself, anything you can run from a simple link or image tab should be pretty safe. But once someone has identified a security hole in a common application, they may be able to put the URL to a code that would exploit that hole in some otherwise innocuous web content.

With the vendor example stated in your post (that I snipped out), the only ways the email address, physical address and credit card number could come out are:

a) a disreputable merchant that would give out that information;
b) on submission of purchasing info having someone intercept the information;
c) someone installing a keylogger or other trojan on your machine and retrieving your info.

These can all be circumvented by dealing with reputable merchants only, making sure whoever you are buying from is using SSL on a secure server and running regular virus scans. I’m sure most Dopers know all of this, especially with the sticky in this forum.

I’m not a big fan of the random scare tactics. Every time someone throws out a story like this it scares people away and makes it harder for those of us who do know how to protect ourselves from online fraud and such to do what we want to do. I’ve been trying to tell my mom for the last 6 years that with reasonable precautions you can have perfectly safe online transactions.