25 votes

A data breach at Christie’s revealed exact GPS coordinates of collectors’ artworks

6 comments

  1. [5]
    DeaconBlue

    Should Christie's be obligated to modify the images uploaded by users?

    This seems to me like a pretty simple case of:

    • User uploads photo without stripping the EXIF data
    • Christie's hosts the image without modifying anything

    Calling this a "data breach" is a bit of a stretch to me.

    To take this one step more abstract, to what extent is anyone hosting photos obligated to protect uploaders from themselves? If there was a window in a picture with a mailbox outside showing the street address, should the hosting site be obligated to put a black box over the window?

    16 votes
    1. [2]
      Shahriar

      If you're hosting user-uploaded media content then yes, the onus should be on you to protect the users from exposing personal information to your platform for public view by stripping the GPS from EXIF data. Offer an option to keep it stored if it's considered applicable with consent of the user.

      Discord had this issue early on in their history, and I'm assuming it led to interesting scenarios for them to discover that wasn't a good idea.

      6 votes
      1. DeaconBlue

        Absolutely disagree. Hosting data should not come with the requirement to modify the data being hosted. You should disclose to the users that you choose to make arbitrary modifications to whatever bits they send you, but you should not be obligated to modify user data.

        8 votes
    2. boxer_dogs_dance

      Well, theoretically maybe not. In practice they have competitors in the art auction business and the wealthy collectors who supply their stock in trade expect to be taken care of. If Christie's lack of data protection leads directly to the theft of a multimillion-dollar artwork, that trashes Christie's reputation and harms their business.

      3 votes
    3. skybrian

      Expectations differ depending on context. Programmers don't expect files to be modified when putting them on a web server, but on social media sites, there's no expectation that image or video files will be served as-is. They're going to be transcoded and resized to make sure people visiting web pages don't have a bad experience from downloading huge files.

      So it would be entirely reasonable to remove EXIF information too. I don't know about "obligated" but people will complain if you don't do it.

      For comparison: I believe images downloaded from Google Photos have their locations stripped? I imagine this is pretty annoying when you want to migrate to a different photo service, but it probably has protected many users from inadvertently doxing themselves via casual sharing.

      (I think there should be a way to say "I know what I'm doing," though.)

      It seems ambiguous how Christie's thinks of their service, or how other people think of them. They'll probably fix it though.

      2 votes
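
The upload-time stripping discussed in the comments above (remove GPS from EXIF, with an explicit opt-in to keep it), as an added example that is not code from the thread or from any site it mentions. The names `strip_gps`, `scrub_gps_ifd`, `zero` and `keep_location` are assumptions made for this sketch, which handles JPEG only.

```python
import struct

GPS_TAG = 0x8825  # IFD0 entry that points at the GPS sub-IFD
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types

def zero(t: bytearray, off: int, size: int) -> None:
    if off + size > len(t):
        raise ValueError("EXIF offset points outside the segment")
    t[off:off + size] = bytes(size)

def scrub_gps_ifd(t: bytearray) -> None:
    """Unlink the GPS IFD from IFD0 and overwrite its data, in place."""
    e = {b"II": "<", b"MM": ">"}[bytes(t[:2])]  # KeyError on bad byte order
    ifd0 = struct.unpack_from(e + "I", t, 4)[0]
    n = struct.unpack_from(e + "H", t, ifd0)[0]
    end = ifd0 + 2 + 12 * n
    struct.unpack_from(e + "I", t, end)  # next-IFD offset must be present
    for pos in range(ifd0 + 2, end, 12):
        tag, _, _, gps = struct.unpack_from(e + "HHII", t, pos)
        if tag != GPS_TAG:
            continue
        gn = struct.unpack_from(e + "H", t, gps)[0]
        for g in range(gps + 2, gps + 2 + 12 * gn, 12):
            _, typ, cnt, off = struct.unpack_from(e + "HHII", t, g)
            if TYPE_SIZE.get(typ, 1) * cnt > 4:  # value stored out of line
                zero(t, off, TYPE_SIZE.get(typ, 1) * cnt)
        zero(t, gps, 6 + 12 * gn)
        # Close the gap: later IFD0 entries and the next-IFD offset move up.
        t[pos:end + 4] = t[pos + 12:end + 4] + bytes(12)
        struct.pack_into(e + "H", t, ifd0, n - 1)
        return

def strip_gps(jpeg: bytes, keep_location: bool = False) -> bytes:
    """Run on upload; keep_location is the uploader's explicit opt-in."""
    if keep_location or jpeg[:2] != b"\xff\xd8":
        return jpeg  # opted in, or not a JPEG (other formats need their own pass)
    out, i = bytearray(jpeg), 2
    while i + 4 <= len(out) and out[i] == 0xFF and out[i + 1] != 0xDA:
        stop = i + 2 + struct.unpack_from(">H", out, i + 2)[0]
        if out[i + 1] == 0xE1 and out[i + 4:i + 10] == b"Exif\0\0":
            tiff = out[i + 10:stop]
            try:
                scrub_gps_ifd(tiff)
                out[i + 10:stop] = tiff
            except (struct.error, KeyError, ValueError):
                del out[i:stop]  # unparseable EXIF: fail closed, drop it all
                continue
        i = stop
    return bytes(out)
```

This covers only the EXIF GPS IFD; location can also sit in XMP packets or maker notes, which need their own handling.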
  2. cfabbro

    The submitted article is mostly just quotes from the original WaPo source article, so I have changed the link to that.

    p.s. Originally submitted article, and a mirror for those hit by the WaPo soft paywall:
    https://news.artnet.com/art-world/christies-data-breach-gps-2352936
    https://archive.is/mj9VP

    Please label this comment as offtopic so as not to distract from the on-topic discussion.

    1 vote