Christie’s Erroneously Retained GPS Metadata in Private Photos of Auction Items

Max Hoppenstedt, Washington Post:

On a recent Wednesday evening, a university professor in a large town in western Germany was preparing several paintings to be sold through the British auction house Christie’s. Using his iPhone, he took pictures of the inherited works at his home to upload to the company’s website. Within a few weeks, the site promised, Christie’s would give him an estimate of their value and tell him if it was interested in auctioning them.

But by uploading the images, he not only sent pictures of the pieces to Christie’s, he also revealed their exact location for anyone to see online, according to two German cybersecurity researchers. Hundreds of other would-be Christie’s clients, including Americans, were exposed to the same vulnerability, the two researchers, Martin Tschirsich and André Zilch, told The Washington Post.

Linking to that exploration of EXIF metadata reminded me of this story from last month.

The reaction from Christie’s representatives seems like it should raise questions about the organization’s trustworthiness. Stripping metadata is a common practice when photo uploads are permitted, if for no other reason than to save a little server space. Sure, everybody makes mistakes, but denying assistance from researchers and neglecting to inform potential clients of their exposure is poor.