Slack now strips location data from uploaded images

Slack has started to strip uploaded photos of their metadata.

What may seem like an inconsequential change to how the tech giant handles storing files on its servers, it will make it far more difficult to trace photos back to their original owners.

Almost every digital file — from documents on your computer to photos taken on your phone — contains metadata. That’s data about the file itself, such as how big the file is, when it was created, and by whom. Photos and videos often include the precise coordinates of where they were taken.

But that can be a problem for higher-risk Slack users, like journalists and activists, who have to take greater security precautions to keep their sources safe. The metadata inside photos can out sources, de-anonymize whistleblowers, or otherwise make it easier for unfriendly governments to target individuals. Even if a journalist removes the metadata from a photo before publishing, a copy of the photo — with its metadata — may remain on Slack’s servers. Whether a hacker breaks in or a government demands the data, it can put sources at risk.

Slack confirmed to TechCrunch that it has now started to strip photo metadata, including locations.

“We can confirm that we recently began stripping EXIF (exchangeable image file) metadata from images uploaded to Slack, including GPS coordinates,” said a Slack spokesperson.

TechCrunch tested this by uploading to Slack a photo containing location data, then pulling a copy of that uploaded image from the server. The copy from the server, when checked again, no longer had location data embedded in the document. Some metadata remains, like the make and model of the device that took the photo.

Slack did not say what prompted the change.