Boost photo security in the cloud

Sheila Zabeu

September 29, 2021

Taking a photo and storing it in the cloud is, these days, an almost automatic procedure for anyone with a mobile phone in their pocket or purse. Good evidence of this is that the volume of photos worldwide is expected to reach the 1.35 trillion mark by 2021. However, not everyone is concerned about the security and privacy that storage services offer for photos uploaded to the cloud – photos that are often too revealing, right?

One recent case, involving videos rather than photos, is Google Takeout, which allows you to transfer data from Google apps as a backup. In November 2019, a bug in this tool caused videos stored in Google Photos to be mistakenly shared with unrelated users. When a backup was requested, some of the videos became visible to random users who were also downloading files via Google Takeout. According to Google, less than 0.01% of Photos app users using Takeout were affected.

To help the more careful and, why not, the unwary, a team of computer scientists from Columbia University in the US has developed Easy Secure Photos (ESP), a tool that encrypts photos stored on many of the most popular cloud services without putting obstacles in the way of displaying them.

According to the developers, the solution overcomes the challenge of having to deal with popular cloud photo services that are not compatible with current encryption techniques. For example, Google Photos compresses files to reduce their size, but this would eventually corrupt encrypted images. And even if compression and encryption worked in harmony, you'd have to wait for decompression and decryption before you could view the photos. And, let's face it, slowness doesn't match today's expectations, even for those who just want to view a sample photo on their mobile phone.
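An added illustration of the incompatibility described above (not code from the article or from the ESP project): a constructed gradient image is averaged over 2x2 blocks as a stand-in for lossy compression, once as plaintext and once after encryption with a toy SHA-256 keystream cipher. The block averaging, the cipher and all names are assumptions chosen for the demonstration; ESP's own algorithm is not shown.

```python
import hashlib

W = H = 64  # constructed 64x64 8-bit grayscale test image

def sample_image() -> bytes:
    """Constructed smooth gradient, standing in for a natural photo."""
    return bytes(2 * x + 2 * y for y in range(H) for x in range(W))

def keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode; a toy stand-in for a real stream cipher."""
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
    return bytes(out[:n])

def xor_encrypt(key: bytes, data: bytes) -> bytes:
    """Encrypts or decrypts (XOR with the keystream is its own inverse)."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))

def lossy(pixels: bytes) -> bytes:
    """Simulated lossy compression: replace each 2x2 block by its average."""
    out = bytearray(pixels)
    for y in range(0, H, 2):
        for x in range(0, W, 2):
            idx = [y * W + x, y * W + x + 1,
                   (y + 1) * W + x, (y + 1) * W + x + 1]
            avg = sum(pixels[i] for i in idx) // 4
            for i in idx:
                out[i] = avg
    return bytes(out)

def mean_abs_error(a: bytes, b: bytes) -> float:
    """Average per-pixel difference between two images of equal size."""
    return sum(abs(p - q) for p, q in zip(a, b)) / len(a)

def compare(key: bytes = b"constructed demo key"):
    """Return (error after compressing the plain photo,
    error after compressing the ciphertext and then decrypting it)."""
    photo = sample_image()
    plain_err = mean_abs_error(photo, lossy(photo))
    stored = lossy(xor_encrypt(key, photo))  # what the service would keep
    enc_err = mean_abs_error(photo, xor_encrypt(key, stored))
    return plain_err, enc_err

if __name__ == "__main__":
    print("plain: %.1f  encrypted: %.1f" % compare())
```

The plain photo loses about one grey level per pixel, while the photo recovered from the compressed ciphertext is off by tens of grey levels, which is visually noise.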

Some photo services even promise to encrypt images to store them securely but require users to give up the most widely used tools, such as Google Photos.

The new technique from researchers at Columbia University makes it possible to work with popular photo services in the cloud, guaranteeing protection and ease of browsing through images, as if they were not encrypted. The ESP system's image encryption algorithm, which works with both lossy and lossless formats such as JPEG and PNG, ensures that the compressed files will still be recognized as images, although they will appear as black-and-white static to anyone but authorized users. The encryption of each image results in three black-and-white files, each encoding the red, green, or blue color information of the original image.

In addition, ESP creates and uploads encrypted thumbnail images to cloud photo services. This way, authorized users can easily browse thumbnail galleries using image browsers that incorporate the ESP standard.

“Our system adds an extra layer of protection on top of the password-based security of photo service accounts. The goal is to make it so that only your devices can see your private photos, and no one else unless you specifically share them with other people,” says John S. Koh, a researcher who designed and implemented the ESP system.

The proposed solution also allows access to photos from multiple devices. The researchers developed a technique so that each device has its own unique pair of keys, unlike usual encryption systems that use a single pair of keys across multiple devices. In the case of ESP, all that needs to be done for a given device to access ESP-encrypted photos is to authenticate it using another device on which an ESP-compliant application is already installed. This process informs the already authorized device that it can share one of its keys with the new device in the form of a QR code. Trusted devices can then view the encrypted photos without users having to manipulate keys, which the Columbia developers say is the bane of almost all encryption systems.

The ESP solution was implemented in Simple Gallery, an Android app, to encrypt images from Google Photos, Flickr, and Imgur, without any changes to these cloud photo services.