In a web application, should “private” user images be protected with authentication/authorization?

  softwareengineering

When creating a web application that will allow users to upload images and mark them as private, should those images be protected by authentication and authorization mechanisms against access by other users?

The answer seems like an obvious “YES”. However, this does not seem to be the general practice. I have played with media privacy settings on different sites and some will actually block unauthorized access, others seem to just use security by obscurity and still allow access to those who have a link.

For example, if I upload an image to Facebook, and set the audience to “Only me”, I can copy the link address and access the image in an unauthenticated session.

  • web-applications
  • authorization
  • image

6

I’ve come back to this question a number of times. To be honest, my expectation as a user is if I mark it private, then I wouldn’t expect a direct link to work. But I’m a technologist. I have a different perspective than many end users. And my perspective isn’t authoritative by any means.

There is no general answer. You will need to assess the benefits and drawbacks of checking authentication on each request for an image.

Things to consider:

  • Which country are you operating the site out of? Which countries do your end users live in? Privacy laws and legal frameworks vary a great deal.

  • What is the content of those images, and what is the main function of your site? Legal frameworks, like HIPPA in the USA, mandate certain kinds of organizations protect data. Financial, medical, and personally identifiable information is often protected by laws which might require you to authenticate every request for an image.

  • What performance metrics do you need to hit? Serving cat pictures to 100,000,000 people is a much bigger problem than serving those same images to 1,000 people. Scale matters here.

    • Not just your expected scale, but actual scale.

  • Privacy agreements and terms of use can also direct your technical implementation. How is “private” defined in your terms of use?

  • User expectations matter here as well. If you advertise the site as safe and secure, what would your users think of they found out direct links still work?

  • The intended audience matters, too. People might be more forgiving if the site is some general social network open to all ages. If your site targets children, people might not be so forgiving. Spin up a site geared towards security professionals, and they will rake you over the coals before suing you in court. Or simply quit after publishing a podcast or blog post or two.

  • What are the legal, financial, and social ramifications of allowing anonymous access to images by direct link? Perhaps it is legal to leave direct links unauthenticated, but if a celebrity uploads a “private” picture depicting them in a “private” moment, and the paparazzi discover these images are unauthenticated, you might get dragged into court.

    • This goes back to jurisdiction again. Which country are you operating out of and where are your end users?

Conclusion

If I have any general advice to give on this topic, then authenticate images if:

  • There is a reasonable expectation of privacy by an end user.
    • Especially if the images are displayed on pages requiring authentication.
  • The law says so.
  • You think the law might say so.
  • You haven’t observed any concrete, unresolvable problems with authenticating these requests.
  • You are paranoid about being sued.

A more specific answer would require an order of magnitude more information, and would require too much time to assemble for free. There are legal, financial, social, and technical things to consider, but authenticate user uploaded images until you have a compelling reason otherwise.

1

LEAVE A COMMENT