Katharina presented our P3F user study at the Usable Security (USEC) Workshop at NDSS 2017

After our first P3F concepts and prototypes, we decided to get feedback in a user study. We conducted at different places in Vienna and offered the participants three (hypothetical) picture privacy systems that have been proposed. The study was finally accepted at USEC 2017 and presented in San Diego. The study was a major reason why we shifted towards a more interactive system (as in our app solution).

See our paper for further details:

Exploring Design Directions for Wearable Privacy
Katharina Krombholz, Adrian Dabrowski, Matthew Smith, and Edgar Weippl
In Proceedings of USEC Mini Conference 2017 co-located with NDSS Symposium 2017.
[ pre-print PDF ] [ BibTex ]


P3F (Picture Privacy Policy Framework) started as a passive way of informing a photographer about oneself wishes on usage restriction on pictures. This concept bridged the analogue gap by unobtrusively encoding the privacy policy into the pattern of the wardrobe. However, we also explored active solutions based on user studies. Finally, our mobile phone based project graduated into a real app. We are proud to launch SnapShh…!, (Snapshot + Shhh!) our privacy mediator solution.

How does it work?

While professionals know, that they need to get permission from each pictured person, even considerate private people often do not have the possibilities to ask all people incl. bystanders for permission. Our app automates this process.


Everyone having this app installed will receive small thumbnails potentially containing him/herself and is asked about their opinion. The system works in the most privacy preserving fashion: It does not use GPS (just direct peer discovery based on WiFi Direct), it does not report back anything to a central server (it communicates Peer-to-Peer using GCM), it does not require any login or user account (not even a Google account), and thumbnails sent are of such low quality that there is hardly any useful purpose other than identifying him/herself.

Notifications are shown on screen and on smart watches. You can agree or disprove on a picture without leaving the current app. If too much picture are arriving in a short period of time, the app stops nagging you and you can use the picture list to review the photographs at any later time. The picture list shows your photos (right) with the current results from the other users, and your received thumbnails from other users in your vicinity. White entries need your attention (e.g., they not answered yet). You can change your opinion at a later time, and they will override your previous vote.


We don’t believe in compulsory DRM (Digital Rights Management). History has shown, that this simply does not work. Even a screenshot would circumvent this.

We believe, if we give a photographer the right tools for an informed decision he or she will think twice before uploading a photo to social network that someone is opposing.

The App is currently available for Android 4.0+ upwards. We are still investigating if we can perform a similar background vicinity detection on iOS as well.

The source code can be found in our Download-Section. To install the app, visit the Google Play Store.

New app to appear soon for Android – call for public beta

We are proud to start a limited beta of our new App that also features a new concept for our picture privacy project.

The new concept features a real-time central-server-free communication between the photographer and a depicted person. We implemented this system as an alternative to the computational heavyweight picture recognition system, after realizing that the vast majority of pictures in social networks are made by smart phones and after user studies shown that most users wish for an situational case-by-case solution for their pictures. Our system so far only produced a generic policy that had to be changed by changing wardrobe.

The new system works as follows:

An app on the smartphone of the photographer sends an small thumbnail to people in vicinity of the taken picture to ask if the receiver is depicted here and if she or he consents with a possible publication of the picture. A photographed person receives an notification on his/her phone or smart watch and is able to send an response to the photographer.

This communication is done in the least privacy invading method generally available on such phones and smart watches: We facilitate WiFi-direct – a method for building ad-hoc networks – and Google Cloud Messaging. (No, Bluetooth does not work without pairing first.)

If you wish to participate in the beta program, please write us at p3f@sba-research.org. We will start sending out invitations in about two weeks. The beta app will have an additional logging module included for allowing us to measure the performance and possible problems with the app.  This logging is not included in the final version.

Requirements: Android 4.2 or higher. If you have multiple device for testing, that’s even better.


A robots.txt for your face

The Daycon 9 “Hiding from Robots” presentation went exceptionally well. I also talked a little bit about our upcoming software we will present here on the blog shortly. The discussion was very fruitful and provided me with interesting details about the views on privacy in the States and some fresh ideas.

Daycon9 Dabrowski Presentation (PDF)


Let’s face it: Most countries have privacy laws to protect the citizen’s rights on his own image – but they are ineffective and unenforceable. Even the most careful photographer might not have the chance to ask all bystanders and unintentionally imaged people for their consent. The reality is, that almost no amateur photographer cares, and most professional photographer lives in constant fears of lawsuits. Maybe it is time to create a machine-readable privacy policy for everyone: a robots.txt for your own appearance, bridging the analogue gap between the pictured individual and the photographer. A method that would allow anyone who cares to know what permissions you gave for photographs of you. And court proof arguments for anyone who did not care.


P3F at Future Innovators Summit – developing the POST-CITY Kit at Ars Electronica Festival 2015

Adrian Dabrowski will be part of the Future Innovators Summit at the Ars Electronica Festival in Linz. This “Future Catalyst Program for the Development of the POST CITY Kit” will bring together entrepreneurs, activists, artists, technicians, and scientists from all around the world. The conclave (or workshop) is split into 3 different groups, that will discuss issues of life in future cities.

P3F clearly covers socio-technical privacy problems, that will intensify with the increasing population density. We look forward to get inspired and inspire other attendees.

The event runs from Thursday Sept 3rd to Sunday Sept 6th 2015. The final presentations will be held on Sunday 3:30pm at the conference square in the “POST CITY” next to the Linz central railway station. In the last years, most Ars Electronica Festival exhibitions were free (Hauptplatz, Kunstuni, Street installations,…) or required only a low entrance fee (e.g. OK Centre, ARS Electronica Building). If you just visit for a single day, there is no need to buy a full festival pass. You will not run out of free/cheap attractions.

Hope to see you there.

P3F @ Linuxwochen 2015

Katharina successfully presented the P3F project at Linuxwochen 2015 in Vienna. Many people showed interest in our project. We are very happy to have raised awareness for picture privacy.


CC BY-NC-ND 4.0 Sebastian Wagner