 = Cam Anti Theft Tool =

 == Rationale ==
During the last decade, Digital Still Cameras have evolved from an amateur toy to a tool for professionals. Every Year brings cheaper, smaller cameras with improved photo quality. Especially Digital Single Lens Reflex cameras (DSLR) have contributed to this evolution.

But as professional-grade cameras get more and more portable, also the risk of thievery has increased. If the camera was stolen, the owner has little chance to get back his device: online services like *bay makes it easy for the thief to trade stolen goods, while the police often investigates only locally.

So, there is a clear need for a world-wide online anti-theft tool that allows users to:
 - register their cameras/add-ons in an easy, but "authentic" way (i.e. minimizing the risk of abuse)
 - report thievery of their stolen devices
 - find out about the origin of used add-ons/devices they intend to buy (i.e. is the seller really the legitimate owner of that lens?)

 == Technical Possibilities ==
The easiest implementation of such a service is a web form, in which the user enters brand, model and serial number of his camera and his contact data. But unfortunately this approach is error- and abuse-prone:
 - there are a lot of IDs/Numbers printed on the camera or its packaging: e.g. [http://de.wikipedia.org/wiki/Ean EAN-Codes] or revision numbers. Even for a normally-skilled user it can be difficult to pick the right number.
 - [http://images.digitalcamerainfo.com/images/upload/Image/Fuji%20S9000/HTML/S9000-Bottom.jpg Printed serial numbers] are hard to find on the camera: they have no standard location on the camera
 - if the serial number was found, it still has to be typed correctly - not so easy with the usually small digits.
 - but of course the severest argument is the '''danger of abuse''': everybody can enter the serial numbers she wants and register a deliberate number of devices.

 === Capabilities of Exiftool ===

Luckily, many manufactures also store the cam serial number in the EXIF metadata of the pictures. Because this information is stored in a proprietary EXIF Makernote, nearly all EXIF readers "overlook" this information (actually they are unable to interpret the data). As always, there is one exception: [http://www.sno.phy.queensu.ca/~phil/exiftool/ ExifTool] decodes everything. Here is a shortened exiftool report of a pic taken with my Olympus E410:

Exiftool sample output:
{{{
nasr@laptop-fb:~$ exiftool -a -u -g1 -w txt SAMPLE.JPG
...
---- Olympus ----
Special Mode                    : Normal, Sequence: 0, Panorama: (none)
Camera ID                       : OLYMPUS DIGITAL CAMERA
Model                           : E410
Equipment Version               : 0100
Camera Type 2                   : S0013
Serial Number                   : D56536763                <- NOTE: as printed on the camera
Internal Serial Number          : 4038708008916001
Focal Plane Diagonal            : 21.6 mm
Body Firmware Version           : 1.200
Lens Type                       : Olympus Zuiko Digital ED 14-42mm F3.5-5.6
Lens Serial Number              : 212267129                <- NOTE: as printed on the lens
Lens Firmware Version           : 1.003
...
}}}

As you can see, Exiftool has not only decoded my camera model, but also the type of my lenses and '''both serial numbers'''.

 == How it works ==
The CATT (Cam Anti Theft Tool) works as follows. The user signs up and logs in. Now he has 3 options:

 1. Register a device and an add-on 

 2. Query the status of a device/add on

 3. Register (Claim) an already stolen device

=== Registering a device ===
Regarding Exiftool's capabilities I pointed out above, the registering of a device could work as follows:

 a. The user logs in or signs up and has his camera ready. The camera is setup up to store photos as low-quality JPEG.
 b. An alphanumeric code in big letters appears on the screen. The user has to take a picture of this code.
 c. The user uploads the '''unmodified''' pic. Because of the low quality, the upload time should be decent.
 d. The antitheft service automatically verifies if the depicted code matches the issued code (step b) using OCR technology.
 e. The antitheft service decodes serial information and stores it.
 f. The user receives an e-mail that his device(s) were sucessfully registered.

I prepared a [http://picurl.org/frontend/picurl-antitheft/register-device.html conceptual demo] of this procedure.

'''Discussion:''' By uploading an unmodified photo we drastically improve the abuse/error risk compared to manual entering of the serial number. However there is still the possibility that a user uploads a photo taken by a different person and registers his/her devices. To circumvent this, we use a "reverse captcha" approach - the user has to take a picture of a presented code and the system verifies it. So we can assure that the user was in possession of the camera at least while the picture was taken.

=== Device status ===
After registering the device, the user can set a device status, which can also be changed later:
 a. Normal (Default)
 b. Stolen: The device was stolen and the owner wants to be contacted anonymously using the picurl antitheft service.
 c. Sold: The owner has sold the device. This allows the buyer to register the device for his own. In case the buyer doesn't register the device with the picurl antitheft service, the "sold" status prevents false alerts (meaning the system returns a different owner).

=== Querying the status of a device/add on ===
This could be done by either entering a serial number or uploading a picture (maybe similar to the approach above).

=== Register (Claim) an already stolen device ===
tbd

== Know Issues/Anti-Fraud Countermeasures ==
=== Exiftool can't decode serial number ===
Serial Numbers are stored in EXIF Makernotes, proprietary, often decrypted data structures. Therefore Exiftool's tag knowledge relies a lot on reverse engineering.  Altough it was tested with about 3500 camera models, we can't rely that exiftool returns serial numbers for all devices (especially new ones). The good news: every 2-3 weeks there is a new exiftool release with better Makernote support.

So if we are unable to extract the serial numbers/device information, we can still keep the exif header (size: 20-100 KBytes) and try an extraction with a future version. We shall notify the owner of this fact.

=== Abuser fakes Serial Numbers in Exiftool or other Metadata Editor ===
With some Exiftool knowledge you can easily modify serial numbers, however this implies that you already have a base image taken with the camera you want to register.
Quoting Exiftool's documentation:
{{{
Note: Information in the MakerNotes may be edited, but not added or deleted. 
The reason for this is to avoid confusing manufacturer-specific software which 
may be very inflexible about the information it expects in the maker notes.
}}}
See [http://www.sno.phy.queensu.ca/~phil/exiftool/#groups ExifTool Docs]

!IMHO this means that you can't create a new !MakerNotes Tag group in a plain JPEG image to make it appear as an e.g. JPEG taken by a Olympus E410 with Serial Number xyz. But further investigation is needed on this.

Furthermore here is an interesting paper on [http://www.cs.dartmouth.edu/farid/publications/sp05a.html Exposing Forgeries in digitally manipulated pictures]