An email similar to the following can be sent to your vendor or service provider initially.
First, consider whether geographic data is useful for educative purposes in the tool. If it is, you need to weigh up what the vendor can do in relation to this issue. That is, you only want them to strip data from profile images.
In our periodic security and privacy investigations we have uncovered that within profile images that are uploaded to your service, geographic details don’t seem to be removed.
This can be a serious issue for our users, as they may inadvertently be broadcasting their current or approximate location data to any user who is able to download their profile image. For more information on why this is an issue, please see this article.
Can you please advise on whether you can and intend to change your service to remove geographic information from profile images?
If the service provider is willing to implement this change, be sure to additionally confirm that all existing profile images are processed to remove this information. You should also test this yourself with known issue images before and after their change is made. Using the test image could suffice.
If they are unwilling or unable to remove this information, you should consider one of the following:
- Remove the ability to include profile images (if possible), or
- Obtain a copy of all current profile images and run them through a tool such as ExifTool to see the extent of the problem. Ask the vendor to delete the offending images, or strip the EXIF data manually and provide copies back to them, and confirm when they are fixed.