Go back>
decorative bear icon
The world of converter tools is broken, this is why

The world of converter tools is broken, this is why

It's a bold statement. But we really think it's the truth.

In a world where big social media companies are attacked because of their lack of privacy protection and transparency, the small niche of converter tools often gets overlooked. We did some research about their privacy policies and how they handle our data. The results were surprising!

How a (traditional) converter works
⁠Before we begin with showing you the results of our research, you have to know how a traditional converter tool works. When we say traditional we mean the tools that are currently having a dominant position on the internet, we will not name these but a simple google search will get you far enough. These converters handle your file following these steps:

  1. You upload your file to their site.
  2. The site now takes your file and sends it to a server for processing.
  3. The server, probably Google Cloud or Amazon Web Services, does the desired convertion of your file.
  4. The server sends your file back to the site.
  5. The site either triggers an automatic download or shows a download button for you to click.

Nothing wrong with this, you would say. But the thing is, your file is processed by another server! You have no idea what this server does with your file.

The convertion could also be done by your browser itsself without sending the file to another server. But this takes some more work and time to setup, and that's probably the reason these sites won't do it.

For the end user, they don't see a real difference between both techniques and that is the danger.

Traditional converters and privacy
First of all, we are not here to bash and expose websites currently using the above techniques for their services. We just want you to think twice about using traditional converters.

We looked at one of the biggest file converter site and their privacy statement.

You might think we found a statement full of scary file sharing and data collections. But it couldn't be more different.

All the privacy statements we read were very politically correct. Sentences like "We remove files and all temporary files after any file conversion." could be seen everywhere. But the danger here is that they have no idea what happens with their file after they send it to an images processing server. And that is probably not even their fault, the image processing server company probably promises this in their privacy policy and the convertion tools just copy this.

The cloud
A fancy way of naming the images processing servers is by using the term 'Cloud'. You have heared of it no doubt.

Using the cloud is defined by the cynic as "doing your job on someone else's computer," with all the dangers it entails. In fact, using a cloud service that requires you to upload your own private data to remotely manipulate it, qualifies as "doing your work on someone else's computer."

If that person is dishonest, they may purposefully keep a copy of your personal files after you have finished working with them. Or while you're working on them, if they're incompetent, they might unintentionally allow thieves to access your personal files.

In other words converting files in the cloud is all about trust.

Trust has to be earned ofcourse as ZDNet reminded us a few years back when they wrote about a file converter server in France that was allegedly hackable in over a year due to the Image Tragick vulnerability.

ImageTragick was a security hole in a popular open source image conversion utility called ImageMagick, a toolkit used on many websites to handle the low-level file manipulation needed to convert, resize and tweak images. The bug allowed a crook to upload booby-trapped fake images that would trick the ImageMagick software into running system commands chosen by the attacker, leading to what’s known as a remote code execution (RCE) bug. A patch for the bug, known as CVE-2016–3714, was published in May 2016.

According to ZDNet, the French servers in the story hosted close to 50 different online conversion services.

So what to do now?
Well in short, whatever you want. It is up to you if you trust the many cloud converters, or if you just don't care what happens with your files.

You could also switch to the new local converters. These do not send your files to a server, the convertion is happening in the browser. The files never leave your own network.

It is easier said then done though. You can't really figure out if a converter is a cloud one or not. We at RunningWombat promise that our converters are all locally, and if we come across limitations and have not choice but to use a cloud server, we will let you know on that page.

In conclusion, even our promises are based on trust. You have your own choice in using a cloud converter or not. We just hope this article makes sure people take a few thoughts before blindly uploading their files to every website they come across.

Want to know more about RunningWombat and how we process your files? Take a look at our website, or contact me directly at rowan@runningwombat.com

You can find all our other tools at https://runningwombat.com/image

Cheers, Rowan