eWEEK.com has posted a story that recounts how the IPTC metadata in photos published on the Washington Post's website may have inadvertently compromised a (criminal) source to whom the paper had promised confidentiality.
The photos, which do not show the subject's face, were shot by Washington Post staff photographer Sarah L. Voisin to accompany an article about a "botmaster", a computer geek who uses the Internet to infect personal computers with viruses that allow him to control the infected computers in certain ways. Some of his activities are illegal, and he agreed to speak to the Post only if the paper concealed his name and location.
Not long after it was published, the Post article was linked on Slashdot, where enterprising denizens of that self-described site for nerds downloaded the photos and found metadata in the images.
As best we can tell from the complicated Slashdot thread, it appears the photos contained the name of a small Oklahoma town in their IPTC "location" field(s). The assumption of the Slashdotters is that Voisin entered this caption information when she first downloaded/processed the pictures of the botmaster (as would be normal in most newspaper workflows), and it was preserved in the small JPEGs that were presumably made from Voisin's originals and then published on the website.
By cross-referencing descriptive details in the Washington Post's story with information from Google Maps and Google's local business directory, some Slashdotters were able to pinpoint what they believe to be the particular stretch of road on which the botmaster lives.
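A pre-publication check for the kind of leftover IPTC location field described above, as an added example that is not from eWEEK, the Post or the original article: it walks a JPEG's APP13 segment and reports any city, sub-location, state or country text still embedded in the file. The function names and the sample file (with a made-up town name) are constructed for illustration.

```python
import struct

# IPTC IIM record 2 datasets that carry location text.
LOCATION_FIELDS = {90: "City", 92: "Sub-location", 95: "Province/State", 101: "Country"}

def app13_payloads(jpeg: bytes):
    """Yield the payload of every APP13 (0xFFED) segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if jpeg[pos + 1] == 0xED:
            yield jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length

def iptc_blocks(payload: bytes):
    """Yield the data of each Photoshop "8BIM" resource 0x0404 (IPTC-NAA)."""
    pos = 14 if payload.startswith(b"Photoshop 3.0\x00") else len(payload)
    while pos + 12 <= len(payload) and payload[pos:pos + 4] == b"8BIM":
        (res_id,) = struct.unpack(">H", payload[pos + 4:pos + 6])
        pos += 6 + ((payload[pos + 6] + 2) & ~1)  # Pascal name, padded to even
        (size,) = struct.unpack(">I", payload[pos:pos + 4])
        if res_id == 0x0404:
            yield payload[pos + 4:pos + 4 + size]
        pos += 4 + size + (size & 1)  # resource data is padded to even length

def location_metadata(jpeg: bytes) -> dict:
    """Return {field: text} for every IPTC location dataset in the file."""
    found = {}
    for payload in app13_payloads(jpeg):
        for data in iptc_blocks(payload):
            pos = 0
            while pos + 5 <= len(data) and data[pos] == 0x1C:
                record, dataset, size = struct.unpack(">BBH", data[pos + 1:pos + 5])
                if size & 0x8000:  # extended-length dataset: stop, layout differs
                    break
                if record == 2 and dataset in LOCATION_FIELDS:
                    text = data[pos + 5:pos + 5 + size].decode("utf-8", "replace")
                    found[LOCATION_FIELDS[dataset]] = text
                pos += 5 + size
    return found

def sample_jpeg(city: bytes) -> bytes:
    """Constructed input: SOI, one APP13 holding IPTC 2:90 (City), EOI."""
    iptc = b"\x1c\x02\x5a" + struct.pack(">H", len(city)) + city
    body = (b"Photoshop 3.0\x008BIM\x04\x04\x00\x00" + struct.pack(">I", len(iptc))
            + iptc + b"\x00" * (len(iptc) & 1))
    return b"\xff\xd8\xff\xed" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```

A non-empty result from `location_metadata` means the web-sized JPEG still carries caption location data. The check covers only IPTC IIM fields, so Exif GPS tags and XMP packets need their own inspection.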