EXIF Data Privacy Risks: What Your Files Tell Strangers

Every photo you share carries hidden EXIF tags — GPS, device serial, capture time, software ID. The real privacy risks and how strangers read them.


TL;DR: Every photo from a modern phone or camera carries an EXIF (Exchangeable Image File Format) block: a structured directory of tags stored alongside the pixel data (in a JPEG, the APP1 segment). The 0th IFD stores camera Make and Model and the Software that last wrote the file. The Exif IFD stores DateTimeOriginal to the second, SubSecTimeOriginal to the millisecond, the lens, and on cameras a device-unique BodySerialNumber. The GPS Info IFD, reached through tag 0x8825, stores latitude, longitude, altitude, accuracy, and direction. The Maker Note carries vendor-specific data: shutter count and internal serial number on some bodies, camera mode and motion data on iPhones. Anyone the file reaches (recipients, leak destinations, OSINT investigators, social platforms, abusers) can extract every tag with exiftool -G1 -a -u photo.jpg in under thirty seconds. Stripping EXIF before sharing closes that read surface on your end. Pixels stay identical. The paper trail goes away.

Every file you share is also a small document about you. The people who read those for a living are the reason this post is here.

What follows: what EXIF records, who reads it, the thirty-second extraction every adversary uses, what stripping does and doesn't fix, and the browser-only workflow we use before a file leaves the device.

What EXIF Actually Records About You

EXIF is a structured metadata format maintained by JEITA as standard CP-3451 (the same text CIPA publishes as DC-008). JPEG, HEIC, TIFF, and WebP files from your phone or camera carry the EXIF block alongside the pixel data but separate from it: in a JPEG it is the APP1 segment that opens with the ASCII signature Exif\0\0, in TIFF it is the file's own tag structure, in HEIC an Exif item, in WebP an EXIF chunk. The block is a tree of Image File Directories (IFDs). Each IFD is a list of 12-byte entries, and each entry carries a tag number, a data type, a count, and either the value itself (when it fits in four bytes) or an offset to where the value lives.

The directories that matter for privacy:

The 0th IFD holds device basics. Make and Model name the manufacturer and camera model (iPhone 15 Pro Max, Pixel 9, Sony A7 IV). Software names the app or OS build that last wrote the file (an iOS version string such as 17.5.1, Adobe Photoshop 25.1, Halide 2.7.0). Orientation (tag 0x0112) tells the viewer how to rotate the pixels for display; it matters later, because a stripper that discards it along with everything else will show some phone photos sideways. The 0th IFD also holds the two pointer tags, 0x8769 and 0x8825, that lead to the Exif and GPS directories.

The Exif IFD holds capture context. DateTimeOriginal is the local clock when the shutter fired, accurate to the second. SubSecTimeOriginal adds fractions of a second. OffsetTimeOriginal (an Exif 2.31 tag) records the time-zone offset; iOS has written it since iOS 14. ExposureTime, FNumber, ISOSpeedRatings, FocalLength, and LensModel describe the optical setup, useful for matching photos to a specific camera body and lens combination across files. BodySerialNumber and LensSerialNumber (Exif 2.3 tags 0xA431 and 0xA435) live here too: on DSLRs and mirrorless cameras they are device-unique identifiers; phones generally do not write them, which is why on a phone the Maker Note matters more.

The GPS Info IFD is reached through tag 0x8825 (GPSInfoIFDPointer) in the 0th IFD. Latitude and longitude are each stored as three rationals (degrees, minutes, seconds) plus an N/S or E/W reference letter, alongside altitude, GPSDateStamp and GPSTimeStamp (in UTC), direction, speed, and accuracy (GPSHPositioningError). (We covered the GPS block in depth in a separate post.) The fix is accurate to 3–10 meters on a modern smartphone.

The Maker Note is where the format goes from descriptive to forensic. Formally it is a single UNDEFINED-typed tag (0x927C) in the Exif IFD; inside, it is a manufacturer-defined binary blob whose layout Apple, Samsung, Canon, Nikon, and Sony each define for themselves. Apple's includes the camera mode used (Portrait, Night, Cinematic), motion data captured before the shutter for Live Photos, and an AccelerationVector showing how the phone was being held. Nikon's includes the body's lifetime shutter count (ShutterCount), and both Nikon's and Canon's carry an internal SerialNumber even when BodySerialNumber is absent.

The Thumbnail IFD (IFD1) describes a small embedded preview of the image. It is a recurring source of "I removed metadata and it's still showing" complaints for two reasons. First, the preview is rendered from the original pixels, so a crop, blur, or redaction applied later is not reflected in it unless the thumbnail is regenerated or dropped. Second, the same values usually exist in more than one place: editors write GPS and capture time into an XMP packet, the Maker Note carries its own device and timing data, and some software embeds a preview JPEG that carries metadata of its own. A strip that only touches the top-level IFDs leaves those copies intact.

A typical iPhone JPEG carries 60–90 EXIF tags. Most people who share that JPEG read maybe two.


Six Real-World EXIF Privacy Risks

The risks aren't theoretical. Each of these is a documented pattern, not a hypothetical:

1. Home address leaked from a "neutral" post — and stalker tracking after estrangement. A photo of your coffee, a sketch on your desk, a pet on a couch — anything posted from inside your home — carries the latitude and longitude of that home in the GPS block. The 3–10 meter accuracy is more than enough to identify the building. Doxxing campaigns on Reddit, X, and Discord routinely use this; domestic-violence organisations document the same pattern with abusers pulling an estranged partner's new address out of a single posted photo. (iPhone metadata carries more than just GPS.)

2. Schedule and routine inferred from timestamps. A month of photos posted to a public Instagram with DateTimeOriginal and OffsetTimeOriginal intact lets a reader reconstruct where you were and when. The platform might strip the timestamps from the public view, but a recipient who got the original file (DM, AirDrop, email attachment) has them. Pattern-of-life analysis is exactly this.

3. Device fingerprinting across accounts. BodySerialNumber or the Maker Note's internal serial ties a file to one physical device. Even without a serial, the combination of Make, Model, LensModel, and Software version narrows the field sharply, and the same combination appearing on a "real-name" account and an anonymous account, with matching timestamps and capture habits, is exactly the link an investigator looks for. Device metadata has been used to deanonymise journalists, whistleblowers, and online personas.

4. Sensitive-location confirmation. A photo taken at a protest, an abortion clinic, an addiction recovery meeting, a domestic-violence shelter, a religious site — any location whose presence the photographer wants kept private — that location is in the GPS block. The Electronic Frontier Foundation has documented how location metadata has been used in court and in immigration enforcement for exactly these scenarios.

5. OSINT and journalist source identification. Bellingcat-style investigators and intelligence services both treat EXIF as a primary signal. A leaked document photo, a battlefield photo, a witness photo — the device fingerprint plus the timestamp plus the GPS block, cross-referenced against known travel patterns, has identified sources in published cases. Insurance investigators and HR teams use the same pattern on damage claims, expense reports, and remote-work proof-of-life photos.

6. Platform retention for ads, recommendations, and model training. Major social platforms strip EXIF from the public-facing version of an uploaded photo but read and retain the metadata server-side. The IPTC, which maintains adjacent photo-metadata standards, has published guidance on the asymmetry between what users assume gets stripped and what platforms actually keep. The retention is used for ad targeting, recommendation graphs, abuse-investigation tools, and increasingly model training corpora.

The risks are not evenly distributed. Someone with a public-facing job, a contentious ex, an immigration concern, or any reason to keep a location private has more exposure than someone posting from a generic suburb. The asymmetry is the reason the choice should be the photographer's, not the platform's.


How Anyone Reads EXIF in Thirty Seconds

The barrier is essentially zero. EXIF is plain structured data: not encrypted, not obfuscated, parseable by every imaging library on every platform. Standard methods used by adversaries and journalists alike:

  1. The command line. exiftool -G1 -a -u photo.jpg dumps every tag with its group name (-G1), including duplicate tags (-a) and tags exiftool doesn't recognise (-u), which is how the Maker Note and XMP copies show up next to the EXIF originals.
  2. A web viewer such as metadata2go.com. Drop the file in a browser tab and read the tags in a table, at the cost of uploading the original to someone else's server.
  3. The operating system's own viewer. Preview's Inspector on macOS has EXIF and GPS tabs; the Details tab of a file's Properties on Windows shows the same fields.

None of these require permissions, accounts, or specialised knowledge. A teenager with a Chromebook can pull a photo's full metadata in under thirty seconds. The asymmetry between how invisible the EXIF block feels to the photographer and how trivial it is to read for the recipient is the entire problem this post is meant to address.
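The IFD layout described in the previous section and the extraction described here are the same thing seen from two sides, so one added example covers both. This is illustration code written for this page, not code from the post or from the Metadata Cleaner tool. It builds a constructed JPEG whose EXIF tree follows the real layout (0th IFD, Exif IFD reached via tag 0x8769, GPS IFD via tag 0x8825, big-endian "MM" byte order as iPhones write it) and then reads it back the way exiftool or any image library does: find the APP1 segment, parse the TIFF header, walk the directories, follow the pointer tags, and turn the GPS rationals into decimal degrees. The tag numbers are from the EXIF specification; the make, model, timestamp and coordinates are invented sample values.

```javascript
// Added example (not code from this post or from the Metadata Cleaner tool). Tag numbers
// are from the EXIF spec; the make, model, timestamp and coordinates are invented sample data.
const TYPE_SIZE = { 2: 1, 3: 2, 4: 4, 5: 8 };  // ASCII, SHORT, LONG, RATIONAL (BYTE/UNDEFINED skipped here)
const be16 = (a, v) => a.push((v >> 8) & 0xff, v & 0xff);
const be32 = (a, v) => a.push((v >>> 24) & 0xff, (v >>> 16) & 0xff, (v >>> 8) & 0xff, v & 0xff);

// ---- constructed sample: a big-endian ("MM") TIFF block, the byte order iPhones use ----
function encodeValue(type, value) {
  const b = [];
  if (type === 2) { for (const c of value) b.push(c.charCodeAt(0)); b.push(0); }  // ASCII is NUL-terminated
  else if (type === 3) value.forEach((v) => be16(b, v));
  else if (type === 4) value.forEach((v) => be32(b, v));
  else value.forEach(([n, d]) => { be32(b, n); be32(b, d); });                  // RATIONAL = two LONGs
  return b;
}

// ifds: ordered directories of [tag, type, value]; a value {ifd: name} becomes a LONG offset
// to that directory, which is exactly what the pointer tags 0x8769 and 0x8825 hold.
function buildTiff(ifds) {
  const offsets = {}, dirs = [], data = [];
  let pos = 8;                                                    // IFD0 starts right after the header
  for (const d of ifds) { offsets[d.name] = pos; pos += 2 + 12 * d.entries.length + 4; }
  for (const d of ifds) {
    be16(dirs, d.entries.length);
    for (const [tag, type, raw] of d.entries) {
      const bytes = encodeValue(type, raw.ifd ? [offsets[raw.ifd]] : raw);
      be16(dirs, tag); be16(dirs, type); be32(dirs, bytes.length / TYPE_SIZE[type]);
      if (bytes.length <= 4) dirs.push(...bytes, ...new Array(4 - bytes.length).fill(0)); // fits in the entry
      else { be32(dirs, pos + data.length); data.push(...bytes); if (data.length % 2) data.push(0); }
    }
    be32(dirs, 0);                                                // next-IFD pointer: no thumbnail IFD1 here
  }
  return [0x4d, 0x4d, 0x00, 0x2a, 0, 0, 0, 8, ...dirs, ...data];
}

const SAMPLE_TIFF = buildTiff([
  { name: '0th', entries: [[0x010f, 2, 'Apple'], [0x0110, 2, 'iPhone 15 Pro'], [0x0112, 3, [6]],
    [0x0131, 2, '17.5.1'], [0x8769, 4, { ifd: 'exif' }], [0x8825, 4, { ifd: 'gps' }]] },
  { name: 'exif', entries: [[0x9003, 2, '2024:06:01 14:03:27'], [0x9011, 2, '+02:00']] },
  { name: 'gps', entries: [[0x0001, 2, 'N'], [0x0002, 5, [[48, 1], [51, 1], [296, 10]]],   // 48 deg 51' 29.6" N
    [0x0003, 2, 'E'], [0x0004, 5, [[2, 1], [17, 1], [402, 10]]]] },                         //  2 deg 17' 40.2" E
]);
const APP1_LEN = 2 + 6 + SAMPLE_TIFF.length;
const SAMPLE_JPEG = Uint8Array.from([0xff, 0xd8,                                           // SOI
  0xff, 0xe1, APP1_LEN >> 8, APP1_LEN & 0xff, 0x45, 0x78, 0x69, 0x66, 0, 0, ...SAMPLE_TIFF, // APP1 "Exif\0\0"
  0xff, 0xda, 0x00, 0x02, 0x13, 0x37, 0xff, 0xd9]);                                        // stand-in SOS, scan, EOI

// ---- reader: what exiftool, a web viewer, or a stranger's script does with the file ----
function findExifSegment(jpeg) {
  for (let i = 2; i + 4 <= jpeg.length && jpeg[i] === 0xff; ) {
    const marker = jpeg[i + 1], len = (jpeg[i + 2] << 8) | jpeg[i + 3];
    if (marker === 0xda || marker === 0xd9) break;                // SOS/EOI: no more header segments
    if (marker === 0xe1 && String.fromCharCode(...jpeg.subarray(i + 4, i + 8)) === 'Exif')
      return jpeg.subarray(i + 10, i + 2 + len);                  // the TIFF block after "Exif\0\0"
    i += 2 + len;
  }
  return null;
}

// Reads one IFD into out (tag -> value); returns the next-IFD offset (IFD1, the thumbnail; 0 if none).
function readIfd(dv, le, offset, out) {
  const n = dv.getUint16(offset, le);
  for (let k = 0; k < n; k++) {
    const e = offset + 2 + 12 * k;
    const tag = dv.getUint16(e, le), type = dv.getUint16(e + 2, le), count = dv.getUint32(e + 4, le);
    if (!(type in TYPE_SIZE)) continue;                           // unknown type: skip, never guess a size
    const size = TYPE_SIZE[type] * count;
    const at = size <= 4 ? e + 8 : dv.getUint32(e + 8, le);       // inline value, or an offset into the block
    if (at + size > dv.byteLength) continue;                      // truncated or hostile entry
    const vals = [];
    for (let j = 0; j < count; j++) {
      if (type === 2) vals.push(String.fromCharCode(dv.getUint8(at + j)));
      else if (type === 3) vals.push(dv.getUint16(at + 2 * j, le));
      else if (type === 4) vals.push(dv.getUint32(at + 4 * j, le));
      else vals.push(dv.getUint32(at + 8 * j, le) / dv.getUint32(at + 8 * j + 4, le));
    }
    out[tag] = type === 2 ? vals.join('').replace(/\0+$/, '') : count === 1 ? vals[0] : vals;
  }
  return dv.getUint32(offset + 2 + 12 * n, le);
}

function parseExif(jpeg) {
  const tiff = findExifSegment(jpeg);
  if (!tiff || tiff.length < 8) return null;
  const dv = new DataView(tiff.buffer, tiff.byteOffset, tiff.byteLength), le = tiff[0] === 0x49; // "II" or "MM"
  const ifd0 = {}, exif = {}, gps = {};
  const ifd1 = readIfd(dv, le, dv.getUint32(4, le), ifd0);
  if (ifd0[0x8769]) readIfd(dv, le, ifd0[0x8769], exif);          // ExifIFDPointer
  if (ifd0[0x8825]) readIfd(dv, le, ifd0[0x8825], gps);           // GPSInfoIFDPointer
  return { ifd0, exif, gps, hasThumbnailIfd: ifd1 !== 0 };
}

// degrees, minutes, seconds plus reference letter -> signed decimal degrees
const toDecimal = ([d, m, s], ref) => (d + m / 60 + s / 3600) * (ref === 'S' || ref === 'W' ? -1 : 1);

function summarize(jpeg) {
  const x = parseExif(jpeg);
  return x && {
    make: x.ifd0[0x010f], model: x.ifd0[0x0110], software: x.ifd0[0x0131], orientation: x.ifd0[0x0112],
    dateTimeOriginal: x.exif[0x9003], offsetTimeOriginal: x.exif[0x9011],
    lat: x.gps[0x0002] ? toDecimal(x.gps[0x0002], x.gps[0x0001]) : null,
    lon: x.gps[0x0004] ? toDecimal(x.gps[0x0004], x.gps[0x0003]) : null,
  };
}

console.log(summarize(SAMPLE_JPEG));
```

The two bounds checks in readIfd are not decoration: a reader that trusts the count and offset fields in an entry can be walked off the end of the buffer by a crafted file, and a tool that parses untrusted images has to treat every offset as hostile. Run against a real photo, the same walk reaches a far larger tree (the Maker Note and the IFD1 thumbnail directory among it), but the structure is no different from the sample.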


What Platforms Do With EXIF You Upload

Different platforms handle EXIF differently, and the differences matter.

Public posts on the big platforms feel safer than they are because the visible EXIF is gone — but the underlying retention and the original-file copies floating outside the platform are not. The only reliable control is stripping before the file leaves your device.

Where Stripping Helps — And Where It Doesn't (Honest Limits)

Removing EXIF is not a privacy silver bullet. Three things stripping does not do:

It doesn't undo what's already been shared. If you posted a photo six months ago with EXIF intact and a stranger downloaded it, the original-with-metadata is in their possession. Stripping the local copy today only affects future shares. (Old uploads remain extractable.)

It doesn't remove location signals in the image itself. A recognisable storefront, a unique tree, a specific intersection sign, a reflection in a window — these are visible signals any reverse-image search or trained eye can extract. Removing EXIF removes the machine-readable coordinates; it doesn't remove the image content that points to a location.

It doesn't change the photo's hash. Trust-and-safety hashing (PhotoDNA, perceptual hashes) is computed on the pixel data, not on the EXIF. A platform that built a hash record when you first uploaded the original still has that linkage to your account regardless of whether your next share has EXIF stripped. Relevant for narrow threat models, worth naming so the picture is honest.

The Browser-Only Workflow

The clean way to neutralise EXIF before a file leaves your device:

  1. Open Metadata Cleaner in any browser — Safari on iPhone, Chrome on Android, anything on desktop. No login, no account, no upload.
  2. Drag the photo into the drop zone (or tap to pick it on mobile). The file loads into the browser tab's memory.
  3. Click Clean. JavaScript in the tab walks the EXIF tree, deletes the GPS IFD, neutralises the embedded thumbnail's metadata copy, strips the Maker Note, normalises the remaining structure, and writes a fresh file. Pixels are unchanged.
  4. Click Download. The cleaned photo lands back on your camera roll or filesystem.

The bytes pass through your browser's memory and back to disk; they don't touch a server. We don't see the file; nobody logs the coordinates. (Same browser-only architecture as our video tool.) The clean takes about half a second for a typical 4 MB photo.

Verify with any of the read methods above: drop the cleaned file into metadata2go.com, run exiftool -G1 -a photo.jpg, or open Preview's Inspector. The EXIF section should be absent — not zeroed out, missing entirely.
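The four-step workflow above and the verification step are shown here as one added example. It is illustration code written for this page, not the Metadata Cleaner tool's own code (the post does not publish its internals). It performs a segment-level strip of a JPEG of the kind a browser tab can run on an ArrayBuffer: the metadata-bearing application segments (EXIF and XMP in APP1, IPTC in APP13, C2PA's JUMBF in APP11, unknown vendor APPn segments) are dropped; the ICC profile, the Adobe APP14 marker and everything from SOS onward are kept byte-for-byte so the pixels and colour handling are untouched; and a one-tag APP1 holding only Orientation is re-emitted, since that flag is itself part of EXIF and dropping it would display some phone photos sideways. The segment signatures are the standard ones; the sample file and its XMP, ICC, IPTC and C2PA payloads are constructed placeholders, not real packets. listSegments is the verification step: after the clean, the only APP1 left is the one-tag orientation block.

```javascript
// Added example (not the Metadata Cleaner tool's code). Segment signatures are the standard
// ones; the sample JPEG below is constructed and its metadata payloads are placeholders.
const ascii = (s) => [...s].map((c) => c.charCodeAt(0));
const segment = (marker, p) => [0xff, marker, (p.length + 2) >> 8, (p.length + 2) & 0xff, ...p];

// Name a header segment and decide whether it goes, from the marker plus the payload signature.
function classify(marker, payload) {
  const head = String.fromCharCode(...payload.subarray(0, 29));
  if (marker === 0xe1 && head.startsWith('Exif\0\0')) return ['EXIF', true];
  if (marker === 0xe1 && head.startsWith('http://ns.adobe.com/xap/1.0/\0')) return ['XMP', true];
  if (marker === 0xe2 && head.startsWith('ICC_PROFILE\0')) return ['ICC', false];  // colour, not identity: keep
  if (marker === 0xed && head.startsWith('Photoshop 3.0\0')) return ['IPTC', true];
  if (marker === 0xeb && head.startsWith('JP')) return ['JUMBF/C2PA', true];         // C2PA manifests ride in APP11
  if (marker === 0xe0 && head.startsWith('JFIF\0')) return ['JFIF', false];
  if (marker === 0xee && head.startsWith('Adobe')) return ['Adobe', false];          // affects colour decoding: keep
  if (marker >= 0xe0 && marker <= 0xef) return [`APP${marker - 0xe0}`, true];        // vendor segments: drop
  return [`0x${marker.toString(16)}`, false];                                         // DQT, SOF, DHT, DRI: pixels
}

// Minimal IFD0 walk over a TIFF block: [tag, type, count, first 16 bits of the value field] per entry.
function ifd0Entries(tiff) {
  if (tiff.length < 8) return [];
  const dv = new DataView(tiff.buffer, tiff.byteOffset, tiff.byteLength), le = tiff[0] === 0x49;
  const ifd0 = dv.getUint32(4, le), n = dv.getUint16(ifd0, le), out = [];
  for (let k = 0; k < n; k++) {
    const e = ifd0 + 2 + 12 * k;
    out.push([dv.getUint16(e, le), dv.getUint16(e + 2, le), dv.getUint32(e + 4, le), dv.getUint16(e + 8, le)]);
  }
  return out;
}
const readOrientation = (tiff) => (ifd0Entries(tiff).find(([t, ty]) => t === 0x0112 && ty === 3) || [0, 0, 0, 1])[3];

// A fresh APP1 whose whole EXIF tree is one SHORT tag: Orientation.
function orientationOnlyApp1(o) {
  const tiff = [0x4d, 0x4d, 0, 0x2a, 0, 0, 0, 8, 0, 1, 0x01, 0x12, 0, 3, 0, 0, 0, 1, 0, o, 0, 0, 0, 0, 0, 0];
  return Uint8Array.from(segment(0xe1, [...ascii('Exif\0\0'), ...tiff]));
}

function listSegments(jpeg) {
  const out = [];
  for (let i = 2; i + 4 <= jpeg.length && jpeg[i] === 0xff && jpeg[i + 1] !== 0xda; ) {
    const len = (jpeg[i + 2] << 8) | jpeg[i + 3], payload = jpeg.subarray(i + 4, i + 2 + len);
    out.push({ name: classify(jpeg[i + 1], payload)[0], payload });
    i += 2 + len;
  }
  return out;
}

function stripJpegMetadata(jpeg) {
  if (jpeg[0] !== 0xff || jpeg[1] !== 0xd8) throw new Error('not a JPEG: missing SOI');
  const parts = [jpeg.subarray(0, 2)], removed = [];
  let orientation = 1, i = 2;
  while (i + 4 <= jpeg.length && jpeg[i] === 0xff && jpeg[i + 1] !== 0xda) {  // stop at SOS
    const len = (jpeg[i + 2] << 8) | jpeg[i + 3], seg = jpeg.subarray(i, i + 2 + len);
    const [name, drop] = classify(jpeg[i + 1], seg.subarray(4));
    if (name === 'EXIF') orientation = readOrientation(seg.subarray(10));      // remember before dropping
    if (drop) removed.push(name); else parts.push(seg);
    i += 2 + len;
  }
  if (orientation >= 2 && orientation <= 8) parts.splice(1, 0, orientationOnlyApp1(orientation));
  parts.push(jpeg.subarray(i));                                   // SOS through EOI untouched: pixels identical
  const bytes = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  parts.reduce((o, p) => (bytes.set(p, o), o + p.length), 0);
  return { bytes, removed, orientation };
}

// ---- constructed sample ----
const TINY_TIFF = [0x4d, 0x4d, 0, 0x2a, 0, 0, 0, 8, 0, 2,         // "MM", IFD0 at 8, two entries
  0x01, 0x0f, 0, 2, 0, 0, 0, 6, 0, 0, 0, 38,                      // Make: ASCII[6] at offset 38
  0x01, 0x12, 0, 3, 0, 0, 0, 1, 0, 6, 0, 0,                       // Orientation: 6 (rotate 90 CW)
  0, 0, 0, 0, ...ascii('Apple\0')];
const SAMPLE_JPEG = Uint8Array.from([0xff, 0xd8,
  ...segment(0xe0, [...ascii('JFIF\0'), 1, 1, 0, 0, 1, 0, 1, 0, 0]),
  ...segment(0xe1, [...ascii('Exif\0\0'), ...TINY_TIFF]),
  ...segment(0xe1, [...ascii('http://ns.adobe.com/xap/1.0/\0'), ...ascii('<x:xmpmeta/>')]),
  ...segment(0xe2, [...ascii('ICC_PROFILE\0'), 1, 1, 0xde, 0xad, 0xbe, 0xef]),
  ...segment(0xed, [...ascii('Photoshop 3.0\0'), ...ascii('8BIM'), 4, 4, 0, 0]),
  ...segment(0xeb, [...ascii('JP'), 0, 1, 0, 0, 0, 1, ...ascii('jumb')]),
  ...segment(0xdb, [0, ...new Array(64).fill(1)]),                 // DQT placeholder
  ...segment(0xc0, [8, 0, 1, 0, 1, 1, 1, 0x11, 0]),                // SOF0 placeholder (1x1, one component)
  ...segment(0xda, [1, 1, 0, 0, 63, 0]), 0x7f, 0xff, 0x00, 0x3c,   // SOS + scan data with a stuffed 0xFF00
  0xff, 0xd9]);                                                     // EOI

const cleaned = stripJpegMetadata(SAMPLE_JPEG);
console.log('removed:', cleaned.removed, 'left:', listSegments(cleaned.bytes).map((s) => s.name));
```

Two design points carry over to any stripper. The scan data after SOS is never parsed, only copied, which is what makes the "pixels are byte-identical" guarantee true by construction. And the decision to keep ICC and Adobe APP14 while dropping every other application segment is deliberate: those two change how the image decodes, the rest only describe who took it, where, and with what.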

FAQ

Does removing EXIF data change how the photo looks?

No. The pixels are byte-identical before and after. EXIF lives in its own segment, separate from the compressed image data, so image quality, dimensions, and colour profile are untouched. The one tag a stripper has to handle deliberately is Orientation (0x0112): it is itself part of EXIF, and a tool that discards the whole block without either keeping that one tag or rotating the pixels will make some phone photos display sideways. A correct clean preserves orientation.

Will the cleaned photo still upload to every platform?

Yes. Every major platform handles JPEG, HEIC, PNG, and WebP regardless of whether they carry EXIF. The cleaned photo behaves like any other at upload — just a few KB smaller.

What's the difference between EXIF, IPTC, and XMP?

Three metadata standards that often coexist in the same file. EXIF (JEITA CP-3451) covers capture context — camera, lens, GPS, timestamps. IPTC covers descriptive metadata — caption, headline, copyright, keywords — and is what news photographers fill in. XMP (Adobe's Extensible Metadata Platform) is an XML wrapper that can hold both EXIF and IPTC fields plus editing history from Lightroom, Photoshop, and Capture One. A complete strip removes all three.

Does iOS's "Remove Location" share-sheet option do the same thing?

Partially. Since iOS 13, the share sheet has exposed a location toggle under Options. It is a location-only control: it removes the GPS block but leaves Make, Model, Software, the Maker Note, and the capture timestamps in place, so device fingerprinting and timeline inference still work on the shared file. Better than nothing. A full browser-only strip is more thorough and works on Android too.

Can I do this from my phone?

Yes. The tool is browser-only and runs on mobile Safari, Chrome on Android, and Firefox mobile. Drag-and-drop becomes tap-to-pick; the cleaned download lands in Files or Photos depending on the browser.

Is removing EXIF legal?

Yes. EXIF is metadata the photographer controls, and there is no general legal duty on a private individual to preserve it. There are narrow professional contexts (journalism with chain-of-custody requirements, court-admissible photography) where preserving metadata matters; outside those, stripping is your right.

Does this also remove C2PA / Content Credentials?

EXIF stripping doesn't automatically remove C2PA. C2PA writes its provenance manifest into JUMBF boxes that live alongside but separate from the EXIF block (in a JPEG, in APP11 segments rather than the APP1 segment EXIF uses). To remove both, use the full-clean mode that walks both structures. (Full C2PA explainer here.)


If you've posted photos before reading this, strip the local copies so future shares are clean. Try Metadata Cleaner free — drop a photo, hit Clean, done. The pixels are yours; the paper trail doesn't have to be.