A modern smartphone photo carries 30-80 metadata fields the photographer never sees. GPS coordinates accurate to 5 meters. The phone's serial number. The camera's lens model and aperture setting. The exact moment the shutter fired, down to the second, in the device's local timezone. The software that last edited the file (which leaks not just "Photoshop" but the specific version and OS). For a long time, nobody outside law enforcement and forensics cared. Then in 2012 the founder of an anti-virus company was located by Vice on the run in Guatemala from a single iPhone-tagged photo, and "strip your EXIF" entered the mainstream privacy playbook. This post walks through what EXIF actually contains, what social platforms preserve vs strip, the practical de-anonymization cases, and the difference between removing EXIF and blanking it (the latter is still detectable).
What EXIF Actually Is
EXIF (Exchangeable Image File Format) is a metadata standard published by JEITA in 1998. It sits inside JPEG, TIFF, HEIF, and increasingly inside PNG via a separate eXIf chunk. Every modern camera and phone writes EXIF by default; nothing in the spec mandates that anything be written, but in practice manufacturers fill it aggressively.
The canonical fields fall into three buckets:
Camera / capture parameters
- Make, Model — e.g., "Apple", "iPhone 15 Pro Max"
- LensModel — for cameras with detachable lenses
- FNumber, ExposureTime, ISOSpeedRatings, FocalLength
- Flash, WhiteBalance, MeteringMode
- Orientation — the EXIF flag that tells viewers to rotate
Date / time
- DateTimeOriginal — when the photo was taken
- OffsetTimeOriginal (newer phones) — the timezone offset, which combined with the time gives you the photographer's local time and timezone
- SubSecTimeOriginal — fractional seconds
Location and device identity — the privacy-sensitive set
- GPSLatitude, GPSLongitude, GPSAltitude — coordinates, typically to 5-10m accuracy on phones
- GPSDateStamp, GPSTimeStamp — UTC timestamp from the GPS receiver
- GPSHPositioningError — the phone's own estimate of GPS uncertainty
- BodySerialNumber (DSLRs, mirrorless) — the camera's serial number, unique per body
- LensSerialNumber — same for the lens
Beyond standard EXIF, JPEGs often carry additional metadata containers:
- IPTC — captions, copyright, keywords (added by news photographers and agencies)
- XMP — Adobe's extensible metadata, used by Lightroom/Photoshop edit history
- Maker Notes — manufacturer-specific binary blobs that often contain everything from the AF point used to the camera's internal temperature
- MPF — Multi-Picture Format, the container for the burst of frames that an iPhone Live Photo or Apple's "Smart HDR" actually stores
The EXIF Viewer parses all of these and shows them in a flat list. The point of viewing them first — before stripping — is realizing how much is there.
The De-anonymization Cases That Made This Mainstream
John McAfee, 2012 — The Vice reporters traveling with John McAfee while he was on the run in Guatemala posted a photo to their blog with the title "We Are With John McAfee Right Now, Suckers." The iPhone EXIF contained GPS coordinates that put him at a specific hotel in Río Dulce. Guatemalan authorities had him in custody within 48 hours. Vice published a follow-up apologizing for "the most embarrassing journalistic mistake of our careers."
Higinio O. Ochoa III, 2012 — A LulzSec-affiliated hacker known as w0rmer posted a photo to his Twitter showing a woman holding a sign mocking the FBI. The photo's EXIF placed it at an address in Wantirna, a suburb of Melbourne. The FBI matched the location to the social profile of a woman who was Ochoa's girlfriend. He was arrested in Texas; she was the link.
Catfishing detection — Less dramatic but more common: people who say they live in city A but whose phone photos consistently EXIF-tag to city B. Reverse image search + EXIF GPS is now the standard sanity check on dating apps for users who suspect they're being lied to.
Drone strike intelligence (ISIS, 2015) — The US Air Force publicly stated that a tweeted photo of an ISIS command center, with GPS-tagged metadata, was used to plan an air strike within 22 hours. The photo was posted by an ISIS fighter showing the building exterior; the EXIF gave away the structure's exact coordinates.
The pattern is consistent: people post photos thinking the image content is what they're sharing. The metadata is invisible in any normal viewer (Preview.app, Photos, Instagram, Twitter) and the leak comes from the metadata, not the pixels.
What Social Platforms Do
Not all platforms preserve EXIF. The behavior varies and changes over time. Current state (as of early 2026):
| Platform | EXIF on upload | Notes |
|---|---|---|
| | Stripped | All EXIF removed including GPS. Has been the policy since ~2013. |
| | Stripped (mostly) | Removes GPS and most camera metadata. Has occasionally been caught preserving partial fields in older legacy paths. |
| Twitter / X | Stripped | EXIF including GPS removed on upload. (Was not stripped before 2012; the change came after several news stories.) |
| Reddit (i.redd.it) | Stripped | Reddit re-encodes images and drops EXIF. |
| Discord | Mostly preserved | The image attachment CDN serves the original file with EXIF intact. Has resulted in real de-anonymization cases. |
| Slack | Preserved | Files are served as-uploaded, including all EXIF. |
| Google Photos | Preserved | EXIF is what powers the location search; it's intentional. Sharing a photo via Google Photos preserves EXIF unless you toggle the "Hide photo location" setting. |
| Imgur | Stripped | Re-encodes on upload. |
| iCloud Photo Library / iMessage | Preserved | iMessage attachments and shared albums preserve EXIF; this is how AirDrop'd images keep their geotag. |
| Personal websites / S3 buckets | As-uploaded | Whatever your upload pipeline does. Most do nothing. |
| Email attachments | Preserved | SMTP doesn't touch payloads. |
The "stripped" platforms aren't 100% reliable. There have been multiple cases where Facebook preserved a single field accidentally, or Twitter changed its CDN behavior on a specific image type for a period of weeks. The safe assumption is: strip locally before upload if you care.
Strip vs Blank — They're Not the Same
Two operations look identical to a human but are detectably different to a forensic analyst:
Stripping — remove the EXIF segment from the file entirely. The JPEG no longer contains an APP1 marker. A photo straight from a camera has 30+ EXIF fields; this photo has zero. That asymmetry itself is a signal: "this photo was edited to remove EXIF, but I don't know what was there."
Blanking — keep the EXIF segment but replace sensitive fields with empty values (GPS = 0,0; serial number = ""; software = "Camera"). The structure looks photo-fresh but the content is sanitized.
For most privacy use cases — Instagram post, dating profile, professional headshot — both achieve the same goal. The difference matters when you're trying to blend in rather than opt out:
- Stripped photo on a random forum: looks like the user took the photo with a tool that strips EXIF (could be conspicuous).
- Blanked photo with realistic-but-non-identifying values (random consumer camera model, plausible aperture, no GPS): looks like the user took the photo with a basic camera that doesn't write GPS (much less conspicuous).
Forensic analysts can also detect editing via JPEG quantization tables: a photo that was edited and re-exported has different quantization characteristics than a camera-original. If you strip EXIF without re-encoding the image data, the quantization tables still match the camera's native pattern, which is consistent with "untouched". If you re-encode (e.g., open in Photoshop, Save As JPEG), you get Adobe quantization tables and analysts can tell.
The EXIF Viewer strips by removing the metadata segment without touching image pixels, which preserves the quantization tables. This is the right behavior for the privacy-strip use case.
The Hidden Thumbnails Problem
EXIF includes a ThumbnailImage field — a small JPEG embedded inside the EXIF block, typically 160x120 pixels, that cameras include for fast preview. The notorious 2003 case: a user "redacted" parts of a sensitive photo by drawing black boxes in Photoshop, exported as JPEG, and posted. The redactions worked on the main image. But the embedded thumbnail was the original pre-redaction version of the photo, because nobody had thought to regenerate it. Investigators pulled the thumbnail straight out of EXIF and recovered the unredacted image.
This bug bit enough times — including a 2008 case where a redacted-photo evidence submission had recoverable thumbnails — that modern image editors generally regenerate the thumbnail on export. But the EXIF spec doesn't require it, and many tools (including some command-line image manipulators) still preserve the old thumbnail unless told otherwise. If you've redacted parts of a photo and the thumbnail is still in EXIF, you've leaked your redaction.
Stripping EXIF removes the thumbnail along with everything else. Blanking does not unless you specifically zero out ThumbnailImage and ThumbnailLength. The viewer shows the thumbnail when it exists so you can confirm it matches the visible image.
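The thumbnail check described above, as an added Python example (not the EXIF Viewer's code): it follows the TIFF directory chain inside an Exif block to IFD1, pulls out the embedded preview, and shows what a blanking pass has to zero for the preview to actually be gone. The input is assumed to be the APP1 payload after its `Exif\0\0` prefix; all function names and the sample block are constructed for this example, and the two tags are the ones the Exif spec calls JPEGInterchangeFormat and JPEGInterchangeFormatLength.

```python
import struct

THUMB_OFFSET, THUMB_LENGTH = 0x0201, 0x0202  # JPEGInterchangeFormat(+Length), both LONG

def read_ifd(tiff, offset, bo):
    """Return ({tag: (value, position of its value field)}, offset of the next IFD)."""
    (count,) = struct.unpack_from(bo + "H", tiff, offset)
    tags = {}
    for pos in range(offset + 2, offset + 2 + 12 * count, 12):
        tag, _type, _n, value = struct.unpack_from(bo + "HHII", tiff, pos)
        tags[tag] = (value, pos + 8)
    return tags, struct.unpack_from(bo + "I", tiff, offset + 2 + 12 * count)[0]

def thumbnail_span(tiff):
    """Return (byte order, offset, length, length-field position) or None if absent."""
    bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if bo is None or struct.unpack_from(bo + "H", tiff, 2)[0] != 42:
        raise ValueError("not a TIFF header")
    _, ifd1 = read_ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
    tags = read_ifd(tiff, ifd1, bo)[0] if ifd1 else {}
    off, _ = tags.get(THUMB_OFFSET, (0, 0))
    length, len_pos = tags.get(THUMB_LENGTH, (0, 0))
    if not off or not length or off + length > len(tiff):
        return None
    return bo, off, length, len_pos

def embedded_thumbnail(tiff):
    span = thumbnail_span(tiff)
    return tiff[span[1]:span[1] + span[2]] if span else None

def blank_thumbnail(tiff):
    """Zero the thumbnail bytes and its length tag; the rest of the block is untouched."""
    span = thumbnail_span(tiff)
    if span is None:
        return tiff
    bo, off, length, len_pos = span
    out = bytearray(tiff)
    out[off:off + length] = bytes(length)
    struct.pack_into(bo + "I", out, len_pos, 0)
    return bytes(out)

def build_sample(thumb):
    """Constructed little-endian Exif TIFF block: IFD0 (Orientation), IFD1 (thumbnail)."""
    ifd0 = struct.pack("<HHHII", 1, 0x0112, 3, 1, 1)
    ifd1_off = 8 + len(ifd0) + 4
    ifd1 = struct.pack("<HHHIIHHII", 2, THUMB_OFFSET, 4, 1, ifd1_off + 30,
                       THUMB_LENGTH, 4, 1, len(thumb))
    return (b"II*\x00" + struct.pack("<I", 8) + ifd0 + struct.pack("<I", ifd1_off)
            + ifd1 + struct.pack("<I", 0) + thumb)
```

If `embedded_thumbnail` returns bytes for a file you have redacted, save them and open them next to the visible image before publishing.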
What HEIC Adds (and What That Means for iPhone Photos)
iPhones since 2017 store photos as HEIC by default. HEIC carries EXIF the same way JPEG does, but adds two more things:
- HDR gain map — a second image plane describing how the HDR-mapped highlights differ from the standard-dynamic-range base. This isn't a privacy concern in itself but the gain map's encoding parameters can sometimes leak the iPhone model.
- Multiple coded frames — Live Photos store a 3-second video around the still. The video has its own EXIF with its own timestamps. If you strip the still's EXIF but the file still contains the Live Photo video segment, the video's metadata is still there.
iOS's "Share" sheet has an option called Privacy → Location that strips the GPS field specifically before sharing. It does not strip the other EXIF fields (camera model, date, settings). The "Options" menu in Share also includes "Format: Most Compatible" which re-encodes HEIC to JPEG and strips the Live Photo video — that's the right toggle for "share this photo flatly with no metadata or video."
Privacy by Default — What You Should Actually Do
For most users:
- Turn off "Save Location" / "Geotag photos" in your phone's camera settings if you don't need it. Apple, Google, and Samsung all expose this toggle. Photos taken with location off don't get a GPS field at all.
- Before sharing a photo on any platform you don't explicitly trust to strip (Discord, Slack, email, personal site, AirDrop), strip EXIF first. The EXIF Viewer does this entirely in the browser; the file never leaves your device.
- If you're a journalist or activist, never trust a platform's stripping unless you've verified it on the specific file type and specific upload path. Strip locally, then upload.
- For redaction (drawing boxes over faces/license plates), use a tool that regenerates the thumbnail. ImageOptim, ExifTool with -thumbnailimage=, and most modern editors do; some quick tools (Preview.app's markup) don't.
For OS-level defaults that surprise people:
- macOS's Preview shows GPS coordinates under Tools → Show Inspector → ⓘ → GPS tab. Open any photo, check. If GPS is there, the file has it.
- macOS Finder's "Get Info" doesn't show GPS by default but exposes "Add Tags" — those tags are stored in extended attributes, not in EXIF, and don't travel with the file when shared via non-Apple paths.
- iOS Photos shows location at the bottom of each photo's info panel. Tap the map to see the exact coordinates. This is from EXIF.
The Honest Limitations
The EXIF Viewer reads JPEG, PNG (with eXIf chunks), TIFF, HEIC, and WebP metadata; it strips EXIF, IPTC, XMP, and embedded thumbnails. It does not modify the pixel data, so quantization analysis would still reveal "this is a camera-original JPEG with EXIF removed" rather than "this is a completely different camera." It also does not modify the file's Last Modified filesystem timestamp — that's the OS, not the file. If you need to scrub filesystem timestamps as well, do that with touch or your OS's equivalent after stripping.
Some manufacturers store identifying information in the proprietary Maker Notes binary blob (Canon, Nikon, Sony all do this). Stripping EXIF removes the entire APP1 segment including Maker Notes. Blanking only known fields would leave Maker Notes intact — which can include things like the camera's actuation count, internal serial numbers, and AF performance counters. The viewer's "Strip All" option removes the whole segment; "Strip GPS Only" leaves everything else, including Maker Notes.
ICC color profiles and Adobe's XMP edit history are stored in separate APP segments (APP2 and APP1-XMP respectively), not the EXIF APP1. Stripping EXIF doesn't remove them. The viewer flags their presence so you know if you've stripped everything you intended to.
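As an added illustration (not the EXIF Viewer's own code), the Python sketch below walks a JPEG's marker segments, reports which metadata containers are present, and removes them without touching the quantization tables or scan data. It covers both the strip-without-re-encoding behavior and the separate XMP and ICC segments described above. The function names and the `SAMPLE` byte string are constructed for this example, and it assumes every header segment before SOS carries a length field.

```python
import struct

SIGS = {  # (marker, payload prefix) -> container, as named in the article
    (0xE1, b"Exif\x00\x00"): "EXIF",
    (0xE1, b"http://ns.adobe.com/xap/1.0/\x00"): "XMP",
    (0xE2, b"ICC_PROFILE\x00"): "ICC",
    (0xE2, b"MPF\x00"): "MPF",
    (0xED, b"Photoshop 3.0\x00"): "IPTC",
}

def classify(marker, payload):
    return next((label for (m, pre), label in SIGS.items()
                 if marker == m and payload.startswith(pre)), None)

def segments(jpeg):
    """Yield (marker, payload, raw) per header segment, then SOS plus all scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # start of scan: the rest is compressed pixel data
            yield marker, b"", jpeg[pos:]
            return
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if end < pos + 4 or end > len(jpeg):
            raise ValueError("bad segment length")
        yield marker, jpeg[pos + 4:end], jpeg[pos:end]
        pos = end
    raise ValueError("malformed header or no SOS marker")

def inventory(jpeg):
    return [c for m, p, _ in segments(jpeg) if (c := classify(m, p))]

def strip(jpeg, drop=tuple(SIGS.values())):  # drop whole segments, copy the rest
    kept = [raw for m, p, raw in segments(jpeg) if classify(m, p) not in drop]
    return b"\xff\xd8" + b"".join(kept)

def pixel_bytes(jpeg):  # DQT tables + scan data: what a strip must leave untouched
    return [raw for m, _, raw in segments(jpeg) if m in (0xDB, 0xDA)]

def seg(marker, payload):  # builds the constructed sample below
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed marker stream (not a decodable photo): EXIF, XMP, ICC, DQT, scan.
SAMPLE = (b"\xff\xd8" + seg(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00\x00\x00")
          + seg(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
          + seg(0xE2, b"ICC_PROFILE\x00\x01\x01") + seg(0xDB, bytes(65))
          + b"\xff\xda\x00\x02\x12\x34\xff\xd9")
```

Calling `strip(SAMPLE, drop=("EXIF",))` leaves the XMP and ICC segments in the file, and anything after the first SOS marker (including data appended after EOI) is copied through unchanged.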
Related Tools
- EXIF Viewer — view, search, and strip EXIF/IPTC/XMP/thumbnails
- Image Compressor — re-encode + strip in one pass
- Image Resizer — also re-encodes, which incidentally strips most metadata
- Watermark Remover — for visible identifiers in the image plane
- Hash Generator — verify two files are bit-identical after a strip operation
- HEIC to JPG Converter — re-encode iPhone photos to the more universally-stripped JPEG format
TL;DR
EXIF carries 30-80 fields most users never see, including GPS coordinates accurate to 5-10 meters, camera serial numbers, exact local timestamps with timezone offsets, and an embedded thumbnail that can survive image redaction. McAfee, Ochoa, and several drone-strike targets were located via this metadata. Instagram/Facebook/Twitter/Reddit/Imgur strip on upload; Discord, Slack, Google Photos, iMessage, and email do not. Strip (remove the metadata segment) is more thorough than blank (zero out fields) but more conspicuous. Embedded EXIF thumbnails are the most common privacy footgun — they can preserve pre-redaction image data unless the editor regenerates them. iPhone HEIC adds Live Photo video segments with their own metadata. Use the EXIF Viewer to see what's actually in your photos and strip what you don't want shared, all in-browser.