Take a photo on a phone you bought in the last decade. Drag the photo from your camera roll into any free EXIF viewer (there are hundreds of them). Look at what comes back. The list is long, and most of it is hostile to your privacy in the wrong context.
What's inside a default phone photo
- GPS coordinates — typically accurate to within a few meters. This is exactly where the photo was taken.
- GPS altitude — your elevation above sea level.
- GPS timestamp — separate from the file-system timestamp, this is the UTC time the GPS receiver reported when the shutter fired.
- Camera make and model — "Apple iPhone 15 Pro" or whatever you have.
- Software version — "iOS 17.4.1" or similar.
- Date and time taken — to the second, in your local time zone.
- Exposure settings — aperture, shutter speed, ISO. Mostly harmless but identifying when combined with other data.
- A small embedded thumbnail — usually 160×120 pixels. Useful for fast preview, but it preserves a snapshot of the original frame even if you later crop the photo.
The thumbnail problem
Phones and cameras embed a JPEG thumbnail of the photo inside the photo's own metadata. When you edit a photo — say, crop out the corner of a room — the visible image is updated, but the thumbnail often is not.
The result: someone who downloads your edited photo and looks at the embedded thumbnail can see the uncropped original. This has caught out many people who carefully cropped a sensitive detail out of a photo before sharing it.
The serial number problem
Mirrorless and DSLR cameras embed their body serial number in every photo. Some lenses embed their own serial. If you sell a photo to a stock site, post it on Flickr, or upload it to a forum, anyone can read those serials. If your camera is later stolen, the serial in your forum post can be used to identify the camera in a photo the thief later posts. If you deliberately keep separate identities online and offline, the serial is a hard link between them.
The AI-signature problem
A newer wrinkle: AI-generated images can carry C2PA Content Credentials — a cryptographically signed manifest identifying the image as AI-generated. Major social platforms increasingly read these and label AI content automatically. If you use Adobe Firefly, Photoshop's Generative Fill, DALL·E, or Midjourney to make or modify an image, the resulting file may carry this signature.
Whether you should strip C2PA signatures is a judgment call. They serve a legitimate purpose (helping platforms label AI content for users). But they also identify the source of your edit even when you don't want that.
What platforms do automatically
Some major platforms strip EXIF before publishing. Twitter/X, Instagram, and Facebook all strip GPS data from uploaded photos by default (though they may keep it server-side). LinkedIn, Reddit, and most Discord servers do not consistently strip metadata. Email attachments preserve metadata as-is. Direct file shares (Dropbox, Google Drive, AirDrop) preserve everything.
Don't rely on the platform. Strip metadata at the source, before you share.
The fix
Use our image EXIF removal tool to strip metadata from JPGs, PNGs, and WebP files entirely in your browser. Drop multiple files at once, see what's in them before stripping, pick a preset, get cleaned files back. No upload, no signup.
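What stripping at the source means at the byte level for a JPEG, as an added example that is not the code of the tool mentioned above: it walks the segments in front of the image data and keeps only an allowlist (JFIF header, ICC colour profile, Adobe colour marker), which drops the EXIF block holding GPS, serial numbers and the thumbnail, and the APP11 segments where C2PA manifests are stored. The function names and the sample bytes are constructed for this illustration.

```python
STANDALONE = {0x01, *range(0xD0, 0xDA)}      # TEM, RST0-7, SOI, EOI carry no length
KEEP_APP = {0xE0: b"JFIF\0", 0xE2: b"ICC_PROFILE\0", 0xEE: b"Adobe"}

def keep_segment(marker, payload):
    """Allowlist: keep only segments a decoder needs to render the pixels."""
    if 0xE0 <= marker <= 0xEF:               # APPn: EXIF/XMP is APP1, C2PA JUMBF is APP11
        prefix = KEEP_APP.get(marker)
        return prefix is not None and payload.startswith(prefix)
    return marker != 0xFE                    # drop COM comments, keep tables and frame header

def strip_jpeg_metadata(data):
    """Return (cleaned_bytes, removed) with removed = [(segment_name, size_in_bytes)]."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, removed, pos = bytearray(data[:2]), [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte in front of a marker
            pos += 1
        elif marker in STANDALONE:
            out += data[pos:pos + 2]
            pos += 2
        elif marker == 0xDA:                 # SOS: compressed pixels follow,
            out += data[pos:]                # so copy the rest of the file untouched
            break
        else:
            end = pos + 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
            if pos + 4 > len(data) or end > len(data):
                raise ValueError("truncated segment")
            if keep_segment(marker, data[pos + 4:end]):
                out += data[pos:end]
            else:
                removed.append(("COM" if marker == 0xFE else f"APP{marker - 0xE0}", end - pos))
            pos = end
    return bytes(out), removed

def seg(marker, payload):                    # builds one segment of the constructed sample
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload
# Constructed sample (not a real photo) with the segment layout of a camera JPEG.
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\0\x01\x01\0\0\x01\0\x01\0\0")
          + seg(0xE1, b"Exif\0\0MM\0*\0\0\0\x08" + bytes(20))   # GPS, serial, thumbnail
          + seg(0xE2, b"ICC_PROFILE\0\x01\x01demo")
          + seg(0xEB, b"JP\0\0demo-c2pa-manifest")              # APP11 JUMBF box
          + seg(0xDB, bytes(65)) + seg(0xDA, bytes(6)) + b"\x12\x34\xff\x00\x56\xff\xd9")

if __name__ == "__main__":
    print(strip_jpeg_metadata(SAMPLE)[1])    # [('APP1', 38), ('APP11', 26)]
```

Dropping APP1 also drops the EXIF Orientation tag, so a photo that relied on it may display rotated until the pixels themselves are rotated. PNG and WebP use different container formats and need their own parsers.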