Most people assume the privacy risk in a photo is what you can see. The face in the frame. The location in the background. The document on the desk.
They’re partially right. But embedded invisibly in almost every photo you’ve taken in the last decade is a layer of data most people never think about — and it tells a far more complete story about your life than the image itself.
That hidden data is called EXIF metadata. Understanding it is the first step toward understanding why “I have nothing to hide” is not a privacy strategy.
What EXIF Metadata Is
EXIF stands for Exchangeable Image File Format. It’s a standard that encodes technical information about a photograph directly into the image file itself.
When your phone’s camera app takes a photo, it writes a block of structured data alongside the image. That data typically includes:
- GPS coordinates — the exact latitude, longitude, and often altitude where the photo was taken, accurate to within a few meters
- Timestamp — the precise date and time the shutter was pressed, down to the second
- Device identity — the make and model of your phone or camera, and often unique hardware identifiers
- Software version — the operating system version and camera app in use at capture time
- Camera settings — aperture, shutter speed, ISO, focal length, flash status
- Editing history — whether the image was modified, and in some cases which app was used
Individually, none of these data points seems alarming. Collectively, they form something quite different: a precise, timestamped, geolocated record of your movements, habits, and devices — generated automatically, on every single photo you take.
The Location Problem
GPS coordinates are the most sensitive piece of EXIF data by a considerable margin.
When location services are enabled on your phone’s camera — which is the default on most devices — every photo is tagged with where you were when you took it. That single piece of data, replicated across thousands of photos over years, builds something close to a complete picture of your daily life.
Consider what your photo library actually encodes:
- Every morning routine, captured in kitchen and bathroom photos
- Every workplace you’ve visited, from office photos and conference selfies
- Every medical appointment, from waiting room photos taken out of boredom
- Every family visit, friend gathering, and private event
- Your home address, with sub-10-meter precision, from literally the first photo you took indoors after buying the phone
This isn’t theoretical. In 2010, a stalker located a celebrity’s home address using GPS coordinates embedded in publicly shared photos. The technique required no hacking, no social engineering, and no special software — just a free EXIF reader applied to images the celebrity had shared on social media.
That story is old. The exposure has only grown since.
What Social Media Platforms Do With EXIF Data
The common assumption is that uploading a photo to Instagram or Twitter strips the EXIF data, which is partially true — and significantly incomplete.
Most platforms remove GPS coordinates from the publicly downloadable version of your photo. This is sometimes presented as a privacy protection. It’s better understood as liability reduction.
What platforms actually do with your EXIF data varies, but typically includes:
Retaining it on their servers. Stripping GPS from the public-facing download does not mean the platform hasn’t already read and stored that data. Instagram, for example, retains the original file with full EXIF intact — what gets scrubbed is the download other users can access, not what Meta holds internally.
Using it to build location profiles. Google Photos explicitly keeps all EXIF data and uses it to power features like location-based album generation, map views, and memory cards. This is disclosed, though buried. The consequence is that Google has a timestamped GPS log of your physical movements, derived entirely from your photo library.
Factoring it into advertising targeting. If a platform knows — from your photos’ metadata — that you’ve visited a particular hospital, gym, or place of worship dozens of times, that information is highly valuable to advertisers. The connection between your EXIF data and your ad experience is rarely made explicit.
Feeding it into AI training pipelines. As more platforms train AI models on user content, EXIF metadata travels with image files as a high-quality training signal. Location, time of day, and device model all help systems learn correlations across massive datasets.
The Aggregation Problem
One GPS coordinate is a data point. Ten thousand of them are a surveillance record.
This is the aggregation problem in its clearest form: individually innocuous pieces of metadata combine to reveal things you never intended to disclose. A photo library covering three years of a person’s life, with GPS intact, is functionally equivalent to continuous location tracking. It reveals:
- Where you live and work, with high certainty
- Your travel frequency and destinations
- Your social patterns — who you photograph, where, how often
- Your health-related movements — recurring visits to specific medical facilities
- Your religious practice, political activity, and other protected categories of behaviour
None of this requires any content analysis. It’s all in the metadata. And it persists indefinitely, in a form that’s invisible to anyone casually flipping through your album.
How to Check and Remove EXIF Data
You don’t need special software to see what your photos contain. On most desktop operating systems, right-clicking a photo and viewing its properties will show at least some EXIF fields. Free tools like ExifTool (command-line) and ExifPurge (GUI) let you view and strip EXIF data in bulk.
On mobile:
- iOS: The Photos app shows EXIF data in the photo’s “Info” panel. You can remove location data from an individual photo from the same panel. Third-party apps offer bulk removal.
- Android: Google Photos shows location data in the photo’s detail view. The cleanest solution is to disable GPS tagging in your camera app settings at capture time rather than removing it after the fact.
Before sharing any photo publicly — on social media, in a news article, as evidence in a dispute, or in any context where you don’t fully control the audience — stripping EXIF data should be a default step.
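To make concrete what viewing and stripping EXIF means at the file level, here is an added example (not from the original article and not code from any tool it names) that walks a JPEG's header segments, reports whether an Exif block with a GPS pointer is present, and returns a copy with the Exif segment dropped. The function names and the sample bytes are constructed for illustration.

```python
import struct

EXIF_HDR = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry pointing at the GPS sub-directory

def segments(jpeg):
    """Yield (marker, start, end) for each header segment up to start-of-scan."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos, marker = 2, None
    while marker != 0xDA and pos + 4 <= len(jpeg):  # after SOS comes scan data
        marker = jpeg[pos + 1]
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if jpeg[pos] != 0xFF or length < 2 or end > len(jpeg):
            raise ValueError(f"malformed segment at offset {pos}")
        yield marker, pos, end
        pos = end

def has_gps(exif_payload):
    """True if IFD0 of the TIFF block in an Exif payload has a GPSInfo pointer."""
    tiff = exif_payload[len(EXIF_HDR):]
    if len(tiff) < 10 or tiff[:2] not in (b"II", b"MM"):
        return False
    bo = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order
    (ifd0,) = struct.unpack(bo + "I", tiff[4:8])
    count = struct.unpack(bo + "H", tiff[ifd0:ifd0 + 2])[0] if ifd0 + 2 <= len(tiff) else 0
    # Each IFD entry is 12 bytes; the first 2 bytes are the tag number.
    return any(struct.unpack(bo + "H", tiff[o:o + 2])[0] == GPS_IFD_TAG
               for o in range(ifd0 + 2, ifd0 + 2 + 12 * count, 12) if o + 12 <= len(tiff))

def audit_and_strip(jpeg):
    """Return (exif_found, gps_found, cleaned) with Exif APP1 segments dropped."""
    out, exif, gps, last = bytearray(jpeg[:2]), False, False, 2
    for marker, start, end in segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker == 0xE1 and payload.startswith(EXIF_HDR):
            exif, gps = True, gps or has_gps(payload)
        else:
            out += jpeg[start:end]
        last = end
    return exif, gps, bytes(out + jpeg[last:])

def make_seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample (not a viewable image): JFIF APP0, Exif APP1 with a GPS pointer, SOS.
SAMPLE_TIFF = b"MM\x00\x2a" + struct.pack(">IHHHIII", 8, 1, GPS_IFD_TAG, 4, 1, 26, 0)
SAMPLE = (b"\xff\xd8" + make_seg(0xE0, b"JFIF\x00") + make_seg(0xE1, EXIF_HDR + SAMPLE_TIFF)
          + make_seg(0xDA, b"\x00") + b"\x12\x34\xff\xd9")
```

This removes only the Exif APP1 segment; location can also be recorded in XMP (a separate APP1 segment) or IPTC (APP13), which a full tool such as ExifTool handles.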
The More Fundamental Question: Where Do Your Photos Live?
Removing EXIF data before sharing is a tactic. The more important question is structural: where does your unmodified photo library sit, and what happens to the metadata while it’s there?
If your photos sync automatically to Google Photos, Apple iCloud, or a Meta-connected service, the full EXIF data — including GPS coordinates for every photo — is being read, stored, and processed by that platform. What they do with it is governed by terms of service that most users have never read and that change without prominent notice.
This is distinct from what a storage provider does with the content of your photos. Metadata is cheaper to process, easier to aggregate, and often more revealing than the images themselves. A provider that claims “we don’t look at your photos” may still be running comprehensive analysis on your EXIF metadata — and disclosing this in a footnote that doesn’t count as a headline claim.
How daftei Handles Metadata
When you store photos in daftei, EXIF metadata travels with your files — as it should. Your GPS data, timestamps, and device information are part of your record. They help you find photos by location, reconstruct timelines, and search your archive.
The difference is who that data works for.
daftei does not analyse your metadata to build advertising profiles. We don’t sell location data derived from your EXIF records to third parties. We don’t use your movement patterns as input for AI training pipelines that serve anyone other than you.
Your photo metadata is stored encrypted at rest using AES-256 and transmitted using TLS 1.3. If you delete your account, your data — including all metadata — is permanently erased after a 30-day grace window. No exceptions.
The practical implication: the GPS record of your life that lives in your photo library remains yours. It’s there for you to search, to navigate, to revisit. It’s not there to be sold.
A Practical Checklist
If you want to take immediate steps to reduce your EXIF exposure:
- Disable GPS tagging in your camera app for any photos you intend to share publicly. This is the most effective upstream intervention.
- Strip EXIF before sharing — especially before posting to social media or sending in contexts outside your control.
- Audit where your photo library syncs. If it auto-syncs to a platform you haven’t consciously chosen, change that default.
- Read the data handling section of any photo storage service you use — specifically looking for how they handle metadata versus content.
- Choose a storage provider whose business model doesn’t depend on what it can learn from your files.
Metadata privacy isn’t a specialist concern. It’s the baseline you should expect from any service that holds your photos.