
EXIF Metadata: What's In Your Photos, Why It Matters, and How to Strip It

Every photo from a camera or phone carries hidden data about where, when, and how it was taken. Here's what's actually there and how to remove it safely.

By Liam Harris, Editor-in-chief

Every time you take a photo with a modern camera or phone, the file is saved with a small bundle of information about the shot: the camera model, the lens and aperture, the exact GPS coordinates, the time and timezone, and a dozen other fields. This is EXIF metadata. It’s genuinely useful for photographers, quietly risky for anyone else, and worth understanding regardless of which camp you’re in.

I spent years arguing with a dev team about whether we should strip EXIF from uploaded profile photos. We should have. Every team I’ve worked with since has started out thinking they’ll review metadata “when they have time,” and none of them have. The default should be: strip it, unless you have a specific reason to keep it.

What’s actually inside an EXIF block

EXIF (Exchangeable Image File Format) is a standard that defines a set of metadata fields embedded in JPEG and TIFF files. Most modern cameras, phones, and editing tools support it, and most of them add more than they need to.

A typical iPhone photo carries:

  • Camera make and model: “Apple” and “iPhone 15 Pro Max”.
  • Lens info: focal length, aperture.
  • Exposure settings: shutter speed, ISO, exposure compensation.
  • Date and time: down to the second, including timezone.
  • GPS coordinates: latitude, longitude, and altitude, accurate to roughly 5–10 meters.
  • Orientation: which way is up.
  • Color profile: the color space the image was captured in.
  • A thumbnail preview: a small embedded copy of the image.
  • Software used: iOS version, or any editor that saved the file.

Full-frame DSLRs tend to include even more, like the serial number of the camera body. Smartphones from Samsung, Google, and Xiaomi all add their own fields too, often including device serial numbers or hardware IDs.

You can see all of this yourself. On macOS, open a photo in Preview and choose Tools → Show Inspector → (i). On Windows, right-click the file → Properties → Details. On Linux, exiftool photo.jpg dumps everything.

Why the GPS field matters (more than anything else)

The single most important field for privacy is GPS. A photo taken at your home carries the coordinates of your home. A photo taken at your kid’s school carries the coordinates of their school. If you share that photo on social media without stripping metadata, anyone with basic tools can pull the coordinates out and paste them into Google Maps.

Most mainstream social platforms — Facebook, Instagram, Twitter/X, TikTok — strip EXIF on upload. So do most image hosts (Imgur, Flickr by default). But several common channels don’t:

  • Emailing a photo directly: EXIF intact.
  • Attaching in Slack, Teams, or Discord as a file rather than an image paste: EXIF often intact.
  • Uploading to your own blog or website: EXIF intact unless your CMS strips it (WordPress does, Ghost does, static sites usually don’t).
  • Sharing via cloud storage links (Google Drive, Dropbox): EXIF intact.
  • Sending through WhatsApp: EXIF stripped.
  • Sending through Signal or Telegram: Signal strips, Telegram depends on how you send it.

If you ever share photos outside the mainstream social apps, you should assume EXIF rides along unless you’ve explicitly stripped it.

The three cases where EXIF actively helps

Before I argue for stripping, let me note three legitimate reasons to keep metadata:

  1. You’re a photographer sharing work with other photographers. Stored camera settings are the technical equivalent of a shared recipe.
  2. You’re submitting to a stock-photo platform, competition, or news outlet that requires metadata for verification or licensing.
  3. You’re archiving personal memories and want the date and location preserved for future reference.

In each case, you want EXIF in the master file. What you publish to the web is a different question. The master and the publish copy can and should be different.

How to strip EXIF: the practical options

Browser-based (no software to install)

Our PNG compressor, JPG compressor, and PNG-to-WebP converter all strip non-essential metadata by default as part of the re-encoding process. The output images won’t carry GPS, camera model, timestamps, or anything else you didn’t put in them.

This is the easiest path for occasional use. Drop in a photo, re-save, done.

macOS

  • Preview (built in): Tools → Show Inspector → (i) tab → Remove Location Info button. Works for one photo at a time.
  • Image Capture (also built in): has a “Don’t download location” option.
  • ImageOptim (free third-party app): drag-and-drop to strip metadata and optimize in one step.

Windows

  • File Explorer: right-click a file → Properties → Details → Remove Properties and Personal Information → Create a copy with all possible properties removed.
  • ExifTool (command-line, free): exiftool -all= photo.jpg strips everything.

Linux

  • ExifTool: exiftool -all= photo.jpg is the canonical approach.

Batch / automated

For publishing pipelines, the right answer is to strip at build time. sharp in Node, mogrify -strip via ImageMagick, and cwebp’s -metadata none flag all handle this cleanly. If you run a photography or e-commerce site, stripping in your image pipeline is a one-time fix with a permanent privacy benefit.

What does “strip” actually remove?

Different tools strip different things. The most aggressive tools (exiftool -all=) remove every metadata chunk, including color profiles. That’s sometimes too much — if the image has a non-sRGB color profile and you strip it, the colors may shift when rendered.

Sensible defaults:

  • Always strip: GPS coordinates, camera model, lens info, software fingerprint, timestamps, thumbnail previews.
  • Sometimes strip: color profile (keep if the image isn’t sRGB).
  • Rarely strip: orientation flag (you probably want the image to display right-side up).

Good online compressors — including ours — make these sensible choices automatically. You don’t need to manually decide what stays.

A quick privacy audit you can do right now

  1. Pick a handful of photos you’ve shared online recently: blog posts, forum profile images, email signatures, Slack avatars.
  2. Download each one again from the place you posted it.
  3. Check EXIF with the methods above.
  4. If you see GPS coordinates or device serial numbers in images you shared on a personal site or via email, you’ve been leaking location data without knowing it.

This is a surprisingly common discovery. A few years back there was a news story about a fitness app that had been publishing heat maps of user runs. The heat maps revealed the exact layout of then-secret military installations, because off-duty personnel had been running laps around the perimeter. Nothing that dramatic will happen to most of us, but the underlying issue — the assumption that “metadata is invisible” — is the same.
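The audit above and the “sensible defaults” from the previous section can both be checked in code. This is an added example, not code from this site's tools: standard-library Python that walks a JPEG's segments, decodes the GPS directory inside the EXIF block, and strips the metadata segments while keeping the ICC color profile. The sample file, its coordinates, and all function names are constructed for the illustration.

```python
import struct

def segments(jpeg):
    """Yield (marker, payload, raw) for each JPEG segment; assumes a well-formed file."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        end = len(jpeg) if marker == 0xFFDA else pos + 2 + length  # after SOS: pixels
        yield marker, jpeg[pos + 4:end], jpeg[pos:end]
        pos = end

def strip_metadata(jpeg, drop=(0xFFE1, 0xFFED, 0xFFFE)):
    """Drop APP1 (EXIF/XMP), APP13 (IPTC), COM; keep APP2, where ICC profiles live."""
    return b"\xff\xd8" + b"".join(raw for m, _, raw in segments(jpeg) if m not in drop)

def read_ifd(tiff, e, off):
    """Map tag -> raw 4-byte value/offset field for one TIFF directory."""
    n = struct.unpack_from(e + "H", tiff, off)[0]
    return {struct.unpack_from(e + "H", tiff, p)[0]: tiff[p + 8:p + 12]
            for p in range(off + 2, off + 2 + 12 * n, 12)}

def gps_coordinates(jpeg):
    """Return (lat, lon) in decimal degrees from the EXIF GPS directory, else None."""
    for marker, payload, _ in segments(jpeg):
        if marker == 0xFFE1 and payload.startswith(b"Exif\0\0"):
            tiff = payload[6:]
            e = "<" if tiff[:2] == b"II" else ">"  # TIFF byte-order mark
            u32 = lambda b, o=0: struct.unpack_from(e + "I", b, o)[0]
            ifd0 = read_ifd(tiff, e, u32(tiff, 4))
            gps = read_ifd(tiff, e, u32(ifd0[0x8825])) if 0x8825 in ifd0 else {}
            def degrees(tag, ref, negative):  # three rationals: degrees, minutes, seconds
                d = struct.unpack_from(e + "6I", tiff, u32(gps[tag]))
                value = d[0] / d[1] + d[2] / d[3] / 60 + d[4] / d[5] / 3600
                return -value if gps[ref][:1] == negative else value
            if {1, 2, 3, 4} <= set(gps):  # lat ref, lat, lon ref, lon all present
                return degrees(2, 1, b"S"), degrees(4, 3, b"W")
    return None

def sample_jpeg():  # constructed input: EXIF GPS 40.5 N, 74.25 W plus a fake ICC segment
    ent = lambda tag, typ, n, val: struct.pack("<HHII", tag, typ, n, val)
    tiff = (b"II*\0\x08\0\0\0" + b"\x01\0" + ent(0x8825, 4, 1, 26) + b"\0\0\0\0"
            + b"\x04\0" + ent(1, 2, 2, ord("N")) + ent(2, 5, 3, 80)
            + ent(3, 2, 2, ord("W")) + ent(4, 5, 3, 104) + b"\0\0\0\0"
            + struct.pack("<12I", 40, 1, 30, 1, 0, 1, 74, 1, 15, 1, 0, 1))
    seg = lambda m, p: struct.pack(">HH", m, len(p) + 2) + p
    return (b"\xff\xd8" + seg(0xFFE1, b"Exif\0\0" + tiff)
            + seg(0xFFE2, b"ICC_PROFILE\0fake") + seg(0xFFDA, b"") + b"\x00\xff\xd9")
```

Dropping the whole APP1 segment also discards the orientation flag, so a pipeline built this way should rotate the pixels first (ImageMagick's -auto-orient does this) and then strip.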

Common misconceptions

  • “Cropping removes metadata.” It doesn’t. Most editors preserve EXIF through crop operations unless you explicitly export without metadata.
  • “Converting to PNG removes metadata.” PNG has its own metadata container. Converting JPEG to PNG can carry much of the original EXIF across.
  • “Social media strips metadata, so I’m fine.” Most major platforms do, but re-uploads, original files shared outside the platform, and direct DMs often don’t.
  • “Screenshots don’t have location data.” True, but they do have the OS version, the screenshot tool, and sometimes the window dimensions. Usually not a privacy concern, but not zero either.
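To see the PNG metadata container for yourself, the following added example (not code from this site's tools) walks a PNG's chunks, reports the ones that carry EXIF, text fields, or timestamps, and rebuilds the file without them while leaving pixel and color chunks alone. The sample PNG, the editor name inside it, and all function names are constructed for the illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Ancillary chunks that can carry personal data: EXIF, text fields, modification time.
METADATA = {b"eXIf", b"tEXt", b"zTXt", b"iTXt", b"tIME"}

def chunks(png):
    """Yield (type, data) for every chunk, rejecting files with a bad CRC."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos < len(png):
        length, ctype = struct.unpack_from(">I4s", png, pos)
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", png, pos + 8 + length)
        if zlib.crc32(ctype + data) != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length

def make_chunk(ctype, data):
    """Serialize one chunk: length, type, data, CRC over type + data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def metadata_report(png):
    """List (chunk type, byte length) for each metadata chunk found."""
    return [(t.decode(), len(d)) for t, d in chunks(png) if t in METADATA]

def strip_png(png):
    """Rebuild the file without metadata chunks; pixel and color chunks are kept as-is."""
    return PNG_SIG + b"".join(make_chunk(t, d) for t, d in chunks(png) if t not in METADATA)

def sample_png():  # constructed input: 1x1 grayscale PNG carrying eXIf and tEXt chunks
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    exif = b"II*\0\x08\0\0\0" + b"\0" * 6  # TIFF header plus an empty directory
    parts = [(b"IHDR", ihdr), (b"sRGB", b"\0"), (b"eXIf", exif),
             (b"tEXt", b"Software\0ExampleEditor 1.0"),  # hypothetical editor name
             (b"IDAT", zlib.compress(b"\0\0")), (b"IEND", b"")]
    return PNG_SIG + b"".join(make_chunk(t, d) for t, d in parts)
```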

The bottom line

EXIF metadata is useful when you want it and dangerous when you forget it exists. The pragmatic rule:

  • Keep full metadata in your masters.
  • Strip aggressively on anything you publish.
  • Build stripping into your workflow so you don’t rely on remembering.

Our image tools all strip non-essential metadata automatically when they re-encode. For ad hoc stripping without installing anything, drop your images into our JPG compressor or PNG compressor, save the result, and publish that.

