How a Photo's Hidden 'Exif' Data Exposes Your Personal Information

Share a family photo and you could be revealing where you live, work, and vacation

By Thomas Germain

Updated December 6, 2019

Digital privacy

There’s a particularly arresting black-and-white image of a boy on Flickr, the photo-sharing site. The boy stands at home plate in his Little League uniform, bat poised above his shoulder. It’s early evening. The boy seems to be 8 or 9 years old. The lighting is dramatic. He is partly in shadow, but his face is outlined in sharp silhouette against the sky.

There is no caption, and few visual cues as to where or when the picture was captured. But download the file and click through some menus, and you can learn a lot.

We can see that the picture is about a year and a half old; the boy’s game took place on June 6, 2018. As the shutter clicked, the time was 7:15 p.m. Call up some GPS data, and you can learn where the boy was playing. He was on a dirt baseball diamond behind a church in a small town in Ohio—a location we won’t name.

You can learn more. For instance, the photographer shot with an iPhone X and had left the camera settings on auto.

One thing we don’t know is whether he realized how much personal information he was posting online.

Details about when, where, and how a photo was taken are captured automatically by smartphones and digital cameras, and stored as Exif (Exchangeable Image File Format) data. Information on everything from exposure settings to altitude may be included. And the Exif data travels with the photo—from the camera to your hard drive or a website.

“People should be aware that when they upload a photo there is more to it than just the pixels that they can see,” says Hany Farid, a professor of computer science at the University of California, Berkeley, and a leading researcher on digital forensics. “A lot of people don’t even know there’s this thing called Exif data that gets shoved along.”

Storing Photos Online

Exif data can be very useful. It enables photo-storage services to sort your pictures by date and location, so you can find an album of your family’s trips to Disney World or a grandparent’s home in another state. If you look back at an old picture on your hard drive, you can learn precisely where you shot it.

As with many aspects of digital privacy, security experts say, the important thing is for consumers to make informed choices about what they share.

“There are some situations where you need to be careful,” says Bobby Richter, the leader of privacy and security testing at Consumer Reports. “If you’re sharing images with people you don’t know or trust, you should be wary of whether or not you’re revealing sensitive information, like location data.”

If you email or text a photo, the Exif data will typically travel with it. That matters to individuals—from college students to anyone selling things online—who communicate with people they don’t know well on the internet.

Exif data “can be a gold mine of information” that people don’t realize they’re sharing, says Jonathan Rajewski, a digital forensics expert and vice president at cybersecurity firm Stroz Friedberg, an Aon Company.

A seller from Craigslist once emailed Rajewski photos of an item he was thinking of buying—with the Exif data still attached. “I’m like, ‘I now know where you live, but I don’t really want to know where you live,’” Rajewski says. “When I met that person, I kind of educated them, saying, ‘Hey, maybe it’s a privacy concern for you,’ so they can make better decisions moving forward.”

When you store your photos in Google Photos or Apple Photos, the Exif data is preserved. That allows you to search for photos later by date and location. Both services have a feature that lets you share photos without that information attached.

If you post photos online, the details vary by site. Flickr preserves Exif data by default, but users can change their account settings to control whether Exif data is available when others download their photos. The service also has a setting that will strip out location data automatically when photos are uploaded.

Many other sites that let you display photos to friends or the public remove the Exif data before the images are shown to others. If you upload pictures to Craigslist, Facebook, Imgur, Instagram, Twitter, or WhatsApp, the Exif data won’t be available to the people who see them.

That doesn’t mean social media companies don’t find any use for it, however. “You can almost certainly be assured they are not throwing it away, given that they’re basically big data vacuum cleaners,” Farid says.

Representatives from companies Consumer Reports spoke to—including Apple, Google, Imgur, and Facebook, which owns Instagram and WhatsApp—said that Exif data is not used to target you with advertising messages.

However, a Facebook representative said via email that Facebook does collect and process Exif data, including “information like the make and model of the device used to take the photo, the camera settings, and the date the photo was taken . . . to make your experience better and to keep people safe.”

If you don’t want to provide such data to Facebook and other companies at all, you can remove it yourself before uploading a photo.

How to Remove Exif Data Yourself

Exif data isn’t hard to find or to remove, but the steps vary a bit, depending on which device you are using. There are three options to consider: preventing the data from being captured with your photos in the first place, wiping out Exif data from a photo you've already shot, and using tools that strip out sensitive details when you’re sharing a photo.

On smartphones, Apple Photos and Google Photos now have features that let you see if photos include location data and share photos without sending it along. On an iPhone running the latest operating system, you can see if a photo has location data by swiping up when you're viewing the picture in the photos app. If it does have location data, you’ll see a map with the location. You can send the photo without those details by hitting the share button, tapping Options near the top of the screen, and switching off the toggle for Location. Keep in mind you’ll need to do that again every time you send the picture.

Just as in Apple Photos, you can check for location data using Google Photos by swiping up on any picture. You can update your settings to exclude that data if you share photos with a link: Open the menu by tapping the icon in the top left of the app’s home screen, select Settings, and switch on Remove geo location. However, this won’t protect you if you send photos through other means, such as text or email.

You can take similar steps on a computer. Using Windows, you can see whether a photo has Exif data attached to it by right-clicking on the file, selecting Properties, and checking under the Details tab. You can also use this menu to remove most Exif data, including location information, by clicking Remove Properties and Personal Information. Then save the file, and you’ve got a GPS-free photo.

On a Mac, open a photo in Preview and select Show Inspector under the Tools menu. If a photo has Exif data, you’ll find a tab labeled Exif. When location information is present, Preview breaks it out into its own tab, labeled GPS. There you’ll also find a Remove Location Info button that will delete those details.

Most smartphones don’t have a built-in tool to remove Exif data completely from photos that already have it attached, but there are free apps for both Android and iOS devices that will do it for you.

There’s an even easier route. “One technique is to just take a screenshot of the photo and share that instead,” CR’s Richter says. “Screenshots typically don’t include the same kind of sensitive metadata as a camera.”

For many users, the only Exif information that will feel especially personal is where their photos are taken. “That’s a pretty serious privacy issue for some people—you know, where they are in a given time of day,” Berkeley’s Farid says. And it's easy to change your settings so location data won’t be captured with your pictures going forward. All you have to do is revoke the camera app’s access to your device’s GPS function.

In iOS, go to Settings, open the Privacy tab, and select Location Services. Tap Camera and select Never.

Instructions for Android devices vary with the model, but typically you need to open Settings, then Privacy, and select Permissions manager. Next, tap Location, open Camera, and choose Deny. On some Android devices, camera apps have their own GPS setting.

Do all that and it may be harder to find your vacation pictures. But you won’t inadvertently tell the world where you’ve been shooting photos—or where your child plays ball after school.

Concerned about who's watching you? CR shares easy and effective ways to take more control of your digital privacy.

What Is Exif Data?

Attached to the photos you take on your phone are bits of information, such as when and where they were taken. On the "Consumer 101" TV show, host Jack Rico explains what you need to know about protecting your privacy.

Thomas Germain

Thomas Germain was previously a technology reporter at Consumer Reports, covering several product categories and reporting on digital privacy and security issues. He investigated the sharing of sensitive personal data by health-related websites and the prevalence of dark patterns online, among other topics. During his tenure, Germain’s work was cited in multiple actions by the Federal Trade Commission.

SHOW COMMENTS commenting powered by Facebook

Be the first to comment