The Hidden Diary in Every Photo: A Plain-English Guide to EXIF Privacy
Every photo your phone takes ships with a small file of hidden data: where it was shot, on what hardware, when, and how. Five times that data changed someone's day, what social platforms actually do with it, and how to strip it before you share.
In December 2012, the antivirus pioneer John McAfee was hiding from Belizean authorities and apparently enjoying it. He had given a small team from Vice an exclusive interview, and Vice's editor-in-chief posted a photo of the two of them together under the headline "We Are with John McAfee Right Now, Suckers". Within minutes, hobbyists on Twitter pulled the photo into desktop tools, read the embedded GPS coordinates, and put McAfee on a map: a specific marina in Río Dulce, Guatemala. Guatemalan police picked him up shortly after. The Guardian and CNET covered the rest.
The photo itself was unremarkable — two men, a beard, a smile. The detail that ended the chase was invisible to everyone who looked at it on a screen. That hidden detail is the subject of this post. It is called EXIF data, and your phone has been writing it into every photo you have ever taken.
Three formats, one file
When people say "the metadata in a photo", they almost always mean one of three overlapping standards. They live in the same file, written by different tools at different moments.
| Standard | Who writes it | What it captures |
|---|---|---|
| EXIF (Exchangeable Image File Format) | Your camera or phone, automatically | GPS coordinates, device model, lens, shutter speed, aperture, ISO, timestamps, orientation |
| IPTC | Humans, via newsrooms and asset-management tools | Creator, copyright, captions, keywords, location names |
| XMP (Extensible Metadata Platform) | Editing software like Lightroom or Photoshop | Edit history, color profiles, custom fields. Often wraps EXIF and IPTC inside it. |
What is actually inside the file
A photograph is not just pixels. Every modern phone tucks a structured ledger into the file header. These are the fields that show up in roughly two out of three smartphone JPEGs.
| Field | Illustrative value |
|---|---|
| GPS coordinates | 37.7849, -122.4094 |
| Device & OS | iPhone 15 Pro · iOS 17.4 |
| Camera settings | f/1.78 · 1/120s · ISO 400 |
| Timestamps | 2026-05-12 14:32:08 PDT |
| Edit software | Lightroom Mobile 9.2 |
| Often more | Lens, serial, owner name |

Illustrative example. The exact fields depend on the camera, the operating system, and which apps have touched the file.
EXIF is the part most people would care about if they could see it. It is written passively, with no consent dialog, and it is meant for tools — not for humans. Anyone with a free desktop app, the right-click "Properties" panel on Windows, or a small browser viewer can read it in a few seconds.
Five times metadata changed someone's day
1. A torso photo and the hacker who got caught by it
In early 2012, the FBI was tracking a hacker who went by w0rmer, affiliated with the Anonymous-adjacent group CabinCr3w. He had defaced several US law enforcement sites and posted the stolen data on a server, decorated with a photo of a woman holding a piece of paper that read "PwNd by w0rmer & CabinCr3w". Her face was cropped out. Her phone's GPS coordinates were not.
The FBI pulled the photo, read the EXIF, and got a residential address in suburban Melbourne, Australia. Cross-referenced with social media, the trail led to Higinio O. Ochoa III, an American whose then-girlfriend lived at that exact address. Belkasoft has a clean writeup of how the chain of evidence held together. Ochoa pleaded guilty later that year.
2. John McAfee on the run
Same year, end of 2012. McAfee was wanted for questioning in Belize over the death of his neighbour. He fled, then granted a hidden-location interview to Vice. The team published quickly. The shot of McAfee and Vice's then-editor was a high-resolution iPhone photo, location services on, EXIF intact. Within hours, Twitter sleuths had triangulated him to the Guatemalan border.
Vice later swapped the image for a scrubbed copy. McAfee himself claimed the leak was an intentional misdirection, which fooled nobody. The case became a staple of OPSEC slide decks for years afterwards.
3. The mortar attack OPSEC briefings will not stop citing
In 2012, the US Army told a number of outlets that, in 2007, soldiers at a forward operating base in Iraq had uploaded geotagged photos of newly arrived AH-64 Apache helicopters. According to that statement, insurgents pulled the GPS coordinates from the photos and used them to direct a mortar strike that destroyed four of the helicopters.
The incident is sourced primarily to a single 2012 Army public-affairs statement, and the precise chain of evidence has not been independently published. It is worth treating as a teaching anecdote rather than a forensic fact. Even with that caveat, it is the version of the story military OPSEC training keeps citing — and the mechanism it describes is technically straightforward. Geotagged photos of a sensitive location are, on their face, an intelligence product you have published for free.
4. Adam Savage tweets from his driveway
Adam Savage of MythBusters posted a photo of his Toyota parked outside his home in 2010, captioned "Now it's off to work." The photo came straight off his iPhone with GPS on. As Wisconsin Lawyer and other outlets have noted, that tweet broadcast both his exact home coordinates and the fact that he was about to leave. The vehicle was broken into shortly after.
Savage is a famously technical guy. The reason this happened is not that he is uninformed — it is that EXIF is written in a place nobody thinks to look, by a process nobody opted into.
5. Three Burger King employees and a bin of lettuce
In 2012, a photo appeared on an anonymous forum showing three employees standing in bins of restaurant lettuce. The image had no recognisable storefront. It also had GPS coordinates. Internet sleuths matched the coordinates to a specific franchise within hours, and the employees were dismissed. It is a small story, but a useful one: location data does not just identify your home. It identifies any room you have ever been in.
The platform paradox
A common piece of folk wisdom is that "the big social networks strip this stuff anyway." This is partly true and partly dangerous. The big social networks do strip EXIF from the public file your followers can re-download, but the gap between the platforms that do this and the ones that do not is wider than most people realise.
Strips for public viewers: anyone re-downloading from the platform sees a scrubbed file.

| Platform | Behaviour |
|---|---|
| Instagram | Strips EXIF from the public file on upload. |
| Facebook | Strips EXIF from the public file on upload. |
| X / Twitter | Re-encodes uploads; EXIF does not survive. |
| Signal | Strips all metadata. Zero server-side retention. |

Preserves the full file: whoever you send it to gets the original metadata.

| Platform | Behaviour |
|---|---|
| iMessage | Preserves the original file end-to-end. |
| Email (SMTP) | Attachments arrive byte-for-byte intact. |
| Telegram (Send as File) | Uncompressed mode preserves EXIF — even in Secret Chats. |
| Flickr / archives | Preserves EXIF intentionally for photographers. |
"Stripped for public viewers" does not mean "deleted". Major platforms generally retain the original file internally for moderation, ads, and search — it just is not in the version your followers can save.
Even careful platforms can leak through edge cases. A 2020 HackerOne report against Reddit documented a bug where uploaded HEIC files — the default format on modern iPhones — were converted server-side to PNG with their EXIF still embedded in the PNG text chunks. Users who assumed their photos were stripped on upload had GPS coordinates sitting in the publicly served file. Reddit fixed it; the lesson generalised. "The platform handles it" is not a security model — it is a hope that a specific code path in a specific image library did the right thing on this specific format on this specific day.
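The HEIC-to-PNG bug above is easy to check for yourself. The following is an added example, not Reddit's code or anything from the HackerOne report: it walks a PNG's chunks, verifies each CRC, and lists the ones that can carry metadata across a conversion, the eXIf chunk and the tEXt/zTXt/iTXt text chunks, together with their keyword. The sample PNG is constructed inline; its text-chunk keywords ("Raw profile type exif", the keyword ImageMagick writes, and "XML:com.adobe.xmp" for XMP) are the ones a converter typically leaves behind, but the report does not say which chunk Reddit's pipeline produced, so treat them as illustrative.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types that can carry Exif, XMP or other descriptive metadata across a conversion
METADATA_CHUNKS = {b"eXIf", b"tEXt", b"zTXt", b"iTXt"}


def iter_png_chunks(data):
    """Yield (type, payload) for each chunk, checking the CRC so a damaged file fails loudly."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError("CRC mismatch in %r chunk" % ctype)
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            return
    raise ValueError("PNG ends without IEND")


def find_png_metadata(data):
    """List metadata chunks with their keyword. ImageMagick stores a carried-over Exif
    block under the tEXt keyword 'Raw profile type exif'; XMP travels in iTXt as
    'XML:com.adobe.xmp'; the eXIf chunk holds the Exif block verbatim."""
    hits = []
    for ctype, payload in iter_png_chunks(data):
        if ctype == b"eXIf":
            hits.append(("eXIf", "%d-byte Exif block" % len(payload)))
        elif ctype in METADATA_CHUNKS:
            # Text chunks all start with a NUL-terminated keyword
            keyword = payload.split(b"\0", 1)[0].decode("latin-1")
            hits.append((ctype.decode("ascii"), keyword))
    return hits


def _chunk(ctype, payload):
    """Frame one PNG chunk: length, type, payload, CRC over type and payload."""
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def build_sample_png():
    """Constructed 1x1 PNG carrying the kinds of chunk a careless converter leaves behind."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)          # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")                     # filter byte + one black pixel
    empty_tiff = b"II*\0" + struct.pack("<IHI", 8, 0, 0)          # valid TIFF with an empty IFD0 (14 bytes)
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Raw profile type exif\0\nexif\n     14\n" + empty_tiff.hex().encode())
            + _chunk(b"iTXt", b"XML:com.adobe.xmp\0\0\0\0\0<x:xmpmeta/>")
            + _chunk(b"eXIf", empty_tiff)
            + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b""))


if __name__ == "__main__":
    for chunk_type, detail in find_png_metadata(build_sample_png()):
        print("%-5s %s" % (chunk_type, detail))
```

Run it against the copy you downloaded back from the platform, not the one you uploaded; the second file is the only one that tells you what the pipeline did.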
Curious what is actually in your last vacation photo?
Drop it into the ImgShifter EXIF Viewer. The parsing runs locally in your browser — nothing about the image leaves your device. Watch the Network tab if you want proof.
What 'turning off location' actually does
Toggling off Location Services for the camera is a good idea, and it is necessary, but it is not the whole story. Disabling location stops the GPS field from being written. It does not stop EXIF itself. The file you take with location off still includes a substantial portrait of the device and the moment of capture.
- Make and model of your camera or phone ("iPhone 15 Pro", "Pixel 8", "Canon EOS R5")
- Operating system or firmware version, often down to the patch level
- Lens model, focal length, and sometimes lens serial number
- Exposure settings: shutter speed, aperture, ISO, flash state, white balance
- Timestamp down to the second, including the timezone offset
- Editing software and edit history if the file passed through Lightroom, Photoshop, or similar
- Owner name or device name if you set one in your camera
On its own, none of this points at your house. Combined with anything else you have posted publicly — a photo of a coffee shop, a face in a group photo, an IP address — it is excellent device fingerprinting material. Privacy is rarely lost in one big leak. It is lost a field at a time.
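To make the ledger concrete, here is a small parser, added for this post rather than taken from any tool mentioned in it, that reads the Exif payload of a JPEG APP1 segment (the bytes after the "Exif" header form a TIFF structure) and decodes the make, model, timestamp and GPS tags from the field table in the "What is actually inside the file" section, converting the degrees/minutes/seconds rationals to decimal degrees. The sample payload is constructed inline from that table's illustrative values, and the tag list covers only those fields; anything else is reported by its hex id. With the GPS directory absent, the same code still returns the device and timestamp fields listed above, which is the point of the "turning off location" section.

```python
import struct

# TIFF field types and their sizes in bytes (BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED, SLONG, SRATIONAL)
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
# The handful of tags this example names; anything else is reported by its hex id
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime",
             0x8825: "GPSInfoIFD", 0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
             0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}


def _read_ifd(tiff, offset, endian):
    """Decode one image file directory into {tag: value}."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        size = TYPE_SIZE.get(typ, 1) * n
        # Values of four bytes or fewer sit inline; longer ones are reached through an offset
        start = e + 8 if size <= 4 else struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
        raw = tiff[start:start + size]
        if typ == 2:                                  # ASCII, NUL-terminated
            entries[tag] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        elif typ in (3, 4):                           # SHORT / LONG
            entries[tag] = list(struct.unpack(endian + ("H" if typ == 3 else "I") * n, raw))
        elif typ == 5:                                # RATIONAL: numerator, denominator pairs
            parts = struct.unpack(endian + "I" * (2 * n), raw)
            entries[tag] = [parts[k] / parts[k + 1] if parts[k + 1] else float("nan")
                            for k in range(0, len(parts), 2)]
        else:
            entries[tag] = raw
    return entries


def _to_decimal(gps):
    """Turn the degrees/minutes/seconds rationals into signed decimal degrees."""
    if not all(t in gps for t in (1, 2, 3, 4)):
        return None
    def dms(vals, ref):
        deg = vals[0] + vals[1] / 60 + vals[2] / 3600
        return -deg if ref in ("S", "W") else deg
    return round(dms(gps[2], gps[1]), 6), round(dms(gps[4], gps[3]), 6)


def parse_exif(payload):
    """Parse the payload of a JPEG APP1 Exif segment: b'Exif\\0\\0' followed by a TIFF structure."""
    if not payload.startswith(b"Exif\0\0"):
        raise ValueError("not an Exif APP1 payload")
    tiff = payload[6:]
    if tiff[:2] not in (b"II", b"MM"):
        raise ValueError("bad TIFF byte-order mark")
    endian = "<" if tiff[:2] == b"II" else ">"
    if struct.unpack(endian + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF magic")
    ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
    result = {TAG_NAMES.get(t, hex(t)): v for t, v in ifd0.items() if t != 0x8825}
    if 0x8825 in ifd0:                                # GPS sub-directory pointer
        gps = _read_ifd(tiff, ifd0[0x8825][0], endian)
        result["GPS"] = {TAG_NAMES.get(t, hex(t)): v for t, v in gps.items()}
        result["Coordinates"] = _to_decimal(gps)
    return result


def _build_ifd(fields, base, endian):
    """Serialise {tag: (type, raw_bytes)} as an IFD located at absolute offset `base`."""
    head_len = 2 + 12 * len(fields) + 4
    head, body = struct.pack(endian + "H", len(fields)), b""
    for tag, (typ, raw) in sorted(fields.items()):
        if len(raw) <= 4:
            field = raw.ljust(4, b"\0")
        else:
            field = struct.pack(endian + "I", base + head_len + len(body))
            body += raw
        head += struct.pack(endian + "HHI", tag, typ, len(raw) // TYPE_SIZE[typ]) + field
    return head + struct.pack(endian + "I", 0) + body


def build_sample_exif():
    """Constructed Exif payload using the article's illustrative values (not from a real photo)."""
    E = "<"
    def rational(*pairs):
        return b"".join(struct.pack(E + "II", n, d) for n, d in pairs)
    gps = {0x0001: (2, b"N\0"),
           0x0002: (5, rational((37, 1), (47, 1), (564, 100))),    # 37 deg 47' 5.64"
           0x0003: (2, b"W\0"),
           0x0004: (5, rational((122, 1), (24, 1), (3384, 100)))}  # 122 deg 24' 33.84"
    ifd0 = {0x010F: (2, b"Apple\0"), 0x0110: (2, b"iPhone 15 Pro\0"),
            0x0132: (2, b"2026:05:12 14:32:08\0"), 0x8825: (4, struct.pack(E + "I", 0))}
    gps_offset = 8 + len(_build_ifd(ifd0, 8, E))      # GPS IFD follows IFD0; the pointer's size is fixed
    ifd0[0x8825] = (4, struct.pack(E + "I", gps_offset))
    tiff = b"II" + struct.pack(E + "HI", 42, 8) + _build_ifd(ifd0, 8, E) + _build_ifd(gps, gps_offset, E)
    return b"Exif\0\0" + tiff


if __name__ == "__main__":
    for key, value in parse_exif(build_sample_exif()).items():
        print(key, "=", value)
```

Real files carry dozens more tags (the Exif sub-IFD at 0x8769 holds the exposure settings, and maker notes are vendor-specific blobs); the structure is the same directory walk, which is why a viewer can read any of it in seconds.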
The defense
Stripping EXIF is not exotic. The hard part is remembering to do it, and knowing which option in which menu does the right thing. Here is what works on each operating system, ordered from "least effort" to "forensic-grade".
iPhone
- Settings → Privacy & Security → Location Services → Camera → set to Never. Prevents GPS being written at capture time.
- When sharing one photo: open the Share Sheet, tap Options at the top, toggle Location off. Strips GPS from the file you send.
- For deeper cleaning (camera model, software, timestamps), use a dedicated app or a Siri Shortcut — iOS does not ship a one-tap "strip everything" option built in.
Android
- In the Camera app's settings, disable "Save location" or "Location tags".
- When sharing through Google Photos, open the image's properties, tap the pencil next to the map, and remove the location.
- Recent Android versions also add a "Remove location data" toggle in the share sheet on a per-share basis.
Windows
- Right-click the file → Properties → Details tab → "Remove Properties and Personal Information" at the bottom.
- Choose "Create a copy with all possible properties removed". Windows writes a sanitised duplicate alongside the original.
- Caveat: this misses some XMP and proprietary maker-note blocks. For sensitive shares, use a dedicated tool.
macOS
- In Photos, click the small (i) info button, click the location, and choose "Revert to Original Location" → "No Location". This drops GPS only.
- For everything else, the command-line tool sips ships with macOS: sips -s format jpeg -s formatOptions 85 in.jpg --out out.jpg will re-encode and drop most metadata.
- The gold standard on every OS is exiftool. exiftool -all= photo.jpg wipes everything. exiftool -gps:all= photo.jpg drops just the GPS and leaves your copyright field intact.
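As an added example for this section (not code from exiftool, sips or any product mentioned here), the script below does the two things the lists above ask for: it reports which metadata segments a JPEG still carries, the check to run on a copy you downloaded back from a platform, and it strips them at the segment level by copying the pixel data through untouched. It keeps APP0 (JFIF) and APP14 (Adobe) because decoders need them, and drops APP1 (Exif and XMP), APP13 (IPTC), the remaining vendor APPn blocks and COM comments. The sample file is a constructed marker skeleton, not a real photograph.

```python
import struct

APP_MARKERS = {0xE0 + i for i in range(16)}   # APP0..APP15: metadata and vendor blocks
KEEP_APPS = {0xE0, 0xEE}   # APP0 (JFIF) and APP14 (Adobe colour transform) are needed to decode the picture


def _segment(marker, payload):
    """Frame one marker segment: 0xFF, marker, 2-byte length (which counts itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def split_jpeg(data):
    """Split a JPEG into its header segments [(marker, payload), ...] and the tail,
    which starts at the SOS (or EOI) marker and holds the entropy-coded pixel data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt header at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                     # fill byte before a marker
            pos += 1
            continue
        if marker in (0xDA, 0xD9):             # start of scan / end of image: header is over
            return segments, data[pos:]
        if pos + 4 > len(data):
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    raise ValueError("truncated JPEG header")


def describe_metadata(data):
    """Name the metadata-bearing segments still in the file."""
    found = []
    for marker, payload in split_jpeg(data)[0]:
        if marker == 0xE1 and payload.startswith(b"Exif\0\0"):
            found.append("APP1/Exif")
        elif marker == 0xE1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/\0"):
            found.append("APP1/XMP")
        elif marker == 0xED and payload.startswith(b"Photoshop 3.0\0"):
            found.append("APP13/IPTC")
        elif marker == 0xFE:
            found.append("COM")
        elif marker in APP_MARKERS and marker not in KEEP_APPS:
            found.append("APP%d" % (marker - 0xE0))
    return found


def strip_jpeg(data):
    """Rebuild the file without APPn metadata segments or comments. The scan data is
    copied byte for byte, so the picture itself is untouched (no re-encode, no quality loss)."""
    segments, tail = split_jpeg(data)
    out = bytearray(b"\xff\xd8")
    for marker, payload in segments:
        if marker == 0xFE or (marker in APP_MARKERS and marker not in KEEP_APPS):
            continue
        out += _segment(marker, payload)
    return bytes(out + tail)


def build_sample_jpeg():
    """Constructed marker skeleton for the demo: the segment layout is real, the scan data
    is a dummy, so it is not a viewable picture."""
    return (b"\xff\xd8"
            + _segment(0xE0, b"JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _segment(0xE1, b"Exif\0\0MM\0\x2a\0\0\0\x08\0\0\0\0\0\0")          # Exif with an empty IFD0
            + _segment(0xE1, b"http://ns.adobe.com/xap/1.0/\0<x:xmpmeta/>")
            + _segment(0xED, b"Photoshop 3.0\x008BIM\x04\x04\0\0\0\0\0\0")      # IPTC container
            + _segment(0xFE, b"Lightroom Mobile 9.2")                            # COM
            + _segment(0xDB, bytes(65))                                          # DQT placeholder
            + _segment(0xDA, b"\x01\x01\x00\x00")                                # SOS
            + b"\x12\x34\x56\xff\xd9")


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", describe_metadata(sample))
    print("after: ", describe_metadata(strip_jpeg(sample)))
```

One consequence this shares with exiftool -all=: the Exif Orientation tag goes with the rest, so a portrait shot whose rotation was only recorded in metadata will display sideways afterwards. Rotate the pixels first, or strip selectively, if that matters for the share.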
The next thing to worry about
Stripping EXIF was sufficient for about two decades. It is now necessary but no longer sufficient. Modern vision-language models can take an image with zero metadata and infer a strikingly accurate location from the pixels alone — vegetation, road signs, architectural style, light angle, the shape of distant hills. Privacy International's Nowhere to Hide report runs through the implications in detail.
This does not invalidate the EXIF advice. It expands it. EXIF removal blocks the trivial attack — the one a stalker, an ex, an employer, or an opportunist can run with a right-click. The pixel-level attack still needs a motivated adversary with model access and a reason to point it at you. For most threat models, the right play is to make the trivial attack impossible and accept that the sophisticated one exists. For high-risk threat models — journalists protecting sources, dissidents, people fleeing abuse — the answer is not just stripping but also being thoughtful about which photos you publish at all.
What to do today
Three things, in order. First, turn off Location Services for your camera app on whichever phone you use the most. This costs you nothing and removes the single most sensitive field from every photo you take from now on. Second, when sharing a photo that pre-dates that change — a vacation shot from last year, a kid's birthday from 2022 — pass it through a stripper before you post it. Third, when in doubt about a platform, send the photo to yourself first, download it back from the public-facing URL, and look at what is left. If you have ever sent images to friends through Telegram-as-File or iMessage, assume the original metadata went with them.
The story underneath all of this is that the file format that holds your photos was designed for professional photographers in 1995. It assumed photographers wanted every field preserved. It assumed photographers were the only people taking enough photos for it to matter. Twenty billion smartphone shutter clicks a day later, the defaults have aged badly. The fix is not to stop taking pictures. The fix is to look at what your phone has been writing on the back of every photo, and decide which fields you are comfortable sharing — one share at a time.
See what your photos say — and shut them up
Open the EXIF Viewer to read what is hiding inside any image you have. Then run the EXIF Remover to strip it before you share — lossless for JPG, PNG, and WEBP, entirely in your browser.