Every time you take a photo with your smartphone, your device stores invisible information within the image. These so-called EXIF data include the date and time of the shot, the device type, camera settings, and often the exact GPS coordinates of the location. When you share that image online afterward, you may unknowingly reveal all this information. In this article, I explain what risks this poses and how to effectively protect yourself.
What EXIF data can reveal: The amount of information stored in a single photo is astonishing. Beyond the camera model and technical capture data like aperture, exposure time, and ISO value, many smartphones also store GPS coordinates with an accuracy of just a few meters. This means someone who reads the EXIF data of your photo can see exactly on a map where you took the image. Additionally, the data often contains your device's operating system version, the photographer's name (if configured in device settings), copyright information, and even a small thumbnail image. iPhones additionally store the device ID. All this information can be read in seconds using freely available tools.
Which platforms strip EXIF data and which do not: Major social networks like Facebook, Instagram, and Twitter automatically remove EXIF data on upload. This is a deliberate privacy decision by these platforms. But be careful: if you send images via email, publish them on your own website, post them in forums, or send them via messengers like Telegram in original mode, all EXIF data remains intact. Cloud services like Google Drive or Dropbox also do not remove metadata when you upload images and share the link. This means anyone with access to the file can read all embedded information.
What exactly is EXIF data? EXIF stands for Exchangeable Image File Format. It is a standard that allows cameras and smartphones to embed technical and contextual information directly in the image file. This includes the camera model, focal length, aperture, ISO value, exposure time, as well as date, time, and GPS coordinates when location services are enabled. Some devices even store the camera's serial number or the owner's name. This data is not visible in the normal image view but can be read with simple tools. In the image file, EXIF data is stored in the so-called APP1 marker of the JPEG format. The structure follows the TIFF format, meaning the data is organized in defined tags, similar to key-value pairs in a database.
Why is this data dangerous? Imagine you photograph something in your apartment and share the image in a forum or on a classified ads platform. The GPS coordinates in the image reveal your home address to within a few meters. A stalker or burglar could use this information. This sounds dramatic, but there are documented cases where exactly this has happened. Extra caution is also warranted with photos of children. Even seemingly harmless information like the camera model or the time of capture can be combined with other data to build a profile about you. Journalists and activists in authoritarian regimes can even put themselves in serious physical danger by carelessly sharing location data.
GDPR and image rights: In Europe, the General Data Protection Regulation (GDPR) comprehensively protects personal data. Photos of people are considered personal data as soon as the depicted person is identifiable. This means you generally need the consent of every recognizable person in your photo before publishing it. There are some exceptions: people who appear merely as accessories in a landscape or at a public place, participants of public events, demonstrations, or parades, and public figures in the exercise of their office. But even with these exceptions, if the photo shows the person in an unflattering or private situation, publication can be problematic. As an alternative to obtaining consent, blurring faces is an option. The Formidex Face Blur tool automatically detects faces and makes them unrecognizable, allowing you to legally publish photos from events, public spaces, or groups.
How the metadata tool technically works: The Formidex Metadata tool reads the APP1 marker in the JPEG file, which contains the EXIF data in a TIFF-like format. The tool displays all stored tags clearly, from GPS coordinates to camera settings to copyright information. When you want to remove the metadata, the tool uses the browser's Canvas API. The image is decoded and only the pure pixel data is drawn onto a Canvas element. When subsequently exported as JPEG or PNG, only the pixel data is saved, without the original metadata blocks. This produces a clean image without hidden information. The entire process takes place in your browser without image data being sent to any server.
Many people use cloud-based image editing services without thinking about what happens to their images. When you upload an image to a server, you give a third party access to your image and all the data it contains. The terms of service of many services state that uploaded images may be used for training purposes. Some services store images for days even after processing. This is especially problematic with sensitive images such as identity documents, medical records, or private photos. Even seemingly harmless images can reveal patterns in large data sets: where you spend time, when you are active, which devices you use.
Facial recognition and its risks: Another aspect that is often underestimated is automatic facial recognition. Companies like Clearview AI have collected billions of photos from the internet to build a massive facial database. Every photo you post online with recognizable faces can potentially be incorporated into such databases. Once captured, this information is practically impossible to delete. Blurring faces before publication is therefore not just a matter of courtesy but an active protection of privacy.
Formidex takes a fundamentally different approach. All image processing happens exclusively in your browser. Your images are never uploaded to any server. There is no database where your images are stored. There is no tracking, no cookies, and no registration required. This means your images stay 100 percent with you. With the Metadata tool, you can view the EXIF data in your images and selectively remove it before sharing. With the Face Blur tool, you can automatically pixelate faces. Both tools work entirely locally.
Special care with children's photos: Photos of children deserve special protection. Many parents share images of their children on social media without considering the long-term consequences. Children cannot decide for themselves about publication. Images that seem harmless today can be embarrassing or distressing for the then-teenage persons in ten years. If you want to share children's photos, at least remove the EXIF data and consider whether blurring faces is appropriate. In school and organizational contexts, parental consent is even legally required.
Practical tips for better privacy: Disable the GPS function of your camera app when you do not need it. Remove EXIF data before sharing images online. Blur faces in images you post publicly if the depicted persons have not given consent. Use tools that work locally and do not upload your images to external servers. Review the privacy policies of online services before uploading images. Be especially careful with images that show your home, workplace, or regular locations. Check before sending via email whether the EXIF data has been removed. With these simple measures, you effectively protect your privacy and that of the people around you.