Skip to content
Spellkit

What's Actually Hiding in Your Photo's EXIF Data

Every photo a camera or phone takes carries metadata beyond the pixels — including, by default, the exact GPS coordinates where it was taken.

A JPEG isn't just pixels. Tucked into the file alongside the image data is an EXIF (Exchangeable Image File Format) block — metadata the camera wrote automatically, without you ever choosing to include it.

What's actually in there

  • Camera/device info — make, model, sometimes the exact lens and firmware version.
  • Shot settings — aperture, shutter speed, ISO, focal length, flash state.
  • Timestamp — the exact date and time the photo was taken, to the second.
  • GPS coordinates — if location services were on, the precise latitude/longitude (and sometimes altitude) of where the photo was taken, accurate to a few meters.
  • Orientation — which way the camera was physically held, used to auto-rotate the image on display.
  • Thumbnail — many JPEGs embed a small preview thumbnail separately from the main image, generated at the time of the original shot.

Why the thumbnail is the sneaky one

Photo editors often modify the main image (crop, blur, redact something) but don't always touch the embedded EXIF thumbnail, since it's stored as a separate, smaller data block. There are real cases of a supposedly-cropped or redacted photo still containing an unmodified thumbnail of the original, unedited image — meaning whatever was cropped out is still recoverable from the file. If you're removing something from a photo before sharing it, the edit isn't complete until the metadata is stripped too.

Why this matters more than people expect

Post a photo taken on your phone straight to a forum or marketplace listing, and if GPS metadata is intact, anyone who downloads the original file (not a re-compressed version — see below) can extract the exact coordinates where it was taken. This has been used to deanonymize people who believed they'd only shared a picture, not a location.

Why some platforms are "safe" and others aren't

Major social platforms (Instagram, Twitter/X, Facebook) strip EXIF data automatically when you upload, because they re-encode every image on their end anyway. That's a side effect of their processing pipeline, not a deliberate privacy feature — which is exactly why it's inconsistent. Sending the original file directly — via email, AirDrop, a messaging app that preserves originals, or a direct file upload to a site that doesn't re-process images — usually keeps every field intact, because nothing re-encoded it.

How to actually check and remove it

The only reliable way to know is to inspect the file directly rather than assume based on where you got it. Spellkit's EXIF Remover reads and displays what metadata a photo actually contains, then strips it, entirely in your browser — the file never leaves your device, which matters here specifically, since the whole point is not sending your location to yet another server in the process of trying to remove it from a photo.