How a Photo's Hidden 'Exif' Data Exposes Your Personal Information
Share a family photo and you could be revealing where you live, work, and vacation
There’s a particularly arresting black-and-white image of a boy on Flickr, the photo-sharing site. The boy stands at home plate in his Little League uniform, bat poised above his shoulder. It’s early evening. The boy seems to be 8 or 9 years old. The lighting is dramatic. He is partly in shadow, but his face is outlined in sharp silhouette against the sky.
There is no caption, and few visual cues as to where or when the picture was captured. But download the file and click through some menus, and you can learn a lot.
We can see that the picture is about a year and a half old; the boy’s game took place on June 6, 2018. As the shutter clicked, the time was 7:15 p.m. Call up some GPS data, and you can learn where the boy was playing. He was on a dirt baseball diamond behind a church in a small town in Ohio—a location we won’t name.
You can learn more. For instance, the photographer shot with an iPhone X and had left the camera settings on auto.
One thing we don’t know is whether he realized how much personal information he was posting online.
Details about when, where, and how a photo was taken are captured automatically by smartphones and digital cameras, and stored as Exif (Exchangeable Image File Format) data. Information on everything from exposure settings to altitude may be included. And the Exif data travels with the photo—from the camera to your hard drive or a website.
“People should be aware that when they upload a photo there is more to it than just the pixels that they can see,” says Hany Farid, a professor of computer science at the University of California, Berkeley, and a leading researcher on digital forensics. “A lot of people don’t even know there’s this thing called Exif data that gets shoved along.”
Storing Photos Online
Exif data can be very useful. It enables photo-storage services to sort your pictures by date and location, so you can find an album of your family’s trips to Disney World or a grandparent’s home in another state. If you look back at an old picture on your hard drive, you can learn precisely where you shot it.
As with many aspects of digital privacy, security experts say, the important thing is for consumers to make informed choices about what they share.
How to Remove Exif Data Yourself
Exif data isn’t hard to find or to remove, but the steps vary a bit, depending on which device you are using. There are three options to consider: preventing the data from being captured with your photos in the first place, wiping out Exif data from a photo you've already shot, and using tools that strip out sensitive details when you’re sharing a photo.
On smartphones, Apple Photos and Google Photos now have features that let you see if photos include location data and share photos without sending it along. On an iPhone running the latest operating system, you can see if a photo has location data by swiping up when you're viewing the picture in the photos app. If it does have location data, you’ll see a map with the location. You can send the photo without those details by hitting the share button, tapping Options near the top of the screen, and switching off the toggle for Location. Keep in mind you’ll need to do that again every time you send the picture.
Just as in Apple Photos, you can check for location data using Google Photos by swiping up on any picture. You can update your settings to exclude that data if you share photos with a link: Open the menu by tapping the icon in the top left of the app’s home screen, select Settings, and switch on Remove geo location. However, this won’t protect you if you send photos through other means, such as text or email.
You can take similar steps on a computer. Using Windows, you can see whether a photo has Exif data attached to it by right-clicking on the file, selecting Properties, and checking under the Details tab. You can also use this menu to remove most Exif data, including location information, by clicking Remove Properties and Personal Information. Then save the file, and you’ve got a GPS-free photo.
On a Mac, open a photo in Preview and select Show Inspector under the Tools menu. If a photo has Exif data, you’ll find a tab labeled Exif. When location information is present, Preview breaks it out into its own tab, labeled GPS. There you’ll also find a Remove Location Info button that will delete those details.
Most smartphones don’t have a built-in tool to remove Exif data completely from photos that already have it attached, but there are free apps for both Android and iOS devices that will do it for you.
There’s an even easier route. “One technique is to just take a screenshot of the photo and share that instead,” CR’s Richter says. “Screenshots typically don’t include the same kind of sensitive metadata as a camera.”
For many users, the only Exif information that will feel especially personal is where their photos are taken. “That’s a pretty serious privacy issue for some people—you know, where they are in a given time of day,” Berkeley’s Farid says. And it's easy to change your settings so location data won’t be captured with your pictures going forward. All you have to do is revoke the camera app’s access to your device’s GPS function.
In iOS, go to Settings, open the Privacy tab, and select Location Services. Tap Camera and select Never.
Instructions for Android devices vary with the model, but typically you need to open Settings, then Privacy, and select Permissions manager. Next, tap Location, open Camera, and choose Deny. On some Android devices, camera apps have their own GPS setting.
Do all that and it may be harder to find your vacation pictures. But you won’t inadvertently tell the world where you’ve been shooting photos—or where your child plays ball after school.
What Is Exif Data?
Attached to the photos you take on your phone are bits of information, such as when and where they were taken. On the "Consumer 101" TV show, host Jack Rico explains what you need to know about protecting your privacy.