A family with a magnifying glass and a compass overlayed, hinting at the location information housed in the photo's Exif data.

There’s a particularly arresting black-and-white image of a boy on Flickr, the photo-sharing site. The boy stands at home plate in his Little League uniform, bat poised above his shoulder. It’s early evening. The boy seems to be 8 or 9 years old. The lighting is dramatic. He is partly in shadow, but his face is outlined in sharp silhouette against the sky.

There is no caption, and few visual cues as to where or when the picture was captured. But download the file and click through some menus, and you can learn a lot.

The boy’s game took place June 6, 2018. As the shutter clicked, the time was 7:15 p.m. Call up some GPS data, and you can learn where the boy was playing. He was on a dirt baseball diamond behind a church in a small town in Ohio—a location we won’t name.

You can learn more. For instance, the photographer shot with an iPhone X and had left the camera settings on auto. One thing we don’t know is whether he realized how much information he posted online.

Details about when, where, and how a photo was taken are captured automatically by smartphones and digital cameras, and stored as Exif (Exchangeable Image File Format) data. Information on everything from exposure settings to altitude may be included. And the Exif data travels with the photo—from the camera to your hard drive or a website.

“People should be aware that when they upload a photo there is more to it than just the pixels that they can see,” says Hany Farid, a professor of computer science at the University of California, Berkeley, and a leading researcher on digital forensics. “A lot of people don’t even know there’s this thing called Exif data that gets shoved along.”

Storing Photos Online

Exif data can be very useful. It enables photo-storage services to sort your pictures by date and location, so you can find an album of your family’s trips to Disney World or a grandparent’s home in another state. If you look back at an old picture on your hard drive, you can learn precisely where you shot it.

Like many aspects of digital privacy, security experts say, the important thing for consumers is to make informed choices about what you share.

More on Digital Privacy

“There are some situations where you need to be careful,” says Bobby Richter, who heads privacy and security testing at Consumer Reports. “If you’re sharing images with people you don’t know or trust, you should be wary of whether or not you’re revealing sensitive information, like location data.”

Let’s start with photos that you post online. Many sites that let you display photos to friends or the public remove the Exif data before the images are shown to others. If you upload pictures to Craigslist, Facebook, Imgur, Instagram, Twitter, or WhatsApp, the Exif data won’t be available to the people who see them.

That doesn’t mean social media companies don’t find any use for it, however. “You can almost certainly be assured they are not throwing it away, given that they’re basically big data vacuum cleaners,” Farid says.

Representatives from companies Consumer Reports spoke to—including Apple, Google, Imgur, and Facebook, which owns Instagram and WhatsApp—said that Exif data is not used to target you with advertising messages.

However, a Facebook representative said via email that Facebook does process Exif data, including “information like the make and model of the device used to take the photo, the camera settings, and the date the photo was taken . . . to make your experience better and to keep people safe.”

If you don’t want to provide such data to Facebook and other companies at all, you can remove it yourself before uploading a photo—we’ll get to the directions in a moment.

When you store your photos in Google Photos or iCloud Photos, the Exif data is preserved. That allows you to search for photos later by date and location. Both services allow you remove location data from individual photos, which can be useful if you want to share them with other people.

Flickr preserves Exif data by default, but users can change their account settings to control whether Exif data is available when others download their photos. The service also has a setting that will strip out location data automatically when photos are uploaded.

Finally, if you email or text a photo, the Exif data will typically travel with it. That’s a fact that should matter to individuals—from college students to anyone selling things online—who communicate with people they don’t know well on the internet.

Exif data “can be a gold mine of information” that people don’t realize they’re sharing, says Jonathan Rajewski, who teaches digital forensics at Champlain College in Burlington, Vt., and works with the Vermont Internet Crimes Against Children Task Force.

A seller from Craigslist recently emailed Rajewski photos of an item he was thinking of buying—with the Exif data still attached. “I’m like, ‘I now know where you live, but I don’t really want to know where you live,’” Rajewski says. “When I met that person, I kind of educated them, saying, ‘Hey, maybe it’s a privacy concern for you,’ so they can make better decisions moving forward.”

How to Remove Exif Data Yourself

Exif data isn’t hard to find or to remove, but the steps vary a bit, depending on which device you are using.

On a Windows computer, you can see whether a photo has Exif data attached to it by right-clicking on the file, selecting Properties, and checking under the Details tab. You can also use this menu to remove most Exif data, including location information, by clicking “Remove Properties and Personal Information.”

On a Mac, open a photo in Preview and select Show Inspector under the Tools menu. If a photo has Exif data, you’ll find a tab labeled Exif. When location information is present, Preview breaks it out into its own tab, labeled GPS. There you’ll also find a Remove Location Info button that will delete those details.

Both of those methods will erase location information, but neither will get rid of Exif data entirely. You’ll still be able to see information such as the exposure settings and when the image was captured.

However, there are some easy ways to remove that information before sharing a photo. “One technique is to just take a screenshot of the photo and share that instead,” CR’s Richter says. “Screenshots typically don’t include the same kind of sensitive metadata as a camera.”

Most smartphones don’t have a built-in tool to remove Exif data. There are free apps for both Android and iOS devices that will do it for you, but for many users, the only Exif information that feels very personal is where their photos are taken. “That’s a pretty serious privacy issue for some people—you know, where they are in a given time of day,” Berkeley’s Farid says. If you simply want to avoid capturing location information with your pictures, you can revoke the camera app’s access to your device’s GPS function.

In iOS, go to Settings, open the Privacy tab, and select Location Services. Tap Camera and select Never.

Instructions for Android devices vary with the model, but typically you need to open Settings, then Lock Screen & Security, and open Location. Next, tap App-Level Permissions and switch the toggle off for Camera. On some Android devices, camera apps have their own GPS setting.

Do all that and you won’t inadvertently tell the world where you’ve been shooting photos—or where your child plays ball after school.