Your photos know exactly where you live
Every photo taken on a modern smartphone embeds hidden data called EXIF — short for Exchangeable Image File Format. This data rides along invisibly inside the image file itself, completely separate from the pixels you see. And by default, it contains your exact GPS coordinates at the moment the photo was taken.
Post that photo to a forum, send it in an email, or upload it to a listing site — and anyone who downloads it and checks the metadata can see precisely where you were. Down to a few meters.
Real scenario: You sell something on Facebook Marketplace and post a photo you took at home. The buyer downloads the photo, reads the EXIF, and now has your home address — before you've said a word to them.
What's actually stored in EXIF
It's more than just GPS. Here's a breakdown of what a typical smartphone photo contains:
| Field | Example value | Risk |
|---|---|---|
| GPS Latitude / Longitude | 45.5017° N, 73.5673° W | HIGH |
| GPS Altitude | 28.4 m above sea level | HIGH |
| Date & Time (original) | 2026:03:15 08:42:11 | MED |
| Camera Make & Model | Apple iPhone 15 Pro | MED |
| Lens Serial Number | 0x00D93F... | MED |
| Software version | iOS 18.3.1 | LOW |
| Exposure, ISO, aperture | 1/120s · f/1.8 · ISO 64 | LOW |
The GPS fields are the obvious threat. But the timestamp lets someone pattern your routines. The device serial number can fingerprint your camera across multiple photos posted under different accounts. The software version can hint at security vulnerabilities.
Who can read EXIF data?
Anyone who can download the file. There's no special software required — any modern browser, phone, or free desktop app can read EXIF in seconds. It's plain data embedded in the file according to a public standard.
Some platforms strip EXIF when you upload (Instagram, Twitter/X). Many don't — including most file-sharing sites, forums, email, direct messaging, and marketplace apps like Craigslist or Kijiji. You cannot rely on the platform to protect you.
When stripping actually matters
You don't need to be paranoid about every photo. But these situations genuinely warrant stripping EXIF before you share:
- Selling items online — photos taken at home reveal your address
- Posting publicly — forums, Reddit, Twitter — especially if you post regularly from one location
- Photos of your kids — your home and school locations are embedded
- Protest or event photos — location and timestamp can be used against people in them
- Rental listings — confirms the exact address you may not want published
- Whistleblowing or sensitive documents — device fingerprinting can identify the source
How stripping works — and why it's safe
Stripping EXIF doesn't touch your actual photo. The pixels are completely untouched. What changes is the metadata container that wraps the image data inside the file.
The cleanest approach — and the one Filesmith uses — is to redraw the image onto a blank HTML canvas and export it fresh. Because the canvas API doesn't know anything about EXIF, the output file contains no metadata at all. The image looks identical. The hidden data is gone.
This is also why doing it client-side matters: your photo never has to travel to a server to be processed. The whole thing happens in your browser tab.
What about turning off location on your phone?
Disabling location in your camera app stops GPS from being recorded in future photos — but it doesn't help with photos you've already taken. And it requires remembering to check the setting. Stripping before sharing is a habit that protects you regardless of your camera settings.