Guide · 11 min read

EXIF metadata: what your photos really reveal (and how to erase it)

GPS, camera model, editing software, serial numbers, timestamps — a complete technical guide to EXIF metadata, privacy risks and how journalists use it for verification.

Quick answer

EXIF reveals camera, lens, GPS, software and timestamps. Strip it before publishing personal photos (exiftool -all=). Read it first when verifying any incoming image — it's the fastest, cheapest forensic signal available.

Everything a JPEG can reveal about you

A single photo can contain: GPS coordinates (to 5-metre precision), camera make, model and firmware, lens serial number, exposure triangle (ISO, aperture, shutter), date/time with timezone, editing software (Photoshop version, Lightroom profile), copyright and author fields, and in some cameras an embedded thumbnail that survives even if you crop the main image.

The EXIF fields that matter for verification

Software tag. Legitimate cameras never write 'Midjourney' or 'Stable Diffusion' here. A generator tag is a smoking gun.

Make + Model + LensInfo. Must be internally consistent. A Canon body with Nikon lens metadata = red flag.

DateTimeOriginal vs DateTimeDigitized vs ModifyDate. All three should agree within a few seconds for an unedited shot.

GPS. Should match the claimed location. Use SunCalc to verify sun angle against the timestamp and coordinates.

Serial number. Survives through editing in many cameras and can tie multiple photos to the same device.
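
The checks listed above, sketched as an added example (not ScanTrace's code and not part of the original article), run over records shaped like `exiftool -j` output. The sample records, the 5-second threshold, the flag names and the body-maker list are assumptions made here.

```python
import json
from datetime import datetime

# Constructed sample shaped like `exiftool -j` output (not from any real image).
SAMPLE = json.loads("""[
 {"SourceFile": "a.jpg", "Make": "Canon", "LensMake": "Canon",
  "DateTimeOriginal": "2024:05:01 12:30:15",
  "CreateDate": "2024:05:01 12:30:15", "ModifyDate": "2024:05:01 12:30:16"},
 {"SourceFile": "b.jpg", "Make": "Canon", "LensMake": "NIKON",
  "Software": "Adobe Photoshop 25.0",
  "DateTimeOriginal": "2024:05:01 12:30:15",
  "CreateDate": "2024:05:01 12:30:15", "ModifyDate": "2024:05:03 09:12:40"},
 {"SourceFile": "c.png", "Software": "Stable Diffusion"}
]""")

GENERATORS = ("midjourney", "stable diffusion")  # the names the article cites
BODY_MAKERS = {"canon", "nikon", "sony", "fujifilm", "olympus", "panasonic"}  # assumed list
DATE_TAGS = ("DateTimeOriginal", "CreateDate", "ModifyDate")  # CreateDate = DateTimeDigitized
MAX_SKEW_S = 5  # assumed value for "within a few seconds"

def parse_ts(value):
    """Parse ExifTool's 'YYYY:MM:DD HH:MM:SS' form; None if absent or malformed."""
    try:
        return datetime.strptime(str(value)[:19], "%Y:%m:%d %H:%M:%S")
    except ValueError:
        return None

def exif_flags(rec):
    """Return the list of inconsistency flags for one metadata record."""
    flags = []
    software = str(rec.get("Software", "")).lower()
    if any(g in software for g in GENERATORS):
        flags.append("generator-software")
    elif software:  # may be an editor or plain camera firmware: needs a human look
        flags.append("software-tag-review")
    body = str(rec.get("Make", "")).lower().split()[:1]
    lens = str(rec.get("LensMake", "")).lower().split()[:1]
    if body and lens and body != lens and body[0] in BODY_MAKERS and lens[0] in BODY_MAKERS:
        flags.append("body-lens-mismatch")  # third-party lens brands are not flagged
    stamps = [t for t in (parse_ts(rec.get(k)) for k in DATE_TAGS) if t]
    if len(stamps) < len(DATE_TAGS):
        flags.append("timestamps-missing")
    elif (max(stamps) - min(stamps)).total_seconds() > MAX_SKEW_S:
        flags.append("timestamp-skew")
    if not any(k in rec for k in ("Make", "Model")):
        flags.append("no-camera-identity")
    return flags

if __name__ == "__main__":
    print({r["SourceFile"]: exif_flags(r) for r in SAMPLE})
```

Missing-tag flags are weak on their own, since most platforms strip EXIF on upload; the mismatch and skew flags are the ones worth a closer look.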

Real privacy incidents caused by EXIF

John McAfee, 2012. Vice published a photo with him 'in hiding'. The GPS tag in the EXIF pinpointed his location in Guatemala within 24 hours.

Higinio O. Ochoa III, 2012. The hacker posted a photo of his girlfriend. The iPhone's GPS tag led the FBI to his door.

Countless domestic violence cases. Victims sharing photos with abusers still receiving notifications — GPS tags in attachments to court documents.

How to read EXIF (free tools)

ExifTool (Phil Harvey) — gold standard CLI. Jeffrey's Image Metadata Viewer — web, paste any URL. ScanTrace — reads EXIF as part of the forensic pipeline and flags inconsistencies automatically. IrfanView, Adobe Bridge, digiKam — GUI readers.

How to strip EXIF safely before publishing

Command-line: exiftool -all= -overwrite_original photo.jpg. GUI: Windows Explorer → Properties → 'Remove Properties and Personal Information'. macOS Preview → Tools → Show Inspector → drag GPS out. Online strippers: only use services you trust; your photo is uploaded to their server.

Journalists protecting sources should also strip thumbnails and IPTC fields — ExifTool with -all= handles both.

The verification angle: EXIF as evidence

EXIF is the cheapest, fastest verification signal available. In less than 200ms a detector can: confirm the photo came from a physical camera, cross-check timestamp against reported time of event, validate GPS against geography, and flag editing software. ScanTrace does all four automatically.

Conclusion: EXIF is a double-edged sword

For you as a subject: strip it before publishing anything you don't want tied to a location or device. For you as a verifier: read it first, always. The same bytes that doxx a careless user also unmask a forged image. Know the tool; use the tool.

Frequently asked questions

What is EXIF metadata exactly?

EXIF (Exchangeable Image File Format) is a standard from 1995 that embeds technical information inside JPEG, TIFF and HEIC files: camera model, lens, exposure, ISO, timestamps, GPS, software used and sometimes thumbnails and serial numbers.

Does Instagram strip EXIF?

Yes. Instagram, WhatsApp, X (Twitter), Facebook and most messaging apps strip EXIF on upload for privacy. Reddit preserves some fields. The absence of EXIF on a web-found image means little.

Can my home address be extracted from a photo?

If you uploaded a raw photo with GPS enabled and the platform didn't strip EXIF, yes. This is how multiple high-profile doxxing cases happened (including John McAfee in 2012, geolocated from a Vice photo).

How do I remove EXIF before sharing a photo?

On Windows: right-click → Properties → Details → 'Remove Properties'. On macOS: Preview → Tools → Show Inspector → remove GPS. On Linux: exiftool -all= file.jpg. Or use an online stripper — but upload only to services you trust.

Is coherent EXIF proof that a photo is real?

Strong signal, not proof. EXIF can be forged: ExifTool writes tags as easily as it reads them. Real EXIF combined with pixel analysis and reverse search gives a reliable verdict — ScanTrace's 3-layer pipeline does exactly this.
