EXIF Viewer

Every photo your phone or camera takes is shipped with a hidden second file attached: the EXIF block. EXIF (Exchangeable Image File Format) is a standard defined in 1995 that piggybacks structured metadata onto JPEG, HEIC, and TIFF files. The intention was good — give photographers a way to record camera settings, lens, exposure, and timestamp so they could review their craft later. The unintended consequence is significant: by default, modern smartphones also embed the exact GPS coordinates where the photo was taken, the unique serial number of the camera, the software version of the OS, and sometimes even the user's name from device settings. Most people have no idea this is happening.

What's actually inside EXIF

A typical iPhone photo contains 50-100 distinct EXIF tags. Camera make and model. Lens (since iPhones now have multiple lenses, this tells you which one). Aperture, shutter speed, ISO, exposure compensation, white balance. Date and time the photo was taken (down to the second), in the camera's local timezone. GPS latitude, longitude, altitude, and direction the camera was facing. A unique camera/sensor identifier. The software that processed the image (iOS version, app name). Orientation. Colour profile. Pixel dimensions. The list goes on. If the photographer used Lightroom, Photoshop, or any pro editor, even more — keywords, copyright info, edits applied, raw conversion settings.

In 2012, anti-virus pioneer John McAfee was located by Vice reporters who simply opened an iPhone photo of him in EXIF Viewer — the GPS coordinates pointed to a guesthouse in Guatemala.

Where EXIF leaks happen — and where it's stripped

Major social platforms strip EXIF on upload: Facebook, Instagram, Twitter/X, LinkedIn, Reddit. WhatsApp strips it when you share as a "photo" but preserves it when you share as a "document". Telegram strips it on photo uploads, preserves on document send. iMessage preserves EXIF including GPS — full metadata travels with the image. Email attachments preserve everything — including the BCC list if you send to multiple people and they reply-all (different attack, but same family). Most blogging platforms (WordPress, Ghost, Substack) preserve EXIF by default unless you change the setting. Direct file shares via Dropbox, Google Drive, or any cloud-link preserve EXIF — the file is unchanged.

The APAC EXIF-privacy landscape

EXIF privacy awareness varies sharply across APAC. South Korea has the strongest cultural awareness — molka (illicit camera) controversies have made the average user wary of any metadata that might reveal location. Japan follows close behind, with most camera apps offering one-tap EXIF stripping. Singapore, Hong Kong, Australia have professional photography communities who routinely strip metadata for client work. India, Indonesia, Philippines, Thailand, Vietnam have rapidly growing creator economies on TikTok, YouTube, Instagram — most creators are unaware that EXIF survives on direct messaging and cloud sharing. China has its own metadata layer: WeChat strips EXIF on transfers between users but adds its own provenance tags (which platform, which account posted first); the LBS-driven culture (location-based services in Meituan, Dianping) means many Chinese users actively want some location tags preserved for tagging restaurants and venues. Malaysia sits in the middle — heavy WhatsApp use means metadata gets stripped on default photo shares, but the "as document" shortcut quietly preserves everything. Universal rule: never assume your platform strips EXIF — check.

Why GPS metadata matters more than the other fields

Most EXIF fields are harmless. Aperture and ISO can't dox you. The make and model of your camera might link photos to other photos you've taken, but on its own it's not identifying. GPS is different — a single photo's lat/long can pinpoint your home, your office, your school, your child's school, your favourite running route. Real-estate scammers regularly use EXIF GPS data to confirm a property listing photo was actually taken at the address claimed (or, conversely, to spot fraudulent listings). Dating-app users have been doxxed via GPS in profile pics. Domestic-abuse victims have been tracked by an abuser they thought they'd escaped, because they posted a photo to social media without realising the platform preserved the location stamp. Always strip GPS before public posting unless you specifically want the location to be known.

What this tool's "stripped JPG" actually does

The stripped download re-encodes your photo through a browser canvas. The Canvas API has no concept of EXIF, IPTC, or XMP — when it writes a JPEG, it writes the pixel data only. Every tag, every GPS coordinate, every timestamp is gone. The trade-off is slight: re-encoding is a lossy round-trip (the file is decoded to pixels then re-encoded to JPEG at quality 94), so you lose a tiny amount of image quality. For social posting this is invisible; for archival or print work, strip EXIF using a dedicated tool that preserves the original encoding (exiftool from the command line).