The invisible half of the file
A modern smartphone photo consists of two layers: the visible pixel content and an invisible metadata bundle of 100–500 KB. On a 1 MB JPG that's often 10–30% of the file size — information the user can neither see nor consciously consent to while shooting.
What's in it is a technically highly detailed dossier: capture time to the second, GPS coordinates accurate to the meter, altitude, camera model, lens, ISO, exposure time, aperture, focal length, white balance, embedded preview thumbnails, sometimes depth maps and Apple Live Photo sequences.
The three metadata standards
- EXIF (Exchangeable Image File Format) is the technical standard since 1995. It stores camera settings, capture time, GPS. See our glossary entry.
- IPTC (International Press Telecommunications Council, since 1990) stores editorial metadata: caption, author, license, keywords. Press photos are practically anonymous without IPTC.
- XMP (Adobe Extensible Metadata Platform, since 2001) is the most modern variant — XML-based, extensible, combining EXIF and IPTC in extended form. Adobe tools, Lightroom edit history, and many modern apps write XMP.
What smartphones actually write
Samples from current smartphone photos:
- iPhone 15 Pro (iOS 18, HEIC): EXIF with GPS (latitude, longitude, altitude, accuracy, speed, heading), camera model, lens, ISO, exposure, capture time incl. time zone. Embedded Apple maker-note with a Live Photo reference. Depth map as an auxiliary image.
- Google Pixel 9 (Android 15, Ultra HDR JPG): EXIF with GPS, lens, exposure. XMP block with lens ID and Ultra-HDR gain-map pointer. Optional BurstID tag on burst shots.
- Samsung Galaxy S24 Ultra (One UI 6.1): EXIF with GPS, plus a Samsung maker-note with its own lens tracking. On Pro-mode shots an XMP block with color-grading parameters.
To see what's in your own photo, load it into our metadata viewer — it shows everything browser-local, no upload.
Who reads the metadata?
An incomplete list of the actors that parse EXIF data:
- Social media platforms. Instagram, Facebook, Twitter have stripped most EXIF data on upload since around 2017 (privacy pressure after the Snowden era). But: WhatsApp and Telegram often pass original files through unchanged. Slack keeps EXIF in many workspace configurations.
- Email clients. Gmail, Outlook etc. pass attachments through unchanged. Share a photo by email and you share all the metadata.
- Web servers on direct upload. WordPress, custom CMSes and many photo galleries store originals unchanged until a plugin strips them.
- Photo licensing platforms. Adobe Stock, Shutterstock actively parse IPTC for search and license tracking.
- Forensics and law enforcement. EXIF data is standard evidence for image verification.
The GPS location: the biggest risk
Of all metadata, GPS is the most privacy-critical. Two clicks show the capture location on a map. Share a photo from home — even a snapshot of the dog on the sofa — and you potentially reveal your exact address.
The iOS Photos app has asked explicitly since iOS 13 whether location data should be included when sharing. That was an important step. But: with AirDrop, when saving to a NAS, or uploading to third-party software, GPS often stays in.
Embedded thumbnails — the forgotten trap
Many EXIF blocks contain an embedded preview JPG of 160×120 pixels. It was originally written for camera-display purposes. The problem: when a user edits a photo (e.g. cropping in iOS Photos), the embedded thumbnail is often not updated. It still shows the original.
Forensic tools like exiftool have extracted the original thumbnails routinely for years. If you cropped a photo before sharing to hide a person or a detail, make sure the thumbnail was updated too.
Edit history in XMP
Adobe tools (Photoshop, Lightroom) and some modern editors write edit history as an XMP block into the image. Which tools were used, which filters, which crops — all parseable. For press and commercial images this is maintained deliberately; for private photos it's often unintended data spread.
Clean pipelines: three strategies
To share metadata in a controlled way, there are three routes:
- Blanket stripping before upload. With tools like our metadata editor or
exiftool -all=on the command line. It also saves bytes (often 100–300 KB per image). - Selective stripping. Remove only GPS and maker-notes, keep EXIF basics (capture time, camera model). Sensible for photo portfolios that want to communicate technical data.
- Server-side stripping in the pipeline. Sharp's
.keepIptc()option, or an image-CDN filter that removes everything but a whitelist. Scales for e-commerce and photo platforms.
GDPR and EXIF
GDPR treats GPS coordinates as personal data once they relate to an identifiable person. Publishing photos with GPS EXIF on a website without consent formally risks processing personal data. In practice this has rarely led to fines, but: a photo blog with GPS EXIF on images of private individuals is GDPR-compliant only with documented consent.
Pragmatic consequence: for photo blogs, e-commerce, and all publicly hosted photo content, remove EXIF wholesale — except where photo metadata is editorially important (photo workshops, photo-contest platforms).
The browser-first recommendation
If you inspect metadata, never do it in the cloud. A tool that says "upload your photo and we'll show you the EXIF data" holds in its own hands exactly the data you actually want to control. Our metadata tools run browser-local via the Web Crypto and ExifReader APIs; nothing is uploaded.
Recommendation matrix
- Private photo on Instagram: the platform strips — usually fine. For sensitive content, strip it yourself anyway.
- Photo attachment by email to an unknown recipient: always strip.
- Press photo to an editorial desk: maintain IPTC (author, caption), GPS optional.
- Photo on your own website (blog, portfolio): remove everything but the author.
- Photo in an e-commerce shop: strip completely, saves bytes.
- Photo in a family cloud (iCloud, Google Photos): keep everything — it's your own cloud, EXIF is helpful here (search by date/location).
Sources
CIPA DC-008 — Exif Specification · IPTC Photo Metadata Standard · Adobe XMP Specification · exiftool · GDPR Art. 4 — Personal data · Apple — Location in shared photos · sharp — withMetadata API.