In 2012, the antivirus pioneer John McAfee was on the run from authorities in Belize. Vice magazine tracked him down for an exclusive interview. They published a photo of the journalist with McAfee. It was a great scoop — until someone checked the EXIF data embedded in the image file.
The photo contained GPS coordinates. Latitude and longitude, accurate to within a few metres. McAfee’s location was exposed not by surveillance, not by an informant, but by the default behaviour of a smartphone camera.
Every photo taken on a modern phone embeds metadata automatically. It’s called EXIF data — Exchangeable Image File Format — and it records far more than most people realise. GPS coordinates. Date and time. Device model. Lens settings. Sometimes the serial number of the camera itself. Some phones record altitude. Some record which direction you were facing.
This metadata travels with the image. When you text someone a photo, it’s there. When you email an attachment, it’s there. When you upload to some platforms, they strip it — but not all of them, and not consistently. Auction sites, forums, messaging apps, cloud storage links — the data often survives.
For most people, this is a privacy issue they’ve never considered. You send a photo of something you’re selling online — your home coordinates are in the file. You send a photo to someone you’ve just met — your daily locations are in the file. You share pictures of your children — the school’s GPS coordinates are in the file.
It’s not that this data is secret. It’s that most people don’t know it’s there.
Removing EXIF data is straightforward. The file itself doesn’t change visually — the image looks identical. What changes is the invisible payload attached to it. Strip the metadata and the photo becomes just a photo. No coordinates. No timestamps. No device fingerprint.
The reason this isn’t standard behaviour is the same reason most software inconveniences exist: it was never in anyone’s commercial interest to make it easy. The data is valuable. To advertising platforms, to analytics systems, to anyone building a profile of where you go and what you do. Making it simple to remove would work against that.
So it stays. Quietly. In every photo you send.