A few years ago, a fitness influencer in the Netherlands posted her usual Thursday morning workout photo. Tight lighting, good pump, water bottle placed artfully to the left. Her followers loved it. What her followers did not love, presumably, was that a persistent stranger was able to use the GPS coordinates embedded in that single image to figure out not just which gym she used, but which neighborhood she lived in, based on the pattern of locations embedded across six months of posts. The story made the news. The influencer deleted her account for two weeks. The water bottle remained blameless throughout.
Here is the part that should unsettle you: she did nothing technically wrong. She posted a photo. That is all. The problem was invisible, baked into the file itself before she ever opened Instagram.
What Is Actually Hiding Inside Your Photos
Every digital photo is two things at once. There is the image you can see, and then there is a chunk of data you cannot see, called EXIF metadata. EXIF stands for Exchangeable Image File Format, which is a name clearly invented by someone who did not care about branding. This data layer records details that your camera or phone thought would be helpful to log. Spoiler: some of those details are wildly personal.
A typical smartphone photo can contain:
- GPS coordinates - latitude and longitude, often accurate to within a few meters
- Timestamp - the exact date and time the photo was taken, down to the second
- Device information - the make and model of your phone or camera
- Camera settings - aperture, shutter speed, ISO, focal length
- Software version - which operating system or app processed the image
- Altitude - yes, some photos include how high above sea level you were standing
That last one is, genuinely, a lot. Nobody posting a latte photo on a Tuesday needed to broadcast their elevation to the internet. And yet, here we are.
The Gym Selfie Is Just the Beginning
The fitness influencer example is the dramatic one, the kind that gets written up in articles. But the mundane version of this problem happens every day to people who have never heard the word EXIF.
Consider the parent who photographs their child at a school event and shares it in a neighborhood Facebook group. The photo contains the school's GPS coordinates, the time of day (useful for anyone mapping a child's schedule), and the parent's phone model. None of that was intended to be shared. All of it was.
Or the person selling furniture on a local marketplace app, taking photos in their living room. The GPS data says: this is the exact address where this person lives and where the furniture currently is. Combined with the listing itself, you now have a map to a stranger's home and a list of their possessions. Brilliant.
Or the freelancer sending portfolio images to a potential client. Every photo quietly announces which coffee shop they use as an office, what time they typically work, and what kind of phone they own. That is a strangely intimate amount of information for a job application.
"But Doesn't Instagram Strip Metadata Automatically?"
Some platforms do strip metadata during upload. Instagram, Facebook, and Twitter have done this for years, which has given a lot of people false confidence. The issue is that "some platforms, sometimes" is not a privacy strategy.
Direct messages, email attachments, file-sharing services, portfolio sites, press kits, client deliverables, Discord servers, and Slack channels often pass the original file along completely intact. The moment you send a photo directly rather than through a metadata-stripping social platform, everything is on the table.
And even on platforms that strip data on upload, the original file sitting on your device or in your cloud backup still carries everything. If that file ends up somewhere else, it goes with its full biography attached.
The Fix Takes About Four Seconds
This is one of those rare situations where the solution is so much simpler than the problem description would suggest. Before you share any photo, run it through COMBb2's metadata stripper. Drop in the image, it cleans out the EXIF data, GPS coordinates, camera details, and timestamps, and you get back a visually identical file that simply no longer has anything to say about you.
The entire process happens in your browser. The photo does not travel to a server, does not get uploaded to a cloud queue, does not pass through anyone else's infrastructure. It is processed locally on your device, which is a satisfying irony: the tool that protects your location data does not need to know your location to work.
For photographers sending work to clients, this is also worth building into your standard workflow. A clean portfolio image looks identical to one with metadata, but it does not tell the recipient which city you live in, which studio you rent, or what time you prefer to shoot. That kind of information is yours to share when and how you choose, not embedded silently in every JPEG you send.
A Short List of When You Should Absolutely Strip Metadata
- Any photo taken at or near your home - This includes indoor shots taken near windows. GPS is surprisingly accurate about exterior positions even from inside.
- Photos of children - Schools, playgrounds, sports events, and similar locations should not be broadcasting their coordinates across group chats.
- Marketplace and classified listings - You are already sharing your general area. There is no reason to also share your exact address.
- Press releases and media kits - Journalists and bloggers can extract metadata. Most will not, but some will.
- Any image sent by email or direct message - These channels almost never strip data on your behalf.
If you want to go further down the rabbit hole of what your photos reveal before you start stripping them, the manual adjustment tools are there once the image is clean, and if you are dealing with photos that have already been shared and you are feeling retrospectively anxious about it, it is worth noting that most platforms allow you to delete and re-upload a cleaned version.
The Bigger Picture (No Pun Intended)
Privacy conversations tend to focus on passwords, app permissions, and data breaches. The photo metadata problem does not get enough attention, possibly because it is invisible, and because the damage it does tends to be slow and ambient rather than sudden and obvious.
Nobody gets notified when someone extracts GPS data from a photo. There is no alert, no audit trail, no warning. The information just sits there, available to anyone who knows to look, for as long as the file exists.
The Dutch fitness influencer eventually came back to social media. She now strips her metadata before every post. Her photos look exactly the same as they did before. Her follower count recovered. The water bottle is still in every shot.
The only thing that changed is that her Thursday morning gym is no longer common knowledge among strangers on the internet, which seems like a reasonable outcome for everyone involved.
Before your next post, your next email attachment, your next portfolio send, take four seconds and use the metadata stripper. Your photos will look identical. They will just stop telling stories you never meant to tell.
Conclusion
EXIF metadata is one of the most overlooked privacy risks in everyday digital life. It is not dramatic, it is not a hack, and it requires no technical skill to exploit. The solution is equally simple: strip the data before sharing. A photo without metadata is still a perfect photo. It is just one that knows when to keep quiet.
Try it yourself
Free, private, runs in your browser. No sign-up required.
