Exif data is an hidden metadata (data about data) that is automatically added to photos taken by digital cameras and mobile phones. Exif data can pose a serious privacy and security dangers, as illustrated by many stories published in the media, some of them are described in this page.

Exif data often includes generally harmless information such as exposure time, focal length, and flash usage, but also often includes the following potentially privacy and security compromising information:
  • Geotag - coordinates of the exact location where the photo was taken. Can allow strangers to learn where you live and hangout, and to identify you. Can be added by a GPS-enabled camera or mobile phone.
  • Thumbnail - a small version of the photo, created by cameras for fast viewing of the photo on the camera's screen. Some image manipulation programs do not update this thumbnail. This can cause parts of the photo which were censored to still be visible in the thumbnail.
  • Camera and lens unique serial numbers - can allow people to trace two photos to the same photographer, and can help identify the photographer.
  • Exact date and time - can allow people to know where you've been at a particular time.
Since Exif data is not visible to the casual viewer, people may not realize it is embedded in photos they take. If they share the photos with others (e.g. by posting them on the web), they can compromise their privacy and security.

Table of Contents

    1. Exif data notable privacy and security incidents
    2. Photo metadata beyond Exif data
    3. How to avoid Exif data dangers

        Exif data notable privacy and security incidents

        Cat Schwartz accidentally exposed her breasts

        In 2003, American television personality Cat Schwartz posted two cropped photos of herself on her personal blog. The original uncropped photos were still visible in the thumbnails in the Exif data, showing her bared breasts. (Source)

        Geotag reveled that John McAfee is hiding in Guatemala

        In December 2012, Vice Magazine published a photo of John McAfee, the founder of McAfee, an anti-virus software company. Geotag inside the Exif data of the photo inadvertently reveled that McAfee is in Guatemala, where he was escaping from Belize authorities, who wanted him for questioning on his neighbor murder case. (Source)

        Geotag reveled the home address of Adam Savage

        In 2010, host of the popular science TV program “MythBusters”, Adam Savage, posted a photo on Twitter of his auto parked in front of his house. Since the photo contained geotag inside its Exif data, strangers could learn exactly where he lives. (Source)

        Geotag led to the destruction of American Apache helicopters

        In 2007, a new fleet of Apache helicopters arrived at an American base in Iraq. Some soldiers took photos of the flightline and uploaded them to the Internet. The enemy found geotags inside the Exif data of the photos, and conducted a mortar attack that destroyed four helicopters. (Source)

        Geotag led to the arrest of a hacker

        In 2012, there was a series of attack on American government websites by the Anonymous group. The hackers published photos of a women in bikini holding written taunts, not showing her face. The hackers were unaware that the photos contained geotags in their Exif data. The geotags led investigators to that women's house in Australia. Further investigation reveled that the women is a girlfriend of one of the hackers, Higinio O. Ochoa III from Texas. He was arrested, charged, and convicted. (Source)

        Photo metadata beyond Exif data

        Other than Exif data, photos may contain other types of hidden metadata. Most common are the following:
        • XMP
        • IPTC data
        • JPEG comment
          Such metadata is usually added by users using a photo management software to better describe the content of the photo, the circumstances in which it was taken, as well as detailed information about the identity of the photographer and the people photographed.

          How to avoid Exif data dangers

          Removing Exif data and other photo metadata

          Specialized tools for removing Exif data and other photo metadata exist for every operating system. Examples are the following freewares:

          Beware: Windows' properties removal feature is not enough

          In Windows Vista, Microsoft has introduced a feature to remove properties and personal information. This feature is very limited though, and can give a false sense of privacy protection. It can remove only some Exif data fields, NOT including the thumbnail and the camera and lens unique serial numbers. Also, it cannot remove at all other types of photo metadata such as XMP, IPTC data, and JPEG comment. Therefore, specialized photo metadata removers, such as the ones mentioned above, are recommended for removing Exif data and other photo metadata, as they are more thorough.


          Disabling photo geotagging

          You can turn off photo geotagging in your mobile phone to prevent the automatic embedding of geotags in photos you take. There are different ways to do that, depending on your mobile phone type.