What's hidden in the images you post?
most of this was writtten on 2024-03-31 but was shelved, and is now being released in October with the migration to personal blogs following the closure of Cohost
Huh?
A lot of this was covered extensively during protests over the last few years. I wanted to bring it up again because I’ve seen several cases of content creators inadvertently posting sensitive information recently. In all cases of this that I’ve seen, I have informed the creator and deleted all files with leaky metadata from my machine.
In many images, your camera will store Exif metadata. Depending on what camera you use, this could contain a wide variety of things:
- the kind of camera you use
- the date and time
- color profile information
- the shutter speed, aperture, ISO
- geotag information
They’re all pretty mundane things. Helpful, even. But there’s a scary one (and potentially dangerous, if you’re posting content online!): the geotagging information.
It can consist of a bunch of things, depending on what your camera supports. My iPhone 13 Pro, for example, records:
- the GPS latitude and longitude
- the date and time, as received from the GPS satellites
- the GPS altitude
- a compass bearing
- the GPS margin of error
- how fast the camera was going in kilometers per hour
Good news, though! For most people, there’s nothing to worry about. Almost all the sites you upload images to are probably removing that information for you. Unfortunately, there’s a few cases where some of this information can stick around.
Who’s sanitizing your uploads?
I’ve compiled a list of services that do and don’t remove geolocation data, based on some basic testing (uploading an image and downloading it again). The photo used is a photo of the “Welcome to the United States” sign in Seattle Tacoma International Airport, with real geotag coordinates. I chose this image because it’s months old, and has geotag information I don’t mind posting to the world (it’s literally in an International Airport!). As such, I have not manually sanitized the Exif data in any of the “exiftool output” links.
I checked the metadata at all stages using exiftool, a utility for viewing and modifying image metadata (https://github.com/exiftool/exiftool).
The original file’s Exif data as seen by Exiftool can be found at https://en0.sh/wihaqojofo.txt, in case you’d like to diff it against the ones below.
If there’s something not on this list that you think should be, reach out to me at [email protected] and I’ll review it and get it added.
Site | Removes geotags: | Exiftool output |
---|---|---|
Patreon | Yes | https://en0.sh/gaxizaluda.txt |
Ko-fi | Yes | https://en0.sh/amavikuqax.txt |
Yes | https://en0.sh/otujemoher.txt | |
Yes | https://en0.sh/oromajacon.txt | |
Telegram (“quick”) | Yes | https://en0.sh/gepibowizo.txt |
Telegram (“uncompressed”) | No | https://en0.sh/etujigibok.txt |
Slack | Yes | https://en0.sh/cufesuwugu.txt |
Flickr | No | https://en0.sh/guyepoxili.txt |
Cohost | Yes | https://en0.sh/abeqesizon.txt |
Bluesky | Yes | https://en0.sh/cufuvusupu.txt |
Hugo static site generator | No | https://en0.sh/imeqatuzag.txt |
Wordpress.com | No | https://en0.sh/efokagigeq.txt |
Staying safe
No .zips
You should avoid uploading images anywhere as .zip
files or other compressed archives. I’m unaware of any platforms
that unpack archives, scrub metadata, and repack them.
Everest’s Image Scrubber
Everest Pipkin put together an excellent easy-to-use utility to remove Exif data from images for the Black Lives Matter protests in 2020, which can be found at https://everestpipkin.github.io/image-scrubber/. It runs entirely in your browser, and does not upload the original image.
Exiftool
If you’re more technically inclined, you can use Exiftool yourself to clean up images. On all test images I’ve tried, the following commands(source) work to remove all identifiable geotag metadata in my test files:
exiftool -gps:all= FILE.jpg
exiftool "-gps*=" FILE.jpg
The easy one
Just disable geotags on your phone’s camera app.
On Apple iOS, Apple has provided a support guide here: https://support.apple.com/guide/personal-safety/stop-and-remove-location-metadata-in-photos-ips0d7a5df82/web. It’s under the “Stop location metadata collection in Camera on iPhone or iPad” section.
Android phones may vary depending on what phone you have and what camera app they use, but usually it’ll be somewhere in the camera app’s settings menu.
Most mirrorless, DSLR and point-and-shoot cameras do not include a built-in GPS module to record geotags, but you may want to check the information for your specific camera.
The needlessly hard one
Have you considered film photography? It’s fun and records no GPS metadata.
End
That’s all I got.