The Data Hiding in Your Photos
In early February 2012, the West Virginia Chiefs of Police Association learned that its own website had been turned against it. Someone had reached the database behind the site and pulled out the home addresses and personal phone numbers of more than 150 current and retired police chiefs, then posted them online for anyone to read. "It's a tragedy someone was able to hack our website and obtain information that is useful to our members," the association's president, William Roper, told reporters. The break-in was one of a string aimed at police departments around the country, a campaign the hackers called Operation Pig Roast.[1]
The attacks came with a signature. On the defaced pages, alongside the leaked files, a hacker who went by w0rmer left a photo of his girlfriend holding a handwritten sign that read "PwNd by w0rmer & CabinCr3w <3 u BiTch's," and pointed followers to it from a Twitter account in the same name. It was a taunt, aimed at the agencies the group had just embarrassed.[2]
The taunt was what undid him. The photo had been taken on an iPhone with location services switched on, and the file still held the GPS coordinates of the spot where the shutter was pressed. Those coordinates led to a house in Wantirna South, a suburb of Melbourne, Australia. Police traced the address to a woman, found her on Facebook, and saw that she had named w0rmer as her partner. He was arrested in Texas that March and later sent to federal prison.[3][4]
He had taken care to cover his tracks and overlooked one thing. The image he chose as a trophy carried a layer of data he never saw, written automatically by the camera, recording exactly where the photo was taken. That layer is called EXIF data, short for Exchangeable Image File Format, and nearly every photo a phone takes contains it.
This data is useful while it stays on your device. It is what lets your photo library sort pictures by date and show them on a map. The problem begins when a file leaves your device with that layer still attached. Whoever receives it can read every field, including the exact location where you stood when you pressed the shutter. None of this requires you to do anything wrong. It is the default behavior of most cameras and phones.
What EXIF Data Contains
The fields fall into a few broad categories. Location is the most sensitive: many phones record GPS coordinates accurate to within a few meters. Timestamps record when the photo was taken. Device information identifies the make, model, and software version of the camera or phone, along with the lens. Camera settings cover values like aperture, exposure, and ISO, which carry little personal risk on their own.
A Recurring Pattern
w0rmer was not the first person to be located this way, nor the most famous. In December 2012, the technology magazine Vice published a story about the fugitive software founder John McAfee, who was avoiding authorities at the time. The story included a photo of McAfee taken on an iPhone. The file still carried its GPS coordinates, which placed him at a specific location in Guatemala. McAfee initially claimed the data was falsified, then acknowledged that the photo had given away his position.[5]
These cases are well known because of who they involved, but the underlying mistake is common. The Electronic Frontier Foundation has documented how the location stored in a photo can reveal a home or workplace,[4] and law enforcement agencies have noted the same risk for the public.[6] A picture of something ordinary, taken at home and posted online, can carry the address of the home along with it.
Where the Data Goes When You Share
What happens to the metadata depends on how you share the file. Major social platforms, including Instagram, Facebook, and X, remove EXIF data from the copy that other people can download. A stranger saving your public post will generally not find GPS coordinates in it. The platform still receives the original file with everything intact when you upload, so it is the platform, not the public, that you are trusting with that data.
Sharing a file directly is different. When you send a photo by email, by message, or over AirDrop, or when you hand someone the original file, the metadata usually goes with it untouched. The same is true of a cloud link that points to the original. These paths do not strip anything on their own, so the recipient can read every field.
How to Remove It
On an iPhone or iPad, you can drop the location when you share. In the Photos app, select the photos, tap Options at the top of the share sheet, and turn off Location before you send. The Photos app removes the location only from the copy it sends; the originals in your library keep their location, so you repeat this each time you share. There is also no location toggle when you share through an iCloud link.[7]
On a Mac, Preview can show and remove location data through the Inspector under the Tools menu. For other fields, or to clear everything in one step, dedicated metadata tools remove all EXIF fields at once. Whichever method you use, the safest habit is to strip the data before the file leaves your device, because once a copy is out you cannot recall it.
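What a dedicated metadata tool does to a JPEG, shown as an added example (this is not Media Den's code or that of any tool mentioned here). In a JPEG, EXIF sits in an APP1 segment near the start of the file, so the script checks whether that segment links to a GPS directory and then cuts the segment out. The function names and the sample bytes are constructed for illustration.

```python
import struct

EXIF = b"Exif\x00\x00"  # signature that opens an APP1 Exif payload
GPS_TAG = 0x8825        # IFD0 entry that points at the GPS sub-directory

def segments(jpeg):
    """Yield (marker, payload, start, end) up to start-of-scan (0xDA)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if end < pos + 4 or end > len(jpeg):
            raise ValueError("corrupt or truncated segment")
        yield jpeg[pos + 1], jpeg[pos + 4:end], pos, end
        pos = end

def has_gps(jpeg):
    """True if an Exif segment's first directory (IFD0) links to GPS data."""
    for marker, payload, _, _ in segments(jpeg):
        tiff = payload[6:]  # TIFF block: byte order, magic, IFD0 offset
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if marker != 0xE1 or not payload.startswith(EXIF) or not order:
            continue
        try:
            ifd0 = struct.unpack(order + "I", tiff[4:8])[0]
            count = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])[0]
            tags = [struct.unpack(order + "H", tiff[o:o + 2])[0]
                    for o in range(ifd0 + 2, ifd0 + 2 + 12 * count, 12)]
        except struct.error:
            continue  # malformed TIFF block, nothing readable
        if GPS_TAG in tags:
            return True
    return False

def strip_exif(jpeg):
    """Return a copy with every APP1 Exif segment cut out, rest untouched."""
    out, last = bytearray(), 0
    for marker, payload, start, end in segments(jpeg):
        if marker == 0xE1 and payload.startswith(EXIF):
            out += jpeg[last:start]
            last = end
    return bytes(out) + jpeg[last:]

def seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
# Constructed sample: valid segment layout only, not a decodable picture.
TIFF = b"II*\x00" + struct.pack("<IHHHIII", 8, 1, GPS_TAG, 4, 1, 26, 0) + bytes(6)
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00" + bytes(9)) + seg(0xE1, EXIF + TIFF)
          + seg(0xDB, bytes(65)) + b"\xff\xda\x00\x02\x12\x34\xff\xd9")
```

The example removes only the Exif segment. XMP and IPTC are separate metadata containers in a JPEG and are left in place by this code.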
Metadata in Media Den
Media Den can strip identifying metadata from photos as they are imported into the vault, so the cleaned version is what gets stored and backed up. Location, timestamps, device information, and camera settings are each a separate option, and all four are on by default. Your photos are also encrypted on your device before they reach your cloud storage.
References
[1] Associated Press, "Hackers post W.Va. police officers' personal info," February 2012. phys.org
[2] The Register, "FBI track alleged Anon from unsanitised photo," April 2012. theregister.com
[3] eSecurity Planet, "FBI Used Metadata to Catch CabinCr3w Hacker," April 2012. esecurityplanet.com
[4] Electronic Frontier Foundation, "A Picture is Worth a Thousand Words, Including Your Location," April 2012. eff.org
[5] NPR, "Betrayed By Metadata: John McAfee Admits He's Really In Guatemala," December 2012. npr.org
[6] FBI Portland, "Tech Tuesday: Building a Digital Defense Against the Dangers of EXIF Data." fbi.gov
[7] Apple, "Manage location metadata in Photos." support.apple.com