Security Blog

How Facebook Handles Image EXIF Data

Over the last decade or so, the ability of cameras and smartphones to record additional data about digital photos using the EXIF (exchangeable image file format) standard has been a boon for photographers and users of mapping applications. EXIF stores all sorts of information about the picture you take, including shutter speed, ISO speed, aperture, and also the date, time, and -- if the device taking the photo has a GPS receiver -- location details about where the image was taken. (See also "Get Ready for Imaging with Sysprep" and "iOS and Windows Phone: Let the Games Begin.")

You can view most of this information in Windows 7 by right-clicking a digital photo in Windows Explorer, selecting Properties, and then clicking the Details tab. (See screenshot below.)

Windows 7 file properties displaying image EXIF data

For even more detailed EXIF information, you can use a web service like Jeffrey Friedl's online EXIF viewer, which lets you upload digital photos and see an eye-opening amount of information about the EXIF data your images contain. EXIF provides a wealth of data for photography and image buffs, but it also raises some serious privacy and security concerns. If you're working with confidential subject matter, or taking pictures of your own children, providing complete strangers with the exact details of where and when you took your pictures is something you'd want to avoid.

Over the past few years a variety of mass media outlets have reported on the dangers of location information stored in EXIF data, yet many get the information wrong, particularly when it comes to how social media platforms like Facebook treat EXIF information on uploaded images. When you upload a photo to Facebook, the EXIF data is stripped from the image during the upload.

You can test this yourself: Take a photo with a smartphone (with GPS and location services enabled), then use the aforementioned online EXIF viewer to see all the EXIF data recorded for the image. Upload that same image to Facebook, then download the image from Facebook by clicking on the "download" link underneath the picture. Load the downloaded copy into the same EXIF viewer and compare the data you see. There's a huge difference: The image that has been uploaded to Facebook, processed by Facebook, and then downloaded again contains only a fraction of the information that the original image did.
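The same before-and-after comparison can be run locally instead of through an online viewer. The script below is an added example, not code from the original article: it walks a JPEG's segments, reads the tag IDs in the first EXIF directory (IFD0 only), and reports which tags the processed copy has lost. The function names are hypothetical and the two sample files are constructed byte strings, not real camera or Facebook output.

```python
import struct

TAGS = {0x010F: "Make", 0x0110: "Model", 0x0112: "Orientation",   # IFD0 tag IDs
        0x0132: "DateTime", 0x8769: "ExifIFD", 0x8825: "GPSInfo"}

def exif_tiff(jpeg):
    """Return the TIFF block of the first APP1/Exif segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):          # image data or end of file
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        pos += 2 + length                   # length counts its own 2 bytes
    return None

def ifd0_tags(jpeg):
    """Names of the IFD0 tags present (unknown IDs as hex strings)."""
    tiff = exif_tiff(jpeg)
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2]) if tiff else None
    if order is None or len(tiff) < 8:
        return set()
    magic, offset = struct.unpack(order + "HI", tiff[2:8])
    (count,) = struct.unpack(order + "H", tiff[offset:offset + 2].ljust(2, b"\0"))
    found = set()
    for i in range(count if magic == 42 else 0):
        entry = tiff[offset + 2 + 12 * i:offset + 14 + 12 * i]
        if len(entry) < 12:                 # truncated directory
            break
        (tag,) = struct.unpack(order + "H", entry[:2])
        found.add(TAGS.get(tag, hex(tag)))
    return found

def sample_jpeg(tag_ids):
    """Constructed test file: SOI, optional Exif APP1, EOI (no pixels)."""
    ifd = b"".join(struct.pack("<HHII", t, 3, 1, 0) for t in tag_ids)  # dummy entries
    tiff = b"II" + struct.pack("<HIH", 42, 8, len(tag_ids)) + ifd + b"\0" * 4
    seg = b"\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0" + tiff
    return b"\xff\xd8" + (seg if tag_ids else b"") + b"\xff\xd9"

# Constructed inputs, not real camera or Facebook output
ORIGINAL = sample_jpeg([0x010F, 0x0110, 0x0112, 0x0132, 0x8825])
PROCESSED = sample_jpeg([0x0112])
print("removed by processing:", sorted(ifd0_tags(ORIGINAL) - ifd0_tags(PROCESSED)))
```

To check real files, pass `open(path, "rb").read()` for the original and the downloaded copy; a `GPSInfo` entry in the difference means the location pointer was present before processing and is gone afterwards.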

You can see the changes clearly in a sample photo I took with my iPhone 4S just outside our editorial offices in Fort Collins, CO earlier this year. I've posted "before" and "after" pictures in the photo gallery embedded below.



I reached out to Facebook for additional details about how they handle EXIF image data, and received this somewhat nebulous reply from a Facebook spokesperson. "We make limited use of camera EXIF/IPTC data. EXIF rotation information is no longer ignored. Photo comments are automatically populated with the IPTC title and caption," the spokesperson said. "We're looking into more deeply integrating other EXIF/IPTC data into the product, but want to do so in a way that's reliable and respects the privacy of people on Facebook."

So in the interest of separating fact from fiction: photos taken with a smartphone and uploaded to Facebook won't retain EXIF data, so that's currently not a privacy concern. (Although Facebook's response to my query opens up the possibility that EXIF data will be used more significantly in the future.) A more realistic issue is how Facebook handles access to the images you've uploaded. Recent news reports described glitches in Facebook's photo handling process that allowed private images, such as Mark Zuckerberg's own private photos, to be exposed to people you don't intend to share them with.

So what's the best way to handle Facebook security and privacy concerns? Keeping abreast of all the latest news and updates from the Facebook privacy center is a good start, as well as keeping up on all the latest Facebook news and analysis from independent sources like this blog.

