EXIF — the Exchangeable Image File Format — is older than Google. It is older than Wi-Fi. It is older than most of the people who now write articles about deleting it. The standard was published in October 1995 by JEIDA, the Japan Electronic Industry Development Association, as a small technical convenience for early digital cameras. The privacy implications were not discussed because there were no privacy implications. There was no internet to share the photos on, no GPS to embed coordinates from, and no smartphones to make the problem universal.
Thirty years later, EXIF sits inside roughly every photo ever taken with a digital camera and is the single most common piece of personal data accidentally published on the public internet. Understanding how it got here is the easiest way to understand why every modern privacy tool treats it as the default thing to remove.
1985–1994: The pre-history
Before EXIF, there was TIFF — the Tagged Image File Format, designed at Aldus in 1986, which established the basic idea that an image file should contain not only pixels but also a tag-value dictionary describing those pixels. JPEG arrived in 1992 but carried no metadata of its own; to attach descriptive information you used the JPEG file's optional application markers, slots labeled APP0 through APP15 reserved for arbitrary application-specific data.
By 1994, Japanese camera manufacturers were preparing the first consumer digital cameras, and each was writing its own private metadata into APP markers in a format that no other brand could read. The industry needed a common dictionary.
1995: EXIF 1.0
JEIDA published EXIF version 1.0 in October 1995. The specification did one job: it defined a standard way for digital cameras to write technical capture information into the APP1 marker of a JPEG, using TIFF-style tag-value structures. The original tag list was small. Shutter speed. Aperture. ISO. White balance. Camera make and model. Date and time. Image orientation. A few colour-management fields.
The motivation was practical, not nefarious. Early digital cameras produced thousands of JPEGs that all looked alike on a desktop. Without metadata, a photographer could not tell from the file alone which lens was used, what exposure was set, or when the picture was taken. EXIF was the digital equivalent of writing the f-stop on the back of a print.
EXIF 1.0 did not include GPS tags. They were added in EXIF 2.1 in 1998, almost as an afterthought. The GPS section was modelled on the Navy's standard for geographic coordinates and was originally intended for professional cameras that might be paired with external GPS units. The idea that a phone would record GPS to every consumer photo was not even theoretical in 1998 — the first GPS-equipped phone, the Benefon Esc!, shipped that same year and was a niche product.
1997–2002: EXIF becomes the de facto standard
EXIF 2.0 arrived in 1997, and 2.1 in 1998 — the revision that added the GPS information IFD, the thumbnail format, and audio attachments. By 2002, every major Japanese camera manufacturer had standardized on EXIF, and JEIDA was reorganized into CIPA (the Camera & Imaging Products Association), which has owned the specification ever since. The current revision, EXIF 2.32, was finalized in 2019.
2007: The iPhone changes everything
The iPhone shipped in June 2007 with a camera, GPS hardware (added properly the following year in the 3G), and a software stack that wrote EXIF metadata to every photo by default. This was the inflection point. Every smartphone on earth quietly became an EXIF-writing device, and by 2010 three things were true simultaneously: roughly a billion smartphones existed, Facebook and the early Instagram hosted billions of photos, and almost none had been stripped before upload. The privacy problem was now structural.
2012: The McAfee turning point
The case that brought EXIF into mainstream awareness was the John McAfee story. In November 2012, McAfee, founder of the antivirus company that bears his name, was on the run from Belizean authorities. Vice magazine published a profile of McAfee accompanied by a photo taken on an iPhone 4S by reporter Robert King. The photo was uploaded with full EXIF metadata, including GPS coordinates. Within hours, public investigators using free EXIF readers extracted the coordinates and located McAfee at a resort in the Río Dulce region of Guatemala.
The McAfee story was not the first time EXIF leaked someone's location, but it was the first time the leak made the front page. After 2012, journalists, activists, dissidents, and abuse survivors had a concrete reason to know that the photos they shared could betray them. The platforms paid attention too, slowly.
2013–2018: Platforms start stripping (some of) it
Facebook began stripping most EXIF data on public posts as early as 2012, partly for bandwidth and partly for privacy. Twitter followed for timeline images. Instagram strips GPS but keeps camera information. WhatsApp, iMessage, and email do not strip anything. The pattern is uneven: public broadcast platforms strip because the cost of a viral privacy incident is high, while private messaging platforms assume you trust the recipient — an assumption that fails the moment a photo is forwarded or screenshotted.
2018: GDPR and the legal turn
The EU's General Data Protection Regulation took effect in May 2018 and defined personal data broadly enough to comfortably include the GPS coordinates of a person's home embedded in a phone photo. The dominant legal reading since has been that platforms processing EXIF GPS data are processing personal data and must apply the standard data-protection obligations. California's CCPA (2020) and several state laws have echoed the framing.
2020–2024: The privacy-tool ecosystem matures
The current generation of EXIF removal tools — desktop scripts like ExifTool (Phil Harvey's open-source utility, in continuous development since 2003 and still the reference implementation), OS-level toggles like macOS's "Remove Location Info," and mobile apps that strip on share — emerged in response to a privacy-aware userbase that did not exist in 2002. iOS 13 (2019) added a system-wide "Hide Location" option on shared photos; Android added similar toggles through 2020–2021. Both implementations strip GPS but leave camera make, model, serial number, and timestamps intact — useful, but not sufficient.
What EXIF looks like in 2026
The current EXIF specification, version 2.32, defines around 280 standardized tags. The exact set written into any given photo depends on the manufacturer; a modern iPhone writes roughly 40–50 tags per photo, a high-end DSLR can write 200 or more. The most common categories are:
The MakerNote section is the dark corner of EXIF — every manufacturer defines its own private format, and some encode data well beyond the published spec, including embedded thumbnail copies that survive cropping in naive editors. This is one reason "remove all metadata" is generally safer than "remove only GPS."
The future of EXIF
CIPA has not announced a successor. EXIF 2.32 will likely remain the spec for the foreseeable future because the replacement cost is enormous. The interesting movement is at the container layer: HEIF, HEIC, and AVIF all define their own metadata containers that hold EXIF alongside more modern alternatives like XMP. The portability problem is solved; the privacy problem is not.
The trend in privacy-conscious operating systems is toward removing metadata at the share boundary rather than at the capture boundary. The on-device library keeps the full record; the outbound share strips it. Slowly, because the share path is everywhere and the platforms do not coordinate.
Three decades of metadata, one tap to remove
StripIt removes GPS, camera serials, timestamps, MakerNote, and the rest of the EXIF stack before your photo leaves your phone.
Download StripItThe lesson of the history
EXIF is a 1995 standard for a 1995 problem. Nobody designed it to broadcast home addresses to the internet — that is an emergent consequence of universal GPS, universal smartphone cameras, and universal photo sharing, three things that did not exist when the spec was drafted. The right response is not to throw out a thirty-year-old standard. It is to learn what it contains, decide what each user actually needs, and strip the rest at the moment of sharing.