How Facebook Handles Image EXIF Data


Over the last decade or so, the ability of cameras and smartphones to record additional data about digital photos using the EXIF (exchangeable image file format) standard has been a boon for photographers and users of mapping applications. EXIF stores all sorts of information about the picture you take, including shutter speed, ISO speed, aperture, and also the date, time, and -- if the device taking the photo has a GPS receiver -- location details about where the image was taken. (See also, "Get Ready for for Imaging with Sysprep" and " iOS and Windows Phone: Let the Games Begin ").

You can view most of this information in Windows 7 by right-clicking on a digital photo in Windows Explorer, selecting properties, and then clicking on the details tab. (See screenshot below.)

Windows 7 file properties displaying image EXIF data

For even more detailed EXIF data information, you can use a web service like Jeffrey Friedl's online EXIF viewer, which allows you to upload digital photos and see an eye-opening amount of information about what EXIF data your images contain. EXIF provides a wealth of data for photography and image buffs, but also raises some serious privacy and security concerns. If you're working with confidential subject matter, or taking pictures of your own children, providing complete strangers with the exact details of where and when you took your pictures is something you'd want to avoid.

Over the past few years a variety of mass media outlets have reported on the dangers of location information stored in EXIF data, yet many get the information wrong, particularly when it comes to how social media platforms like Facebook treat EXIF information on uploaded images. When you upload a photo to Facebook, the EXIF data is stripped from the image when it is uploaded.

You can test this yourself: Take a photo with a smartphone (with GPS and location services enabled), then use the aforementioned online EXIF viewer to see all the data from the EXIF data recorded for the image. Upload that same image to Facebook, then download the image from Facebook by clicking on the "download" link underneath the picture. Load the downloaded copy of the image into the same image viewer and compare the data you see. There's a huge difference: The image that has been uploaded to Facebook, processed by Facebook, and then downloaded again only contains a fraction of the information that the original image did.

You can see the changes clearly in a sample photo I took with my iPhone 4S just outside our editorial offices in Fort Collins, CO earlier this year. I've posted "before" and "after" pictures in the photo gallery embedded below.



I reached out to Facebook for additional details about how they handle EXIF image data, and received this somewhat nebulous reply from a Facebook spokesperson. "We make limited use of camera EXIF/IPTC data. EXIF rotation information is no longer ignored. Photo comments are automatically populated with the IPTC title and caption," the spokesperson said. "We're looking into more deeply integrating other EXIF/IPTC data into the product, but want to do so in a way that's reliable and respects the privacy of people on Facebook."

So in the interest of separating fact from fiction, photos taken with a smartphone and uploaded to Facebook won't retain EXIF data, so that's currently not a privacy concern. (Although Facebook's response to my query opens up the possibility that EXIF data will be used more significantly in the future.) A more realistic issue is over how Facebook handles access to the images you've uploaded, with recent news about glitches in Facebook's photo handling process allowing private images to be exposed to people you don't intend to share them with, such as Mark Zuckerberg's own private photos.

So what's the best way to handle Facebook security and privacy concerns? Keeping abreast of all the latest news and updates from the Facebook privacy center is a good start, as well as keeping up on all the latest Facebook news and analysis from independent sources like this blog.


Discuss this Blog Entry 2

on Jan 3, 2012
No offense but it would seem that you really have no idea if FaceBook is collecting EXIF data. They quite clearly made reference to the fact that they "make limited use of EXIF/PTC data". Very vague if you ask me. They obviously dodged the question by not saying Yes or No. They could be allowing photos to be uploaded with the EXIF data, to be used for their own purposes, and they decide not to allow it be downloaded. I have to question if you have more information that's not being presented here.
on May 8, 2013

By any chance have you tested photos sent through chat/messaging?

Please or Register to post comments.

What's Security Blog?

Security news, views, product reviews, and solutions for Microsoft Windows IT professionals.

Blog Archive

Sponsored Introduction Continue on to (or wait seconds) ×