Blog Privacy 5 min read

How to Share Photos Safely as a Journalist or Source

Photo metadata can expose your sources, reveal your location, and identify your device. Here's how to share images without leaving a trail.

How to Share Photos Safely as a Journalist or Source

The Metadata Problem

A single photo can contain enough data to identify who took it, where they were standing, what device they used, and when they pressed the shutter. For most people, this is a minor privacy inconvenience. For journalists working with sensitive sources, it can be dangerous. A photo meant to document a story can accidentally reveal a whistleblower's location or a reporter's movements.

Try it free: EXIF Remover — Strip metadata from photos before publishing. Runs in your browser, no signup needed.

The good news: with the right workflow, metadata is easy to control. The bad news: most people skip this step entirely.

What Metadata Exposes

GPS coordinates — precise enough to identify a building. A photo taken inside a government office, hospital, or private meeting can be traced to the exact room. Even "safe" outdoor photos can narrow a source's routine — photographing the same park at the same time creates a pattern.

Camera serial numbers — unique per device. Multiple photos with the same serial number can be linked to a single person. If one of those photos is publicly attributed, all of them are compromised. Check for serial numbers using the EXIF Checker.

Timestamps — combined with location, timestamps create a precise timeline. Even without GPS, a series of timestamped photos can reveal travel patterns and schedules.

Software signatures — the editing software field records what processed the file. "Adobe Lightroom 6.2 on MacBook Pro" narrows the equipment profile significantly.

The Workflow: Before You Share

Step 1: Check what's there. Upload the photo to the Privacy Score tool. It flags GPS, serial numbers, timestamps, and software — everything that could identify someone. If the score is below 80, don't share it yet.

Working with sensitive photos? Check what metadata they expose before publishing.

Check Privacy Score →

Step 2: Strip everything. Run the file through the EXIF Remover. This removes all metadata while preserving image quality. Download the clean version and verify it's clean by running it through the checker again.

Step 3: Consider the image itself. Metadata isn't the only identifier. Reflections in windows or glasses, visible screens showing identifiable content, distinctive clothing, badges, and background details can all reveal identity or location. No tool can fix this — it requires human judgment before hitting send.

Receiving Photos from Sources

When a source sends you a photo, the metadata is intelligence. Check the GPS location. Verify authenticity. Read the camera settings to understand the conditions. But then — before publishing — strip everything. You don't want to accidentally publish your source's camera serial number or home coordinates in the file available for download on your website.

Platform Choices Matter

Not all communication channels handle photos equally. Signal strips EXIF from sent photos. WhatsApp strips in photo mode but preserves everything when sent as a document. Email preserves everything. Cloud storage links serve the original file. Read our full platform comparison before choosing how to transmit sensitive images.

Secure Transfer Practices

Even on a safe platform, handling matters. Strip metadata before sending — don't rely on the platform to do it. If you must send via email or cloud link, create a clean copy first. Never send original camera files when the source's identity is at stake.

For large photo sets, process everything through the EXIF Remover in batches before distribution. Rename files too — camera-generated filenames like "IMG_4521.jpg" can be cross-referenced with other photos from the same device to establish a timeline.

What an Adversary Can Do With One Photo

OSINT (open source intelligence) analysts can extract a surprising amount from a single photo with metadata intact. GPS coordinates confirm a location. A camera serial number links all photos ever taken on that device. The timestamp narrows when someone was at a specific place. Even the lens focal length and exposure settings can tell an analyst whether the photo was taken indoors or outdoors, at what time of day, and from roughly what distance.

Cross-referencing multiple photos with the same serial number builds a movement profile. If even one photo from that camera is publicly linked to a name, the entire archive becomes attributed. The EXIF Compare tool shows exactly which fields match between two images — the same tool an investigator would use.

The Verification Angle

Metadata works both ways. While you strip it for privacy, you also use it for verification. A photo claiming to be from a specific location should have GPS coordinates that match. A photo claiming to be unedited should have no Photoshop in the software field. A photo claiming to be recent should have a matching timestamp. Our Authenticity Checker and stock photo detection guide cover these verification techniques.

Quick Reference

Check: Privacy Score. Strip: EXIF Remover. Verify: EXIF Checker. Locate: GPS Map. Compare: EXIF Compare. For the broader privacy picture, visit our Photo Privacy Center.

Common Questions

What metadata should journalists remove before publishing photos? At minimum: GPS coordinates, camera serial numbers, device model, and timestamps. These can identify the photographer, their location, and when they were there. Use an EXIF remover to strip all metadata fields — it takes seconds and protects both you and your sources.

Do messaging apps strip photo metadata automatically? It depends. Signal and WhatsApp strip EXIF on send. Telegram preserves it unless you send as a file. Email preserves everything. Never assume a platform protects you — verify with an EXIF checker before sharing sensitive photos through any channel.

Can metadata reveal a journalist's source? Yes. Camera serial numbers, device identifiers, GPS coordinates, and timestamps can all be traced back to a specific person and location. If a source sends you a photo taken on their personal phone, the metadata creates a direct link to them.

Is it safe to publish photos with metadata stripped? Stripping metadata removes the technical identifiers, but visual content can still reveal locations through landmarks, signs, or reflections. After removing metadata, also review the image itself for visual clues that could compromise safety.

Tools used in this guide

Privacy Score

Check risks

EXIF Remover

Strip metadata

EXIF Checker

View metadata

EXIF Compare

Side by side
Check Privacy Score
Share:
S

Scanly.co — 80 free image analysis tools

Photo forensics, metadata, privacy, OCR, and utilities. All client-side.

Related Articles