What happens to your photo metadata when you upload to social media

← Blog

Every public-facing social platform claims to "protect your privacy". Most strip GPS coordinates from photos on upload. Almost none strip the rest of the EXIF data, and almost all leak something — the camera model, the timestamp, the editing app, sometimes the lens serial number. The exact behaviour depends on the upload path, the file type, and whether the platform re-encodes the image at all.

How to test it yourself

Take a photo that has GPS, a camera body, a recent timestamp, and (ideally) a serial number.
Run it through our viewer to confirm what's there.
Upload to the platform under test.
Download the public copy back — open the post in an incognito browser, save the image.
Run the downloaded file through our viewer again.
Diff the two metadata dumps: anything in the original that's gone in the copy was stripped; anything that survived was preserved.

Re-encoding is detectable: the copy's Software tag, if present, names the platform's image pipeline; the JPEG quantisation tables differ from the original; file size and pixel dimensions usually shrink.

Instagram

Strips everything. Re-encodes every uploaded photo to a Meta-flavoured JPEG with their own quantisation tables, fixed maximum dimension (currently around 1080 px on the long side for feed posts), and adds a Software tag identifying the pipeline. Results in a small (~150–500 KB) file with essentially no useful EXIF.

Facebook

Strips GPS and most identifying tags but leaves several technical EXIF fields in place — DateTime, WhiteBalance, sometimes Make/Model. XMP edit-history blocks have been observed surviving on timeline posts. Re-encodes for size; final dimensions depend on upload size and Facebook's "high quality" toggle in account settings.

Twitter / X

The public path (image attached to a tweet, served from pbs.twimg.com) strips everything. The Direct Message path is different: large media attachments may pass through with EXIF intact, especially for photos sent from desktop clients to other desktop clients. Don't assume DMs are stripped.

Telegram — depends on the toggle

Telegram's "compress photo" option (the default for the camera-roll picker) re-encodes and strips. Sending the same image with "Send as File" keeps the original bytes — full EXIF, full GPS, full XMP. The behaviour is consistent across iOS, Android, and Telegram Desktop.

This is the single most common cause of "I thought Telegram strips metadata but the GPS coordinates leaked" — the user (or the sender) chose Send as File for higher quality and forgot the trade-off.

Strips on every image upload, both private and group chats. Re-encodes to ~1600 px max dimension JPEG with WhatsApp's own quantisation tables. End-to-end encrypted but EXIF is gone before encryption.

Reddit and Discord

Reddit's image hosting at i.redd.it re-encodes and strips. Imgur (used by some old Reddit posts) historically did not strip; modern Imgur does for public uploads but may keep EXIF on direct API uploads.

Discord's cdn.discordapp.com strips on standard image uploads. Files attached as "Files" rather than embedded images may pass through unmodified — same trade-off as Telegram.

Email — no stripping anywhere

SMTP doesn't touch attachments. Whatever metadata is in the file when you attach it goes out to the recipient. Some webmail clients strip on download, but the network path itself is transparent. Treat email as fully transparent.

Why this still leaks

"Most platforms strip GPS" sounds reassuring until you realise that:

One photo on one platform that doesn't strip is enough to deanonymise an account.
"Send as File" / DM / email paths bypass the strip even on platforms that normally strip.
Surviving fields like Make/Model/Software/DateTime are enough to fingerprint a user across multiple anonymous accounts.
The platform's strip happens server-side after upload — anyone running a packet capture between you and the platform sees the original.

The reliable path is to strip before upload, not after.