How to strip gps from photos to protect a source's location
- Step 1Open the tool, then optionally go offline — The GPS / Geotag Remover is a cross-suite shortcut that redirects to the EXIF Scrubber at /image-tools/exif-scrubber. Once the page has loaded, you can disconnect from the network — all processing is client-side. If you see 'GPS / Geotag Remover is a cross-suite tool', a file hit the security processor directly; open the EXIF Scrubber page instead.
- Step 2Confirm what the file is exposing — Before scrubbing, drop the photo into the EXIF Map Previewer (also local-only). If it plots a marker, the file carries GPS that would expose the location. This is the proof step — know exactly what you're removing before you act.
- Step 3Prepare the file as a standard image — Use JPEG or PNG. If the source sent an iPhone HEIC or Galaxy HEIF, convert it to JPEG first with /image-tools/heic-to-jpg — browsers can't decode those onto a Canvas. Keep the untouched original in a secure store if you may need it for verification.
- Step 4Scrub the file — Drop the image onto the EXIF Scrubber. It paints the decoded photo onto an HTML Canvas at native dimensions and exports a fresh blob — the result has no metadata block to carry coordinates, timestamp, or device tags. There is no per-tag toggle and no options panel; the scrubber takes no settings.
- Step 5Download the clean copy — Save it. A single image downloads as
clean.png; JPEG input is still real JPEG (the.pngname is cosmetic — rename to.jpgif needed). This is the version to publish, forward, or archive in place of the original. The original (with metadata) should be handled per your security policy. - Step 6Verify before it leaves your control — Re-open the cleaned file in the EXIF Map Previewer — it must report 'no location data'. For a full audit, load it in /image-tools/exif-viewer to confirm no GPS, no timestamp, and no device tags survive. Only then publish or hand it on.
What a sensitive photo can leak, and what survives scrubbing
Metadata that risks exposing a source and whether a Canvas re-encode keeps it. The whole container is dropped, so every field is removed in one pass — there is no GPS-only mode.
| Metadata field | Risk to the source | After scrubbing |
|---|---|---|
| GPS Latitude / Longitude | Pinpoints where the source is (~5 m) | Removed |
| GPS Altitude / Img Direction | Floor / heading — narrows a building | Removed |
| Date/Time + SubSec | When the source was at that place | Removed |
| Make / Model / Serial / Software | Fingerprints the source's device | Removed |
| IPTC / XMP (author, captions, edits) | May name the photographer or app | Removed |
| Pixel data (the image) | Visible scene — NOT metadata | Preserved (re-encoded for JPEG); review visually too |
Threat coverage: what this does and does not protect against
Metadata scrubbing closes the EXIF-leak vector. Other exposure paths need other steps. Know the boundary before relying on it.
| Exposure vector | Covered by the EXIF Scrubber? | What to do otherwise |
|---|---|---|
| GPS / device metadata in the file | Yes — removed entirely on re-encode | Verify with the EXIF Map Previewer |
| Upload exposure to a third party | Yes — 100% local, nothing uploaded | Optionally go offline after the page loads |
| Visible clues in the photo (signs, faces) | No — pixels are preserved | Crop/blur; faces need a dedicated pixelate tool |
| Data hidden in pixels (steganography) | Not reliably (PNG re-encode is lossless) | Scan with the Steganography Decoder |
Tier limits for the image-tools EXIF Scrubber
The scrubber lives in the image tool family, so it uses image-family limits. All processing is local; limits guard browser memory, not privacy — the file never leaves your device on any tier.
| Tier | Max file size | Files per batch |
|---|---|---|
| Free | 10 MB | 1 |
| Pro | 100 MB | 10 |
| Pro-media | 2 GB | 50 |
| Developer | 2 GB | Unlimited |
Cookbook
Source-protection scenarios with what goes in and what comes out. 'before' rows are the metadata an EXIF reader shows on the original; 'after' rows are what it shows on the cleaned file.
Scrub a sensitive photo entirely offline
Load the EXIF Scrubber page, then disconnect the network. Because all processing is client-side, the scrub still works and the file provably never leaves the machine.
1. Open /image-tools/exif-scrubber (page loads) 2. Disconnect Wi-Fi / pull the cable 3. Drop the sensitive JPEG -> download clean.png 4. Network tab: zero requests during processing Before: GPS + timestamp + device serial present After : (no EXIF / IPTC / XMP tags found)
Prove the leak, scrub, then prove it's gone
The verify-scrub-verify loop is the discipline for sensitive material: confirm the original exposes a location, remove it, confirm the cleaned copy does not — all locally.
Step 1 EXIF Map Previewer on the source's photo
-> marker drops on the safehouse street
Step 2 EXIF Scrubber on the same file
-> download clean.png
Step 3 EXIF Map Previewer on clean.png
-> 'no location data' (location protected)Full metadata audit after scrubbing
Beyond the map, list every tag to be certain nothing identifying survives — no device serial, no author, no timestamp.
exiftool clean.jpg (after rename from clean.png) -> no GPS* -> no Make / Model / SerialNumber / Software -> no DateTimeOriginal / SubSecTime -> no XMP author / IPTC byline = nothing to fingerprint the source
Don't forget the pixels — steganography check
Scrubbing metadata doesn't touch a payload hidden in the image's least-significant bits. For a high-stakes file, also scan the pixels.
EXIF Scrubber -> metadata gone BUT a PNG re-encode is lossless, so LSB-hidden data in pixels can survive. -> Run /security-tools/steganography-decoder to detect any embedded payload before trusting it.
HEIC from a source's iPhone
Sources often shoot HEIC. It won't decode on a Canvas, so convert first, then scrub — and keep both steps local.
Drop IMG_8801.HEIC onto EXIF Scrubber -> fails to load (no output) Local fix: 1. /image-tools/heic-to-jpg -> IMG_8801.jpg 2. EXIF Scrubber on the .jpg -> clean.png (both tools run in-browser; nothing uploaded)
Edge cases and what actually happens
The file never leaves your machine
By designThe redirect target runs entirely in the browser via HTML Canvas — there is no server round-trip. You can load the page, disconnect from the network, and the scrub still completes. For sensitive material this is the point: the file is never uploaded, logged, or stored remotely on any tier.
It strips everything, not just GPS
By designThere is no 'GPS only' switch. The Canvas re-encode yields a file with no metadata container, so coordinates, timestamp, device make/model/serial, software, IPTC author, and XMP all go in one pass. For source protection that's ideal — the device fingerprint and timestamp are as dangerous as the coordinates. It can't keep some tags while dropping others; it is all-or-nothing.
Visible clues in the image are not removed
Out of scopeScrubbing touches metadata, not pixels. A street sign, building, document text, or face visible in the photo stays visible and can expose the location or identity just as effectively as GPS. Review the image itself and crop or redact those before publishing — this tool only closes the metadata vector.
Data hidden in pixels can survive
Out of scopeA PNG re-encode is lossless, so a payload embedded via LSB steganography in the pixels is not reliably destroyed. Don't assume scrubbing 'cleans' a file of everything. Scan high-stakes images with the Steganography Decoder. (A JPEG re-encode, being lossy, does tend to disrupt LSB data.)
JPEG output is re-compressed, not a byte-copy
ExpectedJPEG input re-encodes at quality 0.95, a second lossy pass — visually identical but not byte-for-byte the original. If you need an unaltered forensic master, keep the original securely and use the scrubbed copy only for distribution. PNG and other inputs re-encode losslessly to PNG.
HEIC / HEIF input fails to load
Unsupported inputSources shooting iPhone High Efficiency or Galaxy HEIF send HEIC/HEIF, which most browsers can't decode onto a Canvas, so they don't load. Convert to JPEG first with /image-tools/heic-to-jpg — that tool is also fully local — then scrub.
Output is named clean.png even for a JPEG
Cosmetic mismatchA single-file run downloads as clean.png. For JPEG input the bytes are real JPEG despite the name; rename to .jpg for a strict viewer. A naming quirk, not corruption — but verify the cleaned file in an EXIF viewer regardless before trusting it.
Reached the security processor directly
ErrorThe GPS / Geotag Remover is a cross-suite tool that redirects to the EXIF Scrubber. If a file hits the security processor for this slug, it throws: 'GPS / Geotag Remover is a cross-suite tool. Open it at /image-tools/exif-scrubber to process files.' Use the EXIF Scrubber page.
File over the tier size limit
RejectedThe free tier caps a single file at 10 MB. A high-resolution or RAW-derived export can exceed it — Pro raises the cap to 100 MB and Pro-media/Developer to 2 GB. Very large dimensions can also hit browser Canvas size ceilings independent of the byte limit. The privacy guarantee is identical on every tier; only size and batch differ.
Always verify, don't assume
RecommendedFor sensitive material, never publish on faith. Re-check every cleaned file in the EXIF Map Previewer or a full EXIF viewer to confirm 'no location data' and no device/timestamp tags. The scrub is reliable, but verification is the discipline that protects the source.
Frequently asked questions
Does the sensitive file get uploaded anywhere?
No. The GPS / Geotag Remover redirects to the EXIF Scrubber, which runs entirely in your browser using an HTML Canvas. The file is read into memory, decoded, and re-encoded locally — no bytes leave your device. You can even disconnect from the network after the page loads and the scrub still works. Confirm via the Network tab: no requests.
Can I run this fully offline / air-gapped?
Yes. Once the /image-tools/exif-scrubber page has loaded, all processing is client-side, so you can disconnect from the network before dropping in the file. The same is true of the EXIF Map Previewer you use to verify, and /image-tools/heic-to-jpg for conversion.
Does it remove the device fingerprint, not just location?
Yes. The Canvas re-encode produces a file with no metadata container, so the device make, model, serial, and software version are removed along with the GPS and timestamp. For source protection that matters — a device fingerprint can be as identifying as coordinates. There is no GPS-only mode.
Does this protect against clues visible in the photo itself?
No. It removes file metadata, not pixels. A street sign, building, document, reflection, or face shown in the image stays visible and can expose the location or identity. Review the image and crop or redact those separately — this tool only closes the EXIF-metadata vector.
Could there still be data hidden in the pixels?
Possibly. Scrubbing doesn't touch the pixels' least-significant bits, and a PNG re-encode is lossless, so LSB-hidden steganographic data can survive. For a high-stakes file, scan it with the Steganography Decoder. A JPEG re-encode, being lossy, tends to disrupt such data — but don't rely on that alone.
How do I prove the location is actually gone?
Re-check the cleaned file. Drop it into the EXIF Map Previewer — it should report 'no location data'. For a full audit, open it in /image-tools/exif-viewer and confirm no GPS, no device serial, no author, and no timestamp tags remain.
Should I keep the original file?
That's your call per your security policy. The scrub produces a clean copy; the original still contains the metadata. If you may need the unaltered file for verification or chain-of-custody, store it securely. If the original itself is a liability, dispose of it according to your procedures — this tool doesn't delete your source files.
The source sent a HEIC — can I scrub it?
Not directly. Most browsers can't decode HEIC/HEIF onto a Canvas, so it won't load. Convert to JPEG first with /image-tools/heic-to-jpg (also fully local), then scrub the JPEG. Keep both steps offline if the material is sensitive.
Is the JPEG re-compression a problem for evidence?
It can be. JPEG input is re-encoded at quality 0.95, so the scrubbed copy is not a byte-for-byte original — fine for publication, but not a forensic master. If you need an unaltered original for evidence, preserve it securely and distribute only the scrubbed copy. PNG inputs re-encode losslessly.
Why is the download named clean.png when I gave it a JPEG?
A single-file run is always named clean.png. For JPEG input the bytes are real JPEG — the name is cosmetic. Rename to .jpg for a strict viewer. Regardless of the name, verify the cleaned file in an EXIF viewer before you trust it with sensitive material.
Can I scrub several photos from a source at once?
Yes, on a paid tier. The EXIF Scrubber accepts multiple files: up to 10 on Pro, 50 on Pro-media, unlimited on Developer. The free tier is one file per run. Every file gets the same full-metadata removal locally, regardless of tier.
What about location metadata in documents or video from a source?
This tool handles images. For documents, the Office Doc Property Wiper strips author and comments from .docx/.xlsx/.pptx. To find redundant embedded preview thumbnails that may carry an older version of an image, use the Hidden Thumbnail Extractor. Video metadata is handled in the video suite's tools.
Privacy first
Every JAD Security operation runs entirely in your browser. Files, passwords, and PGP private keys never leave your device — verified by zero outbound network requests during processing.