Do Social Media Platforms Actually Strip Metadata? A 2026 Audit

"Don't worry, social media strips metadata." That advice gets repeated in every privacy thread, and it's mostly true — but the gaps matter. We took a JPEG with full EXIF, XMP, IPTC, GPS, and an embedded thumbnail and pushed it through every major platform's upload pipeline. Here is what came back out the other side, as of April 2026.

How We Tested

Source image: a 4032×3024 photo from a Pixel 8, with GPS coordinates, camera serial number, MakerNotes, an XMP block from Lightroom, and an embedded 160px thumbnail. We uploaded the same file to each platform, then re-downloaded what the recipient saw and inspected it with ExifTool. Where a platform offered both "original" and "compressed" modes (Telegram, WhatsApp), we tested both.

Instagram, Facebook, Threads

Meta's pipeline is the most aggressive. Uploaded images are re-encoded server-side at lower resolution, and almost all metadata is dropped — EXIF, XMP, IPTC, GPS, thumbnail. What remains is a minimal block including the new Meta-assigned image ID and a copyright field they sometimes inject.

Verdict: clean. If your only concern is camera GPS leaking, Meta will save you. But assume the image has been recompressed enough to destroy any forensic value, and Meta itself retains the original on its servers.

Twitter/X

X strips EXIF on JPEG and PNG uploads, including GPS. XMP is also stripped. However, when you upload via the "original quality" toggle (now under media settings), the file is preserved at higher resolution but EXIF is still removed. We saw no leaked GPS in any test.

One caveat: animated GIFs and some PNGs retain non-EXIF chunks like tEXt and iTXt. If you embed comments in PNG metadata, those can survive.

WhatsApp

WhatsApp has two paths. The default "Photo" upload re-encodes aggressively and strips everything. The "Document" upload (sending the image as a file attachment) preserves the original byte-for-byte — full EXIF, GPS, thumbnail, the lot. This is the single biggest source of accidental metadata leaks we see in the wild: someone sends a photo "as a document" to preserve quality and ships their home address with it.

Verdict: safe in default mode, dangerous as document. Treat WhatsApp document mode like email — the file is exactly what you uploaded.

Discord

Discord does not strip metadata. Files are passed through largely intact, with only minor server-side handling. We confirmed full EXIF including GPS coordinates surviving on both desktop and mobile uploads. Discord re-hosts the image on its CDN but does not re-encode it for uploads under the size limit.

Verdict: dangerous by default. If you're sharing photos in a Discord server, strip metadata client-side first. The platform will not do it for you.

Reddit

Reddit's native image hosting (i.redd.it) strips EXIF including GPS. XMP is also stripped. Direct links to external hosts (Imgur, etc.) are obviously not Reddit's problem — they pass through unchanged.

Verdict: clean for native uploads. But old Reddit posts linking to pre-2018 i.redd.it or out.reddit images are inconsistent — some retain EXIF.

Telegram

Telegram mirrors WhatsApp's split: "Photo" uploads are recompressed and stripped of metadata. "File" uploads preserve the original completely. The fork in the road is even more obvious in Telegram's UI, which arguably makes accidental leaks less common — but they still happen.

Signal

Signal strips metadata client-side before upload, regardless of mode. This is the only major messenger that does the right thing by default, and it's consistent with the rest of Signal's threat model. Sending an image "as file" in Signal still strips EXIF.

Email and Direct Sharing

Worth stating explicitly: email, AirDrop, Google Drive, Dropbox, iCloud Photos sharing, and SMS/MMS do not strip metadata. The file you send is the file the recipient gets. iMessage on iOS will downscale very large images but preserves EXIF on the resized version.

Where the Defaults Bite

• Sending a photo as "document" or "file" on WhatsApp/Telegram
• Posting to Discord (no stripping at all)
• Emailing a photo from your phone
• Uploading to a personal blog, GitHub repo, or random forum
• Sharing via cloud storage links (Drive, Dropbox, OneDrive)

The Pattern

Platforms that re-encode images for delivery (Instagram, Facebook, WhatsApp default, Telegram default, Reddit, X) tend to strip metadata as a side effect — they're running images through a JPEG re-encoder that doesn't copy metadata blocks. Platforms that store-and-forward without re-encoding (Discord, WhatsApp document mode, email) preserve everything.

The safe assumption: strip metadata client-side before uploading, regardless of platform.It costs you nothing, it's reversible (the original on your phone is untouched), and it removes any uncertainty about what the receiving platform did or didn't do.