A photo of your morning coffee, posted from your kitchen. A selfie in front of a familiar building near your home. A holiday shot with a distinctive landscape in the background. To you, they are pleasant memories shared with friends. To someone with the right tools, they can amount to a precise map of where you are, when you are there, and what your daily routines look like.
Geotagging is the process of attaching location data to digital photographs. Almost everyone does it, and most people know very little about it. The risks are real, and they are growing as AI geolocation technology becomes more widely accessible.
What geotagging is and how it works
Modern smartphones, tablets, and an increasing number of cameras automatically add location data to every photo you take. That data is stored in the EXIF metadata of the file: a layer of technical information that is invisible to most users but can be read by any standard tool.
An EXIF tag can contain:
- GPS coordinates accurate to within a few metres
- The make and model of the device used to take the photo
- The exact time of capture, including timezone
- In some cases, altitude above sea level
This means that a photo you share, as long as its metadata remains intact, can literally reveal your home address, your office, or your regular cafe to anyone who downloads the file and runs it through the right software.
What social media platforms do with your metadata
Most major platforms, including Instagram, Facebook, Twitter, and TikTok, have been stripping EXIF metadata from uploaded photos for years. They do this partly to save storage space, and partly for privacy reasons. When you upload a photo to Instagram, the GPS coordinates are removed before the file becomes visible to others.
That sounds reassuring, and for direct metadata risks, it is. But it does not solve the underlying problem.
The image itself contains information.
Visual geolocation: the invisible risk factor
An AI image geolocation system does not need EXIF metadata to determine where a photo was taken. It works from visual features: the architecture of buildings, the layout of streets, the specific shape of a bridge, the way plantings line a road, the type of street furniture.
The Dutch landscape is particularly distinctive in this respect. Canal houses in Amsterdam, the characteristic farmhouses along Zeeland dykes, the specific concrete sound barriers along motorways, the width and placement of cycle lanes: all of these elements form a visual fingerprint of locations that a well-trained geolocation model can identify with high accuracy.
GeoPin does exactly this. Using the open Mapillary database and models such as CosPlace, GeoPin can match a photo to a location even when all metadata has been removed. That capability is useful for verification work and investigative journalism, but it also illustrates the broader challenge: if a system like GeoPin can do this, so can others.
For more background on how geolocation systems handle privacy and what legal frameworks apply, see our post on GDPR and privacy-first geolocation.
Concrete risks in practice
Burglary from “we are on holiday” posts
This is the most commonly cited example, and it remains relevant. A publicly visible series of holiday photos is not just an announcement that you are away: it also reveals your home address through the locations you normally post from. Anyone who has seen your regular location posts knows where you live and when you are absent.
Stalking and unwanted attention
For public figures, journalists, and activists, visual geolocation presents a specific risk. Even when they deliberately avoid adding location tags, background details in a photo can reveal their regular residence or place of work. A window with a recognisable view, a distinctive street corner, a specific combination of buildings in the distance: that is sufficient for a geolocation model to work with.
Reconnaissance for targeted fraud
In targeted phishing or social engineering attacks, contextual information is valuable. If an attacker knows which office you use, which neighbourhood you live in, and what your daily pattern looks like, they can construct credible, tailored attack vectors.
The Dutch and European legal context
Location data is classified as personal data under the General Data Protection Regulation (GDPR) when it is traceable to a specific individual. Processing that data requires a legal basis, and for commercial use or surveillance without consent, that basis is typically absent.
For users in the Netherlands, this means that platforms and apps collecting or processing location data are subject to strict requirements. But the GDPR does not govern what someone does with photos you have posted publicly. If you publish a photo on a public profile and someone uses that photo to determine your location through visual recognition, that activity falls outside the scope of the legislation that governed your act of posting.
This is a legal grey area that becomes increasingly relevant as geolocation tools become more widely available.
How to protect yourself
Being fully protected is not realistic if you actively share photos on social media. But you can significantly reduce your exposure.
Disable geotagging on your smartphone. On both iOS and Android, you can restrict or fully disable location access for the camera app. This prevents GPS coordinates from being stored in the EXIF data of new photos.
Be aware of visual context. Think about what is visible in the background of your photos. Recognisable facade details, street signs, distinctive architecture, or characteristic street furniture are as informative as a GPS pin.
Use privacy settings actively. Restrict the visibility of historical photos to friends rather than leaving them public. For platforms that retain metadata in the original file, use a metadata-stripping tool before sharing.
Do not distribute your location pattern. The combination of multiple photos is more dangerous than a single image. Anyone who can reconstruct your regular locations from a series of posts knows more than someone viewing a single photo.
What this means for verification work
The other side of geotagging risks is that the same technology is valuable for legitimate verification work. Journalists, fact-checkers, and investigative reporters use visual geolocation to verify the authenticity of images and rebut misleading claims.
If a photo claims to have been taken at a specific location in the Netherlands, a system like GeoPin can quickly verify or disprove that claim. Our OSINT guide to geolocation tools describes how verification professionals use this technology in practice.
For verifying images circulating on social media in a news context, the combination of visual recognition and metadata analysis is also relevant, as we describe in our post on social media image verification.
The balance: useful tool, real risk
AI geolocation is a neutral technology. The same capability that makes it possible to expose misleading photos also makes it possible to reconstruct the privacy-sensitive location patterns of individuals. The difference lies in use and intent.
For users in the Netherlands, who are on average more privacy-aware than the European mean, this kind of awareness is already present around EXIF metadata. But awareness of EXIF metadata is not the same as awareness of visual geolocation risks. The second is less visible and less straightforward to mitigate.
The practical conclusion is simple: treat every publicly posted photo as potentially geolocatable, regardless of whether you deliberately added a location tag. The background of your photo tells its own story.
Want to understand how powerful visual geolocation really is? Try the GeoPin API and see firsthand how accurately AI geolocation works for the Dutch landscape, fully privacy-first and GDPR-compliant.