Skip to main content

What AI Geolocation Can Find in One Photo (2026)

·3167 words·15 mins
Cora Aegis
Author
Cora Aegis
Privacy is the right; the tools are how we exercise it.
Table of Contents
AI-Age OPSEC - This article is part of a series.
Part : This Article
A woman with short silver hair and calm red eyes studying a single street photo as overlaid lines trace its rooftops, shadows, and a distant shop sign toward a map pin

A note on funding: CypherpunkGuide carries no surveillance advertising — no ad networks, tracking pixels, or sponsored content. It is funded by transparent streams: reader donations now; subscription and editorially-aligned affiliate later. We answer to our readers, not to advertisers.

I publish under a pseudonym and an AI-generated portrait, so “just keep your face out of frame” was never going to be my whole answer to location privacy. The uncomfortable part is what stands behind the face. In April 2025, a developer sat OpenAI’s o3 model against a GeoGuessr Master — a top-ranked human at the game of naming a place from a single street view — and the model won, 23,179 points to 22,054, correctly naming the country in all five rounds and landing within a few hundred meters twice. In the same tests, o3 ignored fake GPS coordinates planted in the file’s metadata and reasoned its way to the real location from the pixels alone.

That last detail is the whole story. For twenty years, the standard advice for photo privacy was “strip the EXIF” — remove the hidden GPS tag your phone writes into the file. It was good advice against what is now the easy half of the problem. The hard half is that a machine can read the rooftops, the plants, the road paint, the angle of the sun, and the script on a shop sign, and place you with no metadata at all. A Stanford model called PIGEON identifies the country of an ordinary photo 91.96% of the time and beat a world-champion GeoGuessr player across six straight games. On one 2025 benchmark, a general-purpose Gemini model pinned the correct city 64.3% of the time; the humans it was measured against managed 1.7%.

So the question here is not “can AI find your location” — it can — but what actually changes your exposure once it can. Working through the public benchmarks and Bellingcat’s own field guides, I traced how a locator narrows a photo, then ran that chain backward into a defense. The short version: location now leaks in two layers, and they have different fixes. The metadata layer you can clean. The visible layer you can only manage — by controlling what is in the frame and when it goes out, the same way an open-source investigator would work the problem in reverse.

What One Photo Gives Away, Now That AI Reads It
#

AI geolocation is the inference of where a photo was taken from its visible content — buildings, vegetation, road markings, sun angle, signage — rather than from any GPS tag. This is the shift that matters: the capability recently crossed from “a skilled human hobby” to “a cheap, fast, automated guess,” and it did so against expert players, not novices. The numbers below come from peer-reviewed benchmarks and one widely reproduced head-to-head, not from vendor marketing.

The scale of the gap between machine and human is the part most people underestimate. On a 2025 academic benchmark, a Gemini model reached 83.7% country-level and 64.3% city-level accuracy, while human testers on the same images scored 9.5% and 1.7%. A human who is good at this — a ranked GeoGuessr player — is still competitive, which is exactly why o3 beating a Master, and PIGEON sweeping a champion, are the alarming results: the ceiling, not the average, is what an adversary rents.

SystemCountry-levelCity-levelNote
PIGEON (Stanford, 2024)91.96%median error ~44 kmBeat a GeoGuessr champion 6 games to 0
Gemini (2025 benchmark)83.7%64.3%Same benchmark, humans: 9.5% / 1.7%
GPT-4o (2025 benchmark)74.0%63.3%Consumer-facing model, same human-comparison set
o3 (2025, head-to-head)all 5 roundswithin a few hundred m ×2Beat a human Master; ignored fake EXIF

Two caveats keep this honest. First, accuracy is uneven: models do markedly better on North America and Western Europe than on under-represented regions, so “AI can’t place my town” is sometimes true and never something to rely on. Second, specialized tools go further than general chatbots. GeoSpy, a commercial system from Graylark Technologies, was trained on tens of millions of street-level images; the company claims street-level precision on good inputs. Its trajectory is its own warning: after launch, users posted videos asking it to locate specific women, and the company pulled public access and restricted the tool to law-enforcement, enterprise, and government customers. The capability is real enough that its makers decided the public could not be trusted with it.

How an Investigator Locates a Photo — and Why That Helps You
#

An open-source investigator does not need AI to place a photo; the discipline of geolocation — confirming where an image was taken from visible evidence — predates the models by a decade. Understanding their method matters because a good defense is their method run backward: the clues they hunt for are exactly the ones you want out of your frame. Bellingcat, the investigative outlet that formalized much of this practice, teaches it as a checklist of layers.

The layers stack from coarse to fine. Chronolocation uses shadows: the length and direction of a shadow, matched against a sun-position calculator for a candidate date, narrows both the time of day and the latitude. Architecture and infrastructure narrow the country — utility-pole design, traffic-signal shape, curb and bollard styles differ by jurisdiction, and reference databases catalog those differences. Vegetation distinguishes climates and regions. Signage and script often hand over a city or a single street outright. And reflections — a shopfront window, a car mirror, sunglasses — can expose what the camera was pointed away from. Bellingcat’s confirmation of the MH17 convoy route — tracing the transporter that carried the missile which downed a passenger airliner over Ukraine in 2014 — was built from exactly this kind of stacking: shadow analysis plus landmark matching, pinned to an exact stretch of road.

What AI changed is not the method but the cost. A human investigator spends hours per image; a model runs the same inference in seconds for cents, and can be pointed at thousands of images at once. The defensive takeaway is precise and slightly liberating: you do not have to defeat a genius, you have to remove the stackable clues. Every layer you deny — no signage, no distinctive skyline, no reflective surface, no unobstructed shadow — is a layer the locator, human or machine, no longer gets to use.

The Two Layers of Location Leakage
#

Here is the frame that reorganizes everything else, and the one most guides blur: a photo leaks location on two independent layers, and only one of them is a solved problem. Conflating them is why “I stripped the metadata” gives people a confidence they have not earned.

Layer 1 is metadata — the EXIF block your camera writes into the file, including, if location services were on, exact GPS coordinates. This layer is solvable. The data is discrete, it sits in a known place in the file, and you can remove it completely before the photo ever leaves your device. Strip it and that coordinate is simply gone.

Layer 2 is content — the visible scene itself. This is what vision models read, and it is not strippable, because it is not attached to the photo; it is the photo. You cannot delete the architecture without deleting the picture. When o3 ignored the fake GPS tag and located the image from its pixels, it was demonstrating that Layer 2 now stands on its own — an adversary who gets nothing from Layer 1 still has the whole visible frame to work with.

That reframes the entire defense. Layer 1 is a cleaning problem: do it once, mechanically, every time. Layer 2 is a composition problem: it is decided when you press the shutter and when you press post, and no after-the-fact tool fixes a skyline you already published. The rest of this article treats them separately, because treating them together is the mistake.

“But I Stripped the Metadata” — What That Actually Fixes
#

Stripping metadata is necessary and no longer sufficient. It closes Layer 1 cleanly and does nothing for Layer 2 — and even within Layer 1, the platform behavior most people rely on is narrower than they think. Two beliefs need dismantling: that social platforms already handle this for you, and that a quick screenshot launders a photo clean.

Most major platforms do re-encode public uploads and drop the EXIF block from the version other users can download — but the guarantees are conditional. Independent metadata-testing services report, as of 2026, that the exception is consistent across apps: “send as document” or “send as file” modes bypass the re-encode and preserve everything, one tap away from the safe path and with no warning. And stripping the public copy is not the same as deletion — Meta’s own privacy policy describes retaining original image data server-side for its own purposes. The table below is a synthesis of tested behavior and official policy; treat it as “where the traps are,” not as a promise about any single upload.

PathPublic EXIFThe trap
Instagram / Facebook (public post)Stripped on the downloadable copyOriginal retained server-side; higher-quality DM sends can differ
X (public post)StrippedInternal retention; scheduling and third-party API clients are unverified
Reddit (native i.redd.it)Stripped on re-encodeExternal image hosts (e.g. imgur links) may preserve GPS
TikTok (post)StrippedApp collects location by other means; strip ≠ untracked
WhatsApp / Signal / Telegram (photo mode)Stripped by compression“Document / send as file” preserves full EXIF, no warning

The screenshot myth deserves its own line, because search engines keep recommending it. Taking a screenshot does produce a new file without the original GPS tag — it is a real Layer 1 fix. It does nothing whatsoever for Layer 2: the screenshot still shows the same street, the same skyline, the same shop sign, and a model reads those exactly as well from a screenshot as from the original. A screenshot changes the file; it does not change the frame.

A Defense Protocol That Matches Your Threat Model
#

There is no single correct amount of caution here — the right protocol depends on who might be looking and what they could do with a hit. Blanket rules like “never post outdoors” are unlivable and, for most people, unnecessary; the useful move is to match effort to threat — the same threat-modeling logic EFF’s Surveillance Self-Defense is built around. The tiers below escalate: everyone should do the baseline, and each higher tier adds to the one before it rather than replacing it.

The dividing line between tiers is consequence. For a casual sharer, a located photo is a privacy nick. For a public creator or a woman already facing harassment, it is a step toward a real-world encounter — and this is not hypothetical, given that AI geolocation feeds the same stalking and intimate-partner violence (IPV) threats Privacy International catalogs in its risk taxonomy, and given why GeoSpy’s makers shut the public door. For an activist, journalist, or abuse survivor, a single geolocated frame can be a physical-safety event. Locate yourself on that ladder first, then apply the matching row.

TierWhoAdd these habits
Baseline (everyone)Casual sharerStrip EXIF locally before upload (don’t rely on the platform); never post home, work, or your child’s school in real time; remember a screenshot is not safe
ElevatedPublic persona, creators, anyone facing harassmentDelay posting so “here now” becomes “here last week”; scrub backgrounds — windows, reflections, license plates, distinctive skylines; avoid recurring, routine locations
HighActivist, journalist, IPV survivor, whistleblowerAssume any published photo is permanently geolocatable; run a “what does this frame reveal” review before posting, not after; keep a device and account compartment that never carries location-bearing images

Three techniques need honest labels so you don’t over-trust them. Stripping EXIF is best done locally and mechanically — the command-line tool ExifTool removes everything in one pass (exiftool -all= photo.jpg), and because it runs on your machine, the photo never leaves it. Delayed posting defeats real-time leakage — an adversary learning where you are right now — but does nothing against retrospective analysis, because the background still resolves to a place whenever it is examined. And blurring the background is weaker than it looks: a light blur can be partially reversed by deblurring, so the honest options are heavy pixelation or simply not including the thing. Name each technique by the layer it addresses, and you stop confusing “I did something” with “I am covered.”

Bottom Line — How Much Should You Actually Do?
#

For most people, the whole protocol collapses to two habits: strip metadata locally as a reflex, and stop posting the places you return to — home, work, the school run — in real time. That closes Layer 1 completely and denies Layer 2 its most valuable clue, which is a routine location an adversary can act on. Everything above that is threat-model-dependent, and the people who need the high tier usually already know who they are.

The mental shift is the durable part. The old question — “did I remember to turn off geotagging?” — is a Layer 1 question, and Layer 1 is nearly automatic once ExifTool is a habit. The question that protects you now is a Layer 2 question: what does this frame say about where I am, and would I hand that to a stranger who wanted to find me? When I audit a photo before it goes out, that is the only question I ask, because it is the only one the machines can no longer be stopped from answering for me.

Frequently Asked Questions
#

Does stripping the EXIF data hide my location?
#

It solves half the problem. Removing EXIF deletes the exact GPS coordinate your camera embedded — a real and worthwhile fix. But modern vision models infer location from the visible scene — architecture, vegetation, sun angle, signage — with no metadata at all. In documented tests, OpenAI’s o3 located photos even after their GPS tags were replaced with fakes. Strip metadata as a baseline, then treat the picture’s actual content as the harder, unsolved layer.

Is posting a screenshot instead of the original photo safe?
#

A screenshot removes the original EXIF, so it closes the metadata layer — but it changes nothing about the image itself. The street, skyline, and any readable signs are still in frame, and an AI reads them from a screenshot exactly as well as from the original file. A screenshot changes the file, not the frame; it is not a geolocation defense.

Can AI really locate a photo better than a person?
#

Yes, and against skilled people, not just novices. A Stanford model, PIGEON, identifies a photo’s country 91.96% of the time and beat a world-champion GeoGuessr player across six games. On a 2025 benchmark, a Gemini model reached 64.3% city-level accuracy where human testers scored 1.7%. Accuracy is uneven by region, but the ceiling — what a determined adversary can rent — is very high.

Does blurring the background protect me?
#

Only if it is heavy enough. A light blur or low-strength pixelation can be partially reversed by deblurring techniques, recovering text and detail. If a background element would give away your location — a street sign, a distinctive building, a reflection — the reliable options are heavy pixelation or excluding it from the shot entirely, not a soft blur.

What is the single highest-value habit?
#

Stop posting your recurring, real-world locations — home, workplace, your child’s school, the gym you go to on a schedule — especially in real time. A one-off vacation photo is a smaller risk than a routine an adversary can act on. Combine that with stripping EXIF locally before upload, and you have closed the metadata layer and denied the content layer its most actionable clue.

#SourceURLArchived
1Privacy International — “Nowhere to Hide? Privacy Risks and Policy Implications of AI Geolocation” (2026)https://privacyinternational.org/report/5736/nowhere-hide-privacy-risks-and-policy-implications-ai-geolocationhttps://web.archive.org/web/*/https://privacyinternational.org/report/5736/nowhere-hide-privacy-risks-and-policy-implications-ai-geolocation
2Haas et al. — “PIGEON: Predicting Image Geolocations” (Stanford, CVPR 2024)https://arxiv.org/abs/2307.05845https://web.archive.org/web/*/https://arxiv.org/abs/2307.05845
3Huang et al. — “AI Sees Your Location, But With A Bias Toward The Wealthy World” (VLMs as GeoGuessr Masters, arXiv, 2025)https://arxiv.org/abs/2502.11163https://web.archive.org/web/*/https://arxiv.org/abs/2502.11163
4Sam Patterson — “Can o3 beat a GeoGuessr Master?” (2025)https://sampatt.com/blog/2025-04-28-can-o3-beat-a-geoguessr-master/https://web.archive.org/web/*/https://sampatt.com/blog/2025-04-28-can-o3-beat-a-geoguessr-master/
5Simon Willison — “o3 beats a GeoGuessr master” (2025)https://simonwillison.net/2025/Apr/28/o3-geoguessr/https://web.archive.org/web/*/https://simonwillison.net/2025/Apr/28/o3-geoguessr/
6Bellingcat — “Using the Sun and the Shadows for Geolocation” (2020)https://www.bellingcat.com/resources/2020/12/03/using-the-sun-and-the-shadows-for-geolocation/https://web.archive.org/web/*/https://www.bellingcat.com/resources/2020/12/03/using-the-sun-and-the-shadows-for-geolocation/
7TechNADU — “GeoSpy Sparks Privacy Concerns After Public Misuse” (2025)https://www.technadu.com/ai-powered-tool-geospy-sparks-privacy-concerns-after-public-misuse/570730/https://web.archive.org/web/*/https://www.technadu.com/ai-powered-tool-geospy-sparks-privacy-concerns-after-public-misuse/570730/
8Electronic Frontier Foundation — Surveillance Self-Defensehttps://ssd.eff.org/https://web.archive.org/web/*/https://ssd.eff.org/
9Meta — Privacy Policy (image metadata retention)https://www.facebook.com/privacy/policy/https://web.archive.org/web/*/https://www.facebook.com/privacy/policy/

This article is the photo-specific companion to a wider thread on this site. The same machine inference, applied to your text rather than your images, is mapped in AI Deanonymization: How Inference Undoes Your Anonymity, and the assumptions AI breaks across your whole threat model are laid out in OPSEC in the AI Age: Rebuilding Your Threat Model. Because a located photo, once posted, does not un-post, the audit of what actually survives deletion lives in How Permanent Is Your Social Media Footprint?. For the same threat aimed at your body rather than your background, see Your Voice and Face Are Credentials Now; and for how these techniques converge on a real target, How Streamers Get Doxxed — and the Pseudonym Playbook.

AI-Age OPSEC - This article is part of a series.
Part : This Article

Related