# Metadata Privacy Linter

Scan image metadata for privacy leaks before sharing: GPS, serial numbers, owner names, timestamps, software, descriptions and keywords. Browser-local, no upload.

## Run it

- **CLI:** `gizza tool metadata-privacy-linter "iVBORw0KGgo... or data:image/jpeg;base64,..."`
- **Web:** https://gizza.ai/tools/metadata-privacy-linter/
- **Agents:** machine-readable descriptor (parameters JSON Schema) at https://gizza.ai/tools/metadata-privacy-linter/tool.json

## Inputs

- `image_base64` — Image base64 or data URL _(field)_
- `min_risk` — Minimum risk _(field)_
- `reveal_values` — Reveal concrete metadata values (GPS, serials, names) _(field)_
- `output` — Output _(field)_

## Output

- Privacy report (text)

## Query parameters

Open the tool pre-filled and auto-run via URL:

- `image_base64` — Image base64 or data URL
- `min_risk` — Minimum risk
- `reveal_values` — Reveal concrete metadata values (GPS, serials, names)
- `output` — Output

Example: `https://gizza.ai/tools/metadata-privacy-linter/?image_base64=iVBORw0KGgo...%20or%20data%3Aimage%2Fjpeg%3Bbase64%2C...&min_risk=all&reveal_values=true&output=report`

---

## About this tool

Metadata Privacy Linter checks an image for embedded metadata that can leak private
information when you share a photo or screenshot. Paste base64 image bytes (or a
`data:image/...;base64,...` URL) and it scans the container for EXIF/TIFF, XMP,
and IPTC/IIM fields.

It flags common privacy risks:

- **GPS location** — coordinates, GPS timestamps, and GPS processing hints.
- **Device identifiers** — camera/lens serials, camera owner names, model names.
- **Personal identity** — creator, by-line, copyright, credit, and owner fields.
- **Timestamps** — capture, digitized, created, and modified dates.
- **Software and descriptions** — editing apps, host computer, captions, keywords.

Values are hidden by default so you can share the report without re-leaking the
metadata you are trying to remove. Turn on **Reveal concrete metadata values** to
show field values, decoded GPS coordinates, and an OpenStreetMap link.

### Worked example

A PNG containing XMP creator and serial metadata:

```text
image_base64 = iVBORw0KGgpwcmVmaXg8eDp4bXBtZXRh...
min_risk = all
reveal_values = false
output = report
```

The report lists high-risk creator/device fields without printing the actual name
or serial number. Switch `output` to `json` when you need structured data for a
pipeline.

## FAQ

<details>
<summary>Is the image uploaded?</summary>

No. The scan runs in WebAssembly in your browser. The pasted base64/data URL is
processed locally and never uploaded by this page.

</details>

<details>
<summary>Why does the tool ask for base64 instead of a file picker?</summary>

This gizza page model is text-input based, so base64/data URLs are the portable
way to pass exact image bytes through the CLI, chat tool, and browser page. Use a
local encoder or a previous tool output to provide the bytes.

</details>

<details>
<summary>What metadata formats are scanned?</summary>

The linter detects common image containers (JPEG, PNG, TIFF, WebP, HEIF, GIF) and
scans EXIF/TIFF, XMP packets, and JPEG IPTC/IIM resources when those metadata
blocks are present.

</details>

<details>
<summary>Does it remove the metadata?</summary>

No. It is a linter: it tells you what would leak and how risky each field is. Use
an image metadata stripper or re-export workflow to remove the fields after you
identify them.

</details>

<details>
<summary>Why are values hidden by default?</summary>

A privacy report can itself become sensitive if it prints GPS coordinates, serial
numbers, or names. Hidden values let you share the report safely; reveal values
only when you need exact coordinates or field contents.

</details>

## Related tools

- [Extract Action Items from Meeting Notes](https://gizza.ai/tools/action-item-extractor/): Extract action items, owners, and decisions from meeting notes or daily notes with deterministic rules. Markdown checklist or JSON, private in-browser.
- [Base Decoder](https://gizza.ai/tools/base-decoder/): Auto-detect and decode Base16, Base32, Base45, Base58, Base64, and Base85 text, including nested layers, locally in your browser.
- [cURL Command Parser](https://gizza.ai/tools/curl-command-parser/): Paste a curl command to see its method, URL, query params, headers, body, auth, cookies and flags — or rebuild clean curl. Browser-only.
- [Data Format Converter](https://gizza.ai/tools/data-format-converter/): Convert data between CSV, TSV, JSON, and NDJSON (JSONL) in any direction — auto-detects the source, infers types, unions keys. Free, in-browser, no upload.
- [Dotenv Manager](https://gizza.ai/tools/dotenv-manager/): Parse, validate, merge and secret-mask .env files in your browser: flag duplicate and missing keys, lint names, and export .env.example or JSON. No upload.
