A few months ago I wrote about attaining the developer superpower — how AI agents collapsed the distance between having an idea and shipping it. This is a concrete example of that, and it didn’t come from a planned roadmap. It came from a doomscroll.
The Instagram Post That Started It
I scrolled past a post explaining how people can pin down someone’s exact location from a single photo they share online. Not from the caption — from the file itself.
That stuck with me. It’s the kind of thing that reads as a fun internet trick but is really a genuine security and privacy flaw, and almost nobody knows it’s happening to them. So I looked closer.
Take one photo with your phone and share it. To you it’s a picture. To anyone who downloads it, it can be a dossier. Sitting alongside the pixels is a block of metadata your camera writes automatically — and most sharing habits never touch it. If location services were on, the file carries your GPS position to roughly a meter. The timestamp is accurate to the second. There’s the make, model, lens, and sometimes a device serial number that quietly links photos across accounts. Some files even embed a small thumbnail generated before your edits — crop someone out of a photo and the uncropped version can survive in the preview.
I wanted a tool that just shows you all of this in plain language, and then strips what you don’t want to travel. The catch: doing it honestly is the hard part. A privacy tool that uploads your photo to a server to “clean” it is a privacy hazard wearing a nice coat. The version I actually wanted — one that never sees your photo at all — is the version I built.
What MetaMarshal Does
Drop a photo in and MetaMarshal reads it back to you as an editorial reveal, not a wall of hex:
- Where — the GPS coordinates on a map, with the address and a directions link.
- When — the capture time and timezone, exportable straight to your calendar.
- What shot it — camera, lens, and settings, explained rather than just listed.
- A privacy score — how exposed this particular file is.
Then you strip what you choose and get a clean copy back, with a before/after diff so you can see exactly what was removed instead of trusting a button label. A deeper byte-level scan surfaces the things normal EXIF parsers miss — C2PA Content Credentials, invisible-watermark signals, buried comments, and any data appended after the image ends.
The One Rule: Your Photo Never Leaves Your Device
This is the whole point, so I built the architecture around it rather than a promise in a privacy policy.
Everything runs in your browser. The parsing, the stripping, the re-encoding — all client-side. The file is never uploaded. The only things that ever leave your device are explicit taps you make: reverse-geocoding sends bare coordinates (never the photo), and an optional AI landmark guess sends a downscaled copy, always behind a confirmation. Privacy by architecture, not by policy.
For people who need to clean thousands of files, there’s a developer API — and it holds the same line a different way: it’s zero-retention. Requests are processed in memory, batch outputs auto-delete on a short TTL, and content is never logged. Two trust models, one honest sentence each: nothing leaves your device, and we process and forget.
A Bit of How It Works
Nothing here is exotic — the interesting part is what runs where.
- Reading is client-side. The browser parses the EXIF/XMP/IPTC blocks straight off the file bytes, so the reveal happens without a round trip to any server.
- Two ways to clean. A lossless strip rewrites the file without the metadata segments — pixels untouched. A full re-encode repaints the image onto a fresh canvas, which guarantees nothing survives but costs a little quality. The tool offers both, and either way it bakes the rotation into the pixels first (more on why below).
- A deep pass over the raw bytes. Beyond standard tags, a byte-level scan walks the file’s segments to flag C2PA provenance, watermark signals, and anything appended after the image’s real end-of-file marker.
- The API is boring on purpose. Server-side jobs are processed in memory and handed back as short-lived, signed download URLs whose expiry matches the storage TTL — so the link dying and the file being deleted are the same event. Standard stuff: a Next.js app, TypeScript throughout, ExifTool doing the heavy lifting on the server side.
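The lossless strip and the scan for data appended after the end-of-image marker, sketched for JPEG as an added example (not MetaMarshal's code; the function names and sample bytes are constructed here). It assumes no fill bytes between segments and drops APP1, APP13 and COM; because APP1 also carries the orientation flag, rotation has to be baked into the pixels before a strip like this runs.

```javascript
// Segments treated as metadata here: APP1 (EXIF/XMP), APP13 (IPTC), COM.
const METADATA = new Map([[0xe1, "APP1"], [0xed, "APP13"], [0xfe, "COM"]]);

function concat(parts) {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  parts.reduce((off, p) => (out.set(p, off), off + p.length), 0);
  return out;
}

// Returns the JPEG without metadata segments, the names of the segments
// dropped, and how many bytes sat after the end-of-image (EOI) marker.
function stripJpeg(bytes) {
  if (bytes[0] !== 0xff || bytes[1] !== 0xd8) throw new Error("not a JPEG");
  const kept = [bytes.subarray(0, 2)]; // SOI
  const removed = [];
  let pos = 2;
  while (pos + 1 < bytes.length) {
    if (bytes[pos] !== 0xff) throw new Error(`expected a marker at offset ${pos}`);
    const marker = bytes[pos + 1];
    if (marker === 0xd9) { // EOI: anything after it is appended data, not image
      kept.push(bytes.subarray(pos, pos + 2));
      return { clean: concat(kept), removed, trailingBytes: bytes.length - pos - 2 };
    }
    const len = (bytes[pos + 2] << 8) | bytes[pos + 3]; // counts its own 2 bytes
    let end = pos + 2 + len;
    if (len < 2 || end > bytes.length) throw new Error("truncated segment");
    if (marker === 0xda) {
      // SOS: scan data follows; FF 00 is a stuffed byte, FF D0..D7 are restarts.
      const real = (i) => bytes[i] === 0xff && bytes[i + 1] !== 0 && (bytes[i + 1] & 0xf8) !== 0xd0;
      while (end + 1 < bytes.length && !real(end)) end++;
    }
    if (METADATA.has(marker)) removed.push(METADATA.get(marker));
    else kept.push(bytes.subarray(pos, end));
    pos = end;
  }
  throw new Error("no EOI marker found");
}

// Constructed sample: structurally valid segments, not a decodable picture.
const seg = (m, p) => [0xff, m, (p.length + 2) >> 8, (p.length + 2) & 0xff, ...p];
const sample = Uint8Array.from([
  0xff, 0xd8,                                                   // SOI
  ...seg(0xe0, [0x4a, 0x46, 0x49, 0x46, 0x00]),                 // APP0 "JFIF\0"
  ...seg(0xe1, [0x45, 0x78, 0x69, 0x66, 0x00, 0x00, 1, 2, 3]),  // APP1 "Exif\0\0"...
  ...seg(0xfe, [0x68, 0x69]),                                   // COM "hi"
  ...seg(0xda, [0x01]), 0x12, 0xff, 0x00, 0x34,                 // SOS + scan data
  0xff, 0xd9, 0x50, 0x4b, 0x03, 0x04,                           // EOI + appended bytes
]);
console.log(stripJpeg(sample));
```

The returned `clean` copy ends at EOI, so the appended bytes are reported and dropped rather than carried along.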
The Bits That Surprised Me
Building it, a few things turned out to be sharper than expected:
- The orientation trap. Cameras store pixels sideways and record a rotation flag. Strip all metadata naively and that flag goes with it — so every portrait ends up rotated 90°. You have to bake the rotation into the pixels before you strip.
- Blurring a secret out often doesn’t. Pixelation is a reversible, deterministic shuffle; against a guessable target — a card number, a plate — you can brute-force it back. Blur leaves enough signal to half-read. The only redaction that actually holds is a hard blackout baked into the pixels and re-encoded.
- The pre-crop thumbnail. The single most surprising leak. The uncropped version of your photo can live on inside the file after you’ve cropped it. Any stripper that misses it hands back the exact thing you removed.
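A check worth running before any strip, covering both the orientation trap and the pre-crop thumbnail above. This added example (not MetaMarshal's code; `inspectExif` and the sample payload are constructed here) reads the Orientation tag from IFD0 of an EXIF APP1 payload and follows the next-IFD pointer to see whether IFD1 still describes an embedded preview.

```javascript
// Input: the APP1 payload, starting at "Exif\0\0". Malformed offsets make
// DataView throw a RangeError, so bad input fails closed.
function inspectExif(app1) {
  if (String.fromCharCode(...app1.subarray(0, 6)) !== "Exif\0\0") throw new Error("not an EXIF payload");
  const tiff = new DataView(app1.buffer, app1.byteOffset + 6, app1.length - 6);
  const order = tiff.getUint16(0);
  if (order !== 0x4949 && order !== 0x4d4d) throw new Error("bad byte order");
  const le = order === 0x4949; // "II" = little-endian, "MM" = big-endian
  if (tiff.getUint16(2, le) !== 42) throw new Error("bad TIFF magic");

  // Read one IFD: 2-byte entry count, 12-byte entries, 4-byte next-IFD offset.
  const readIfd = (off) => {
    const tags = new Map();
    const count = tiff.getUint16(off, le);
    for (let i = 0; i < count; i++) {
      const e = off + 2 + i * 12;
      const type = tiff.getUint16(e + 2, le);
      // A single SHORT (type 3) sits in the first 2 bytes of the value field.
      const value = type === 3 ? tiff.getUint16(e + 8, le) : tiff.getUint32(e + 8, le);
      tags.set(tiff.getUint16(e, le), value);
    }
    return { tags, next: tiff.getUint32(off + 2 + count * 12, le) };
  };

  const ifd0 = readIfd(tiff.getUint32(4, le));
  const report = { orientation: ifd0.tags.get(0x0112) ?? 1, thumbnail: null };
  if (ifd0.next !== 0) { // IFD1 describes the embedded preview
    const ifd1 = readIfd(ifd0.next).tags;
    // 0x0201/0x0202: thumbnail offset (from the TIFF header) and byte length.
    if (ifd1.has(0x0201)) report.thumbnail = { offset: ifd1.get(0x0201), length: ifd1.get(0x0202) ?? 0 };
  }
  report.mustBakeRotation = report.orientation !== 1; // 1 = stored upright
  return report;
}

// Constructed sample payload (big-endian): Orientation = 6 plus a 4-byte stand-in thumbnail.
const sampleApp1 = Uint8Array.from([
  0x45, 0x78, 0x69, 0x66, 0, 0,                      // "Exif\0\0"
  0x4d, 0x4d, 0, 42, 0, 0, 0, 8,                     // "MM", magic 42, IFD0 at 8
  0, 1, 0x01, 0x12, 0, 3, 0, 0, 0, 1, 0, 6, 0, 0,    // IFD0: Orientation = 6
  0, 0, 0, 26,                                       // next IFD (IFD1) at 26
  0, 2, 0x02, 0x01, 0, 4, 0, 0, 0, 1, 0, 0, 0, 56,   // IFD1: thumbnail offset 56
  0x02, 0x02, 0, 4, 0, 0, 0, 1, 0, 0, 0, 4,          // IFD1: thumbnail length 4
  0, 0, 0, 0,                                        // no further IFD
  0xff, 0xd8, 0xff, 0xd9,                            // stand-in thumbnail bytes
]);
console.log(inspectExif(sampleApp1));
```

A file that reports a thumbnail after a crop, or an orientation other than 1, is one where a naive strip either keeps the uncropped preview or loses the rotation.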
Built in an Afternoon, with Claude Code
Here’s the part that connects back to the last post. The first working version — drop a photo, see its location and metadata — took me about two to three hours with Claude Code. The version that’s live today, with the deep scan, the redaction, the before/after diff, the API, and the design polish, was maybe five or six hours all in.
A year ago a project like this would have been a couple of weekends minimum — the format-wrangling alone (EXIF, HEIC decoding, byte-level parsing) is the kind of work that quietly eats days. Claude Code was genuinely excellent at exactly that fiddly, well-specified layer: the parsers, the test coverage, the boilerplate around the app. Where I still had to drive was where I expected — the trust model, the honest one-line promises, and the taste calls about what should never leave the device.
That’s the shift I keep coming back to. The constraint has moved from technical to creative. The question stopped being can I build this? and became is this worth building, and have I described it clearly enough? In this case, the whole thing went from a stranger’s Instagram post to a shipped tool in a single afternoon.
Try It — and On Opening the Source
metamarshal.com is free, runs in your browser, and uploads nothing. Drop in a photo you were about to post somewhere public and see what it quietly says about you.
It’ll be MIT-licensed, and the browser engine that reads and strips your photos is built to be open to inspection — the whole promise is only worth anything if you can check it yourself. I’m still polishing things, so the repo is private for now, but I’ll be opening it up soon.
The best ideas don’t always come from a roadmap — sometimes they come from a doomscroll. The difference now is that noticing a problem and shipping a fix can happen on the same afternoon. More experiments to come.