A picture of you standing in front of the Golden Gate Bridge sensibly leads to the conclusion that you were in the San Francisco Bay Area when the photo was taken. As smartphones quickly supplant traditional digital cameras, and even traditional cameras now have wifi built in, many more pictures are finding their way onto the web, in places like Twitter, Flickr, Google+ and Tumblr. In a span of 10 days, popular photo social network Instagram added 10 million new users as a result of the release of its Android app and its acquisition by Facebook. The location data hidden in these pictures -- even when your location isn't as obvious as "standing in front of the Golden Gate Bridge" -- is becoming another easy way for anyone, including law enforcement, to figure out where you are.
Take the case of "w0rmer," a member of an Anonymous offshoot called "CabinCr3w," for example. According to the federal government, "w0rmer" broke into a number of different law enforcement databases and obtained a wealth of sensitive information. In a Twitter post, "w0rmer" provided a link to a website that contained the sensitive information as well as a picture of a woman (NSFW) posing with a sign taunting the authorities. Because the picture was taken with an iPhone 4, which has a built-in GPS device, the GPS coordinates of where the picture was taken were embedded into the picture's EXIF metadata. The FBI was able to use the EXIF data to determine that the picture was taken at a house in Wantirna South, Australia.
The FBI tracked down other online references to "w0rmer," with one website containing the name Higinio Ochoa. The feds took a look at Ochoa's Facebook account, which detailed that his girlfriend was Australian. Combined with the EXIF metadata, the government believed they had corroborated the identity of "w0rmer" as Ochoa, and in turn arrested him.
W0rmer pdf: https://www.eff.org/sites/default/files/W0rmer%20complaint.pdf
Even for photos not taken with a smartphone and not embedded with GPS coordinates (for example, point and shoot or SLR cameras that do not geotag), it's still possible for the police to get location information through EXIF metadata. You can upload a picture here and see the metadata stored in a picture for yourself. Contained within that metadata is the camera's serial number. Armed with that information, the police can easily scour the internet for other pictures tagged with the same serial number. In Australia, a man whose camera was stolen was able to track it down using stolencamerafinder.com because the thief had taken a picture with the camera and uploaded it to Flickr, where he had listed his address. But even if the thief's Flickr site didn't contain his address, police could have subpoenaed Flickr - like law enforcement have attempted to do with Twitter - for information concerning a user's temporarily assigned IP address, as well as session times and logs, to eventually determine where a person uploaded a picture from. All of which can be used to piece together a snapshot of not only your movements, but as in the case of "w0rmer," potentially your identity. In the United States, police are being trained about the broader investigative (PDF) potential of this information. https://www.justnet.org/pdf/EXIF.pdf
If you value your privacy, you should take steps to ensure the EXIF metadata in your pictures isn't an easy way for anyone on the Internet to figure out your location. If you're using a smartphone to take pictures, disable geotagging for your pictures. If you're uploading your pictures to a website like Flickr or Twitpic that defaults to automatically including EXIF data and location information, take the steps to turn it off. And if you're using a traditional SLR or point and shoot camera that doesn't geotag, but does record a breadth of EXIF data, then make sure you scrub the metadata from your pictures before you upload them to the Internet.
JPEG & PNG stripper: Scrub photos before uploading.