Stop uploading your ID photos to random websites
Think about the images you’ve pushed through “free online image tools”: passport-style photos of your face. Your handwritten signature. Scans of ID cards, mark sheets, address proofs. These are the raw materials of identity theft — and the standard advice, “just use an online compressor”, sends them to servers run by people you know nothing about, under privacy policies nobody reads, in jurisdictions nobody checks.
This isn’t paranoia; it’s just an odd default. Nobody would email their signature scan to a stranger who promised to “make it smaller and send it back”. That’s what an upload-based tool is — minus the email trail.
What actually happens on an upload-based tool
The mechanics are mundane. Your file travels to their server, is processed, and a result comes back. What happens to the copy on the server depends entirely on the operator:
- Best case: deleted promptly, exactly as the policy claims.
- Middle case: retained in logs, backups or caches, unencrypted, indefinitely.
- Worst case: harvested deliberately — a free tool is a very cheap way to collect labelled photos of faces paired with signatures.
The visitor cannot tell these apart from the outside. The privacy policy is a promise, not a mechanism — and breach disclosures from services far more reputable than anonymous tool sites should calibrate how much a promise is worth.
The alternative: tools that never receive your file
Modern browsers can decode, resize and re-encode images natively, on your device. A compressor built this way — including this site’s — has no upload step by architecture. The claim isn’t “we delete your files”; it’s “your files never arrive”. There is nothing to breach, no log to leak, no operator to trust.
The difference between promise and mechanism is the entire point. One is a policy; the other is physics.
How to verify the claim in two minutes
Any site can say “we don’t upload your files”. Here’s how to check — on this site or any other. No technical background needed:
- Watch the network. Press F12 to open your browser’s DevTools and select the Network tab. Use the tool normally. Every request the page makes appears in that list — if your 3 MB photo were being uploaded, you’d see a large outgoing request the moment you dropped the file. On a genuinely local tool, dropping and compressing a file produces nothing at all in that list.
- Unplug the internet. Load the page, then switch on airplane mode or disconnect Wi-Fi. A local tool keeps working — decode, compress, download, all offline. An upload-based tool dies instantly. (This site also works as an installed offline app for the same reason.)
- Check the tab’s size limits. Local tools have no “max file size 5 MB” style limits, because there’s no server bearing the cost. Arbitrary small caps are a hint (not proof) that files are travelling somewhere.
Test one and two together take about two minutes, and they’re conclusive: network traffic either happens or it doesn’t.
”But the site has analytics / could ads see my files?”
Fair question, worth answering precisely. A page can make network requests that aren’t your files — this site loads a cookieless page-view counter, and may someday show ads to fund itself. Requests like that are visible in the same Network tab, and you can inspect them: a page-view beacon is a few hundred bytes; your photo is a few million. The claim that matters is narrow and checkable: the files you drop into the tool produce no network traffic. That’s the invariant this site is built around, and no funding model changes it — an ad on the page can no more read your dropped file than it can read your hard drive.
Habits worth adopting
- Default local. For images tied to identity — face, signature, documents — prefer tools that pass the offline test. There are now local-first options for most common jobs.
- Strip metadata before sharing. Photos carry EXIF data: GPS coordinates, device model, timestamps. Re-encoding (which this tool does inherently) produces a clean file.
- Keep originals off cloud upload folders if your threat model includes account compromise; a local archive plus deliberate sharing beats auto-sync for sensitive scans.
- Be suspicious of “free” that costs a server. Upload-processing costs the operator real money per file. If the tool is free with no visible funding, your files may be the funding. Local tools genuinely cost the operator almost nothing — which is why they can be free without the dark pattern.
The photos that pass through compression tools are, almost by definition, the ones attached to your legal identity — that’s why the forms demanding exact sizes exist in the first place. They deserve the two-minute verification. Do it here first: open the Network tab, drop a photo into the compressor, and watch nothing happen.