You take the photo at 2pm in your own kitchen, crop out anything identifying, and send it to one person you trust. Nothing in the frame gives you away. You feel careful. But tucked invisibly inside that file — riding along in a header you’ve never seen — are your exact GPS coordinates to within a few metres, the make and model of your phone, the camera’s unique serial number, and the second you pressed the shutter. The recipient doesn’t have to be clever or curious. Their software reads it for them, automatically, the moment the image lands. You didn’t share a picture. You shared a location pin with a picture stapled to it.
The short version: Every photo, document, and video you create carries hidden metadata — GPS coordinates, device serial numbers, author names, timestamps — embedded inside the file itself, where private sharing, VPNs, and incognito mode can’t touch it. The fix is to strip it before the file ever leaves your device. Use ExifTool to wipe EXIF data from images in seconds, MAT2 for documents on Linux and Tails, and turn off location tagging in your camera app entirely. On GrapheneOS the camera never embeds GPS in the first place. The reframe that matters: privacy isn’t about who sees your file — it’s about what the file carries, and that travels with it everywhere.
What metadata is hidden in your files? The header you never see
Metadata is the data your files keep about themselves — and it’s far more revealing than the content you actually meant to share.
Every JPEG and smartphone photo carries a standardised header called EXIF (Exchangeable Image File Format). It was built so photographers could track their camera settings. It has quietly become a portable surveillance profile that ships with every image by default. A single unstripped phone photo typically contains:
- GPS coordinates — latitude, longitude, and altitude, accurate to within about three metres
- Camera make and model — your exact device
- Camera serial number — a unique hardware ID that survives factory resets
- Timestamp — the date, time, and timezone of capture
- Lens focal length and aperture
- Software version — the firmware or app that processed the image
- Orientation — how you were holding the device
The serial number is the field that should worry you most, because it’s a persistent hardware fingerprint that no account change can break. Post one unstripped photo publicly from your main phone, then post an “anonymous” image from the same phone later, and the matching serial number links both to identical hardware — no username, no login, no correlation needed. Investigative journalists have used exactly this technique to unmask sources. Automated scrapers harvest EXIF from public platforms continuously. The pin was always in the file; you just couldn’t see it.
Does sending a photo privately protect your location? Why the audience is the wrong question
Here’s the assumption almost everyone makes, and it’s the one that gets them: share something in a closed group, a direct message, or a password-protected folder, and the location stays private. It doesn’t. Location privacy has nothing to do with who sees the image and everything to do with what the image carries.
A photo sent over Signal to a single trusted contact still holds your GPS coordinates, device model, and exact capture time inside its header. The recipient doesn’t even have to look — their software surfaces it automatically. Privacy of the audience is not privacy of the file. You can lock the door to the room and it changes nothing, because the secret walked in inside the guest’s pocket.
This is why the whole “be careful who you send it to” instinct quietly fails. You were guarding the wrong boundary.
What other files leak metadata besides photos?
Photos are the obvious offender. They’re not the only one — almost everything you produce keeps a diary, and the office files you send for work or admin are some of the loudest.
A Microsoft Word document (the .docx your word processor produces) embeds the author name registered in Windows or Microsoft 365, your company name from the licence, total editing time, revision count, and revision history including deleted text. Submit two documents from the same installation under different names and a Revision ID — a UUID unique to your install — ties both to the same author. The same logic applies to a photo dropped into a quick DM reply: it still carries its full header to whoever receives it, regardless of the channel.
PDFs carry author, creator, producer, and creation timestamp. Export a Word file to PDF and it inherits all the Word metadata, then adds its own. A PDF saved from macOS embeds the macOS version, your username, and a timestamp to the second.
Email headers record the IP address of each server your message passes through. Send from a desktop client like Outlook or Thunderbird and your client’s IP can appear in the Received chain — on a home connection that maps straight to your ISP account and address. Gmail suppresses the sending IP; ProtonMail strips it; many corporate servers do neither.
Video files carry XMP or MPEG-4 metadata equivalent to EXIF — GPS, device model, software version, creation time, sometimes a unique device ID. YouTube and Instagram strip some of it on upload, but inconsistently, and not every platform does.
Why don’t VPNs, incognito mode, or platform settings protect you?
This is the trap that catches careful people, because they’re using real privacy tools — just aimed at the wrong target.
Incognito mode stops your browser writing local history and cookies. It has zero effect on file metadata. A photo uploaded in a private window carries identical EXIF to one in a normal session, because the metadata lives in the file, not the browser.
VPNs mask your IP from the destination server. They do not inspect or modify the files you upload. EXIF data rides through the encrypted tunnel completely intact; your GPS coordinates arrive at the server unchanged, no matter which country your exit node sits in.
Platform privacy settings are the worst trap of all. Twitter has stripped EXIF since 2012. Facebook strips GPS but historically kept other fields. Instagram’s behaviour shifts between versions. You’re trusting a third party — one with its own commercial interest in your data — to perform privacy-critical processing you can’t audit, that changes without notice. The correct posture is absolute: strip metadata before the file leaves your device, and never delegate that job to a platform.
Screenshot laundering half-works — a screenshot is a new file that doesn’t inherit the original’s GPS — but Windows and macOS screenshots embed their own creation timestamp, and older Android builds embedded the device model. It’s incomplete and unreliable.
How do you strip metadata? The four-layer hygiene you can run today
The relief here is how little skill any of this takes. Metadata hygiene happens at four points in a file’s life, and the first one is a single command.
- Capture — stop recording it in the first place.
- Pre-send — strip what’s already there.
- Channel — use tools that don’t add identifying metadata.
- Verify — confirm the file is clean before it goes out.
None requires more than clicking a button or running one line. What it requires is consistency: one unstripped photo in a hundred is the one that matters.
For images, ExifTool — written by Phil Harvey, free under the Perl Artistic License at exiftool.org — is the reference tool. Inspect a file with `exiftool photo.jpg` (the output length will surprise you), then wipe it:
```
exiftool -all= -overwrite_original photo.jpg
```
Add `-r` and point it at a folder to clean an entire directory at once. ExifTool handles JPEG, PNG, TIFF, HEIC, MP4, MOV, PDF, and DOCX, which makes it the single most useful tool in this stack.
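To show what that command is actually removing, here is an added example in Python (not ExifTool’s code, just a deliberately minimal analogue of it): it walks a JPEG’s segment headers, reports which metadata blocks are present, and writes the file back without them, which is the `-all=` idea in its simplest form. `SAMPLE_JPEG` is constructed inline and is not a real photo.

```python
import struct
SOS = 0xDA
METADATA_MARKERS = {0xE1, 0xED}  # APP1 (Exif, XMP) and APP13 (IPTC/Photoshop)
SIGNATURES = {b"Exif\x00\x00": "Exif", b"http://ns.adobe.com/xap/1.0/\x00": "XMP",
              b"Photoshop 3.0\x00": "IPTC"}

def jpeg_segments(data):
    """Yield (marker, start, end) for each length-prefixed segment up to SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # counts itself
        end = pos + 2 + length
        yield marker, pos, end
        if marker == SOS:  # after SOS comes entropy-coded scan data, then EOI
            return
        pos = end
    raise ValueError("no SOS segment: truncated or corrupt JPEG")

def metadata_report(data):
    """The 'verify' layer: name the metadata blocks a JPEG still carries."""
    found = []
    for marker, start, end in jpeg_segments(data):
        if marker in METADATA_MARKERS:
            payload = data[start + 4:end]
            found.append(next((n for sig, n in SIGNATURES.items()
                               if payload.startswith(sig)), "APP%d" % (marker - 0xE0)))
    return found

def strip_metadata(data):
    """The 'pre-send' layer: drop APP1/APP13 segments; pixel data is untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in jpeg_segments(data):
        if marker == SOS:
            out += data[start:]  # SOS header, scan data and EOI copied verbatim
            break
        if marker not in METADATA_MARKERS:
            out += data[start:end]
    return bytes(out)

def segment(marker, payload):  # builds one segment; only for the constructed sample
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
# Constructed sample, not a real photo: JFIF header, Exif and IPTC blocks, a scan.
SAMPLE_JPEG = (b"\xff\xd8" + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(0xE1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08\x00\x00")
    + segment(0xED, b"Photoshop 3.0\x00") + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56\xff\xd9")  # three bytes of fake scan data, then EOI
```

A real photo also carries a vendor MakerNote inside the Exif block, and PNG or HEIC files keep their metadata in different containers, which is why the article points you at ExifTool rather than a hand-rolled script.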
For documents, the lowest-friction method is to print to PDF, then run ExifTool to break the inheritance chain. On Linux or Tails, MAT2 (Metadata Anonymisation Toolkit 2, from the Tor Project) does batch stripping with file-manager integration: `mat2 document.pdf` writes a cleaned copy you can verify before deleting the original.
For mobile capture, kill GPS embedding at the source — the cleanest layer, because a coordinate that was never recorded can never leak. The highest-integrity option is to move your phone’s whole OS to GrapheneOS, a hardened Android build whose camera app strips GPS by default and lets you scope location permission per app. Whatever OS you run, you can deny the camera access to location: on GrapheneOS, Settings → Apps → Camera → Permissions → Location → Denied; on stock Android, the camera app’s settings → Location tags → Off; on iOS, Settings → Privacy → Location Services → Camera → Never. These stop future captures from carrying a pin, though they don’t strip the photos already on your roll — for those, ExifTool is still the tool.
Before sending anything sensitive over email, mail a test message to yourself and read the raw headers for your IP — if it appears, route sensitive correspondence through ProtonMail or Tutanota, which strip it. And when the file genuinely has to stay private end to end, send the stripped version over Signal: its servers see only ciphertext, so stripping the file and using an encrypted channel are two independent controls that stack.
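The self-test described above, as an added example that is not from the original article: it parses the Received chain of a raw message, oldest hop first, and returns any routable address on the first hop, which is what a recipient would read as the message’s origin. The headers are constructed using documentation IP ranges, so no real host or account is involved.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed raw headers from a message sent to yourself; not a real capture.
RAW_HEADERS = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
        by inbox.example.com with ESMTPS; Mon, 1 Jan 2024 12:00:05 +0000
Received: from [192.168.1.23] (cpe-198-51-100-77.isp.example [198.51.100.77])
        by mx.example.net with ESMTPSA; Mon, 1 Jan 2024 12:00:01 +0000
From: you@example.net
To: you@example.net
Subject: header check

body
"""

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
# Addresses that identify nothing outside your own network.
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                    "192.168.0.0/16", "127.0.0.0/8")]

def is_lan(ip):
    return any(ip_address(ip) in net for net in LAN_NETS)

def received_hops(raw):
    """Received chain oldest-first: each hop as (normalised line, routable IPs)."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its own header, so the last one is the first hop.
    for line in reversed(msg.get_all("Received", [])):
        ips = [ip for ip in IPV4.findall(line) if not is_lan(ip)]
        hops.append((" ".join(line.split()), ips))
    return hops

def first_hop_ip(raw):
    """The address a recipient sees as the message's origin, or None if hidden."""
    hops = received_hops(raw)
    return hops[0][1][0] if hops and hops[0][1] else None
```

If `first_hop_ip` returns an address for a message you sent from home, that is the ISP-assigned address the article warns about; a provider that strips it will leave only its own relay addresses in the chain.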
Run ExifTool on the last five photos you posted publicly tonight, and the case for this stops being abstract.
For the wider picture of how these small habits compound into control, see The Unhacked Network on the logic of social sovereignty — metadata hygiene is one node in the same digital sovereignty stack.
Frequently asked questions about metadata hygiene
Can I use a screenshot instead of stripping metadata?
Partially. Screenshots don’t inherit the original file’s GPS data, but Windows and macOS screenshots embed their own creation timestamp and sometimes software version, and older Android builds embedded the device model. It’s incomplete and unreliable. Strip metadata explicitly with ExifTool instead of trusting a screenshot to do it.
If I strip metadata from a file, can I get it back later?
Only if you kept a copy. ExifTool leaves a `_original` backup by default; if you used `-overwrite_original`, the metadata is permanently gone. For files you might need intact later — say, photos whose timestamps matter for a record — preserve the original in encrypted storage before you strip the copy you intend to share.
Do I have to strip metadata from every single file I send?
Only when you care about linking the file to your device and precise location. For casual sharing with people who already know where you live, it’s low priority. For anonymous correspondence, documents sent to authorities, or anything posted under a pseudonym, it’s essential — and the discipline of stripping by default is easier to keep than deciding case by case.
Is metadata hygiene only for journalists and activists?
No. Journalists and activists need it most acutely, but the same hidden serial number and GPS pin follow anyone — domestic-abuse survivors hiding a new location, people in marginalised communities, anyone who simply prefers not to be tracked. Metadata hygiene is baseline digital sovereignty, not a specialist tool.
You started reading because sending a photo to one trusted person felt safe. Now you know the file was never really private — it carried a location pin and a hardware fingerprint into every inbox it touched, and no VPN or closed group could strip them. The cure costs one command and thirty seconds. Turn off location tagging tonight, run ExifTool on what you’ve already shared, and you stop being a person who leaves a precise trail with every image and become the owner of your own footprint — the one who decides exactly what each file is allowed to say. That control was always yours. You just had to see the header to take it.