You take a photo of your dog in the garden, crop out the house number, and post it. You were careful. But the file you uploaded just told anyone who cared to look the exact latitude and longitude of where you stood, accurate to within a few metres, plus the second you pressed the shutter, the firmware that processed the shot and, on devices that write it, the camera's serial number. You cropped the pixels. You never touched the part that actually gives you away.
The short version: every photo, document, video, and email you create carries hidden metadata (GPS coordinates, device identifiers, timestamps, author names, revision histories, IP addresses), and it survives "private" shares because it lives inside the file, not in your browser or your VPN tunnel. Platforms that promise to strip it can't be verified and change behaviour without notice. The fix is to strip metadata yourself before the file leaves your device: inspect with ExifTool, remove with `exiftool -all=`, batch-clean with MAT2, stop GPS at capture with your camera app's location setting (or GrapheneOS), and use ProtonMail and Signal for channels that don't add identifiers. Thirty seconds per file closes the leak.
What metadata is actually embedded in your files
EXIF is a standardised metadata block written into JPEG, TIFF and HEIC files at the moment of capture (most other image and video formats carry an equivalent). It was designed for photographers to track exposure settings across a shoot. It quietly became a full tracking profile that ships with every photo by default.
A single unstripped smartphone photo can contain:
- GPS coordinates: latitude, longitude, and altitude, often accurate to within a few metres
- Camera make and model: the exact device used
- Camera serial number: a unique hardware identifier that survives resets and factory wipes (dedicated cameras routinely write it; phones vary, so check your own output rather than assume)
- Timestamp: date and time of capture, plus the timezone offset on devices that write the newer OffsetTime tags
- Lens focal length and aperture
- Software version: the firmware or app that processed the image
- Orientation data: how the device was held at capture
The element almost everyone overlooks is the camera serial number, a persistent hardware fingerprint. Post an unstripped photo from a device that writes it to a public account, then post an "anonymous" photo from the same device months later, and the serial number ties both images to the same hardware. No account correlation required: the file does the linking for them.
This isn’t hypothetical. Investigative journalists have used EXIF data to geolocate individuals from photos posted to social media. Law enforcement uses it routinely. Automated scraping scripts run continuously against public platforms, extracting and archiving EXIF from every photo a platform fails to strip on ingest.
Why this leak extends far beyond your camera roll
Photos are the most visible vector, but metadata bleeds across every file type you create and send.
Document metadata in Word and Office
Microsoft Word documents (.docx) embed the author name registered in Windows or Microsoft 365, the company name from the Office installation, total editing time, revision count, and, when Track Changes is on, a revision history that can contain deleted text. Draft a document under your real identity and edit it under a pseudonym, and both identities appear in the file properties (Author and Last Modified By).
More damaging are the revision session identifiers (rsid values) that Word writes into the document's XML. Each editing session gets one, the full set accumulates in settings.xml, and the values travel with text pasted from one document into another, so two files submitted under different names that share rsid values can be tied to the same editing history even when every visible property has been changed.
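The fields above are easy to see once you remember that a .docx is a zip archive. The following is an added example, not code from the article or from any Office tooling: it builds a constructed, minimal package (no `_rels` or `[Content_Types].xml`, so not a file Word would open), reads the author, company, editing-time and timestamp fields from `docProps/core.xml` and `docProps/app.xml`, collects every rsid value from the `word/` parts, and then scrubs all of it. The namespace URIs are the real OOXML ones; the sample values ("Alice Example", "Example Corp", the rsids) are invented.

```python
# Added example (not from the original article): read the identifying fields from a
# .docx package and scrub them. A .docx is a zip; core.xml and app.xml hold the author,
# company and editing-time fields, and rsid attributes in word/*.xml record editing
# sessions. The package built below is constructed and minimal (no _rels or
# [Content_Types].xml): enough for these parsers, not a file Word would open.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCT = "http://purl.org/dc/terms/"
EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"cp": CP, "dc": DC, "dcterms": DCT, "ep": EP}

# Constructed sample parts: real identity as creator, pseudonym as last editor.
SAMPLE_CORE = (f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}" xmlns:dcterms="{DCT}" '
               'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
               '<dc:creator>Alice Example</dc:creator><cp:lastModifiedBy>anon</cp:lastModifiedBy>'
               '<cp:revision>7</cp:revision>'
               '<dcterms:created xsi:type="dcterms:W3CDTF">2024-01-01T09:00:00Z</dcterms:created>'
               '<dcterms:modified xsi:type="dcterms:W3CDTF">2024-01-02T17:30:00Z</dcterms:modified>'
               '</cp:coreProperties>').encode()
SAMPLE_APP = (f'<Properties xmlns="{EP}"><Application>Microsoft Office Word</Application>'
              '<Company>Example Corp</Company><TotalTime>95</TotalTime></Properties>').encode()
SAMPLE_DOC = (f'<w:document xmlns:w="{W}"><w:body><w:p w:rsidR="00A1B2C3" w:rsidRDefault="00D4E5F6">'
              '<w:r w:rsidR="00A1B2C3"><w:t>Hello</w:t></w:r></w:p></w:body></w:document>').encode()
SAMPLE_SETTINGS = (f'<w:settings xmlns:w="{W}"><w:rsids><w:rsidRoot w:val="00A1B2C3"/>'
                   '<w:rsid w:val="00A1B2C3"/><w:rsid w:val="00D4E5F6"/></w:rsids></w:settings>').encode()
EMPTY_CORE = f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}" xmlns:dcterms="{DCT}"/>'.encode()
EMPTY_APP = f'<Properties xmlns="{EP}"/>'.encode()

RSID_VALUE = re.compile(rb'w:rsid\w*(?: w:val)?="([0-9A-Fa-f]{8})"')  # w:rsidR="..." and <w:rsid w:val="...">
RSID_ATTR = re.compile(rb'\s+w:rsid\w*="[0-9A-Fa-f]{8}"')              # attribute form on paragraphs/runs
RSIDS_BLOCK = re.compile(rb"<w:rsids>.*?</w:rsids>", re.S)             # session list in settings.xml


def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", SAMPLE_CORE)
        z.writestr("docProps/app.xml", SAMPLE_APP)
        z.writestr("word/document.xml", SAMPLE_DOC)
        z.writestr("word/settings.xml", SAMPLE_SETTINGS)
    return buf.getvalue()


def read_part(docx: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return z.read(name)


def read_properties(docx: bytes) -> dict:
    """Identifying fields from core.xml and app.xml; None where the element is absent."""
    core = ET.fromstring(read_part(docx, "docProps/core.xml"))
    app = ET.fromstring(read_part(docx, "docProps/app.xml"))

    def text(root, path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {"creator": text(core, "dc:creator"),
            "last_modified_by": text(core, "cp:lastModifiedBy"),
            "revision": text(core, "cp:revision"),
            "created": text(core, "dcterms:created"),
            "modified": text(core, "dcterms:modified"),
            "company": text(app, "ep:Company"),
            "total_time_minutes": text(app, "ep:TotalTime")}


def rsid_values(docx: bytes) -> set:
    """Every editing-session id in the package; values shared between two files link them."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                found.update(v.decode() for v in RSID_VALUE.findall(z.read(name)))
    return found


def scrub_docx(docx: bytes) -> bytes:
    """Blank core/app properties, drop rsids, and pin zip entry timestamps (those leak too)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as zin, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            data = zin.read(info.filename)
            if info.filename == "docProps/core.xml":
                data = EMPTY_CORE
            elif info.filename == "docProps/app.xml":
                data = EMPTY_APP
            elif info.filename.startswith("word/") and info.filename.endswith(".xml"):
                data = RSID_ATTR.sub(b"", RSIDS_BLOCK.sub(b"", data))
            entry = zipfile.ZipInfo(info.filename, date_time=(1980, 1, 1, 0, 0, 0))
            entry.compress_type = zipfile.ZIP_DEFLATED
            zout.writestr(entry, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", read_properties(sample), sorted(rsid_values(sample)))
    clean = scrub_docx(sample)
    print("after: ", read_properties(clean), sorted(rsid_values(clean)))
```

Run it against a real .docx by replacing `build_sample_docx()` with the file's bytes; `rsid_values()` on two documents you believe are unrelated, intersected, is the check an adversary would run. The zip entry timestamps pinned in `scrub_docx` are a detail the Properties dialog never shows but `unzip -l` does.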
PDF metadata from every source
PDFs carry an author field, a creator field (the application that generated it), a producer field (the PDF library), and creation and modification timestamps. When a Word document is converted to PDF it usually inherits the Word metadata and adds its own. A PDF saved from the macOS print dialog records the macOS version and build in the producer field and a timestamp to the second, and can carry the account's name as the author.
Email headers expose your IP address
Every email carries a chain of `Received:` headers, one added by each server the message passed through. Send from a desktop client such as Thunderbird or Outlook and, if your provider's submission server records the connecting client (most self-hosted Postfix or Exim setups and many corporate servers do), your client's public IP appears in the earliest `Received:` header. On a home connection that IP maps directly to your ISP account and, through the ISP, to your physical address. Webmail such as Gmail does not record the client IP; ProtonMail strips it; many corporate mail servers do not.
Video metadata contains location and device IDs
Video files carry QuickTime/MP4 metadata atoms (and sometimes XMP) equivalent to EXIF. A clip recorded on an iPhone or Android device embeds GPS coordinates, device model, software version, and creation timestamp; some camera apps add a unique device ID. YouTube, TikTok, and Instagram strip some metadata on upload, but not all platforms do, and stripping is not guaranteed across updates.
The reframe: the tools you trust for privacy do nothing about this
Here is the turn that catches almost everyone. The three technologies you reach for to "stay private" have zero effect on metadata leakage, because they protect the session, and the leak is in the file.
Private browsing mode stops your browser writing local history and cookies. It never touches file metadata. A photo uploaded in incognito carries exactly the same EXIF payload as one uploaded normally.
A VPN masks your IP from the destination server. It does not inspect or modify the files you upload. EXIF embedded in an image travels through the VPN tunnel intact and arrives unaltered: your GPS coordinates reach the server no matter which country your exit node is in.
Platform privacy settings ask you to trust a commercial third party to perform privacy-critical processing with no verification. Twitter has stripped EXIF from uploaded images for years. Facebook strips GPS but has historically retained other EXIF fields. Instagram's behaviour shifts across versions. You cannot confirm what was stripped, cannot audit the code, and the behaviour changes without notice.
Once that clicks, the whole approach inverts. You stop asking “is this platform private enough?” and start treating every file as guilty until you personally clean it. The only metadata you can trust is the metadata you stripped before the file ever left your device. Never delegate this to anyone downstream of you.
One honest footnote: screenshotting a photo instead of sharing the original does remove GPS, because a screenshot is a new file the OS creates without the original's EXIF. But screenshots on Windows and macOS embed creation timestamps and sometimes software versions, and some Android builds have embedded device-model data. It works partially. It isn't systematic. Don't rely on it.
How to build a metadata-stripping workflow
The gap between the risk signal and the defence isn't technical complexity. Every tool below is free, open-source, and runs on Windows, macOS, and Linux. The gap is operational: most people just don't build stripping into the moment before upload.
Metadata hygiene operates at four points in the lifecycle:
- Capture: configure devices to record minimal metadata, or none
- Pre-send processing: strip metadata before files leave your device
- Communication channel: use channels that don't add identifying metadata
- Verification: confirm removal before sharing sensitive files
None of this needs expertise beyond running a command or clicking a button. What it needs is consistency. One unstripped photo in a hundred is the one that matters, so make the strip a habit, not a decision.
ExifTool for images and documents
ExifTool, written by Phil Harvey, is the reference implementation for reading and writing metadata across hundreds of formats. It is free software, licensed under the same terms as Perl itself (Artistic or GPL), and available at exiftool.org.
Inspect what a file contains before stripping:
```
exiftool photo.jpg
```
Run that on a photo from your camera roll the first time and the output will likely be longer than you expect. Strip everything from a single file:
```
exiftool -all= photo.jpg
```
This removes every tag and writes the cleaned file in place, keeping a backup with the `_original` suffix. To suppress the backup, or to clean a whole directory recursively:
```
exiftool -all= -overwrite_original photo.jpg
exiftool -all= -overwrite_original -r /path/to/folder/
```
ExifTool handles JPEG, PNG, TIFF, HEIC, MP4, MOV, PDF, DOCX, and dozens more. It is the single most useful tool in this stack. Two things to know before you trust the result. First, `-all=` also removes the ICC colour profile and the Orientation tag, so a portrait phone shot may display sideways and colours may shift; if that matters, rotate or re-encode the pixels before stripping. Second, re-running `exiftool` on the cleaned file will still list File and Composite entries (file size, image dimensions, modification time): those come from the filesystem and the image structure rather than from embedded metadata, so their presence is not a failed strip.
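What `exiftool -all=` does at the byte level is simple enough to write out, and doing so also shows where the GPS fields from the list earlier in this piece actually live. The following is an added example, not code from the article or from ExifTool: it builds a constructed JPEG skeleton whose APP1 segment carries a real Exif/TIFF structure with a GPS IFD (tag numbers from the Exif specification), reads the coordinates back as decimal degrees, then strips every APPn and COM segment the way `-all=` does, leaving the scan data untouched. The coordinates, the comment string and the scan bytes are invented; there is no real image here.

```python
# Added example (not from the original article or ExifTool): decode GPS from a JPEG's
# Exif APP1 segment and strip metadata segments. The JPEG built below is a constructed
# skeleton (no real scan data) just large enough to exercise the parsers.
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # TIFF field types -> bytes per value
GPS_IFD_POINTER = 0x8825                                        # IFD0 tag pointing at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4         # GPS IFD tags
SOS, APP0, APP1, APP14, COM = 0xDA, 0xE0, 0xE1, 0xEE, 0xFE
KEEP = {APP0, APP14}   # JFIF and Adobe segments are needed by decoders; every other APPn/COM goes


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed JPEG: SOI, APP1 Exif (GPS IFD only), COM, header-only SOS, fake scan bytes, EOI.
    lat_dms/lon_dms are three (numerator, denominator) pairs: degrees, minutes, seconds."""
    def rationals(pairs):
        return b"".join(struct.pack("<II", n, d) for n, d in pairs)
    tiff = b"II" + struct.pack("<HI", 42, 8)                                   # little-endian, IFD0 at 8
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, 26) + b"\0\0\0\0"
    gps = struct.pack("<H", 4)                                                 # GPS IFD at 26, 4 entries
    gps += struct.pack("<HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode().ljust(4, b"\0")
    gps += struct.pack("<HHII", GPS_LAT, 5, 3, 80)                             # 3 RATIONALs at offset 80
    gps += struct.pack("<HHI", GPS_LON_REF, 2, 2) + lon_ref.encode().ljust(4, b"\0")
    gps += struct.pack("<HHII", GPS_LON, 5, 3, 104)                            # 3 RATIONALs at offset 104
    gps += b"\0\0\0\0"                                                         # no next IFD
    tiff += gps + rationals(lat_dms) + rationals(lon_dms)
    assert len(tiff) == 128
    exif = b"Exif\0\0" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    com = b"\xff\xfe" + struct.pack(">H", 2 + 13) + b"Shot on phone"
    sos = b"\xff\xda" + struct.pack(">H", 2) + b"\x12\x34\x56"                 # SOS header, then fake scan
    return b"\xff\xd8" + app1 + com + sos + b"\xff\xd9"


def jpeg_segments(data):
    """Yield (marker, segment bytes) up to and including SOS, then (None, scan data + EOI)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # length includes its own 2 bytes
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length
        if marker == SOS:
            yield None, data[pos:]
            return


def parse_ifd(tiff, offset, endian):
    """Return {tag: (type, count, raw value bytes)} for one IFD, resolving out-of-line values."""
    n = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        size = TYPE_SIZE[typ] * count
        if size <= 4:
            raw = tiff[e + 8:e + 8 + size]                        # value stored inline
        else:
            off = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + size]                            # value stored at an offset
        entries[tag] = (typ, count, raw)
    return entries


def exif_gps(data):
    """(lat, lon) in decimal degrees from the Exif APP1 segment, or None if there is none."""
    for marker, seg in jpeg_segments(data):
        if marker == APP1 and seg[4:10] == b"Exif\0\0":
            tiff = seg[10:]
            endian = "<" if tiff[:2] == b"II" else ">"
            ifd0 = parse_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
            if GPS_IFD_POINTER not in ifd0:
                return None
            gps = parse_ifd(tiff, struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER][2])[0], endian)

            def coord(ref_tag, val_tag):
                d, m, s = [n / den for n, den in struct.iter_unpack(endian + "II", gps[val_tag][2])]
                deg = d + m / 60 + s / 3600
                return -deg if gps[ref_tag][2].rstrip(b"\0") in (b"S", b"W") else deg

            return coord(GPS_LAT_REF, GPS_LAT), coord(GPS_LON_REF, GPS_LON)
    return None


def strip_jpeg(data):
    """Drop APP1-APP15 (Exif, XMP, ICC, maker notes) and COM; copy everything else byte-for-byte."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in jpeg_segments(data):
        if marker is None or marker in KEEP or not (0xE1 <= marker <= 0xEF or marker == COM):
            out += seg
    return bytes(out)


def segment_markers(data):
    return [m for m, _ in jpeg_segments(data) if m is not None]


if __name__ == "__main__":
    # Constructed coordinates: 51 deg 30' 2.52" N, 0 deg 7' 28.56" W
    sample = build_sample_jpeg([(51, 1), (30, 1), (252, 100)], "N", [(0, 1), (7, 1), (2856, 100)], "W")
    print("gps:", exif_gps(sample), "segments:", [hex(m) for m in segment_markers(sample)])
    clean = strip_jpeg(sample)
    print("gps:", exif_gps(clean), "segments:", [hex(m) for m in segment_markers(clean)])
```

Point `exif_gps()` at the bytes of a real phone photo and you will get the same number the article describes. Note that the stripper discards APP2 (the ICC profile) along with Exif, which is exactly the colour-shift side effect of `-all=`; add `0xE2` to `KEEP` if you want colour management preserved at the cost of keeping that segment.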
MAT2 for batch stripping on Linux and Tails
MAT2 (Metadata Anonymisation Toolkit 2) is a Python tool written by Julien Voisin and shipped with Tails. It offers both a command line and file-manager integration via a Nautilus extension on Linux. Install on Debian-based systems and clean a file:
```
sudo apt install mat2
mat2 document.pdf
```
MAT2 writes a cleaned copy named `document.cleaned.pdf` rather than touching the original (pass `--inplace` to overwrite), which is handy for verification. For PDFs its default mode re-renders every page as an image, which removes everything but also kills text selection and search; `--lightweight` (`-L`) keeps the text and removes only the metadata it can reach, so check the output either way. Check what remains after cleaning:
```
mat2 --show document.cleaned.pdf
```
PDF stripping via print-to-PDF
For documents that must ship as PDFs, the lowest-friction method on any OS is to open the file, print to PDF through the system dialog, then strip the result with ExifTool or MAT2. This breaks the inheritance chain from the original format. macOS Print-to-PDF records your OS version and can record your account name, so always follow with `exiftool -all= -overwrite_original document.pdf`. LibreOffice takes the author and company from Tools > Options > LibreOffice > User Data; clear those fields, or untick Apply user data under File > Properties > General, before exporting, then verify with ExifTool. One caveat specific to PDFs: ExifTool writes its changes as an incremental update appended to the file, so the old metadata objects are still present in the file body and can be recovered. After stripping, have the file rewritten from scratch (MAT2 does this; so does `qpdf in.pdf out.pdf`) and inspect the result.
Camera-level control with GrapheneOS
GrapheneOS, the hardened Android operating system, adds per-app Network and Sensors permissions on top of the standard ones, and its bundled camera app does not geotag unless you turn location tagging on in its settings. Denying the camera app the Location permission also works: Settings > Apps > [Camera App] > Permissions > Location > Don't allow. Either way, location-free capture becomes the default rather than something to remember per shot.
On stock Android the nearest equivalent is Camera settings > Location tags (or Save location) > Off, or the same per-app Location permission denial. On iOS: Settings > Privacy & Security > Location Services > Camera > Never; when sharing a photo, the share sheet's Options also let you switch Location off for that one share. These stop GPS on future captures but don't address other EXIF fields or clean existing images.
Channels that don’t add identifiers: ProtonMail and Signal
If email IP exposure concerns you, fix it at the service level: ProtonMail and Tutanota both omit the sending IP from outbound headers. To see what yours reveal, email yourself, view the raw headers (Show original in Gmail, View Source in most clients, or a service such as mail-tester.com), and check whether your external IP appears in any `Received:` field. Pay particular attention to the earliest one: when a desktop client authenticated to a submission server it usually reads `with ESMTPSA`, and that is where a recorded client address lands.
Signal's servers see only ciphertext and routing metadata, never file content or file metadata, but that protects the file in transit, not at the recipient. Images sent as photos are re-encoded by the app and lose most EXIF in the process, while anything sent as a file arrives byte-for-byte; don't rely on either behaviour. Strip with ExifTool first, then send via Signal. The two controls are independent and complementary.
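The header check described above (and the `Received:` chain explained in the email section) can be automated. The following is an added example, not code from the article or from any mail provider: it parses a raw message with the standard library, walks the `Received:` headers oldest-first, pulls the bracketed IP from each hop, and reports whether the first authenticated-submission hop (`with ESMTPA`/`ESMTPSA`) exposes a non-private client address. Both sample messages are constructed; `198.51.100.0/24` and `203.0.113.0/24` are RFC 5737 documentation ranges standing in for real public addresses, which is why the code classifies addresses with an explicit private-range list instead of `ipaddress.is_global` (that treats documentation ranges as non-global).

```python
# Added example (not from the original article): extract the IP chain from Received:
# headers and flag client-IP exposure at the submission hop. Sample messages are
# constructed; documentation ranges (RFC 5737) stand in for public addresses.
import ipaddress
import re
from email import message_from_bytes
from email.policy import default

# Constructed: sent from a desktop client that authenticated (ESMTPSA) to the provider's
# submission server, which logged the client's public address in its Received: line.
SAMPLE_DESKTOP = b"\r\n".join([
    b"Received: from mx.example.net (mx.example.net [198.51.100.20])",
    b"\tby inbox.example.org with ESMTPS id abc123;",
    b"\tMon, 1 Jan 2024 10:00:02 +0000",
    b"Received: from desktop.lan (cpe-203-0-113-7.isp.example [203.0.113.7])",
    b"\tby mx.example.net (Postfix) with ESMTPSA id def456;",
    b"\tMon, 1 Jan 2024 10:00:01 +0000",
    b"From: alice@example.net",
    b"To: alice@example.net",
    b"Subject: header check",
    b"",
    b"test",
    b"",
])

# Constructed: the same message composed in webmail; the earliest hop is the provider's
# own web front end on an internal address, so nothing about the client leaks.
SAMPLE_WEBMAIL = b"\r\n".join([
    b"Received: from mx.example.net (mx.example.net [198.51.100.20])",
    b"\tby inbox.example.org with ESMTPS id abc124;",
    b"\tMon, 1 Jan 2024 10:05:02 +0000",
    b"Received: from webmail.example.net ([10.20.30.40])",
    b"\tby mx.example.net with HTTP id def457;",
    b"\tMon, 1 Jan 2024 10:05:01 +0000",
    b"From: alice@example.net",
    b"To: alice@example.net",
    b"Subject: header check",
    b"",
    b"test",
    b"",
])

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")
WITH_PROTO = re.compile(r"\bwith (ESMTPSA|ESMTPA|ESMTPS|ESMTP|SMTP|HTTPS|HTTP)\b", re.I)


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)   # IPv4 in an IPv6 net is simply False


def received_hops(raw: bytes) -> list:
    """The Received: chain oldest-first as dicts: ip (first bracketed address), proto, text."""
    msg = message_from_bytes(raw, policy=default)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):   # each server prepends, so reverse = chronological
        text = " ".join(str(hdr).split())                 # unfold and normalise whitespace
        ips = BRACKETED_IP.findall(text)
        proto = WITH_PROTO.search(text)
        hops.append({"ip": ips[0] if ips else None,
                     "proto": proto.group(1).upper() if proto else None,
                     "text": text})
    return hops


def submission_exposure(raw: bytes):
    """Client IP at the first authenticated-submission hop (ESMTPA/ESMTPSA) if it is a
    non-private address, else None. That hop is where a desktop client's own address
    ends up when the submission server records connecting clients."""
    for hop in received_hops(raw):
        if hop["proto"] in ("ESMTPA", "ESMTPSA"):
            return hop["ip"] if hop["ip"] and not is_private(hop["ip"]) else None
    return None


if __name__ == "__main__":
    for name, raw in (("desktop client", SAMPLE_DESKTOP), ("webmail", SAMPLE_WEBMAIL)):
        print(name, [h["ip"] for h in received_hops(raw)], "exposed:", submission_exposure(raw))
```

Feed it the raw source of the test message you sent yourself (`message_from_bytes` takes the whole thing, body included) and compare `submission_exposure()` against your current public address. A `None` only means the submission hop did not record a routable client address; read the full hop list too, since some servers put the client in a comment rather than in brackets.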
How metadata stripping actually closes the leak
The pattern across every vector is identical: files carry information about their origin as a feature, not a bug. Camera makers wanted photographers to track settings. Office vendors wanted document history. Email protocols assumed trusted networks where sender identity was useful. None were designed with adversarial metadata analysis in mind, because back then that analysis was slow, manual, and expensive.
It is now automated, fast, and free. The serial number linking your public post to your anonymous submission isn't found by a human investigator; it's surfaced by a script in milliseconds. The counterweight is just as cheap: ExifTool runs in under a second, MAT2 clears a folder in minutes, GrapheneOS removes GPS at the capture layer, and Signal's encryption blocks server-side analysis even when file metadata survives. Each control is small. Together they close the leak.
What changes isn’t the content you share β it’s the invisible layer of context that used to ride along with it. Strip that layer and you share exactly what you intended: the pixels, the words, the argument. The file arrives with no record of where it was made, on what device, at what time, or by whom.
Your immediate action protocol
- Install ExifTool on your primary device today. Run it on the last five photos you uploaded publicly. Read the output.
- Turn off location tagging in the camera app on every device you own.
- Before sending any document to a party you don’t fully trust, run it through ExifTool or MAT2 and verify the output is clean.
- If you use a desktop email client, send yourself a test email and inspect the raw headers for your IP. If it appears, consider ProtonMail or Tutanota for sensitive correspondence.
- If privacy is a serious operational requirement, evaluate GrapheneOS as your mobile operating system.
Verified tool stack: ExifTool (exiftool.org) for any single file or directory before upload; MAT2 (Julien Voisin, ships with Tails) for batch jobs and high-security Linux workflows; GrapheneOS, or your camera app's location setting, for removing GPS at capture rather than after; Signal for blocking server-side analysis of transmitted files, used with ExifTool, never instead of it.
Frequently asked questions
Does metadata stripping work on all file types?
ExifTool works on JPEG, PNG, TIFF, HEIC, MP4, MOV, PDF, DOCX, and hundreds of other formats; it's the broadest single tool available. MAT2 covers most common image, document, and audio formats and is the better choice for batch jobs. No tool catches every conceivable embedded field in every format, so for sensitive files the discipline is to strip and then verify with a second inspection (`exiftool file` or `mat2 --show file`) before you share. Expect the File and Composite groups (file size, dimensions, modification time) to remain in ExifTool's output; they describe the file itself, not embedded metadata.
If a platform strips metadata on upload, do I still need to bother?
Yes. Some platforms strip some fields some of the time, and their behaviour changes between versions without notice. You can’t audit their code or confirm what survived. Stripping before the file leaves your device is the only step you can actually verify, so treat any platform-side stripping as an unreliable bonus, not your defence.
Does a VPN or incognito mode hide the GPS in my photos?
No. A VPN masks your IP from the server but never inspects the files you upload: embedded GPS travels through the tunnel intact. Incognito mode only stops your browser saving local history and cookies; the EXIF payload is identical. Both protect the session, not the file. Only stripping the file removes the location.
What’s the single highest-impact change I can make?
Kill location tagging at capture. On GrapheneOS, use the bundled camera app (it doesn't geotag unless you turn that on) or deny the camera app the Location permission; on stock Android turn off location tags; on iOS set Camera location access to Never. That prevents the most sensitive field, your exact coordinates, from ever entering new photos, so you're not relying on remembering to strip every single one.
You were careful with the pixels and the leak was somewhere you couldn’t see β riding inside the file, telling on you in milliseconds to a script you’ll never meet. Now you know exactly where it lives and exactly how to cut it out: one command, one capture setting, one habit repeated until it’s automatic. Run ExifTool on five photos tonight and read what your phone has been quietly attaching to everything you share. That small jolt of oh is the moment it stops. From here on, the file says only what you decided to say. Nothing trails behind it. You’re the one holding the pen now.