Sovereign Audit: This logic was last verified in March 2026. No hacks found.
Every photo you take contains a hidden layer of data: EXIF (Exchangeable Image File Format). This data includes your GPS coordinates, camera serial number, and exact time of day. To be unhacked is to strip this layer before it hits the internet.
You have been told that sharing a photo privately—on a closed group, a DM, or a password-protected folder—keeps your location private. The technical reality is that location privacy has nothing to do with who can see the image and everything to do with what the image carries. A photo sent over Signal to a single trusted contact still contains your GPS coordinates, your device model, and the exact timestamp of capture, embedded directly in its file header. The recipient does not even need to look. Software does it for them.
Metadata hygiene is not a niche concern for journalists in conflict zones. It is a baseline discipline for anyone who moves through the digital world and prefers not to be tracked. This guide explains what is leaking, why common protections do not stop it, and exactly how to fix it.
Stage 1: What Is Actually Embedded in Your Files
EXIF data is a standardized header attached to every JPEG and many other image formats at the moment of capture. It was designed for photographers to track exposure settings across a shoot. It evolved into a comprehensive surveillance profile that ships with every photo by default.
A single unstripped smartphone photo can contain:
- GPS coordinates — latitude, longitude, and altitude, often accurate to within three metres
- Camera make and model — the exact device used to take the photo
- Camera serial number — a unique hardware identifier that persists across resets and factory wipes
- Timestamp — date and time of capture, including timezone offset
- Lens focal length and aperture
- Software version — the firmware or app that processed the image
- Orientation data — how the device was held at capture
The camera serial number is the element most people overlook. It is a persistent hardware fingerprint. If you have ever posted an unstripped photo from your primary device to a public platform, and later post an anonymous photo from the same device, the serial number links both images to the same hardware. No account correlation required.
This is not a hypothetical threat. Investigative journalists have used EXIF data to geolocate individuals from photos posted to social media. Law enforcement uses it routinely. Automated scraping scripts run continuously against public social platforms, extracting and archiving EXIF data from every photo that platforms fail to strip on ingest.
Stage 2: The Scope of the Leak Is Wider Than Your Camera Roll
Photos are the most visible vector, but they are one of several. The metadata problem extends across every file type you create and send.
Document Metadata
Microsoft Word documents (.docx) embed the document author name as registered in Windows or Microsoft 365, the company name from the Office license, total editing time, the number of revision saves, and a revision history that can contain deleted text. If you draft a document under your real identity and then edit it under a pseudonym, both identities appear in the file properties.
Even more damaging is the Revision ID, a UUID generated per installation that persists across documents created on the same machine. Submit two documents from the same installation to different parties under different names, and the UUID links them to the same author.
PDF Metadata
PDFs carry an author field, a creator field (the application that generated the PDF), a producer field (the PDF library used), and a creation timestamp. When a Word document is saved as a PDF, it often inherits all of the Word metadata plus adds its own. A PDF exported from a Mac using the system print dialog will contain the macOS version, the username of the logged-in account, and the timestamp to the second.
Email Headers
Every email you send contains a header chain that records the IP address of each server the message passed through. When you send email from a desktop client such as Thunderbird or Outlook, your client’s IP address may appear in the Received: header chain. If you are on a home connection, that IP maps directly to your ISP account and physical address.
Webmail services such as Gmail suppress the sending IP in the headers, but third-party clients often do not. ProtonMail strips the originating IP. Most corporate mail servers do not.
Video Metadata
Video files carry an equivalent of EXIF called XMP or MPEG-4 metadata. A video recorded on an iPhone or Android device embeds GPS coordinates, device model, software version, and creation timestamp. Some camera apps embed a unique device ID. YouTube, TikTok, and Instagram strip some of this on upload, but not all platforms do, and the stripping is not guaranteed across updates.
Stage 3: Why Your Current Defences Do Not Cover This
Three technologies are commonly believed to provide privacy but have no effect on metadata leakage.
Private Browsing Mode
Private or incognito mode prevents your browser from writing to its local history and cookie store. It has no interaction with file metadata. A photo uploaded in private browsing mode carries exactly the same EXIF payload as one uploaded in a standard session. The metadata travels inside the file, not in the browser session.
VPN
A VPN masks your IP address from the destination server. It does not inspect or modify the files you upload. EXIF data embedded in an image travels through the VPN tunnel intact and arrives at the server unaltered. If the GPS coordinates are in the file, the server receives the GPS coordinates, regardless of which country your VPN exit node is in.
Platform Privacy Settings
Many platforms claim to strip metadata on upload. Some do. Twitter has stripped EXIF from uploaded images since 2012. Facebook strips GPS data but has historically retained other EXIF fields. Instagram’s behaviour has changed across versions. The fundamental problem is that you are trusting a third party—one with its own commercial interests—to perform privacy-critical processing on your behalf, with no verification mechanism. You cannot confirm what was stripped and what was retained. You cannot audit the platform’s code. And platform behaviour changes without notice.
The correct posture is to strip metadata before the file leaves your device. Never delegate this to a third party.
Screenshot Laundering
A common workaround is to screenshot a photo rather than share the original. This works for GPS data, because a screenshot is a new file created by the OS and does not inherit the original’s EXIF. However, screenshots taken on Windows and macOS embed the device’s creation timestamp and sometimes the software version. On older Android builds, screenshot metadata included device model information. The technique partially works but is not systematic.
Stage 4: The Architecture of Systematic Metadata Hygiene
The gap between the threat model and the defence is not technical complexity. Every tool described in this guide is free, open-source, and available on Windows, macOS, and Linux. The gap is operational: people do not build metadata stripping into their workflow before upload. The fix is a small number of habitual steps applied consistently.
Metadata hygiene operates at four points in the data lifecycle:
- Capture — configure devices to not record metadata, or to record minimal metadata
- Pre-send processing — strip metadata from files before they leave your device
- Communication channel — use channels that do not add their own identifying metadata
- Verification — confirm that metadata has been removed before sharing sensitive files
None of these steps require technical expertise beyond running a command or clicking a button. What they require is consistency. One unstripped photo in a hundred is the one that matters.
Stage 5: The Implementation Blueprint
Step 1: ExifTool for Image and File Metadata
ExifTool, written by Phil Harvey, is the reference implementation for reading and writing metadata across hundreds of file formats. It is available at exiftool.org and is free under the Perl Artistic License.
To inspect what a file contains before stripping:
exiftool photo.jpg
This prints every metadata field to the terminal. Run this on a photo from your camera roll the first time and the output length will likely be unexpected.
To strip all metadata from a single file:
exiftool -all= photo.jpg
This removes every tag and writes the cleaned file in place. ExifTool creates a backup with the _original suffix by default. To suppress the backup:
exiftool -all= -overwrite_original photo.jpg
To strip metadata from every image in a directory recursively:
exiftool -all= -overwrite_original -r /path/to/folder/
ExifTool handles JPEG, PNG, TIFF, HEIC, MP4, MOV, PDF, DOCX, and dozens of other formats. It is the single most useful tool in this stack.
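For the verification step, the added example below (not code from this guide or from ExifTool) walks a JPEG's header segments in pure Python, reports the ones that carry metadata, and confirms they are gone after stripping. The drop policy (APP1, APP13, COM) and the function names are assumptions of the example, and the sample bytes are constructed: a valid segment layout, not a decodable picture.

```python
import struct

SOS = 0xDA
# Assumed policy for this example: drop Exif/XMP, IPTC and comment segments.
DROP = {0xE1: "APP1", 0xED: "APP13", 0xFE: "COM"}

def segments(jpeg):
    """Yield (marker, start, end) for each header segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == SOS:  # entropy-coded image data follows
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length  # the length field counts its own two bytes
        if length < 2 or end > len(jpeg):
            raise ValueError("malformed or truncated segment")
        yield marker, pos, end
        pos = end

def metadata_report(jpeg):
    """List (segment, identifier) for every metadata-bearing header segment."""
    return [(DROP[m], jpeg[s + 4:e].split(b"\x00", 1)[0].decode("latin-1"))
            for m, s, e in segments(jpeg) if m in DROP]

def strip(jpeg):
    """Copy the file without the DROP segments; image data is left untouched."""
    out, tail = bytearray(jpeg[:2]), 2
    for marker, start, end in segments(jpeg):
        if marker not in DROP:
            out += jpeg[start:end]
        tail = end
    return bytes(out) + jpeg[tail:]

def seg(marker, body):  # builds one segment of the constructed sample
    return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body

# Constructed sample: JFIF header, Exif block, comment, quantisation table, data.
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00" + bytes(9))
          + seg(0xE1, b"Exif\x00\x00II*\x00" + bytes(20))
          + seg(0xFE, b"edited on laptop-7") + seg(0xDB, bytes(65))
          + b"\xff\xda\x00\x02\x11\x22\xff\xd9")
```

An empty list from `metadata_report` on the stripped file is the pass condition; the check covers header segments only, not data appended after the image.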
Step 2: MAT2 for Batch Stripping on Linux and Tails
MAT2 (Metadata Anonymisation Toolkit 2) is a Python-based tool developed by the Tor Project and distributed with Tails OS. It provides both a command-line interface and a file manager integration via Nautilus on Linux.
Install on Debian-based systems:
sudo apt install mat2
Strip a single file:
mat2 document.pdf
MAT2 creates a cleaned copy with _cleaned appended to the filename rather than modifying the original. This is useful for verification: you can inspect the cleaned file with ExifTool to confirm the result before deleting the original.
To check remaining metadata after cleaning:
mat2 --show document_cleaned.pdf
Step 3: PDF Metadata—The Print-to-PDF Method
For documents that must be shared as PDFs, the lowest-friction method on any OS is to open the document, print to PDF using the system print dialog, and strip the resulting PDF with ExifTool or MAT2. This breaks the inheritance chain from the original document format.
On macOS, the system Print to PDF function embeds your username and macOS version. Run ExifTool after:
exiftool -all= -overwrite_original document.pdf
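Be aware that ExifTool edits PDFs by appending an incremental update, so the deleted values stay in the file and can be recovered; ExifTool prints a warning to this effect. Treat ExifTool alone as insufficient for a PDF whose earlier metadata must not be recoverable.
For LibreOffice users, the Export as PDF dialog includes an option to omit author and creation date. Enable it under the General tab before exporting. Follow with ExifTool verification.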
Step 4: Camera-Level Metadata Control with GrapheneOS
GrapheneOS, the hardened Android operating system, provides granular permission scoping for camera access that stock Android does not. Specifically, it allows you to grant camera permission to an app while blocking access to precise location, even when system location services are enabled for other applications.
On a GrapheneOS device, navigate to Settings > Apps > [Camera App] > Permissions > Location. Set this to Denied or approximate-only. The camera app will still function; it will simply not embed GPS coordinates in captured images.
GrapheneOS also ships a hardened camera app that does not embed GPS data by default, regardless of system location settings. This removes the need to remember to strip location from every photo post-capture.
On stock Android, the nearest equivalent is: Camera app settings > Location tags > Off. On iOS: Settings > Privacy > Location Services > Camera > Never. This removes GPS from future captures but does not address other EXIF fields or strip metadata from existing images.
Step 5: Email Headers—Route Through Privacy-Preserving Services
If email IP exposure is a concern, the fix is at the service level. ProtonMail and Tutanota both strip the sending IP from outbound headers. If you are using a third-party client with Gmail or Outlook, your client IP may appear in the headers depending on configuration.
To inspect what your email headers reveal, send a message to a test address and view the raw headers. Services like mail-tester.com will display the full header chain. Identify whether your external IP appears in any Received: field.
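The header check described above can be run locally on a saved raw message. This added example (not code from this guide or from any mail service) lists the external IPv4 addresses in each Received: header, oldest hop first, and tests whether your own address is among them. The function names, the list of internal ranges and the sample message are assumptions; the message is constructed and uses RFC 5737 documentation addresses.

```python
import email
import ipaddress
import re
from email import policy

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Ranges treated as non-identifying here; everything else counts as external.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def external_ips_by_hop(raw):
    """Return [(hop, [ips])], hop 0 being the oldest Received header."""
    msg = email.message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received", [])
    hops = []
    for hop, value in enumerate(reversed(received)):  # servers prepend, so reverse
        ips = []
        for text in IPV4.findall(str(value)):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:  # not a real address, e.g. 999.1.1.1
                continue
            if not any(ip in net for net in INTERNAL):
                ips.append(str(ip))
        hops.append((hop, ips))
    return hops

def leaks(raw, my_ip):
    """True if my_ip appears in any Received header of the message."""
    return any(my_ip in ips for _, ips in external_ips_by_hop(raw))

# Constructed message: a desktop client behind NAT submitting to its provider.
RAW = """\
Received: from smtp.example.net (smtp.example.net [198.51.100.7])
\tby mx.example.org with ESMTPS; Mon, 02 Mar 2026 10:00:02 +0000
Received: from [192.168.1.20] (unknown [203.0.113.45])
\tby smtp.example.net with ESMTPSA; Mon, 02 Mar 2026 10:00:01 +0000
From: sender@example.net
To: test@example.org
Subject: header test

body
"""
```

Hop 0 is the one to read first: it is written by the server your client connected to, so a home connection's public address shows up there if the provider does not suppress it.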
Step 6: Signal for Metadata-Minimal Messaging
Signal does not strip EXIF data from images sent through the app by default. However, Signal’s Note to Self feature and the built-in image editor allow you to process photos before sending. More importantly, Signal’s architecture means that even if metadata is retained in the file sent, Signal’s servers see only ciphertext and routing metadata (sender and recipient public keys, timestamp). They cannot see file content or file metadata.
For the highest-confidence approach: strip metadata with ExifTool before sending, then send via Signal. The two controls are independent and complementary.
Stage 6: The Synthesis
The pattern across every vector described in this guide is the same: files carry information about their origin as a feature, not a bug. Camera manufacturers wanted photographers to track their settings. Office software vendors wanted to track document history. Email protocols were designed for trusted networks where sender identity was useful. None of these systems were designed with adversarial metadata analysis in mind, because when they were designed, that analysis was slow, manual, and expensive.
It is now automated, fast, and free. Scrapers run continuously against public platforms. Correlation is performed at scale. The serial number linking your public post to your anonymous submission is not discovered by a human investigator—it is surfaced by a script in milliseconds.
The counterweight is equally simple. ExifTool runs in under a second. MAT2 processes a folder of documents in minutes. GrapheneOS ships with camera permissions that stock Android lacks. Signal’s encryption prevents server-side metadata analysis even when file metadata is present. Each control is small. Together, they close the leak entirely.
What changes with metadata hygiene is not the content you share—it is the additional layer of context that travels with that content invisibly. Strip that layer and you are sharing exactly what you intended: the pixels, the words, the argument. Nothing more. The file arrives at its destination with no record of where it was created, on what device, at what time, or by whom.
Stage 7: The Authority Verdict and Your Action Stack
Metadata hygiene is one of the few privacy disciplines where the gap between the threat and the defence is almost entirely operational rather than technical. The tools are mature, free, and work across every major operating system. The discipline required is a thirty-second step added to an existing workflow.
Here is the verified tool stack:
- ExifTool (free, open-source, exiftool.org) — the reference tool for reading and stripping metadata from images, video, PDFs, and office documents. Cross-platform. Use this for any single file or directory before upload.
- MAT2 (free, open-source, developed by the Tor Project) — batch metadata stripping with file manager integration on Linux. Ships with Tails OS. Best for Linux users and high-security workflows.
- GrapheneOS (free, open-source) — hardened Android with granular camera permission scoping. Removes GPS embedding at the capture layer rather than requiring post-capture stripping. The highest-integrity solution for mobile metadata control.
- Signal (free, open-source) — end-to-end encrypted messaging that prevents server-side metadata analysis of transmitted files. Use in combination with ExifTool stripping, not as a replacement for it.
Your Immediate Action Protocol
- Install ExifTool on your primary device today. Run it on the last five photos you uploaded publicly. Read the output.
- Turn off location tagging in your camera app on every device you own.
- Before sending any document to a party you do not fully trust, run it through ExifTool or MAT2 and verify the output is clean.
- If you use a desktop email client, send a test email to yourself and inspect the raw headers for your IP address. If it appears, evaluate switching to ProtonMail or Tutanota for sensitive correspondence.
- If privacy is a serious operational requirement, evaluate GrapheneOS as your mobile operating system.
The unhacked position on metadata is this: you decide what you share. The default is that your files share more than you intend. Changing that default costs thirty seconds and a single command. The alternative is a continuous, invisible record of where you are, what device you use, and when you created every file you have ever sent.
Strip the layer. Share only the signal.