This has happened before
In 2012, Vice journalists accidentally revealed John McAfee's hiding place through GPS data in a published photo. In 2017, a leaked NSA document identified its source partly through printer tracking dots. Metadata failures have real, documented consequences for sources โ we cover these cases in detail in famous metadata leaks.
Where source-identifying metadata hides
Documents from a source
Author name, username, company, printer info, revision history showing who edited what and when
Photos and videos
GPS coordinates of where evidence was captured, device serial data, timestamps that narrow down who was present
PDFs and scans
Creator software tied to one office, scanner model, creation timestamps matching building access logs
Your own published files
Photos you publish can reveal where you met a source, where you live, and what equipment you use
The danger is asymmetric: the person analysing a leaked file โ an employer, a government, an intelligence service โ often has access to internal logs that turn a small metadata detail into a positive identification. A timestamp plus a printer name plus an access log can be enough.
A practical workflow for handling sensitive files
Inspect before you do anything else
Before forwarding a file to an editor or colleague, analyse its metadata so you know what it contains. You can't assess the risk to a source without seeing what the file says about them.
Document, then strip
Metadata can also authenticate a document โ note anything relevant for verification (in a separate secure record), then remove it from the copy that will circulate.
Never publish an original
Anything that goes online โ an embedded document, a photo in an article, a PDF exhibit โ must be a cleaned copy. Recompression by your CMS is not a guarantee.
Clean your own output too
Photos you take in the field carry your GPS trail. Documents you draft carry your name and newsroom. Strip them before they leave your machine.
What metadata removal does not solve
Be honest about the limits. Stripping metadata does not remove identifying details visible in the content itself (a reflection, a badge, a distinctive view from a window). It does not undo watermarks or printer tracking dots baked into the pixels of a scan. And it does not protect the transmission channel โ a clean file sent over a monitored network still exposes the fact of contact.
Metadata hygiene is one necessary layer in a broader operational security practice โ alongside secure drop systems, encrypted messaging, and careful handling of physical documents. It's the cheapest layer to get right, and one of the most common to get wrong.
For newsrooms
RemoveMD offers an API that can be integrated into editorial workflows, so every image and document is automatically cleaned before publication rather than relying on each journalist remembering to do it.
Inspect and clean a file now
Free analyzer & remover ยท Files processed privately.