When you send a photo or a PDF, you're almost always sending more than you think. Files carry hidden metadata — data about the data — that's invisible when you look at the file but trivially readable by anyone who receives it. A single holiday snap can broadcast where you live. A "clean" PDF can name the employee who wrote it and the internal file path it was saved from.
None of this is a hack. It's just how the file formats work — and why checking before you share is worth the ten seconds.
What photos leak: EXIF
Digital photos store EXIF (Exchangeable Image File Format) data alongside the pixels. Depending on the camera or phone, that can include:
- GPS coordinates — the exact latitude and longitude where the photo was taken, often to within a few metres.
- Device make and model — the specific phone or camera.
- Timestamps — when the shot was captured, down to the second.
- Camera settings, and sometimes software, owner name, or a unique device serial.
The GPS field is the dangerous one. Photograph something at home, post it to a forum or a marketplace listing, and you may have published your home address without realizing it. Sell an item online with a photo taken in your living room and the coordinates can ride along with the JPEG. Researchers and stalkers alike have used EXIF GPS to locate people from a single public image.
Social networks usually strip EXIF on upload — but that's their choice, applied after your original reaches their servers, and it doesn't help when you email, message, or share the raw file directly.
What PDFs leak: document metadata
PDFs carry their own set of hidden properties, separate from anything visible on the page:
- Author — often a real name or a corporate username.
- Producer / creator software — which app and version made it.
- Creation and modification timestamps.
- Title and keywords, sometimes left over from a template.
For a document leaving an organization, the author name and internal software fingerprint are exactly the kind of detail you'd rather not attach to a contract, a report, or a resume. And note: metadata is not the same as visible content. Removing document properties doesn't black out text on the page — that's redaction, a different job.
The reasonable response: look, then clean
You don't need to be paranoid — you need to be aware. Two habits cover almost everything:
- Inspect before you share. Use the Inspect tool to see exactly what a photo or PDF is carrying — GPS, device, author, timestamps — read-only, entirely in your browser. What's invisible becomes an informed decision.
- Strip what you don't want to send. For photos, remove EXIF and GPS: FileX re-encodes the image at full quality, keeping every pixel and discarding the hidden fields. For PDFs, clear the document metadata to drop author, software, and timestamps.
Because all of this runs on your device, the sensitive file never leaves it just to be checked or cleaned — which matters, since the whole point is that the file is sensitive.
A quick checklist before you hit send
- Photos of or near your home (marketplace listings, "for sale" pics): strip EXIF first — that's where GPS bites hardest.
- Documents leaving your company or going to strangers: clear PDF metadata to drop author and internal software details.
- Anything you're about to post publicly: inspect it once so there are no surprises.
- Remember the distinction: metadata removal ≠ redaction. To permanently remove visible sensitive content, redact the image or redact the PDF instead.
Curious what your own files are carrying? Drop one into the Inspect tool — it reads the metadata locally and shows you, without uploading anything.