Complete Guide to Anonymous Posting

A comprehensive guide to file sanitization, operational security, and safe public disclosure

If you want to post anonymously, removing metadata is an essential step on top of network and account OPSEC. This guide provides a comprehensive checklist to help you sanitize files and avoid common deanonymization vectors before posting.

Why It Is Important

Anonymous communication is a fundamental component of free speech and democratic society. Whistleblowers expose corruption and wrongdoing that would otherwise remain hidden. Journalists protect sources who risk their careers or lives to bring truth to light. Activists in oppressive regimes speak out against injustice. Researchers share sensitive findings without fear of retaliation. Victims of abuse seek help without revealing their location.

These legitimate uses of anonymity serve the public interest and protect vulnerable individuals. This guide exists to help people exercise their right to privacy and free expression safely and responsibly. It is not intended for breaking laws, evading accountability for illegal actions, or causing harm to others. Anonymous disclosure should be reserved for matters of genuine public interest where transparency serves the greater good.

---

Quick Checklist (High Level)

• Use an anonymous network and account when uploading (Tor + disposable email)

• Strip metadata from images, audio, video, documents, and PDFs

• Remove hidden text/comments/track changes from Office files

• Re-save / re-encode files to remove hidden data

• Verify the file has no metadata before posting

• Disable cloud sync and auto-backups (OneDrive, iCloud, Dropbox)

• Check for device fingerprints (printer dots, camera sensor artifacts)

• Anonymize writing style and timing patterns

• Securely delete originals (SSD: destroy encryption keys, not just overwrite)

• Secure deletion of original files

• Consult legal exposure before publishing

• Verify network isolation (DNS leaks, WebRTC)

• Prepare a post publication OPSEC plan.

---

Practical Steps by File Type

Images (Photos, Screenshots)

Common metadata: EXIF (camera make/model, timestamp, GPS), thumbnail caches, sensor fingerprints.

GUI options:

• macOS: Preview → File → Export → uncheck options that include location (or use “Remove Location Info” in Photos)

• Windows: Right-click → Properties → Details → “Remove Properties and Personal Information”

Reliable tools:

• ExifTool (powerful; cross-platform): Inspect with exiftool image.jpg and strip metadata with exiftool -all= image.jpg

• MAT2 (Metadata Anonymisation Toolkit 2) - handles many file types

• ImageMagick: magick input.jpg -strip output.jpg re-encodes and removes metadata

Additional precautions:

• Printer/scanner tracking dots: Many printers embed nearly invisible yellow dots (Machine Identification Code) that encode serial numbers and timestamps. Research your device or photograph documents instead of scanning

• Camera sensor fingerprints: Specific sensor noise patterns can identify device models even after EXIF removal. Consider re-encoding through multiple formats

• Image backgrounds: Check for reflections, visible surroundings, or objects that could geolocate or identify you

• Resolution and cropping: Original dimensions or specific crops might match only your view/access

• Re-encode to PNG/JPEG and avoid formats that embed thumbnails or maps

• Check backgrounds for reflections or objects that may reveal location

• Test images against reverse image search (Google Lens, TinEye)

Audio / Video

Metadata risks: Timestamps, GPS, device IDs, encoder metadata, waveform watermarks and voice recognition.

Tools:

• FFmpeg to re-mux/re-encode and drop metadata: ffmpeg -i in.mp4 -map_metadata -1 -c copy out.mp4

• MAT2 can handle many audio/video files

• Check for waveform watermarks or steganography if highly concerned

Extra precautions:

• Be aware of voice recognition (stylometry of speech)

• Re-encode with pitch/speed changes if critical

PDFs

Common metadata: Author, application name, creation/modification dates, hidden form fields, embedded XML unique IDs.

GUI: Adobe Acrobat → Tools → Redact → Sanitize Document (removes hidden data)

Workarounds:

• Print-to-PDF from a viewer (creates fresh PDF but still verify)

• Recreate from plaintext: open original, copy visible text into new document, export to PDF

• Verify with exiftool or pdfinfo

• Prefer open-source sanitization

Font considerations: Uncommon fonts or specific font rendering can be identifying. Use common system fonts or convert text to images.

Microsoft Office (Word, Excel, PowerPoint)

Remove: Author, comments, tracked changes, hidden slides, custom XML, personal properties.

Office GUI: File → Info → Check for Issues → Inspect Document → Remove All

Alternative: Copy visible content into plain text editor or fresh document, then save/export as PDF.

Plain Text / Source Code

Remove:

• Metadata in headers/footers

• Embedded identifiers (usernames, email addresses, machine names)

• File history if using version control, never publish .git folders

• Personal naming conventions in variables or comments

---

File System and Storage Security

Filesystem Metadata

• Creation dates and modification times may persist even after content cleaning

• Reset timestamps: touch -t 202001010000 filename (sets to arbitrary date)

• Thumbnail caches (Windows thumbs.db, macOS .DS_Store) can leak info about deleted files

File Naming

• Avoid personal naming conventions that could be identifying

• Use generic names or random strings

Temporary Files

• Many programs create temporary files containing unstripped versions

• Check and clean /tmp, %TEMP%, and application specific temp directories

Secure Deletion

• Securely wipe original files after cleaning

• HDDs: shred -vfz -n 5 filename

• SSDs: use full-disk encryption and destroy encryption keys

• Linux/macOS: shred -vfz -n 5 filename or srm filename

• Windows: Use tools like Eraser or cipher.exe

• Cloud sync: Ensure Dropbox/iCloud/OneDrive aren’t silently uploading files

• Backup systems: Time Machine, Windows Backup may keep originals with metadata

Clipboard Security

• Clipboard data may contain hidden formatting or source information

• Clear clipboard after copy-paste operations

• Disable cross-device sync (Windows Cloud Clipboard, Apple Universal Clipboard)

---

How to Verify a File is Clean

Basic verification:

• ExifTool: exiftool file, look for any remaining tags

• MAT2: Reports what it removed

• PDFs: pdfinfo filename.pdf to inspect metadata

Advanced verification:

• Strings analysis: strings filename reveals hidden embedded text

• Binary inspection: Use hexdump (hexdump -C filename | less) or hex editors to spot watermarks

• Re-download verification: Download what you posted and analyze that version to ensure platform didn’t add metadata

---

Network Security (Beyond Tor)

Tor Configuration

• DNS leaks: Ensure DNS requests go through Tor

• WebRTC leaks: Can expose real IP even over Tor - disable in browser settings

• JavaScript: Use Tor Browser in safest mode; disable JavaScript when possible

• Circuit correlation: Don’t use same Tor circuit for multiple operations; regenerate identity frequently

• Exit node monitoring: Assume exit nodes are watched; use onion services when possible

Browser Fingerprinting

• Use Tor Browser (not regular browser + Tor)

• Keep Tor Browser at default size (don’t maximize window)

• Disable unnecessary browser features and extensions

• Use safest security level in Tor Browser settings

---

Operational Security

Account Management

• Create throwaway accounts that were never linked to your real identity

• Create accounts over Tor or from networks that don’t reveal you

• Never log into personal accounts on the same device/session

• Use disposable email services that don’t require phone verification

Device Hygiene

• Don’t upload from devices with cloud accounts logged in

• Prefer clean environment: VM, fresh live USB, or air-gapped machine

• Avoid screenshots that include visible UI elements (email addresses, names, status bars)

• Physical security: If device is seized, they’ll find original files. Keep originals encrypted or never store them or better yet secure shred them

Timing Patterns

• Posting times can reveal timezone

• Randomize posting times or use scheduled posting

• Avoid consistent posting schedules that create patterns

Purchase Trails

• Buying domains, VPNs, or services leaves payment records

• Use cryptocurrency with proper mixing, or cash-purchased prepaid cards

• Consider that payment processors may log device fingerprints

Physical Location Security

• When posting: Security cameras, cell tower data, WiFi access point logging can reveal location

• Use public WiFi far from home/work, but be aware of cameras

• Never post from locations associated with you

---

Content-Based Deanonymization

Stylometry (Writing Style)

Your writing style, vocabulary, sentence structure, and grammar are highly identifying.

Mitigation strategies:

• Use text anonymization tools

• Deliberately vary writing style (sentence length, vocabulary, punctuation)

• Have someone else rewrite content

• Use translation loops (English → Another Language → English) to neutralize style

• Avoid idioms, regional expressions, or uncommon words you typically use

Unique Knowledge

• The hardest problem: If you’re the only person with access to certain information, posting it reveals you regardless of technical precautions

• Consider whether the content itself identifies you

• Delay posting to create temporal distance from events

• Generalize or redact details that narrow down who could have known

Keyboard Patterns

• Advanced threat: keystroke dynamics and typing speed can identify individuals

• Use copy-paste or on-screen keyboards for sensitive content

---

Platform-Specific Concerns

Upload Platform Behavior

• Platforms may add their own metadata or watermarks

• Social media compression varies, verify the downloaded version of what you posted is still clean

• API metadata: Some platforms embed upload timestamps, IP hashes, or device fingerprints not visible in file properties

• Test with dummy files first

Account Linking

• Platforms correlate accounts by device fingerprints, IP addresses, behavioral patterns

• Disable automatic cloud sync before uploading

• Use separate devices/browsers for different anonymous identities

• Never interact between accounts

---

Advanced Considerations

Compression Patterns

• Specific compression settings and encoding parameters can reveal software used

• Re-encode with common, default settings

Steganography

• Hidden data can be embedded in images, audio, video

• Use steganography detection tools if concerned about incoming files

• Avoid introducing steganographic patterns in your own files

Machine Learning Deanonymization

• Advanced adversaries use ML to correlate:

  • Image composition and framing habits

  • Vocabulary and topic preferences

  • Temporal patterns across platforms

  • Device and software fingerprints

Warnings & Ethics

Limitations of anonymity:

• Absolute anonymity is extremely difficult

• Metadata removal is necessary but not sufficient

• Network identifiers, account linking, writing style, unique knowledge, and other artifacts can deanonymize you

• Law enforcement and sophisticated adversaries have resources beyond these defenses

Appropriate use cases:

• Whistleblowing and exposing wrongdoing

• Sensitive research and journalism

• Personal safety from stalkers or abusers

• Political speech in oppressive environments

• Legitimate privacy protection

I cannot help with:

• Planning, committing, or evading law enforcement for illegal activity

• Content that would harm others

• Circumventing legitimate security measures for malicious purposes

---

Quick Command Reference

Strip image metadata:

exiftool -all= image.jpg

magick input.jpg -strip output.jpg

Strip video metadata:

ffmpeg -i in.mp4 -map_metadata -1 -c copy out.mp4

Check for remaining metadata:

exiftool filename

strings filename | less

pdfinfo document.pdf

Reset file timestamps:

touch -t 202001010000 filename

Secure file deletion:

shred -vfz -n 5 filename

---

Where to Post Publicly Accessible Information

Choosing the right platform depends on your goals, the type of information, and your risk tolerance. Here are the main options, organized by anonymity level:

High Anonymity Platforms

SecureDrop

• Used by major news organizations (NYT, Washington Post, The Guardian, ProPublica, etc.)

• Designed specifically for whistleblowers

• Tor-based, end-to-end encrypted

• Allows direct contact with journalists who can verify and contextualize information

• Find directories at freedom.press/securedrop/directory

• Best for: Whistleblowing, exposing wrongdoing, sensitive documents

Tor-Based Anonymous Forums/Imageboards

• Sites like Dread (Reddit alternative on Tor)

• Various onion forums and communities

• High anonymity but audience may be limited

• Less moderation and verification

• Best for: Discussion, niche communities, when you need maximum anonymity

DDoSecrets (Distributed Denial of Secrets)

• Non-profit that publishes leaked datasets in the public interest

• More curated and verified than WikiLeaks was

• Focuses on materials with journalistic value

• Best for: Large datasets, document collections, structured leaks

Medium Anonymity (Still Public)

Pastebin-Style Sites

• Pastebin.com, Ghostbin, PrivateBin (many have Tor access)

• Text-focused, no account required

• Easy to share via URL

• Less moderation, but also less built-in visibility

• Best for: Text documents, code, logs, structured data

Anonymous File Sharing

• AnonFiles, Mega (with throwaway account), IPFS

• Good for documents, images, datasets

• URLs can be shared anywhere for distribution

• Less discoverability than purpose-built platforms

• Best for: Files that you’ll distribute links to elsewhere

Reddit (with proper OPSEC)

• Throwaway account created and used only over Tor

• Subreddits like r/DataHoarder, r/Whistleblowers, or topic-specific communities

• Large audience and rapid spread potential

• Requires careful account management and OPSEC

• Best for: Reaching specific communities, discussion, moderate visibility

Twitter/X (throwaway account)

• Very public with potential for rapid viral spread

• High risk if OPSEC fails

• Platform cooperation with law enforcement

• Best for: Maximum visibility, real-time information, when viral spread is the goal

Traditional Journalism

Contact Journalists Directly

• Many investigative journalists list secure contact methods on their profiles

• ProtonMail or Tutanota for encrypted email

• Signal for messaging (requires phone number - use burner purchased with cash)

• Journalists can verify information, provide context, and offer legal guidance

• They have legal protections (shield laws) in many jurisdictions

• Best for: Complex stories needing verification, when you need credibility, legal protection concerns

Benefits of journalist mediation:

• Verification and contextualization of information

• Legal advice and protection

• Editorial judgment about what’s truly in public interest

• Wider distribution through established media

• Protection of sources (in many jurisdictions)

Platform Selection by Goal

For whistleblowing or exposing wrongdoing:

• Primary choice: SecureDrop or direct journalist contact

• Provides legal protection advice, verification, and credibility

• Journalists understand whistleblower protections and can advise

• Creates documented public interest justification

For general information or public discussion:

• Reddit, Tor forums, or topic-specific communities

• Balance anonymity needs with audience reach

• Consider whether you need dialogue vs one-way disclosure

For large datasets or document dumps:

• Contact DDoSecrets or journalists first

• They have infrastructure, legal teams, and can handle large volumes

• Can help redact information that might cause harm

For maximum visibility and viral spread:

• Multiple platforms simultaneously (maintain same OPSEC for all)

• Contact journalists who will amplify the story

• Twitter/Reddit for organic viral distribution

• Warning: More visibility = more scrutiny of your OPSEC

For ongoing anonymous communication:

• Establish identity on Tor forums or with journalists via SecureDrop

• Can build credibility over time while maintaining anonymity

• Allows for Q&A and clarification

Critical Platform Considerations

Discovery vs Anonymity Trade-off:

• More public platforms = more eyes = more scrutiny of your OPSEC

• 4chan/8chan get attention but attract adversaries and trolls

• SecureDrop/journalists provide mediation and professional handling

• Consider whether credibility matters for your information

Attribution and Credibility:

• Anonymous posts may be dismissed as unverified

• Journalists add credibility and verification

• Established anonymous identities (maintained over time) can build trust

• Consider providing verifiable details journalists can independently confirm

Legal Considerations:

• Whistleblower protections vary by jurisdiction and information type

• Some disclosures are legally protected, others are prosecutable

• Journalists can provide legal guidance before publication

• Consider consulting a lawyer (anonymously if necessary) before major leaks

After Posting - Critical Security:

• Never acknowledge the post is yours to anyone, ever

• Don’t check on it from personal devices or networks

• Don’t discuss it on personal accounts or with people who know you

• Assume you’re under investigation if the information is significant

• Don’t react to public speculation about the source

• Resist the urge to “correct” misunderstandings or defend yourself

Platform Specific Risks:

• Some platforms cooperate readily with law enforcement

• Others have been compromised or run honeypot operations

• Major platforms (Twitter, Reddit) have substantial logging and forensics

• Tor platforms can be seized (servers/operators still exist somewhere)

• Even “secure” platforms have had operational security failures

Multi-Platform Strategy

For maximum impact and redundancy:

1. Primary disclosure: SecureDrop or journalist contact (credibility + legal protection)

2. Backup/redundancy: Post to IPFS or decentralized storage (can’t be taken down)

3. Distribution: Share links on Reddit/Twitter with throwaway accounts (viral spread)

4. Archive: Ensure copies exist on multiple platforms (Internet Archive, torrent networks)

Warning about multi-platform posting:

• Each platform is a separate OPSEC challenge

• Timing correlation across platforms can be identifying

• Writing style must remain consistent across all posts

• Consider having different anonymous identities post to different platforms with time delays

---

Final Checklist Before Posting

• File stripped of all metadata (verified with exiftool)

• File re-encoded/re-saved through clean process

• Cloud sync disabled

• No printer tracking dots (if scanned/printed)

• Image backgrounds checked for identifying information

• Writing style anonymized or rewritten

• Filesystem timestamps reset

• Original files securely deleted

• Posted through Tor with new circuit

• Disposable account never linked to real identity

• No DNS/WebRTC leaks verified

• Downloaded posted file and re-verified clean

• Posting time randomized

• Content doesn’t reveal unique knowledge/access

• No cross-contamination with personal accounts/devices

• Platform selected appropriate for content and risk level

• Legal implications considered (consult lawyer if major leak)

• Post-publication security plan in place (never acknowledge)

Remember: The content itself is often the biggest identifier. If only you could have known or accessed the information, technical anonymity may not protect you. Consider whether the public interest justifies the personal risk, and whether working with journalists might provide both protection and greater impact.