🕵️♂️ Private by Default: A Journalist’s Guide to Minimizing Your Digital Footprint
One careless click can reveal more than your words ever could
Why It's Important
In response to escalating global threats and increasing hostility toward journalists, I’m pausing my regular content this month to focus on a critical issue: how reporters, investigative journalists, and independent media professionals can better safeguard themselves, their sources, and their work. This is the fourth article in a month-long series published every Wednesday, offering practical security strategies tailored to the unique risks journalists face. While anyone concerned about privacy will benefit, these posts are designed to defend press freedom and protect those on the front lines.
In a world where digital footprints are silently collected in the background, what’s hidden in your messages may be more dangerous than what’s visible. For journalists, activists, and anyone handling sensitive material, metadata can quietly unravel months of careful anonymity.
Consider the case of Reality Winner. She printed a classified document and mailed it to a news outlet. Investigators traced it back to her using tiny yellow tracking dots—automatically embedded by her printer—alongside metadata and IP logs. It led directly to her arrest. And she’s not alone. Everyday tools like Gmail, Word documents, and smartphone cameras can leak location data, device details, and timestamps—without your knowledge.
If your goal is secure, private communication, assuming your tools are "private by default" is not just risky—it’s a myth.
What It Is / How It Works
Metadata is the digital fingerprint hidden inside nearly every file and message. It describes when, where, and how something was created-without saying a word.
Here are a few common types of metadata leaks:
Photos: Contain geotags that can show your exact location.
Documents: Include author names, software versions, and edit history.
Emails: Often include IP addresses, device IDs, and mail routing logs.
Printers: Some embed tracking dots unique to your device and time of printing.
Metadata isn't visible to the human eye-but forensic tools can extract it in seconds. For investigative journalists, that could mean revealing a source's location or identity without even knowing it.
How to Mitigate It
There's no single fix-but with some basic changes, you can seriously reduce your exposure.
🔐 Use Secure Messaging Apps
Signal - Offers end-to-end encryption, disappearing messages, and minimal metadata. Ideal for day-to-day conversations.
Session - Anonymous communication over an onion-routed network, no phone number required.
Element (Matrix) - Suitable for team chats and file sharing with end-to-end encryption.
✉️ Use Burner Emails & Anonymous Accounts
ProtonMail - Encrypted email service based in Switzerland, with strong privacy laws.
SimpleLogin - Lets you create email aliases, protecting your main account.
Always use Tor Browser to create and access accounts, avoiding IP tracking.
🧹 Strip Metadata From Files
MAT2 (Metadata Anonymization Toolkit) - Cleans metadata from files, especially useful for Linux users.
ExifTool - Command-line tool to remove metadata from images, documents, and more.
For Word docs: convert them to PDF via LibreOffice, then run through MAT2 to ensure they're clean.
🖨️ Prevent Printer Tracking Dots
Avoid using new printers from major brands when printing sensitive files.
Check your printer settings for options to disable "tracking dots" or print tracking.
When printing is unavoidable, scan the printed document using a metadata-clean device before sharing.
🌐 General Best Practices
Never contact sources from personal accounts.
Disable geolocation settings across all devices and apps.
Work under the assumption that everything is logged-unless you've explicitly confirmed otherwise.
How to Configure or Use These Tools
Signal: Download from signal.org, register with a number (use a burner SIM if possible), and enable disappearing messages in settings.
Tor Browser: Download from torproject.org, install, and use it to access email services or create anonymous accounts.
MAT2: Install via package manager on Linux (sudo apt install mat2). Run mat2 filename to scrub metadata.
ExifTool: Install on most systems (Linux/macOS/Windows). Run exiftool -all= filename to remove metadata.
A hidden gem in this process is using SimpleLogin aliases-not just for email privacy, but to separate identities across different communications. It's a lightweight, flexible tool that fits naturally into secure workflows.
Build Secure Habits, Not Just Secure Messages
Whether you're protecting a source or just want to keep your private life off the record, secure habits matter more than any one tool. Digital hygiene is a practice, not a product. Don't wait for a breach to rethink your setup.
Start today with our free "Private by Default - Communications Hygiene Checklist"-a printable, 1-page guide with:
Secure messaging app comparisons
Quick steps to check and remove metadata
Burner email setup instructions
Essential do's and don'ts for sending files
🧠 Want the free Communications Hygiene Checklist?
👉 Download here on Gumroad and take control of your privacy.
👉 Support my work with a cup of coffee!
Stay secure. Stay safe. Keep reporting.
🧠 Want the free preview of The Journalist Firewall workbook?
🧠 Ready to purchase the standard edition of The Journalist Firewall workbook?
🧠 Ready to purchase the premium edition of The Journalist Firewall workbook?