PDF security for journalists: protecting sources in metadata

Strip Info-dict, XMP, thumbnails, EXIF, embedded files, and layers before any PDF leaves your laptop — and verify it before you file.

By ScoutMyTool Editorial Team · Last updated: 2026-05-27

Introduction

I have watched a careful editor spend two hours redacting names from a document and then file the PDF with an Author field that read like the source’s actual full name. The body was clean. The Info dictionary was not. That is the recurring shape of the problem: the page content gets the attention, and the parallel metadata channels — Info dict, XMP packet, thumbnails, embedded files, EXIF in images, optional content layers — quietly carry identifying detail past the redaction. Here is the working checklist I use before any sensitive PDF leaves a laptop, with the verification commands that prove the file is actually clean rather than only looking clean in the viewer.

Vocabulary, quickly

TermMeaning
Document metadataAuthor, producer, software, timestamps stored in the PDF Info dictionary
XMP packetXML metadata embedded in the file — often duplicates and outlives Info-dict fields
ThumbnailsCached page previews embedded as raster images; may include redaction overlays
Embedded filesAttachments (originals, audio, images) bundled inside the PDF container
OCG / layersOptional Content Groups — hidden layers that can carry source names or routing
Producer stringIdentifies the software (and often the user account) that exported the file
EXIF in imagesCamera-make, GPS, and serial numbers travel with embedded photos

Step by step

  1. Inventory before you sanitize. Run pdfinfo and exiftool on the source file and write down every populated field. You cannot prove the strip worked if you do not know what was there to begin with.
  2. Clear the Info dictionary. Set Author, Title, Subject, Keywords, Creator, and Producer to empty strings or neutral placeholders. The document-properties dialog covers most of these; some tools require a separate save-as.
  3. Empty the XMP packet. XMP is a separate XML block and tools that only clear the Info dict leave XMP intact. Use a sanitizer that handles both, or strip XMP explicitly with a command-line tool.
  4. Remove embedded files and attachments. Any file attached to the PDF travels with it — including the original source you redacted from. Open the attachments panel and delete every entry.
  5. Drop optional content layers. Hidden layers may carry source names, routing tags, or earlier drafts. Flatten or remove every layer that is not part of the public deliverable.
  6. Strip thumbnails and re-render. Cached page thumbnails can show pre-redaction state. Export through a print-to-PDF or re-render step that regenerates thumbnails from the current page content.
  7. Sanitize embedded images. Drop EXIF, GPS, and ICC metadata from every photo or scan placed in the PDF. EXIF survives most "remove metadata" buttons unless the tool specifically reaches into image streams.
  8. Verify with three independent tools. Run pdfinfo for Info-dict fields, exiftool for XMP and stream metadata, and pdf-parser (or qpdf) for object-level inspection. If anything still names a person, machine, or location, repeat the strip.

Operational checklist before filing

  • Confirm Author, Producer, and Creator no longer name a person or an internal application — the Producer string in particular leaks the OS user account on many exports.
  • Open the PDF in a viewer that exposes Page Thumbnails — they should regenerate from the redacted page content, not show pre-redaction text in miniature.
  • List attachments and embedded files; every entry should be intentional. A surprise XLSX in the attachments panel is a source-protection failure.
  • Run exiftool on every embedded photo before placement — strip GPS, camera serial, and owner fields. Do this BEFORE you embed, not after.
  • For sensitive distribution, transfer the cleaned PDF to a fresh machine via a one-way medium (write-only USB, secure-drop), open it there, and re-verify metadata. Editor caches can re-attach fields you cleared.
  • Document the sanitization in the file handling notes for the story — the audit trail matters if a source ever asks how their identity was protected.

FAQ

Why is the Author field still my source even though I redacted the body?
The Author field lives in the Info dictionary, separate from the page content stream. Redaction tools that draw black boxes over text never touch the Info dict. You have to clear Author, Title, Subject, and Keywords explicitly — and clear the XMP packet too, because most tools mirror those fields into XMP and the XMP value will reappear if a viewer recomputes the Info dict from XMP.
My PDF still shows my source-laptop username under Producer. How?
The Producer string is set by the exporting application and usually includes the OS user. If your source exported the file from Word on a personal laptop, the Producer often reads as the account name. Re-flatten the PDF through a sanitizer (or print-to-PDF on a different machine) to replace the Producer with a neutral string. Verify with pdfinfo — never trust the document properties dialog alone, which omits some fields.
Are thumbnails actually a risk, or am I being paranoid?
Real risk. Many PDF tools cache a thumbnail per page when the document is first opened or saved. If you blacked out a name on page 4 and the file was saved before redaction, the cached thumbnail may still show the original text in low resolution. Strip thumbnails explicitly, or re-export the file fresh from a clean source after redaction — do not assume the editor cleared the cache.
What about EXIF in embedded photos?
Photos placed in a PDF retain EXIF, including GPS coordinates and the camera serial. A source photographed a confidential document at home; the GPS in EXIF identifies their home address. Strip EXIF from every image before placement, or re-export the PDF through a sanitizer that drops embedded image metadata. Spot-check with exiftool on the output.
Does flattening a PDF remove all metadata?
Flattening removes annotations and form-field interactivity, but not the Info dict, XMP, or embedded files. It is a small layer of safety, not a complete sanitizer. Use a dedicated metadata-strip tool (or the print-to-PDF round trip on an air-gapped machine) and verify with pdfinfo, exiftool, and pdf-parser before shipping.
Should I send the file as PDF/A for archive?
PDF/A enforces predictable rendering but does NOT strip identifying metadata — in fact it often requires more metadata, not less. Use PDF/A for long-term archive of already-cleaned documents; do not assume the conversion sanitizes anything. Run a separate strip step after conversion.

Citations

  1. Wikipedia — “Metadata removal tool — categories and limits.” en.wikipedia.org/wiki/Metadata_removal_tool
  2. Wikipedia — “Extensible Metadata Platform (XMP) packet structure.” en.wikipedia.org/wiki/Extensible_Metadata_Platform
  3. Wikipedia — “Exif — fields that travel with images.” en.wikipedia.org/wiki/Exif

Strip PDF metadata in your browser

Run the strip locally — nothing uploaded, nothing logged. ScoutMyTool’s PDF toolkit clears Info dict, XMP, attachments, and thumbnails in a single step, with a side-by-side diff so you can confirm what changed.

Open the PDF toolkit →