Metadata: What It Is and What It Reveals About You

The contextual data surrounding your communications and files is often more revealing than the content itself.

📖 The Basics

What It Is

Metadata is data about data, it's the information that surrounds your content without being the content itself. When you make a phone call, send a message, take a photo, or visit a website, you generate a surrounding layer of data outside of the content itself. It doesn't include what you said to your doctor, but it includes that you called them, when, for how long, and from where.

How It Works

Metadata shows up in a few main places in everyday digital life, and each one has a different profile of what it reveals.

Communication metadata

Every phone call generates a record: who called whom, when, how long the call lasted, and which cell towers the phone connected through during the call. These pieces of data can locate both parties with significant precision. Every email carries a header containing the sender, recipient, subject line, timestamps, and every mail server the message passed through on its way to you. Messaging apps, depending on how they're built, may log who you talk to, how often, and when, even if the message contents are encrypted.

Here's how revealing that can be in practice: You call a suicide prevention hotline at 3am. The call lasts 42 minutes. A week later you call your doctor, then a pharmacy. No one hears a word you said. But the metadata record of those calls tells a story that's difficult to misread. Research has demonstrated that phone metadata alone is sufficient to infer medical conditions, financial crises, relationship breakdowns, and legal situations, all without accessing the content of a single call.

File metadata

This travels with files every time you share them. Photos taken on a smartphone typically contain EXIF data (Exchangeable Image File Format) embedded directly in the image file. This includes things like GPS coordinates of where the photo was taken, the exact time and date, the device model, and camera settings. Send that photo directly to someone via email or an unstripped messaging app, and that location data goes with it.

Documents can carry their own metadata like author name, creation date, modification history, software used, and sometimes tracked changes or comments that the sender thought were hidden. These have caused real embarrassment and legal exposure when documents were shared without being cleaned.

Browsing and network metadata

This is collected continuously and largely invisibly. Your ISP can see every domain you visit. Your DNS provider (the service that translates domain names into IP addresses) sees a similar picture. Website analytics scripts record how long you stay on a page, what you click, where your cursor moves, and which page you came from. This layer of behavioral metadata builds a detailed profile of your interests, concerns, and habits over time.

graph LR
    E["📧 Encrypted Message"] --> PT["✅ What's protected"]
    E --> MT["⚠️ What's exposed"]
    PT --> C["Message content<br/>'I'll see you at 6pm.'"]
    MT --> M1["Sender & recipient info"]
    MT --> M2["Subject line"]
    MT --> M3["Timestamp & time zone"]
    MT --> M4["Your IP address"]
    MT --> M5["Device type & client"]

Diagram: End-to-end encryption protects message content, but metadata — sender, recipient, timestamps, IP address, and device type — remains visible to the platform and anyone who can compel it.

---

How to view and strip file metadata

For photos, the simplest trick is the one I describe in my take below: send the image to yourself in Signal's Note-to-Self chat, then save it back out. Signal strips EXIF on the way through. No extra tool needed. For batch processing, ExifTool is a popular command-line tool; the ExifCleaner GUI wraps it for non-terminal users. On iOS, sharing a photo with the "Options → Location: Off" toggle removes GPS before sending, which Lockdown enables by default. On Android, Scrambled Exif is available on F-Droid.

For documents, Microsoft Word and Google Docs both expose an "inspect document" or "version history" pane that surfaces hidden author/edit data. The cleanest way to publish a "no metadata" PDF is to print to PDF rather than exporting directly.

Metadata awareness doesn't require overhauling your entire digital life, education and finding the right tools are typically enough to mitigate a majority of concerns.

---

🎯 Why It Matters

In 2014, former NSA and CIA Director Michael Hayden said it plainly during a public debate on surveillance at Johns Hopkins University: "We kill people based on metadata." The NSA's bulk metadata collection programs exposed by Edward Snowden in 2013 were built on this logic: gather metadata at scale, analyze the patterns, and surface associations.

For most people, the stakes are less dramatic but no less real. Consider what your metadata actually contains:

• Your phone records over any given month reveal your doctor, your therapist, your lawyer, your employer, your family, your friends, your on-and-off relationships, and anyone you've called during a crisis. The content of those calls doesn't need to exist anywhere. The record of them happening is all someone needs.
• Your photo library, if unstripped of EXIF data, contains a GPS-tagged record of everywhere you've physically been.
• Your browser history, visible to your ISP and DNS provider, shows every topic you've researched.

The most important practical implication: end-to-end encryption and metadata protection are not the same thing. An app can truthfully claim that no one can read your message because it's encrypted, while still logging, retaining, or exposing significant metadata about who you communicate with and when.

Messengers like Signal are specifically designed to minimize metadata. Their architecture is built around retaining as little as possible about who communicates with whom. When subpoenaed, they have been able to produce only basic account creation timestamps, because that is genuinely all they hold. Other messengers like WhatsApp are unable to make the same guarantees, other than the fact they implement encryption.

---

💡 Common Misconceptions

"End-to-end encryption protects everything about my conversation."

It protects content. But metadata includes who you talked to, when, for how long, from where, etc. A platform can be fully end-to-end encrypted and still record and retain detailed metadata about every conversation. WhatsApp is encrypted, but Meta still sees who you message, when, and how often. Compare that to something like Signal which is encrypted and architected to minimize metadata.

"Metadata is harmless, it's just timestamps and headers."

A Stanford research project reconstructed medical conditions, financial crises, and relationship breakdowns from phone metadata alone. No call content, just patterns of who, when, and how long. Former NSA and CIA Director Michael Hayden publicly stated that the agency makes lethal targeting decisions based on metadata. Metadata reveals more than most people assume.

"Only communications carry metadata."

File metadata travels with files. Photos taken on a phone usually have GPS coordinates embedded in them. PDFs and Word documents carry author names, edit history, and the software that made them. Sharing one untouched photo can disclose your home address. Sharing a "redacted" PDF can quietly disclose the original text underneath. The metadata travels with the file unless something explicitly strips it.

"If I care about metadata I have to overhaul everything I use."

A lot of it is reducible with everyday choices. Switching to a messenger architected to minimize metadata cuts what your provider retains. Using encrypted DNS and a VPN reshuffles what your ISP can see. Stripping a photo's EXIF data before forwarding it takes one tap. Metadata awareness is a habit, not a full lifestyle overhaul.

---

🗣️ Henry's Take

The single line that I'd highlight: end-to-end encryption protects content, not metadata. A platform can be fully encrypted and still know precisely who you talk to, when, how often, and for how long—and that contextual record can be just as revealing as the messages themselves. Most people stop thinking about privacy the moment they hear "end-to-end encrypted." And we need to close this gap. Encryption is the floor of digital security in 2026, even RCS is getting E2EE...the real gap that needs to be closed is the metadata surrounding the conversations.

I think for most people: Signal earns its reputation specifically because it's designed not to have metadata in the first place. When subpoenaed, Signal can produce only account-creation timestamps because that's all they know. This makes Signal a very approachable yet powerful tool for many threat models.

Since I opt for Signal for most of my contacts, it also makes it easy for me to use Signal as my go-to metadata tool. When you send a photo through Signal, including to yourself via the Note-to-Self chat, Signal strips the EXIF data on the way out. So when I need to send someone a photo without GPS coordinates before posting it somewhere, I never need a dedicated tool. I just send the photo to myself on Signal then use the clean copy from there.

---

✅ Henry's Picks

Metadata is a property of how every tool you already use handles your data. My picks are the ones designed with metadata minimization as an explicit goal.

• Signal: Architected to retain almost nothing about who talks to whom. Bonus: the Note-to-Self chat is the simplest way to strip EXIF from a photo before sharing it elsewhere. Send the photo to yourself, save the clean version, use that.
• Encrypted DNS: Closes one of the loudest metadata channels in everyday browsing: every domain you visit becoming visible to your ISP.
• A trustworthy VPN: Shifts which network operator can see your traffic metadata. Not anonymity, but a meaningful reshuffle of who sees what. Compare providers at the VPN Finder.
• Email aliasing: Cuts down on the cross-service correlation that builds up when one email address is attached to everything you sign up for.

See the broader recommendation set at Techlore's SPA Tools.

---

🔗 Go Deeper

Related wiki articles:

• Security, Privacy, and Anonymity
• Threat Modeling
• Encrypted Messaging
• Private Search Engines
• Browser Fingerprinting

Techlore content:

• Go Incognito v2, Lesson 1.5—Metadata: The Invisible Trail

External sources:

• EFF—Surveillance Self-Defense: Metadata

---

Found an error? Report it here →