Skip to main content
Tracemute
Menu
Clean a file

Threat model

What Tracemute protects against

Tracemute strips metadata from photos and videos. It is a defence against unintentional disclosure — the GPS coordinates, camera serial numbers, edit history, and cross-asset identifiers that modern devices write into every file you share.

The strip runs in your browser, in a Web Worker, on bytes that never leave the page. Files are read via File.arrayBuffer(), processed in-memory, and written back as a Blob you download. The network meter on every tool page stays at zero by design.

In scope (the strip handles these losslessly)

  • · EXIF / IPTC / XMP / ICC metadata across JPEG, PNG, WebP, GIF, HEIC, AVIF, TIFF, and Adobe DNG (Camera RAW)
  • · TIFF / DNG IFD chains (IFD0 + SubIFDs), with structural and colour-calibration tags kept and identifying tags dropped — including DNG UniqueCameraModel, CameraSerialNumber, OriginalRawFileName
  • · Apple AssetIdentifier (MakerNote tag 17) used to pair Live Photos
  • · Apple iTunes-style com.apple.quicktime.* ilst keys in MP4/MOV
  • · 3GPP loci GPS atoms + 3GPP user-data text atoms (titl, dscp, cprt, perf, auth, kywd) in 3GP / 3G2 files
  • · Samsung Motion Photo trailers appended after the JPEG EOI marker
  • · Google Motion Photo via GCamera:MicroVideoOffset
  • · Facebook FBMD tracking watermarks injected on re-download
  • · C2PA Content Credentials embedding device + firmware fingerprints
  • · udta ©* QuickTime atoms (©xyz GPS, ©mod, ©day, ©too)
  • · uuid XMP packets in MP4 / MOV containers
  • · Matroska / WebM Tags, Attachments, Chapters, plus Info SegmentUID / Title / MuxingApp / WritingApp / DateUTC — replaced in place with EBML Void so SeekHead and Cue offsets stay valid
  • · AVI LIST INFO + camcorder IDIT / ISMP chunks — rewritten to JUNK so idx1 and OpenDML offsets stay valid
  • · GIF Comment Extensions and Adobe XMP Application Extensions, with NETSCAPE2.0 animation loop preserved

Out of scope — what we do not protect against

  • · Pixel-level information. A landmark in the photo, a face, a reflection, the position of the sun — Tracemute does not redact image content. Use a dedicated photo editor.
  • · Fingerprintable encoder choices. The exact JPEG quantisation table, the H.265 GOP structure, or chroma subsampling can identify the camera model even without metadata. Removing these requires a full re-encode and is lossy by definition.
  • · Network-layer leaks. If you upload the cleaned file somewhere, your IP address, browser fingerprint, and platform-injected tracking codes (FBMD, Reddit's ?width= URLs, X's ?name=orig) are between you and the destination.
  • · Decoder-required header timestamps. The mvhd / tkhd creation_time and modification_time fields in MP4 are required for playback. Exiftool's -all= does not remove them either; we surface them in the dossier as informational.
  • · Content provenance the file does not record. If a cloud service stamps your photo with its own metadata after you upload, Tracemute can't undo that — it only sees the file at the moment you give it to us.

Report a vulnerability

Email security@tracemute.com or use the address in /.well-known/security.txt. We acknowledge within 72 hours. There is no bug bounty programme yet.