Writer Privacy: Auditing Personal Exposure Without Killing Your Voice

The Problem

Writers put themselves in the work. Personal experience. Authentic voice. Real details that make stories land.

That's not the problem.

The problem: Street addresses in photo metadata. API keys in GitHub repos. Family names in article examples. Email patterns establishing baseline for spear phishing. Phone numbers in old blog posts. Home city narrowed to neighborhood through casual references.

Authenticity doesn't require operational security disasters.

You can write "I grew up in Brooklyn" without writing "I lived at 347 Bergen Street."

You can say "my daughter" without saying "my daughter Emma who goes to PS 321."

Personal voice vs. personal information. Different things.

What Attackers Want

Not your literary style. Your attack surface.

High-value targets:

• Writers with money (book deals, platforms, audiences)
• Writers with access (journalist contacts, industry connections)
• Writers with platforms (social media reach = influence)
• Writers who are public (easier to research, verify, target)

What they extract:

• Home location (property records, swatting, physical threats)
• Family details (leverage, social engineering vectors)
• Financial patterns (crypto addresses, payment processors, income level)
• Communication patterns (email style, response times, trusted contacts)
• Technical holes (GitHub keys, API tokens, server credentials)

Writers are soft targets. Public by profession. Share personal details as craft. Don't think like security professionals because that's not the job.

Until it becomes the job.

The Balance

I understand the resistance.

Writing requires vulnerability. Stripping personal details makes work feel sterile. Corporate. Fake.

But there's a spectrum:

Too exposed: "I wrote this article at my home office at 1247 Maple Street while my kids (Jake, 8, and Sophie, 6) were at Lincoln Elementary. My wife texted from her job at Memorial Hospital. I paid for my coffee with the card ending in 4829."

Too sterile: "A writer works. Time passes. Things happen. The end."

Balanced: "I wrote this at home while the kids were at school. Coffee helped. The work happened."

Same authenticity. Zero attack surface.

The reader doesn't need your street address to feel the truth of your experience. They need the emotional core. The specific universal. Not the literal coordinates.

Red Team Exercise: Mining Writer Profiles

Objective: Extract personal information useful for targeting from public writer presence

Attack Vector 1: The GitHub Credential Harvest

Target: Writers who code. Dev writers. Technical writers. Anyone with public repos.

Method:

1. Find target's GitHub profile
   - Usually same username across platforms
   - Listed on writer website/bio
   - Searchable: "Jane Doe github"

2. Scan all repositories for exposed secrets:
   - API keys (Stripe, OpenAI, AWS, Anthropic)
   - Database credentials (hardcoded passwords)
   - Private keys (RSA, SSH, PGP)
   - OAuth tokens (Twitter, GitHub, Google)
   - Webhook secrets
   - Environment variables in committed files

3. Common exposure patterns:
   - .env files committed by mistake
   - Config files with credentials
   - Old commits containing keys (still in git history)
   - Test files with real API keys
   - Documentation with example keys (that are real)
   - Notebooks with hardcoded credentials

4. Automated tools:
   - TruffleHog: Scans git history for secrets
   - GitLeaks: Finds API keys and tokens
   - GitGuardian: Real-time secret detection
   - Grep patterns: Simple but effective

5. Exploitation:
   - API key = access to their services
   - Database creds = full data access
   - SSH keys = server access
   - Payment API = charge their account
   - OAuth tokens = account takeover

Real example pattern:

# Search GitHub for exposed OpenAI keys
git clone https://github.com/target/project
cd project
git log -p | grep -i "sk-" # OpenAI key pattern
git log -p | grep -i "api_key"
git log -p | grep -i "password"

Even if key was removed, git history preserves it. Forever. Until you rewrite history (which breaks forks and clones).

Success Rate: High. Developers commit secrets constantly. Writers who code do it more (not security-trained). Automated tools find them fast.

Attack Vector 2: Photo Metadata Mining

Target: Writers who post photos (social media, blog images, article illustrations)

Method:

1. Download images from writer's public posts
   - Blog post images
   - Social media uploads
   - Profile pictures
   - Article illustrations

2. Extract EXIF metadata:
   exiftool photo.jpg

   Reveals:
   - GPS coordinates (exact location where photo taken)
   - Camera model (income proxy, equipment)
   - Software used (workflow info)
   - Copyright info (real name if stripped elsewhere)
   - Creation date (timeline patterns)

3. GPS coordinate analysis:
   - Home location if photo taken there
   - Recurring locations (work, gym, school)
   - Travel patterns
   - Favorite spots

4. Cross-reference with other data:
   - Match GPS to property records
   - Identify home address
   - Find family members (property ownership)
   - Map daily routine locations

Common writer mistakes:

• iPhone photos preserve GPS by default
• Instagram strips EXIF, Twitter doesn't always
• Blog posts often don't strip metadata
• Downloads from cameras include everything
• "Behind the scenes" photos from home office

One photo with GPS = home address.

Attack Vector 3: Casual Reference Aggregation

Target: Writers who share personal anecdotes (most writers)

Method:

1. Aggregate all public content:
   - Blog posts
   - Articles
   - Social media threads
   - Podcast interviews
   - Conference talks
   - Newsletter archives

2. Extract casual references:
   "My morning coffee shop on 5th Avenue..."
   "Walking my dog in Prospect Park..."
   "My daughter's school fundraiser..."
   "The bodega near my apartment..."
   "My wife works in tech..."

3. Cross-reference details:
   - City mentioned: Brooklyn
   - Neighborhood hinted: "Prospect Park area"
   - Coffee shop: "5th Avenue" = Park Slope
   - School: "fundraiser" + local news = specific school
   - Property records: married couple, right age
   - Result: Home address narrowed to 2-3 blocks

4. Social media verification:
   - Background details in photos
   - Check-ins (even old ones)
   - Friends/family tagged locations
   - Event photos with visible landmarks
   - Time-stamped posts + location = routine

AI amplification:

Query to LLM: "Analyze all articles by [writer]. Extract:
- Geographic references and specificity level
- Family member mentions (names, ages, schools)
- Routine activities and timing
- Workplace/location hints
- Financial status indicators
- Contact method preferences"

Response: Complete profile in seconds.

Writers leave breadcrumbs across years of content. AI connects them instantly.

Attack Vector 4: Email Pattern Analysis

Target: Writers with public email (newsletter, contact pages, public correspondence)

Method:

1. Collect email samples:
   - Newsletter responses
   - Public correspondence
   - Interview questions/answers
   - Replies to readers
   - Professional outreach

2. Pattern analysis:
   - Response time (baseline for spoofing)
   - Subject line style
   - Greeting patterns
   - Sign-off style
   - Tone markers
   - Vocabulary quirks
   - Formatting preferences
   - Typical length

3. AI baseline generation:
   "Create email style model for [writer] based on samples.
   Generate new email maintaining voice for:
   - Urgent request
   - Professional introduction
   - Collaboration proposal
   Include style markers, tone, and timing preferences."

4. Spear phishing preparation:
   - Attacker can now write as target
   - Matches baseline = bypasses suspicion
   - Can impersonate to target's network
   - Or impersonate others to target

Why this works:

Writers have distinctive voices. That's the goal. But distinctive voice = machine-learnable pattern. AI clones writing style from samples.

Your authentic voice becomes attack vector.

Attack Vector 5: Social Graph Mapping

Target: Writers with public networks (visible connections, collaborations, mentions)

Method:

1. Map visible relationships:
   - Co-authors
   - Interview subjects
   - Podcast guests/hosts
   - Conference connections
   - Social media interactions (replies, mentions)
   - Acknowledgments in published work
   - Blurbs and endorsements

2. Identify trust chains:
   - Who introduces them to opportunities?
   - Who do they publicly thank?
   - Whose work do they promote?
   - Who appears in multiple contexts?
   - Family/friends visible in network?

3. Relationship weight analysis:
   - Frequency of interaction
   - Tone of interactions
   - Reciprocity patterns
   - Public vs private connections
   - Trusted vs transactional

4. Attack vector selection:
   - Compromise close connection
   - Spoof trusted introducer
   - Leverage visible relationship
   - Social proof through known associate

Writers collaborate publicly. Network is visible. Trust chains documented.

One compromised connection = access to target through documented trust.

Red Team Assessment Summary

What Attackers Extract:

1. GitHub Repos: API keys, credentials, infrastructure access
2. Photo Metadata: GPS coordinates, home location, equipment, routine
3. Content Analysis: Family details, location narrowing, patterns
4. Email Patterns: Baseline for impersonation, communication style
5. Social Networks: Trust chains, leverage points, access routes

Scale Factor: AI processes years of content in hours. Cross-references automatically. Pattern matching instant. One attacker operates at research team scale.

Writer Vulnerability: Public by profession. Share personal details as craft. Don't think operationally. High value (audience, access, influence). Soft target.

Blue Team Defense: Audit Protocols for Writers

Assumption: You have years of exposed content. Start reducing surface now.

Defense Layer 1: GitHub Security Audit

Your repos are probably leaking secrets. Fix it.

Immediate Actions:

# Install TruffleHog
pip install trufflehog

# Scan all your repos
trufflehog git https://github.com/yourusername/repo-name --only-verified

# Scan local directories
trufflehog filesystem /path/to/code --json

# Common secret patterns to search manually
git log -p | grep -E "(api[_-]key|password|secret|token)" -i
git log -p | grep -E "sk-[a-zA-Z0-9]{48}" # OpenAI keys
git log -p | grep -E "ghp_[a-zA-Z0-9]{36}" # GitHub tokens

What you're looking for:

• OPENAI_API_KEY=sk-...
• DATABASE_PASSWORD=...
• AWS_SECRET_ACCESS_KEY=...
• STRIPE_SECRET_KEY=sk_live_...
• Any key that starts with known prefixes

If found:

# 1. Immediately rotate compromised keys
# Go to service provider, generate new key, revoke old

# 2. Remove from code, add to .gitignore
echo ".env" >> .gitignore
echo "*.key" >> .gitignore
echo "config/secrets.yml" >> .gitignore

# 3. Clean git history (WARNING: breaks existing clones)
git filter-branch --tree-filter 'rm -f config/secrets.yml' HEAD
git push --force

# Better: Use BFG Repo-Cleaner
java -jar bfg.jar --delete-files secrets.yml
git reflog expire --expire=now --all
git gc --prune=now --aggressive

Prevention:

# Use environment variables, never hardcode
export OPENAI_API_KEY="sk-..."

# In code:
import os
api_key = os.environ.get('OPENAI_API_KEY')

# Never this:
api_key = "sk-proj-abc123..." # Committed to git = compromised forever

Git hooks to prevent future leaks:

# .git/hooks/pre-commit
#!/bin/bash
if git diff --cached | grep -E "(api[_-]?key|password|secret)" -i; then
  echo "⚠️  Possible secret detected. Commit blocked."
  exit 1
fi

Every writer who codes should run this audit today.

Defense Layer 2: Photo Metadata Stripping

Your photos expose location. Strip EXIF before posting.

Audit existing photos:

# Install exiftool
brew install exiftool  # Mac
apt-get install libimage-exiftool-perl  # Linux

# Check single photo
exiftool photo.jpg | grep GPS

# Check all photos in directory
exiftool -GPS* -r ~/Pictures/blog/

# See what's exposed
exiftool -a -G1 photo.jpg

What GPS coordinates reveal:

• Exact latitude/longitude (home, work, school)
• Timestamp (when you were there)
• Altitude (floor of building)
• Direction (which way you faced)

One photo = complete location.

Strip metadata before posting:

# Remove ALL metadata
exiftool -all= photo.jpg

# Remove GPS only, keep camera info
exiftool -GPS*= photo.jpg

# Batch process directory
exiftool -all= -r ~/Pictures/to-post/

# Verify stripped
exiftool photo.jpg | grep GPS  # Should show nothing

Platform behavior:

• Instagram: Strips EXIF automatically (reliable)
• Twitter: Sometimes strips, sometimes doesn't (unreliable)
• Facebook: Strips most, keeps some
• Your blog: Probably keeps everything unless configured
• Substack/Medium: Varies by upload method

Don't trust platforms. Strip manually before upload.

Alternative: Screenshot approach

Taking screenshot of photo removes all EXIF. Quick but reduces quality.

Ongoing practice:

# Create stripped copies for web
mkdir -p ~/Pictures/web-safe
exiftool -all= -o ~/Pictures/web-safe/ ~/Pictures/original/*

# Always post from web-safe directory

Defense Layer 3: Content Audit for Personal Details

Your published content exposes you. Audit and redact where possible.

Systematic audit process:

1. Aggregate all public content:
   - Blog posts (export/scrape)
   - Articles (save locally)
   - Social media threads (archive)
   - Newsletter archives
   - Podcast transcripts
   - Conference talks (video/slides)

2. Search for exposure patterns:
   "street" "address" "avenue" "road"
   "school" "elementary" "kindergarten"
   Names of family members
   Email addresses
   Phone numbers
   Specific neighborhood landmarks
   "where I live" "my apartment" "my house"

3. AI-assisted analysis:
   "Review all articles. Flag:
   - Geographic specificity beyond city level
   - Family member names or identifying details
   - Routine patterns (locations + timing)
   - Financial details
   - Contact information
   - Identifiable locations in photos"

4. Categorize by risk:
   HIGH: Home address, family names, phone numbers
   MEDIUM: Neighborhood details, school mentions, routine
   LOW: City, general area, vague references

5. Remediation options:
   - Edit old posts if you control platform
   - Request removal/edit from publications
   - Add note at top: "Personal details redacted 2026"
   - Can't edit? At least know what's out there

Specific redaction examples:

Before: "I wrote this from my home office at 1247 Bergen Street in Park Slope while my daughter Emma was at PS 321."

After: "I wrote this from home while my daughter was at school."

What you kept: Personal context, parental experience, authentic detail What you removed: Street address, neighborhood, school name, child's name

Before: "My morning routine: coffee at the Cafe on 7th and 9th, then walk through Prospect Park, stop at the playground near the boathouse."

After: "My morning routine: coffee at a local spot, then walk through the park."

Authenticity maintained. Attack surface removed.

Defense Layer 4: Communication Pattern Disruption

Your email style is documented. Becomes impersonation baseline. Disrupt it.

If you have public email presence:

Old Pattern (Documented in your newsletters):
- Response time: Within 2-4 hours
- Greeting: "Hey [name]"
- Style: Casual, conversational
- Sign-off: "Cheers, [Your name]"
- Subject lines: Lowercase, minimal punctuation
- Links: Always include context

Disrupted Pattern:
- Response time: Vary deliberately (30 min to 48 hours)
- Greeting: Rotate ("Hello", "Hi", "[Name]", formal/informal mix)
- Style: Vary formality by context
- Sign-off: Multiple styles in rotation
- Subject lines: Mix styles
- Links: Include verification phrases

Why this matters:

Attacker trains AI on your email samples. AI generates messages matching your style. Your contacts don't suspect because it sounds like you.

If your pattern is unpredictable, AI-generated messages feel off.

Verification protocols:

For important contacts, establish:

1. Code phrases (change monthly):
   "Hope the weather's nice" in any important email
   Missing phrase = assume compromised

2. Out-of-band confirmation:
   Important request via email = call to confirm
   Use number you have, not number in email

3. Financial request rules:
   Never via email, regardless of urgency
   Video call required
   24-hour minimum delay

4. New contact procedure:
   Warm intro by email = verify with introducer directly
   Call them at known number
   Ask: "Did you just introduce me to [name]?"

Your established voice is attack surface. Make it harder to clone perfectly.

Defense Layer 5: Social Network Hardening

Your public connections are mapped. Harden the trust chain.

Immediate actions:

1. Audit visible connections:
   - Who appears frequently in your content?
   - Who have you publicly thanked?
   - Who introduces you to opportunities?
   - Who can vouch for you publicly?

2. Inform key connections:
   "FYI: We're both visible in [context].
   Attackers might impersonate you to reach me or vice versa.
   Let's establish verification protocol."

3. Establish shared verification:
   - Code phrases for intros
   - Out-of-band confirmation method
   - What constitutes suspicious request
   - Agreed response to compromise

4. Reduce public visibility where possible:
   - Close collaborations don't need public posts
   - Acknowledgments can be vague ("thanks to early readers")
   - Family/friend mentions: first name only, no relationship
   - Professional vs personal separation

Your network is your attack surface. One compromised connection = your trust exploited.

Coordinated security > individual security.

Defense Layer 6: New Content Protocols

Going forward, write with operational security.

Personal detail guidelines:

SHARE:
✓ City/general area: "Brooklyn"
✓ Parental status: "my kids"
✓ Career background: "worked in tech"
✓ General experiences: "at home", "at coffee shop"
✓ Emotional truth: feelings, realizations, growth

DON'T SHARE:
✗ Street addresses, specific locations
✗ Names of family members (especially children)
✗ Schools, daycares, specific institutions
✗ Routine timing + location combos
✗ Identifiable photos of home/car/neighborhood
✗ Financial specifics beyond necessary context
✗ Phone numbers, personal emails
✗ Upcoming travel plans with dates

The test:

"Could someone use this detail to find me, harm me, or harm my family?"

If yes: Generalize it or cut it.

"Does removing this detail change the reader's experience?"

If no: Remove it.

Examples:

Bad: "I'm at JFK airport heading to Los Angeles for three days, house will be empty" Good: "Traveling for work this week"

Bad: "My son Jake's soccer game at Memorial Field this Saturday at 10am" Good: "My son's soccer game this weekend"

Bad: "Email me at jane.doe.writer@gmail.com or text 917-555-1234" Good: "Contact via website form" or "DM me on Twitter"

The authenticity remains. The attack surface shrinks.

Defense Layer 7: Ongoing Monitoring

You can't delete past exposure. Monitor for exploitation.

Set up alerts:

Google Alerts for:
- Your full name + "address"
- Your full name + "phone"
- Your full name + "lives at"
- Your full name + family member names
- Your username variations

GitHub monitoring:
- Watch for your API keys in public repos (someone else exposed)
- Check: https://github.com/search?q=[your-email]
- TruffleHog scheduled scans of your repos

Credit monitoring:
- Freeze credit if not actively using
- Monitor for new accounts/inquiries
- Check property records for weird changes

Social media:
- Privacy checkup quarterly
- Review tagged photos
- Check friend/follower lists for suspicious
- Review what's public vs friends-only

Early detection = faster response.

Can't prevent all exposure. Can detect exploitation attempts.

Defense Layer 8: Network-Level Protection

Your ISP sees everything. Coffee shop WiFi is surveillance infrastructure.

The problem:

Every site you visit. Every API you call. Every server you connect to. Your internet service provider logs it. Coffee shop WiFi? Anyone with Wireshark captures your traffic. Hotel networks harvest data. Public WiFi at conferences = packet sniffing playground.

Writers research sensitive topics: Sources. Whistleblowers. Legal cases. Competitive analysis. Controversial subjects. Your search history documents everything. Your ISP sells that data. Government requests access it. Hostile actors intercept it.

Solution: VPN

Virtual Private Network routes traffic through encrypted tunnel. Your ISP sees noise. Coffee shop packet sniffers get encrypted garbage. Government requests hit dead ends.

What NordVPN does:

• Encrypts all internet traffic end-to-end
• Hides your real IP address (location masking)
• Routes through servers in different countries
• Prevents ISP logging of visited sites
• Blocks DNS leaks (your queries stay private)
• Kill switch if VPN drops (no unencrypted traffic escapes)

When to use:

ALWAYS:
- Coffee shops, hotels, airports (public WiFi)
- Researching sensitive topics
- Accessing sources/whistleblowers
- Traveling internationally
- Working from untrusted networks

OPTIONAL:
- Home network (depends on threat model)
- Trusted office network
- Low-sensitivity browsing

What VPN doesn't protect:

• Content you publish (that's still public)
• Login credentials if phished
• Malware on your device
• Social engineering attacks
• Platform-level tracking (Facebook still knows it's you)

VPN protects network layer. Doesn't replace operational security.

Setup priority:

1. Install VPN on all devices (laptop, phone, tablet)
2. Enable auto-connect on untrusted networks
3. Verify no DNS leaks: https://dnsleaktest.com
4. Test kill switch works (disconnect VPN, traffic should stop)
5. Use when researching anything sensitive

Writer-specific use case:

Researching article about surveillance? VPN prevents your ISP from seeing those searches. Interviewing anonymous source? VPN hides your location and ISP. Traveling to cover story? VPN protects hotel/airport network access.

Network security is baseline hygiene. Not paranoia.

Blue Team Assessment Summary

Defense Priorities:

1. GitHub: Clean secrets, prevent future exposure (HIGH - immediate compromise)
2. Photo EXIF: Strip metadata before posting (HIGH - reveals exact location)
3. Content Audit: Know what's exposed, redact where possible (MEDIUM - slow aggregation)
4. Email Patterns: Disrupt baseline, add verification (MEDIUM - targeted spear phishing)
5. Social Network: Harden trust chains (MEDIUM - access vector)
6. New Content: Write with OPSEC (ONGOING - prevent future exposure)
7. Monitoring: Detect exploitation (ONGOING - early warning)
8. Network Protection: VPN on untrusted networks (HIGH - prevents ISP/WiFi surveillance)

Maintenance: Quarterly audit. New content review before posting. Monitor alerts weekly.

Balance achieved: Personal voice maintained. Operational security improved. Attack surface reduced without killing authenticity.

The Writer's Dilemma

Personal writing requires personal details.

Memoir needs specificity. Essays need real experience. Fiction draws from lived truth.

But personal doesn't mean identifying.

"I grew up poor in the South" has same emotional impact as "I grew up in a trailer park at 247 County Road 15, Madison County, Mississippi."

Reader feels the truth either way. One protects you. One exposes you.

The craft remains intact.

Specific universal: Describe experience so specifically that it's recognizable universally. That doesn't require your literal home address.

Example - Too specific:

"Every morning I walked Emma and Jake to PS 321 on 7th Avenue in Park Slope, then got coffee at the Cafe Grumpy on 5th before heading home to 1247 Bergen Street to write until 3pm pickup."

Example - Universal specific:

"Every morning I walked my kids to school, got coffee at the local spot, then headed home to write until pickup time."

Same routine. Same parental context. Same writer's life. Zero doxxing risk.

The emotional truth comes through. The operational security remains.

Common Objections

"I'm not famous enough to target."

Attackers scale. AI processes thousands of targets simultaneously. You don't need to be famous. You need to be worth $500 in crypto, or have access to someone who is, or have a platform worth hijacking.

"My readers expect authenticity."

They expect emotional truth, not your street address. Authenticity is vulnerability, not exposure. You can be authentic about experience without providing coordinates for swatting.

"I can't edit 10 years of blog posts."

You can't delete past exposure completely. But you can stop adding to it. Audit what's most dangerous (contact info, location specifics). Edit what you control. Know what you can't change. Monitor for exploitation.

"This feels paranoid."

It's operational security, not paranoia. Every writer with public presence has been doxxed, harassed, threatened, or knows someone who has. Prevention is easier than recovery.

"Stripping details makes my writing bland."

Wrong details. "My daughter" isn't bland. "My daughter Emma who goes to PS 321" is specific but dangerous. "My daughter asked why the sky is blue" is specific and safe. Choose different specifics.

The GitHub Problem Nobody Talks About

Writers who code are especially vulnerable.

You write articles teaching technical concepts. Code examples in blog posts. Projects on GitHub. Everything public because that's how dev community works.

Problem: Developers commit secrets all the time. Writers who code do it more (not security-trained).

One committed API key = full account access.

Example pattern seen constantly:

# Tutorial example
import openai

openai.api_key = "sk-proj-abc123..."  # Their real key, committed
response = openai.ChatCompletion.create(...)

They meant to replace it with "YOUR_API_KEY_HERE" before committing.

They didn't.

Now it's in git history forever. Anyone can use their API key.

Costs them hundreds or thousands in charges. Compromises their projects. Exposes their infrastructure.

Common secret exposure patterns:

Pattern 1: The Tutorial Example

// config.js - REAL file committed to GitHub
module.exports = {
  stripeKey: 'sk_live_abc123...',  // Real key, hundreds of $ access
  databaseUrl: 'postgres://admin:password@...'  // Full DB access
}

Pattern 2: The Notebook Commit

# jupyter notebook committed with output
API_KEY = "sk-..."
# Notebook includes execution output with response containing sensitive data

Pattern 3: The Environment Example

# .env file that should be .gitignored but isn't
OPENAI_API_KEY=sk-proj-...
AWS_ACCESS_KEY=AKIA...
STRIPE_SECRET_KEY=sk_live_...

Pattern 4: The Config Leftover

# config/production.yml - committed by mistake
production:
  database_password: "actual_prod_password"
  api_keys:
    openai: "sk-..."
    anthropic: "sk-ant-..."

Every one of these is trivially searchable on GitHub.

Attackers run automated scans. Find keys. Use immediately. Charge up accounts. Extract data. Compromise infrastructure.

If you have public repos, audit them today.

The Photo Metadata Problem

Every photo contains invisible data.

iPhone photos include:

• GPS coordinates (latitude/longitude to 6 decimal places)
• Timestamp (exact time photo taken)
• Camera model (income proxy)
• Software version
• Sometimes: Copyright/author metadata

One photo from home office = your home address.

Cross-reference GPS coordinates with property records = your name, family members, home value, everything.

Writers post photos constantly:

• Blog post illustrations
• Social media behind-the-scenes
• Newsletter graphics
• Conference photos
• Book launch images

Most don't strip EXIF first.

This is how doxxing happens:

1. Find writer's Instagram
2. Download photo from home
3. Check EXIF: GPS coordinates
4. Google Maps: That's their house
5. Property records: That's their legal name
6. Now you know where they live

Takes 5 minutes.

Strip EXIF before posting anything.

What Actually Works

Not theoretical. Operational.

GitHub audit revealed:

• 3 API keys in old commits (now rotated)
• Database password in config example (now removed)
• SSH private key in dot files directory (now deleted)

Photo EXIF check showed:

• 47 blog images with GPS coordinates
• All from same location (home office)
• Exact address derivable from coordinates
• All images re-uploaded without EXIF

Content audit found:

• Family member names in 12 articles (now first-name only)
• Neighborhood specifics narrowing to 2-block radius
• School mentions with enough detail to identify
• Phone number in old blog post (now removed)

Ongoing protocol:

• All photos stripped before upload
• No family member full names in new content
• GitHub repos scanned monthly
• Code examples use placeholder keys
• Location references stay city-level

Authenticity preserved. Attack surface reduced.

Voice remains personal. Privacy restored.

Ghost Says...

Personal voice vs personal information. Different things.

Writers confuse authenticity with exposure. You can be deeply personal without providing home coordinates.

Emotional truth doesn't require your street address.

Memoir needs vulnerability, not phone numbers. Essays need real experience, not school names. The craft demands personal truth. It doesn't demand operational security disasters.

Balance exists:

Write from lived experience. Use real details that make stories land. Keep emotional specificity. Remove identifying information.

"I grew up poor" hits as hard as "I grew up at 247 County Road 15."

Reader gets the truth either way. One version doesn't put your family at risk.

GitHub repos leak secrets constantly.

Writers who code are soft targets. Not security-trained. Commit API keys by accident. Leave them in git history forever.

One key = account compromise.

Scan your repos today. Strip credentials. Rotate exposed keys. Stop committing secrets.

Photo EXIF exposes location.

Every iPhone photo includes GPS. One blog post image from home = your address.

Strip metadata before posting. Every time. No exceptions.

The audit takes one afternoon. The protection lasts forever.

Aggregate your content. Search for exposure patterns. Redact where possible. Know what's out there.

New content protocol:

Write personally. Remove identifying details before publishing. Ask: "Could someone use this to find me?"

If yes: Generalize or cut. Authenticity remains. Safety improves.

Not paranoia. Operational security.

Every writer with public presence gets targeted eventually. Prevention beats recovery.

Your voice stays authentic. Your family stays safe.

That's the balance. That's the work.

---

Audit your GitHub repos. Strip photo EXIF. Review old content. Write with OPSEC going forward.

The craft demands personal truth. It doesn't demand your home address.