Sharing sensitive personal information online—whether it’s a national ID, driver’s license, or passport—always makes me uneasy. With data breaches being a matter of “when, not if,” it’s important to minimize our digital footprint.

While the best defense is simply not sharing the data at all, modern life often makes that impossible. Whether you’re renting a holiday cottage, opening a bank account, or complying with some website’s verification process, you eventually have to share sensitive documents.

I like “dirtying” my documents to make them less valuable to hackers and easier to track if a leak occurs.

Lower Quality

Before I upload anything, I strip the EXIF data (metadata like location and device info), resize the image, and convert it to grayscale.

If my data is stolen, it’s easier to prove the source if the scan is low-resolution and looks “off.” It hopefully also makes the document less useful for identity theft if the quality is lacking.

No one needs a 4000×3000 pixel, high-fidelity photo of my ID. High resolution only helps bad actors. I downsize the image with squoosh.app and convert it to a JPEG with around 70% quality. This intentional quality loss is a bonus; it remains legible for verification but loses the pristine look in case of forgery.

Visual Watermark

Next, I add an almost transparent watermark. This helps identify who lost my data in the case of a data breach. I include the name of the service I am sharing it with.

ImageMagick can do this, of course. It places the text in the center with low opacity—enough to be legible, but not so much that it jumps out too much.

magick input.jpg -pointsize 72 -gravity center -fill "rgba(255,255,255,0.3)" -annotate 0 "EXAMPLE.COM" to_share.jpg

I often play with the RGBA settings to fine-tune the opacity depending on the document’s background.

Steganography

This week, I added an extra layer of invisible tracking using steganography to my workflow. This embeds a hidden text note directly into the image data.

You must do this after watermarking and resizing, as those processes will destroy the hidden metadata.

steghide embed -cf to_share.jpg -ef <(echo "Shared with example.com in 2025")

Alternatively, you can use the hyphen method shown below. However, note that passing a password directly within the command is less secure, as it may be recorded in your shell history.

echo "Shared with example.com in 2025" | steghide embed -cf to_share.jpg -p "" -ef -

Now, the file itself contains a hidden “receipt” of when and where it was uploaded. The embedded data can be extracted via:

steghide extract -sf to_share.jpg -xf extract.txt

Reality Check

It is important to note that these methods are not waterproof:

• Steganography is fragile; if the receiving website automatically resizes my upload, the hidden note is gone.
• Watermarks can, of course, be manually edited out.

However, these steps provide me some peace of mind. By adding layers of friction, my data is that little harder to use for automated identity theft.