| Oof, that's a great point. We briefly touched on this a few weeks ago, but from the angle of canary tokens / tracking pixels [1]. Security-wise, our main concern is protecting people who read suspicious documents, such as journalists and activists, but we do have sources/leakers in our threat model as well. Our docs are lacking in this regard, but we will update them with information targeted specifically to non-technical sources/leakers about the following threats: - Metadata (simple/deep) - Redactions (surprisingly easy to get wrong) - Physical watermarking (e.g., printer tracking dots) - Digital watermarking (what you're pointing out here) - Fingerprinting (camera, audio, stylometry) - Canary tokens (not metadata per se, but still a de-anonymization vector) If you come in FOSDEM next week, we plan to talk about this subject there [2]. The goal here isn't to provide a false sense of security, nor frighten people. It's plain old harm reduction. We know (and encourage) sources to share documents that can help get a story out, but we also want to educate them about the circumstances in which they may contain their PII, so that they can make an informed choice. [1]: https://social.freedom.press/@dangerzone/115859839710582670 [2]: https://fosdem.org/2026/schedule/event/JZ3F8W-dangerzone_ble... (Dangerzone dev btw) |