
Metadata in Office files

Risks of Office metadata

Office documents are a difficult format for anonymity.

Word, Excel, and PowerPoint can retain author information, change history, comments, hidden sheets, templates, internal paths, and collaborative editing information. Even when something no longer appears on screen, traces of the work process may remain inside the file.

This article lays out the risks of Office metadata. Author information specifically is covered in "Author information in Office files."

What is Office metadata?

Office metadata is information attached to a document other than the body text.

| Information | Example | Risk |
| --- | --- | --- |
| Document properties | Author, company name, title | Person or organization becomes visible |
| Change history | Editor, edited content | People involved and sequence remain |
| Comments | Review notes, names | Internal conversations appear |
| Hidden information | Hidden sheets, notes | Non-displayed data remains |
| Links | Internal file paths, cloud URLs | Organizational environment becomes visible |

Office files are suited for editing and collaboration.

For that reason, when treating them as publication files, internal information needs to be checked.

Easy-to-miss items in Excel and PowerPoint

Pay attention not only to Word, but also to Excel and PowerPoint.

Excel may retain hidden sheets, filters, cell comments, defined names, and external links. PowerPoint may retain presenter notes, hidden slides, original image information, and comments.

| Check target | Easy-to-miss information | Notes |
| --- | --- | --- |
| Word | Change history, comments | May remain even in final display |
| Excel | Hidden sheets, external links | Cannot judge from visible range alone |
| PowerPoint | Presenter notes, hidden slides | Easily remain in handouts |
| Template-derived | Organization name, department name | Internal templates become clues |
| Collaborative editing | Account names, history | Look at cloud-side information too |

Checking only the visible page is not enough.

You need to use the application's document inspection feature and recheck after conversion to another format.
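
One way to cross-check a publication copy outside the application, as an added example that is not part of the original article: .docx, .xlsx, and .pptx files are ZIP packages of XML parts, so the items in the table above can be listed with the Python standard library. The names `inspect_ooxml` and `build_sample` and all sample values are constructed for illustration; the check complements the application's document inspection and does not replace it.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, defusedxml.ElementTree is the safer parser

# Package parts whose presence alone means non-body content ships with the file.
PART_HINTS = {
    "word/comments.xml": "Word comments",
    "ppt/notesSlides/": "PowerPoint presenter notes",
    "ppt/comments/": "PowerPoint comments",
    "xl/comments": "Excel cell comments",
    "xl/externalLinks/": "Excel external links",
}
# Elements in docProps/core.xml and docProps/app.xml that name people or organizations.
IDENTITY_PROPS = {"creator", "lastModifiedBy", "Company", "Manager", "Template"}

def _local(name):
    return name.rsplit("}", 1)[-1]  # strip the "{namespace}" prefix ElementTree adds

def inspect_ooxml(source):
    """Return sorted findings for a .docx/.xlsx/.pptx (path or file object)."""
    findings = set()
    with zipfile.ZipFile(source) as pkg:
        for part in pkg.namelist():
            findings.update(v for k, v in PART_HINTS.items() if part.startswith(k))
            if not part.endswith((".xml", ".rels")):
                continue
            for el in ET.fromstring(pkg.read(part)).iter():
                tag = _local(el.tag)
                attrs = {_local(k): v for k, v in el.attrib.items()}
                if part.startswith("docProps/") and tag in IDENTITY_PROPS and el.text:
                    findings.add(f"{tag}: {el.text}")
                elif part == "word/document.xml" and tag in ("ins", "del"):
                    findings.add(f"Tracked change by: {attrs.get('author', '?')}")
                elif part == "xl/workbook.xml" and tag == "sheet" and attrs.get("state") in ("hidden", "veryHidden"):
                    findings.add(f"Hidden sheet: {attrs.get('name')}")
                elif part.startswith("ppt/slides/") and tag == "sld" and attrs.get("show") in ("0", "false"):
                    findings.add(f"Hidden slide: {part}")
                elif tag == "Relationship" and attrs.get("TargetMode") == "External":
                    findings.add(f"External target: {attrs.get('Target')}")
    return sorted(findings)

def build_sample():
    """Constructed sample: a minimal .xlsx-like package, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", '<coreProperties xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>A. Example</dc:creator></coreProperties>')
        z.writestr("xl/workbook.xml", '<workbook><sheets><sheet name="Public"/><sheet name="Salaries" state="hidden"/></sheets></workbook>')
        z.writestr("xl/externalLinks/_rels/externalLink1.xml.rels", '<Relationships><Relationship Id="rId1" Target="file:///S:/finance/budget.xlsx" TargetMode="External"/></Relationships>')
    return buf
```

An empty result only means none of these specific markers were found; proper nouns in the body, text inside images, and cloud-side sharing information still need the separate checks described below.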

Be careful with sharing methods

Office files are often combined with cloud sharing.

Even if metadata in the file itself is removed, the sharing link's owner name, editing history, access permissions, and information contained in the URL may remain.

| Sharing method | Information that remains | Notes |
| --- | --- | --- |
| Cloud link | Owner name, account name | Do not share from a real-name account |
| Email attachment | Sender, subject, headers | Look at correlation of the contact route |
| Collaborative editing | Edit history, comments | Names of people involved remain |
| Compressed file | Folder names, unnecessary files | Check the contents |
| PDF conversion | PDF-side metadata | Check after conversion too |

For anonymity, check not only the file, but also the sharing route.

Flow for making a publication file

When making an Office document ready for publication, separate the editing file from the publication file.

The editing file may need history and comments. But if it is published as-is, the creation process and people involved become visible.

| Step | What to check |
| --- | --- |
| 1 | Store the original file and create a publication copy |
| 2 | Check document properties |
| 3 | Remove comments, change history, and hidden information |
| 4 | Check filename and folder name |
| 5 | If converting to PDF, check again after conversion |
| 6 | Check whether owner names appear at the sharing destination |

Creating a publication copy lets you preserve evidentiary value and work history while reducing the information released outside.

In whistleblowing and legal consultation, how to store the original file is also important.

Situations where you should not hand over an Office file as-is

In situations where anonymity is important, there are cases where you should not hand over an Office file as-is.

Especially in whistleblowing, workplace trouble, school issues, and source protection, author information and editing history can narrow down who was involved.

| Situation | Reason | Alternative |
| --- | --- | --- |
| Whistleblowing | Internal author information remains | Confirm handling with the consultation destination |
| Reporting material | The source can be inferred backwards | Use a safe submission method |
| School issue | Minors or people involved appear | Organize only the necessary scope |
| Workplace consultation | Department or supervisor becomes visible | Blur for publication |
| General publication | Unnecessary editing history appears | Convert to PDF and recheck |

Office documents are good at retaining traces of collaboration.

This is convenient for work, but dangerous for anonymous publication. Information about who changed what, when, and where can become a stronger clue than the content itself.

Handling documents you receive

Pay attention not only to Office documents you created, but also to documents received from others.

In whistleblowing, reporting, and consultation, you may receive documents created by a provider. Those documents may contain information about the provider, colleagues, organization, device, or cloud.

| Information that remains | Impact |
| --- | --- |
| Author or company name | Provider or organization becomes visible |
| Change history | Shows who was involved |
| Hidden sheets | Information not intended for release appears |
| Links | Internal environment or cloud becomes visible |
| Comments | Judgment process and people involved remain |

Documents you receive often contain information the person themselves did not notice.

Before publishing or sharing, always check with a separate copy.

Do not stop at document inspection

Office includes features for checking personal information and hidden information inside documents.

This is useful, but it cannot be relied on for all anonymity checking. Information found by document inspection and information readers infer from the text or tables are separate things. Internal terms, case names, abbreviations used only by a department, table ordering, and text inside images can be difficult to judge through mechanical inspection alone.

| Check method | Easy to find | Things to check separately |
| --- | --- | --- |
| Document inspection | Author, comments, hidden information | Proper nouns in body text |
| Property check | Title, company name | Clues in tables and images |
| Check after PDF conversion | PDF-side metadata | Redaction broken by conversion |
| Third-party review | Reader-perspective oddness | Sharing risk with the reviewer |
| Display in another environment | Owner name and link display | Recipient-side saving and forwarding |

For anonymous publication, combine tool checking with human reading.

Do not think "it is safe because I removed it with a feature." Reread the final document to be published from the recipient's perspective.

Summary

Office metadata may include author, company name, change history, comments, hidden sheets, presenter notes, links, and collaborative editing information.

For anonymity, the basic rule is not to publish Office files as-is.

Create a publication copy, run document inspection, and check hidden information, comments, links, filenames, and sharing destinations.

Even if you convert to PDF, metadata checking after conversion is necessary.

Office documents are a format that may hand over not only the body text, but also the work environment.

Related tools

Anonymous communication

Tor Project

An external resource related to this article. Open it only when it fits your situation and threat model.

Why it is listed: It can help with the article topic, but it is outside Anonymity Sense and should be checked before use.

URL : https://www.torproject.org/

Metadata inspection

ExifTool

URL : https://exiftool.org/

Metadata removal

MAT2

URL : https://0xacab.org/jvoisin/mat2
