Field guideJun 19, 2026 · 7 min read
PDF redaction done right — why black boxes leak
A black rectangle hides text from your eyes, not from a computer. How true redaction removes the data, and how to verify it actually held.
By Khine1,428 wordsExtractable lead
A black rectangle over a name is a reassuring thing to look at. The
eye reads it as a wall. The trouble is that a PDF is not built for
eyes — it is built for software, and the software underneath that
rectangle very often still knows the name, still stores it as
selectable characters, and will hand it back to anyone who asks
politely.
This is the single most common way sensitive documents leak, and it
has been the same mistake for twenty years. Someone confuses
covering text with deleting text. The two look identical on
screen. They are not remotely the same in the file.
What a black box actually is
A PDF stores a page as a content stream: a sequence of drawing
instructions. “Place this glyph here, fill this rectangle there, show
this image at that position.” When you grab the rectangle tool in a
viewer and draw a filled black box over a line of text, you have not
removed the text instruction. You have added a second instruction —
draw a black rectangle — that paints on top of it.
The original text is still in the stream, in full, at its original
coordinates. The rectangle merely sits at a higher position in the
paint order, like a sticker. Anything that reads the document instead
of rendering it walks straight past the sticker:
- Select-all and copy, then paste into a plain text editor.
- A
pdftotext-style extraction tool, which dumps the text layer and
ignores graphics entirely.
- Deleting the annotation object, if the box was added as a markup
annotation rather than baked into the page — sometimes a single
click.
The black box was a costume, not a deletion. The same applies to
white boxes over text on a white page (a favourite of people who
think “it’s invisible, so it’s gone”) and to lowering an object’s
opacity rather than removing it.
The incidents are not rare, and they are not amateurs
In January 2019, lawyers for Paul Manafort filed a court document
with portions blacked out. Within hours, reporters discovered that
highlighting the black bars and pasting the result into a new
document revealed the hidden text — including, among other things,
the allegation that Manafort had shared 2016 campaign polling data
with a business associate tied to Russian intelligence. The
redactions were drawn, never applied. This was a federal case with
serious counsel, not a careless intern.
Go back to December 2009 and the Transportation Security
Administration posted a copy of its airport screening manual to a
federal contracting website with sensitive sections covered by black
boxes. The boxes came off with a few keystrokes in Adobe Acrobat. The
exposed material included screening percentages for checked bags, the
limitations of imaging equipment, and sample credentials for CIA, law
enforcement, and congressional personnel. The agency’s own Office of
Inspector General later documented the breach in report OIG-10-37.
The information was meant to be Sensitive Security Information; the
redaction was decorative.
It is fair to add the counter-example, because the popular story
usually gets it wrong. When the U.S. Department of Justice released a
large tranche of Epstein-related PDFs in December 2025, the headlines
announced that the redactions had failed and the names could be
copied straight out. A forensic review by the PDF Association found
the opposite for the main datasets: those black boxes had been burned
directly into the page image — the text underneath was genuinely
gone, and nothing came back on copy-paste. Some other documents in
the broader release did leak, which is how the narrative got muddled.
The lesson is not “redaction always fails.” It is that a black box
tells you nothing on its own. You cannot judge a redaction by looking
at it. You have to test it.
What true redaction does
Proper redaction removes the underlying data, not just the view of
it. The guidance has been public and consistent for a long time. The
NSA’s 2005 paper Redacting with Confidence puts it plainly: the way
to avoid exposure is to ensure that sensitive information is not just
visually hidden or made illegible, but is actually removed from the
document. Adobe draws the same line in its own documentation,
distinguishing redaction — which replaces content so it cannot be
recovered — from sanitisation, which strips the hidden data around it.
In practice, doing it right means one or more of the following:
- Delete the text and image objects themselves, not paint over
them. A real redaction tool removes the glyphs and any images in the
marked region from the content stream, then draws the box in their
place. Nothing is left to extract because nothing is there.
- Flatten the result. Annotations, form fields, and layers can all
carry data. Flattening merges them into the page and discards the
separate objects, so there is no annotation to peel back.
- Re-rasterise when in doubt. Converting the page to an image and
rebuilding the PDF from that image throws away every text and vector
layer underneath. It is the bluntest method and it costs you
searchable text and crisp type, but it is also the hardest to get
wrong — which is precisely why the careful Epstein redactions used
it.
Each of these destroys recoverable content. A drawn rectangle
destroys nothing.
Even a correctly redacted page leaves a second avenue open. PDFs
carry a surprising amount of data that never appears on any page:
- Document metadata — author, title, the software used, and
sometimes the original filename, which alone can be revealing.
- Embedded thumbnails and previews generated from earlier,
unredacted versions.
- Incremental save history. PDFs are often saved by appending
changes rather than rewriting the file. Earlier states, including
pre-redaction text, can survive in the file’s tail. The NSA paper
specifically warns about residue from a document’s edit history —
the equivalent of an “undo stack” riding along inside the file.
- Attachments, form data, JavaScript, and comments that no one
remembers adding.
This is why the professional workflow has two distinct steps:
redact the visible content, then sanitise the document to remove
hidden information. Adobe’s “Remove all” sanitise option exists for
exactly this. Skipping the second step has burned people who got the
first step completely right.
Verify, every time
Treat a redaction as untrusted until you have tried to defeat it. The
checks take very little time and they are the only thing standing
between you and an apology letter.
- Select-all and copy. Open the finished PDF, press select-all,
copy, and paste into a plain text editor. If any redacted word
appears in the paste, the text is still in the file. This is the
test that caught the Manafort filing.
- Search for what should be gone. Use the viewer’s find function
to search for a name, number, or phrase you redacted. A match means
the term is still indexed in the text layer, even if the box hides
it on screen.
- Extract the text outside a viewer. Run a text-extraction tool
over the file (
pdftotext, or any library that dumps the content
stream). This bypasses the rendering layer entirely and is the
closest thing to how a determined adversary would read it. Nothing
you redacted should appear in the output.
- Inspect the metadata. Check document properties and, ideally,
look at the raw structure for leftover attachments, XMP metadata,
or appended revisions. Confirm the hidden data went with the
visible.
- Click the boxes. If a redaction box can be selected, moved, or
deleted as an object, it is an annotation sitting on top of live
content — not a redaction. A true redaction is part of the flattened
page and cannot be picked up.
If any of these returns the text you meant to remove, the redaction
did not hold. Fix the document and run the checks again. Do not ship
on the assumption that it probably worked.
The short version
The visual is not the security boundary. A black box is a claim, and
the file underneath either backs it up or quietly contradicts it. Do
the work that actually removes the data — delete the objects, flatten,
rasterise if you must — strip the metadata as a separate step, and
then prove it with copy-paste, search, and extraction before the
document leaves your hands. The people in the cautionary tales were
not lazy. They simply trusted the rectangle and never tested it. The
test is the whole job.