Skip to main content
Support

Browse by category

All categories
← All posts
Field guideJun 19, 2026 · 7 min read

PDF redaction done right — why black boxes leak

A black rectangle hides text from your eyes, not from a computer. How true redaction removes the data, and how to verify it actually held.

By Khine1,428 wordsExtractable lead
PDF redaction done right — why black boxes leak — hero illustration

A black rectangle over a name is a reassuring thing to look at. The eye reads it as a wall. The trouble is that a PDF is not built for eyes — it is built for software, and the software underneath that rectangle very often still knows the name, still stores it as selectable characters, and will hand it back to anyone who asks politely.

This is the single most common way sensitive documents leak, and it has been the same mistake for twenty years. Someone confuses covering text with deleting text. The two look identical on screen. They are not remotely the same in the file.

What a black box actually is

A PDF stores a page as a content stream: a sequence of drawing instructions. “Place this glyph here, fill this rectangle there, show this image at that position.” When you grab the rectangle tool in a viewer and draw a filled black box over a line of text, you have not removed the text instruction. You have added a second instruction — draw a black rectangle — that paints on top of it.

The original text is still in the stream, in full, at its original coordinates. The rectangle merely sits at a higher position in the paint order, like a sticker. Anything that reads the document instead of rendering it walks straight past the sticker:

  • Select-all and copy, then paste into a plain text editor.
  • A pdftotext-style extraction tool, which dumps the text layer and ignores graphics entirely.
  • Deleting the annotation object, if the box was added as a markup annotation rather than baked into the page — sometimes a single click.

The black box was a costume, not a deletion. The same applies to white boxes over text on a white page (a favourite of people who think “it’s invisible, so it’s gone”) and to lowering an object’s opacity rather than removing it.

The incidents are not rare, and they are not amateurs

In January 2019, lawyers for Paul Manafort filed a court document with portions blacked out. Within hours, reporters discovered that highlighting the black bars and pasting the result into a new document revealed the hidden text — including, among other things, the allegation that Manafort had shared 2016 campaign polling data with a business associate tied to Russian intelligence. The redactions were drawn, never applied. This was a federal case with serious counsel, not a careless intern.

Go back to December 2009 and the Transportation Security Administration posted a copy of its airport screening manual to a federal contracting website with sensitive sections covered by black boxes. The boxes came off with a few keystrokes in Adobe Acrobat. The exposed material included screening percentages for checked bags, the limitations of imaging equipment, and sample credentials for CIA, law enforcement, and congressional personnel. The agency’s own Office of Inspector General later documented the breach in report OIG-10-37. The information was meant to be Sensitive Security Information; the redaction was decorative.

It is fair to add the counter-example, because the popular story usually gets it wrong. When the U.S. Department of Justice released a large tranche of Epstein-related PDFs in December 2025, the headlines announced that the redactions had failed and the names could be copied straight out. A forensic review by the PDF Association found the opposite for the main datasets: those black boxes had been burned directly into the page image — the text underneath was genuinely gone, and nothing came back on copy-paste. Some other documents in the broader release did leak, which is how the narrative got muddled. The lesson is not “redaction always fails.” It is that a black box tells you nothing on its own. You cannot judge a redaction by looking at it. You have to test it.

What true redaction does

Proper redaction removes the underlying data, not just the view of it. The guidance has been public and consistent for a long time. The NSA’s 2005 paper Redacting with Confidence puts it plainly: the way to avoid exposure is to ensure that sensitive information is not just visually hidden or made illegible, but is actually removed from the document. Adobe draws the same line in its own documentation, distinguishing redaction — which replaces content so it cannot be recovered — from sanitisation, which strips the hidden data around it.

In practice, doing it right means one or more of the following:

  • Delete the text and image objects themselves, not paint over them. A real redaction tool removes the glyphs and any images in the marked region from the content stream, then draws the box in their place. Nothing is left to extract because nothing is there.
  • Flatten the result. Annotations, form fields, and layers can all carry data. Flattening merges them into the page and discards the separate objects, so there is no annotation to peel back.
  • Re-rasterise when in doubt. Converting the page to an image and rebuilding the PDF from that image throws away every text and vector layer underneath. It is the bluntest method and it costs you searchable text and crisp type, but it is also the hardest to get wrong — which is precisely why the careful Epstein redactions used it.

Each of these destroys recoverable content. A drawn rectangle destroys nothing.

Metadata is the second door

Even a correctly redacted page leaves a second avenue open. PDFs carry a surprising amount of data that never appears on any page:

  • Document metadata — author, title, the software used, and sometimes the original filename, which alone can be revealing.
  • Embedded thumbnails and previews generated from earlier, unredacted versions.
  • Incremental save history. PDFs are often saved by appending changes rather than rewriting the file. Earlier states, including pre-redaction text, can survive in the file’s tail. The NSA paper specifically warns about residue from a document’s edit history — the equivalent of an “undo stack” riding along inside the file.
  • Attachments, form data, JavaScript, and comments that no one remembers adding.

This is why the professional workflow has two distinct steps: redact the visible content, then sanitise the document to remove hidden information. Adobe’s “Remove all” sanitise option exists for exactly this. Skipping the second step has burned people who got the first step completely right.

Verify, every time

Treat a redaction as untrusted until you have tried to defeat it. The checks take very little time and they are the only thing standing between you and an apology letter.

  1. Select-all and copy. Open the finished PDF, press select-all, copy, and paste into a plain text editor. If any redacted word appears in the paste, the text is still in the file. This is the test that caught the Manafort filing.
  2. Search for what should be gone. Use the viewer’s find function to search for a name, number, or phrase you redacted. A match means the term is still indexed in the text layer, even if the box hides it on screen.
  3. Extract the text outside a viewer. Run a text-extraction tool over the file (pdftotext, or any library that dumps the content stream). This bypasses the rendering layer entirely and is the closest thing to how a determined adversary would read it. Nothing you redacted should appear in the output.
  4. Inspect the metadata. Check document properties and, ideally, look at the raw structure for leftover attachments, XMP metadata, or appended revisions. Confirm the hidden data went with the visible.
  5. Click the boxes. If a redaction box can be selected, moved, or deleted as an object, it is an annotation sitting on top of live content — not a redaction. A true redaction is part of the flattened page and cannot be picked up.

If any of these returns the text you meant to remove, the redaction did not hold. Fix the document and run the checks again. Do not ship on the assumption that it probably worked.

The short version

The visual is not the security boundary. A black box is a claim, and the file underneath either backs it up or quietly contradicts it. Do the work that actually removes the data — delete the objects, flatten, rasterise if you must — strip the metadata as a separate step, and then prove it with copy-paste, search, and extraction before the document leaves your hands. The people in the cautionary tales were not lazy. They simply trusted the rectangle and never tested it. The test is the whole job.

References

  1. Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF — National Security Agency (via Federation of American Scientists) (accessed 2026-05-29)
  2. How a Simple Copy/Paste Revealed Explosive New Detail in Manafort's Case — Vice (accessed 2026-05-29)
  3. Unredacted TSA Manual Leaked Online — CBS News (accessed 2026-05-29)
  4. A case study in PDF forensics: The Epstein PDFs — PDF Association (accessed 2026-05-29)
  5. About redacting and sanitizing PDFs in Acrobat Pro — Adobe (accessed 2026-05-29)
  6. TSA's Breach of Sensitive Security Information (OIG-10-37) — U.S. Department of Homeland Security, Office of Inspector General (accessed 2026-05-29)