When it comes to security, the key is [redacted].
Redaction is important for legal documents and classified information, helping to restrict access and keep sensitive content private. But it’s not foolproof. On a number of occasions, redaction mishaps—be they improper application of redaction tools or general errors, leading to malicious actors accessing information—have led to embarrassment and exposure.
Ineffective redaction techniques often let outside users get around the blackout simply by copying and pasting the redacted section; other tactics include metadata analysis and image layer disruption.
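A pre-release check for the copy-and-paste failure described above, as an added example that is not from the article or from any vendor it mentions: it flags text that is still drawn underneath a filled box in a PDF page content stream. It assumes an uncompressed stream, no coordinate transforms and simple literal strings; the sample stream and the function names are constructed for illustration.

```python
import re

# Constructed sample: a name is drawn as text, then a black box is painted
# over it. The box hides the name on screen, but the text operator remains.
SAMPLE_STREAM = """
BT /F1 12 Tf 72 700 Td (Account holder: ) Tj ET
BT /F1 12 Tf 170 700 Td (Jane Q. Example) Tj ET
BT /F1 12 Tf 72 680 Td (Status: active) Tj ET
0 0 0 rg
165 696 120 16 re f
"""

TOKEN = re.compile(r"\((?:\\.|[^\\()])*\)|[^\s()]+")
NUM = re.compile(r"[-+]?(?:\d+\.?\d*|\.\d+)")
FILL_OPS = {"f", "F", "f*", "B", "B*", "b", "b*"}

def parse(stream):
    """Return (text_runs, filled_rects) from a simple content stream."""
    texts, rects, pending, operands = [], [], [], []
    x = y = 0.0
    for tok in TOKEN.findall(stream):
        if tok[0] in "(/" or NUM.fullmatch(tok):
            operands.append(tok)          # operand: string, name or number
            continue
        if tok == "BT":                   # new text object resets position
            x = y = 0.0
        elif tok == "Td" and len(operands) >= 2:
            x, y = x + float(operands[-2]), y + float(operands[-1])
        elif tok == "Tm" and len(operands) >= 6:
            x, y = float(operands[-2]), float(operands[-1])
        elif tok == "Tj" and operands:    # text shown at current position
            texts.append((x, y, operands[-1][1:-1]))
        elif tok == "re" and len(operands) >= 4:
            pending.append(tuple(float(v) for v in operands[-4:]))
        elif tok in FILL_OPS:             # path is painted: boxes are opaque
            rects.extend(pending)
            pending = []
        elif tok in {"n", "S", "s"}:      # path ended without a fill
            pending = []
        operands = []
    return texts, rects

def text_under_boxes(stream):
    """Text runs whose origin lies inside a filled rectangle."""
    texts, rects = parse(stream)
    return [t for (tx, ty, t) in texts
            if any(rx <= tx <= rx + w and ry <= ty <= ry + h
                   for (rx, ry, w, h) in rects)]
```

An empty result is what a correctly redacted page should produce, because the tool has deleted the text operators rather than painting over them.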
Improper redaction comes with another danger: the threat of exposing personal information to hackers. Amanda Levay, founder and CEO of Redactable, told IT Brew that IT teams need to take concerns around redacted information seriously and add it to their ever-expanding portfolio of security priorities.
“The liability on the company is huge, especially with all of the regulations around redaction,” Levay said. “Obviously, if they redact something that isn’t truly redacted, and they send it to a third party, it could [lead to] identity theft on that customer or consumer.”
Publication time.

As with a number of other security issues, organizations tend not to address a redaction-related vulnerability until there’s a breach. Levay urged IT teams to be more aware of the danger and take action to avoid disaster. Education is a good step, in part because IT pros are often on their own when it comes to securing their tech stack.
“We recommend educating the IT world in terms of being very proactive, because this is already happening within their organization,” Levay said. “They just haven’t been made aware, and those third parties who have the information because it’s not really redacted aren’t going to make them aware either.”
In a 2022 test of 11 PDF redaction tools, University of Urbana-Champaign researchers discovered that two free online redaction tools—PDFzorro and PDFescape Online—left all redacted text accessible. Redactable was not one of the tools used in the study.
“Even if you do the redaction, supposedly correctly, even if you remove the text, there’s a lot of latent information that is dependent on the content that was redacted, and even that can leak information,” researcher Kirill Levchenko told Wired. “If you redact a name in a PDF, if the attacker has any context—they know this is an American—they will be able to, with high probability, either recover that name or narrow it down to a very small list of candidates.”