In wake of TSA breach, a refresher on redacting PDFs

What works on printed documents doesn't translate to digital

News that the Transportation Security Administration (TSA) accidentally posted secret information detailing its airline screening practices may have had a familiar ring to feds. The information was exposed because of inadequate redaction procedures.

TSA’s operating manual had been posted on a procurement Web site in the spring in redacted form. But anyone who copied the document and pasted it into another format, such as Microsoft Word or Windows Notepad, could read the redacted sections. Some of those sections included the settings for X-ray machines and explosives detectors, as well as procedures for dealing with diplomats, CIA employees and law enforcement officers.

Information breaches due to improper redaction are not new. In 2005, the Multi-National Force-Iraq ran into a similar problem when a memo with redacted classified information about a shooting was posted on the Web. The classified information, however, wasn’t actually redacted so much as blacked out, and the information could be revealed by copying and pasting it into a different format.

The White House, Justice Department and United Nations also have encountered similar slip-ups.

In the wake of those embarrassments, the National Security Agency issued guidance to federal agencies, titled “Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF.”

In the guidance, NSA identified the three most common mistakes analysts make in redacting documents intended for the Web, all of them essentially the result of thinking that what works for a print copy works for a digital copy. The three most common mistakes:

  • Covering text, charts, tables, or diagrams with black rectangles, or highlighting text in black. The most common mistake is covering text with black (or changing the background to black).
  • Covering up parts of an image with separate graphics such as black rectangles, or making images “unreadable” by reducing their size. As with text, this works only on printed copies.
  • Failing to remove metadata and document properties, which are often as sensitive as the original document; their presence in downgraded or sanitized documents has historically led to compromise.

A few tips NSA offers on how to properly redact a document:

  • Save a copy of the original document; make changes to the copy and keep the original.
  • Delete, rather than black-out, sensitive text, diagrams, tables and images.
  • Turn off track changes, comments and other visible markups, which can contain potentially compromising hidden data.
  • Rename the document to show that manual redaction is complete.
  • Create a new Word document, and copy and paste the edited text.
  • Convert a Word document to PDF and review final output for missed redactions or formatting issues.

Metadata and recorded, but often not visible, changes to a document are potential dangers because they often go unnoticed by the user. Knowing how to find that data is the key to removing it.
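The following is an added example, not code from the article or from the NSA guidance: a pre-publication check that opens a .docx (a ZIP archive of XML parts) and reports tracked changes, comments, black highlighting or shading, and author metadata. The sample documents are constructed, and the marker list is an assumption that covers common cases rather than every way content can hide.

```python
import io
import re
import zipfile

# Markers for hidden or merely covered content (assumes Word's "w:" prefix).
CHECKS = {
    "tracked insertion": rb"<w:ins[ >]",
    "tracked deletion": rb"<w:del[ >]",
    "black highlight": rb'<w:highlight w:val="black"',
    "black shading": rb'<w:shd [^>]*w:fill="000000"',
    "comment anchor": rb"<w:commentReference[ />]",
}
META = rb"<(?:\w+:)?(creator|lastModifiedBy|Company)>([^<]+)<"

def audit_docx(data):
    """Return a list of findings for a .docx supplied as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        body = z.read("word/document.xml")
        for label, pattern in CHECKS.items():
            hits = len(re.findall(pattern, body))
            if hits:
                findings.append(f"{label}: {hits}")
        if "word/comments.xml" in z.namelist():
            findings.append("comments part present")
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part in z.namelist():
                for tag, value in re.findall(META, z.read(part)):
                    findings.append(f"metadata {tag.decode()}: {value.decode()}")
    return findings

def make_docx(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

# Constructed samples: the same memo blacked out, then actually redacted.
COVERED = make_docx({
    "word/document.xml": '<w:p><w:r><w:rPr><w:highlight w:val="black"/></w:rPr>'
        '<w:t>SAMPLE SECRET</w:t></w:r><w:del w:id="1"><w:r><w:delText>draft'
        '</w:delText></w:r></w:del><w:r><w:commentReference w:id="0"/></w:r></w:p>',
    "word/comments.xml": '<w:comments><w:comment w:id="0"/></w:comments>',
    "docProps/core.xml": "<cp:coreProperties><dc:creator>J. Analyst</dc:creator></cp:coreProperties>",
})
REDACTED = make_docx({"word/document.xml": "<w:p><w:r><w:t>[text removed]</w:t></w:r></w:p>"})

if __name__ == "__main__":
    print(audit_docx(COVERED), audit_docx(REDACTED))
```

An empty result means only that none of these markers were found; the converted PDF still needs the final review listed in the tips above.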

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.

Reader comments

Thu, Dec 17, 2009 DocsCorp

The latest redaction incident with the Transport Security Administration (TSA) highlights two important issues: 1. If you need to redact documents, get software that will enable you to redact PDF documents safely. 2. If you have redaction software, make sure your staff know that they have it and how to use it. DocsCorp has published a White Paper on how to redact PDF documents safely. Download a complimentary copy of the paper.

Tue, Dec 15, 2009 Bob California

As a Freedom of Information Act Officer and Privacy Act Officer, we have specific guidelines on how to redact documents. It should be a simple procedure if we pay close attention to detail. With the new policies on Open Government, we need to pay even more attention, since more and more is given out to the public from the Government.

Fri, Dec 11, 2009 oracle2world

The CIA credentials look sort of cool (maroon two part with an eagle facing left). And I didn't know you could take on board a "Curling Iron (with flammable gas cartridge) One curling iron. Safety cover must be over heating element. No spare gas (butane) cartridges allowed" that could double as a bernzomatic. Oh, and you can pack brass knuckles in checked baggage.

Thu, Dec 10, 2009 Craig Sacramento

The National Security Agency (NSA) has an updated version of their guidelines, updated to Word 2007 and Adobe version 8.1 and above.

Thu, Dec 10, 2009 John Landwehr San Jose, CA

FYI - Adobe has a post at with some recommendations on proper redaction techniques.

John Landwehr
Security Solutions and Strategy
Adobe Systems Incorporated
