hoakley December 11, 2020 General, Language, Macs, Technology

How effective and safe is Preview’s redaction tool?

I hadn’t noticed it before Big Sur, but Apple’s bundled Preview app can now redact PDF documents. This article looks at how thorough that is, and whether you can rely on it removing all access to sensitive content in your PDFs.

The PDF format was never designed for tasks such as redaction of content. A typical PDF document consists of dozens or even thousands of objects containing snippets of text, each normally compressed and assembled in a complex tree. Not only that, but they often contain objects from previous edits, some of which may still contain text which is invisible to the user. Ensuring that all those objects have been properly redacted, and none leaks anything that could cause trouble, is an almost impossible task.

In short, no one should ever choose to develop a redaction tool for PDFs, as it’s a course to almost inevitable failure. And any user whose sensitive content has been left accessible in a redacted PDF will never forgive you.

How does it work?

Preview’s Redact tool is simple to use. Open the document you want to redact, select the Redact command in the Tools menu, and outline the text and graphics which you wish to redact. If you just want to select text, you can use the text selection cursor; otherwise draw a box around the area and it will turn black. Once you’ve finished, visit the Tools menu and uncheck the command before you wipe anything else out: this isn’t a single-shot command, but a tool state.

When you first select the command, unless you’ve already disabled it, you’ll be warned that what you’re about to redact will be removed permanently.

previewredact1

Once text has been selected for redaction, it’s shown in black overprint with Xes, which is reassuring.

previewredact2

More troubling, perhaps, is that when you place the pointer over the area of redaction, you can still see the text which has been “removed permanently”.

previewredact3

Save the file, though, and when it’s opened it does appear to have been fully redacted apart from a few fragments of letters at the right edge.

previewredact4

Does it work?

However, my redaction test file contains a secret: the visible text actually extends further to the right, off the edge of the page. That invisible text is easily recovered from the PDF using Adobe Acrobat CC. So has Preview removed that, or was it too fooled into leaving what it couldn’t see on the page?

When examined in Acrobat’s Sanitize tool, it was able to recover the visible fragments of letters, and the whole of the hidden text.

previewredact5

Preview’s redaction tool actually does appear to do quite a good job, as far as it can see text in a PDF document. The visible letter fragments are a bit worrying, but its inability to redact the invisible text casts doubt on its use for anything in the slightest bit serious.

I have written this before and will repeat it here: no redaction tool can be worth using unless the same app can scavenge PDFs for hidden content in the way that Acrobat’s Sanitize tool does. Redact is only part of the solution – sanitize is the more difficult and more essential companion. For the moment, Adobe Acrobat CC remains the only tool capable of reliable redaction of PDFs, and even there I have my doubts.

15Comments

Add yours

1

p33t3r on December 11, 2020 at 7:50 am

Just being curious, what would happen if you print the redacted document to pdf, using MacOS’s built-in Print to pdf function? Will that print and make a new pdf without the redacted material or will it still be there?

LikeLiked by 1 person
- 2
  
  hoakley on December 11, 2020 at 8:53 am
  
  What should happen is the X-and-black redacted area appears in the ‘printed’ PDF just as displayed on screen, but the redacted content isn’t visible or in the PDF. I will check shortly how that affects the hidden text in my test file: I suspect that will remain unaffected, but will confirm that later today.
  You can also check this using my free tool Podofyllin, which lets you look inside at the source code of the PDF, although it doesn’t (yet) decompress objects to reveal their contents.
  Howard.
  
  LikeLike
- 3
  
  hoakley on December 11, 2020 at 9:34 am
  
  I can now confirm that neither printing to PDF nor exporting as PDF from Preview affect the redaction at all. The resulting PDF looks fully redacted, and the text ‘under’ the redacted area has been removed. However, the residual visible text fragments and the hidden text remain unaltered.
  So what you get and see is exactly what you see in the redacted version: the text under the redaction is correctly removed, but any that you couldn’t see in the first place remains.
  This re-emphasises the need for a Sanitize feature to reveal all hidden text.
  Howard.
  
  LikeLike
4

Joss on December 11, 2020 at 11:25 am

After redaction, you can send your PDFs to the mat2 program, imho the best tool to completely remove any text, layers, metadata etc. However, PDF file sizes tend to get pretty big when using mat2 in paranoid mode.

LikeLiked by 1 person
- 5
  
  hoakley on December 11, 2020 at 1:30 pm
  
  Thank you.
  I’ve looked back at mat2 again, and I can’t see that it does anything outside the metadata. So the sort of problem in my test PDF here would pass unnoticed. The only tool that I know of which can address that is Adobe’s full pro version of Acrobat CC.
  Howard.
  
  LikeLike
  - 6
    
    Joss on December 11, 2020 at 4:01 pm
    
    After your comment, I tested mat2 again, and I used a PDF with metadata, embedded fonts and a text layer (265 kB), and mat2 turned it into a flat PDF, no metadata, no fonts, no text layer (1.5 MB). So it does a *lot* more than just metadata removal. But you have to run mat2 without any arguments. When you run `mat2 -L foo`, it will ensure a smaller filesize (via *actual* metadata removal), but it will retain embedded images, font, text layers etc. But even with the `-L` argument, mat2 is (to my knowledge) the only tool that will remove metadata for real, i.e. unrecoverable. Many PDF metadata removal tools just play tricks: if you use the macOS Quartz Engine, it will just write different metadata; if you use exiftool, the metadata will be left in a recoverable state, which could even increase the PDF size slightly; if you use qpdf, it allegedly removes even this latent/recoverable metadata, but might leave it in, if that metadata is referenced somewhere else in the PDF. But mat2 will wipe it all, and without the `-L` argument nothing that was ever added or embedded should be left, incl. text layers. But maybe your test pdf with the hidden text layer is somehow tricking mat2? (Can’t say.)
    
    LikeLiked by 1 person
    - 7
      
      hoakley on December 11, 2020 at 9:25 pm
      
      Thank you. That’s strange, because all I see about mat2 refers constantly to metadata removal, not changing of content. How does it know which text to remove, then? As far as I’m aware, there are no layers inherent in the structure of objects within a PDF file. Arbitrarily stripping objects containing text will damage many documents, particularly those which are likely to need redaction. And trying to do this in a command tool seems utterly crazy. Or am I misunderstanding something?
      Howard.
      
      LikeLike
  - 8
    
    Joss on December 12, 2020 at 8:37 pm
    
    Yes, that’s why you should redact and sanitize first in Acrobat, because that’s way easier to do when you can still select text passages (because there’s still a plaintext layer present in the PDF), then save & push the redacted PDF through mat2. Afaik mat2 will remove all text layers and embedded content (because e.g. embedded images can have metadata of their own), and instead re-render the PDF as images strung together in PDF format, including any font functionality (select, modify, replace etc.), in the same manner as the PDFs you get from a raw scan (without OCR), minus the metadata, of course. (So if there’s a secret text layer without any visible representation, mat2 should just remove that, and should only re-render & output the visible contents.) That’s why PDFs processed by mat2 in “paranoid mode” tend to become so large, huge even, e.g. 3.5 MB becomes 90 MB etc. Afaik, the only thing mat2 can’t remove (yet) are these microdots to identify originating printers… but there are other tools for that.
    
    LikeLiked by 1 person
    - 9
      
      hoakley on December 12, 2020 at 10:07 pm
      
      Thanks, Joss.
      Ah – I understand now that you’re referring to OCRed scans, which do effectively have separable image and text layers.
      First, although they form some of the most sensitive of the documents to be redacted (e.g. legal papers), there are far more regular PDFs being produced, and they need to be redacted too.
      One major problem with stripping out the OCRed layer is that it makes the PDF unsearchable. For long legal documents that’s a disaster, so most users then have to re-OCR it before it’s usable. Using paper is probably quicker and simpler.
      While Preview could probably redact such PDFs, that isn’t its main intent. Besides, if you’ve performed OCR on scanned images, that’s the app in which you’re most likely to perform redaction, which will generally be Acrobat.
      That means that mat2 does precious little for those of us who might need to redact conventional (non-scanned) PDFs. We’re still stuck with Adobe’s software-on-rental, and using its sanitize feature.
      Howard.
      
      LikeLike
10

Kurt J. Meyer on December 11, 2020 at 11:59 am

I tested redacting in Preview as well as in PDFpen Pro.
PDFpen Pro has two methods of redacting: Block and Erase.
My result: Podofyllin is not able to show any of the three redacted text passages.
I am wondering if Adobe’s tools are able to display any residuals of PDFpen Pro’s blocked or erased text.

LikeLiked by 1 person
- 11
  
  hoakley on December 11, 2020 at 1:35 pm
  
  Thank you.
  It has been a while since I last looked at PDFPen Pro, but I have a whole page full of articles about PDF and its issues, including assessments of redaction. Although Podofyllin does give some indication of the effectiveness of redaction, only Acrobat CC can actually discover things like hidden text content which has been missed. So any app which claims to redact must also provide a facility equivalent in power to Acrobat’s, or you’ll only have to keep checking its work using Acrobat, which is rather pointless.
  Howard.
  
  LikeLike
12

MH on March 1, 2021 at 3:18 pm

Redacting in Preview makes the file 3X the original size. Not really a useful tool.

LikeLiked by 1 person
- 13
  
  hoakley on March 1, 2021 at 11:39 pm
  
  Thank you. Yes, you may well need to recompress the PDF afterwords. This does vary depending on how much is changed, of course.
  Howard.
  
  LikeLike
14

VW on April 20, 2021 at 12:06 pm

I found that after redacting parts of a document in Preview, adobe cannot display that document anymore (it just shows the title). That makes it unusable for me because I cannot assume that everybody I’d send the PDF to has access to preview :(. Is that a general issue or just a problem with my file?
And unfortunately, I don’t have access to Adobe Pro, otherwise I would use that to redact.
Cheers

LikeLiked by 1 person
- 15
  
  hoakley on April 20, 2021 at 10:56 pm
  
  Thank you.
  I’m not surprised. I’m afraid the PDF ‘standard’ so often results in that sort of problem. Good redaction is also available in PDF Expert and PDFPenPro. Sadly, neither is free, but they’re good apps by independent Mac developers.
  Howard.
  
  LikeLike