Use Tools Free →
🛡️ Security

How to Redact a PDF Properly (and Why "Black Box" Redaction Isn't Enough)

Drawing a black rectangle over a sentence looks like redaction. In a lot of PDF tools, it isn't — the text is still there, just covered up, and it takes nothing more than a copy-paste to get it back. This has happened in real, publicly reported court filings.

The core problem: a black box drawn on top of a PDF page is often just another shape layered over the content — the original text objects remain untouched underneath in the page's data. Real redaction means deleting that underlying content, not covering it.

This isn't hypothetical — it's happened in public court filings

2019 — Paul Manafort court filing: Lawyers for Paul Manafort filed a document in the Mueller investigation with black-box redactions over sensitive passages. The underlying text hadn't actually been removed, and once extracted, it revealed new details about Manafort's contact with a Russia-linked associate — information the redaction was specifically meant to hide.

More recent filings: Similar failures have continued to surface in government and court documents in subsequent years — cases where "redacted" PDFs still contained fully recoverable text, discovered simply by copying the document into a word processor. The failure mode is the same each time: the visual cover was applied without deleting the content underneath.

Why this keeps happening, technically

A PDF page isn't a flat image (unless it's a scan) — it's a set of positioned objects: text, in specific fonts and coordinates, plus images, lines, and shapes, all layered in a content stream. When a tool "redacts" by drawing a black rectangle, it's frequently just adding one more shape object on top of the existing ones. The text objects underneath are untouched — still present, still findable by a search function, still selectable and copyable, and still extractable by any script that reads the PDF's content stream directly.

This is different from a printed document, where covering text with a marker or a paper cutout physically removes access to it. A PDF's "cover" can be trivially bypassed by anyone who knows to try — select the area with a cursor, hit copy, and paste into a text editor. No special tools required.

There's a second, related failure mode: even when the visible text is genuinely gone, other artifacts can survive — thumbnail previews generated before redaction, embedded comments or tracked-change history, or metadata fields (author, edit history, previous file names) that were never part of the visible page at all.

What proper redaction actually requires

A tool that redacts correctly needs to do two distinct things:

  1. Locate the target content — search the actual text layer of the document for the phrase or pattern to redact, not just visually mark a region.
  2. Delete it from the content stream, then draw the visual mark — remove the underlying text (and any image content in that area) from the page data entirely, so nothing remains to select, search, or extract, and only then apply the black box as a visual indicator of what was removed.

SecurePDFSuite's redact tool works this way: it searches the document for the phrases you specify, marks each match using PDF redaction annotations, and then applies those annotations — which removes the underlying text and image content within that area from the page itself, not just paints over it. Because this runs locally in your browser, the document (and whatever you're redacting from it) never leaves your device during the process either.

One honest limitation worth naming: removing visible text and scrubbing hidden metadata are two separate jobs. Deleting a sentence from the page doesn't automatically strip the document's author field, embedded revision history, or other metadata — if that matters for your document, check and clear metadata as its own step, using your PDF tool's document-properties view.

How to verify a PDF was actually redacted

The bottom line

A black box is a visual signal, not a security control, unless the tool behind it actually deletes the underlying content. Before sharing or filing anything you've redacted — a legal document, a leaked-data response, an HR file — take the thirty seconds to try selecting and searching the "hidden" text yourself. If you can retrieve it, so can anyone else who receives the file.

Frequently Asked Questions

Why doesn't a black box actually redact text in a PDF?
Because a black rectangle drawn over text in many tools is just another visual object placed on top of the page — the original text objects remain in the PDF's underlying content stream. Anyone can select, search, or copy-paste that text out from under the box, or extract it programmatically, because it was never actually deleted.
Has this actually caused real leaks?
Yes, repeatedly, in high-profile cases. A 2019 Paul Manafort court filing in the Mueller investigation used black-box redactions that left the underlying text intact, revealing details about his contacts with a Russian associate. Similar failures have recovered supposedly-redacted government and court filings in more recent years by simply copy-pasting the "redacted" text elsewhere.
How do I know if a PDF was redacted properly?
Try to select the text under the black box with your cursor and copy it elsewhere, or search the document for the redacted word using Ctrl/Cmd+F. If either works, the underlying content wasn't removed. Proper redaction tools delete the text and image content from the page itself, not just draw over it, so there's nothing left to select or search.
Does removing the visible text also remove hidden metadata?
Not automatically. Redacting visible text and scrubbing metadata (author, edit history, embedded comments, previous versions) are two separate steps. A properly redacted document can still carry identifying metadata unless it's checked and cleared separately.

Try SecurePDFSuite's Secure Redact — nothing to upload, nothing to install

Redact a PDF →