Private Redaction

Guide · 6 min read

How to redact a PDF properly (and why most redactions fail)

Most "redactions" leave the underlying text intact and copyable. Here's what actually works, where Adobe's tool trips people up, and how to check a redaction really stuck.

Every few weeks, someone redacts a PDF wrong and it makes the news. Names buried under black bars that lift with a click. Account numbers any recipient can copy. Court filings where the "redacted" version turns out byte-for-byte identical to the original. The pattern is always the same: someone thought redaction meant covering the text up.

It doesn't. Redaction means removing the text. Covering it is just painting a black bar over a window — anyone can still look inside.

This guide covers what redaction actually has to do, why the common methods fail, where Adobe's tool catches people out, and how to verify a redaction actually worked.

What "redacted" should mean

A properly redacted PDF has four properties for every piece of redacted content:

  1. The text is not visible on the page.
  2. The text is not selectable, copy-pasteable, or searchable.
  3. The text is not retrievable from the file in any way — copy, paste, search, OCR, or reading the PDF's underlying object structure.
  4. The redacted zone is a permanent, flat marking — there's no "original" sitting underneath that someone could recover.

If any of those is false, the redaction didn't happen. You just dressed the text in black.

The three common approaches — and why two of them fail

Highlighter or marker tool

The colour changes, but the underlying text is untouched and still copy-pasteable. Open the file in any text-aware viewer, drag across the highlight, copy. Or OCR the rendered page and the "hidden" text comes straight back.

A "draw a black rectangle" shape

Same problem, same failure. The shape sits over the text; the text itself is unaffected. A surprising number of organisations have filed documents "redacted" exactly this way.

Adobe Acrobat Pro's Redact tool

Adobe's tool does the right thing mechanically — it genuinely removes the underlying content — but its workflow has tripped up even careful users. The classic mistake: you draw the redaction boxes, then hit Save before hitting Apply Redactions. Marking a redaction and actually removing the content are two separate steps, and if you save between them, the marks are saved but the text underneath may not be. The error is silent: no warning, and the file looks finished.

Other well-documented pitfalls: converting to "image only" can re-introduce a searchable text layer depending on the tool; a single search-and-redact pattern can miss format variants ((555) 555-1234 vs 555-555-1234); and cloud version history can retain an unredacted draft outside the file you send. Adobe works — if you're careful, every time, and if you verify. Most people aren't doing all three on a Friday afternoon.

What safe redaction workflows have in common

  1. The redaction happens on a device you control. Cloud processing means a copy of your document sits on a server you don't own — possibly logged, possibly retained.
  2. The tool removes the content, then confirms it's gone — rather than just telling you it's done.
  3. There's no separate "apply" step to forget. The action that marks a redaction and the action that removes the content are the same.
  4. You can check the result. The output is something you, or a recipient, can inspect and confirm.

Four checks to run before you trust the output

Anyone publishing redacted documents at scale — legal, journalism, compliance, healthcare — should make these routine. For personal documents, the copy-paste test alone catches the vast majority of mistakes.

When "trust us" isn't enough: private, verifiable processing

There's one gap the checks above don't close. Finding what's sensitive in a document is the part that usually needs AI — and AI usually means sending your text to someone else's servers. That's where privacy quietly breaks, and no amount of copy-paste testing tells you whether your document was read, logged or kept along the way.

Confidential computing addresses that. The sensitive step runs inside a sealed hardware enclave — for example an AMD SEV-SNP enclave, a region of a processor whose contents are invisible to the host operating system, the cloud provider, and even the tool's operator. The hardware can produce a signed attestation proving which code ran and that it genuinely ran inside a real, sealed enclave. If that attestation verifies, the privacy of that step is a cryptographic fact, not a promise.

This is the approach Private Redaction takes, and it splits the job across two places:

One honest distinction: this proves your document was handled privately — it does not, on its own, prove the redaction caught everything. Completeness is still on you, which is exactly why the four checks above matter whatever tool you use.

When this level of proof matters — and when it doesn't

Verifiable private processing is worth it when:

You don't need it when you're redacting your own documents for your own files and the worst case is redoing it later.

A practical workflow

Private Redaction is a free tool built this way: redaction runs in your browser, the AI detection runs in a verified private enclave, and the output is a PDF with the sensitive content genuinely removed. Upload a file, choose what to redact, download the result.

Takeaways