The Redaction That Wasn't: Twenty Years of the Same Mistake

|7 min read
The Lex Cloak workspace scanning a sample patient intake form — matches grouped by category in the sidebar, every sensitive field outlined in red on the page

A black rectangle over text is a costume, not a shredder. That one misunderstanding has leaked national-security names, campaign secrets, and confidential medical and corporate data — over and over, for two decades.

In April 2005, the U.S. military released its report on the death of Nicola Calipari, an Italian intelligence officer shot at a Baghdad checkpoint. The sensitive parts were hidden under neat black bars. Within hours, readers had the “hidden” text on their screens — because all you had to do was select it, copy it, and paste it somewhere else. Out came the names of the soldiers at the checkpoint, their units, and the procedures they followed.1

The black bars looked like redaction. They weren’t. The text underneath was never removed — just covered.

Here’s the uncomfortable part: that was twenty years ago, and it is still happening. Not because the technology is hard, but because the mistake is so easy to make and so invisible until it’s too late.

The same failure, again and again

Once you know the pattern, you start seeing it everywhere.

  • 2009 — the TSA. The Transportation Security Administration posted its airport screening operations manual online as a PDF, with sensitive sections blacked out. The black boxes came off with a copy-paste, exposing screening procedures and tolerances and triggering a congressional inquiry.2
  • 2019 — Paul Manafort. This one is almost hard to believe: it was Manafort’s own defense lawyers who filed a court document whose redactions could be defeated by copy-paste. The recovered text revealed that Manafort had shared 2016 campaign polling data with an associate the FBI has linked to Russian intelligence. The filing was pulled from public access — but not before reporters had it.3
  • 2021 — the Giuliani investigation. A filing by a lawyer for Lev Parnas hid its sensitive passages behind black boxes. CNN recovered the text itself, by copy-paste, and reported that federal prosecutors’ seizure in the Giuliani probe was broader than previously known.4
  • 2024 — TikTok. Kentucky’s Attorney General filed a roughly 119-page complaint against TikTok. The internal company material under the black boxes wasn’t removed, and Kentucky Public Radio lifted more than thirty pages of it out by copy-paste — including an executive’s own words about the app’s effect on kids, and an internal finding that a habit can form after as few as 260 videos. A judge later sealed the full complaint. Too late.5
  • 2025 — Meta. During the FTC’s antitrust trial, Meta’s court filings carried redactions over other companies’ confidential data — and they were trivially removable. Out came material reported to include Apple’s internal iMessage metrics and Snap’s assessment of the TikTok threat. Lawyers for Apple and Snap called it “egregious,” and Apple signaled it might think twice before trusting Meta with its data again.6
  • 2025 — the Epstein files. When the Justice Department released its Epstein documents, some of the redactions could be undone — you guessed it — with a simple copy and paste. As CNN pointed out, Adobe shipped tools that remove the underlying text properly back in 2006. The crude method persists anyway.7

Calipari. TSA. Manafort. Parnas. TikTok. Meta. Epstein. Different decades, different stakes, one identical root cause: someone drew a black shape over live text instead of removing the text.

A note on the Epstein files

Because the internet ran wild with them: the reversible-redaction mechanism is confirmed by major outlets. Claims about what specific documents “really said” that circulated on social media are a different thing — treat those with skepticism.

Why a black box doesn’t work

A PDF isn’t a photograph of a page. Underneath what you see is a structured document — the actual text, plus a layer of information about the document. When you drag a black rectangle over a paragraph, you’ve added a shape on top of that structure. The paragraph is still there, in full, waiting. Anyone can:

  • select and copy the “hidden” text and paste it into a document, or
  • run the file through a free PDF-to-text converter, which ignores the black shape entirely and dumps out everything underneath.

The same is true of highlighting text in black, or setting the text color to match a black background. It looks solid on screen. It is a curtain, not a wall.

This isn’t a fringe insight. Back in 2005, the National Security Agency published a guide — Redacting with Confidence — whose entire purpose was to warn government staff not to do exactly this. Its top-listed mistakes: covering text with black rectangles, and highlighting text in black. Neither removes anything.8

The two quieter leaks

Even people who redact the visible text correctly get caught by two things they didn’t think to look at.

Metadata. A document carries hidden information: who authored it, tracked changes and comments, earlier drafts, and — for embedded photos — even the GPS coordinates where the picture was taken. The NSA guide is blunt that converting a Word file to PDF does not strip this automatically, and that metadata is “often as sensitive as the document itself.”8 You can black out every name on the page and still ship the client’s identity in the file’s properties.

The wrong version. The most human failure of all: attaching the marked-up copy instead of the clean one, or the redline instead of the redacted. It happens in family law, in personal-injury demand packages, in medical records — anywhere someone is racing a deadline with two nearly-identical files open. The mechanism that exposes a Social Security number in a court filing is the same one that exposes a diagnosis, a medical record number, or an insurance ID in a health file. The stakes just get quieter and more personal.

What actual redaction does

Real redaction doesn’t cover the text. It removes it from the document — deletes the underlying content so there’s nothing left to copy, paste, or extract — and it cleans the metadata too. That’s the standard the NSA guide describes, and it’s the standard every one of the failures above missed.

There’s a manual workaround people reach for: “flattening” the file, or printing it to a fresh PDF, which turns the page into a flat image with nothing selectable underneath. It works, but it can destroy the searchable text you may need, and it’s slow and easy to get wrong across hundreds of pages. (See why most PDF redaction quietly fails for the mechanics.)

The ten-second test

Before a redacted file leaves your hands, open it, try to select the text you hid, and copy-paste it somewhere. Run it through a free PDF-to-text tool. If anything comes back, the redaction didn’t take. If you’re seeing this test for the first time, do it on the last thing you sent out. It’s the single cheapest habit in this whole field.

Where Lex Cloak comes in

We built Lex Cloak because “black box over live text” should not still be a career-ending mistake in 2026. Lex Cloak removes the underlying text and image content rather than covering it, and strips the document metadata along with it — so there’s nothing left underneath to recover. It runs entirely on your computer: your files are never uploaded to a cloud, never sent to an AI service, never leave your machine. For people who handle privileged legal files or protected health information, that isn’t a nice-to-have — it’s the whole point.

It’s built for the real job, too: OCR so you can redact scanned documents, batch processing for the hundred-page discovery dump, and a workflow that lets you confirm the text is actually gone before you hit send. You shouldn’t have to hold your breath every time you apply a redaction.

Sources

  1. NBC News, “Data leak highlights common mistake” (2005). nbcnews.com
  2. Washington Technology, “In wake of TSA breach, a refresher on redacting PDFs” (Dec 2009). washingtontechnology.com
  3. NPR, “Manafort Allegedly Shared 2016 Polling Data With Associate Linked to Russian Intelligence” (Jan 8, 2019). npr.org
  4. CNN Politics, “Giuliani investigation redactions” (May 25, 2021). cnn.com
  5. NPR, “TikTok redacted documents in teen-safety lawsuit revealed” (Oct 11, 2024). npr.org
  6. The National, “Meta trial: giant inadvertently sends reporters sensitive information” (Apr 16, 2025, citing The Verge). thenationalnews.com
  7. CNN, “‘Redact’ resurfaces with the Epstein files” (Dec 31, 2025). cnn.com
  8. NSA, Redacting with Confidence: How to Safely Publish Sanitized Reports Converted from Word to PDF (report I333-015R-2005). sgp.fas.org