Secure Document Redaction for Journalists: Protecting Sources

This guide is educational. For high-risk source protection, work with an editor experienced in operational security and consider a formal threat model. Redaction is one layer of source protection, not the whole.

In June 2017, a 25-year-old NSA contractor named Reality Winner was arrested. The document she had printed and mailed to The Intercept - a classified report on Russian interference in the 2016 election - contained something she had not noticed: a pattern of nearly invisible yellow dots encoding the printer's serial number and the exact time of printing. The Intercept photographed the document and posted those images. The FBI decoded the dots within days.

She was sentenced to five years and three months in federal prison - the longest sentence ever handed to a US government employee for leaking classified information to a journalist.

Her case is not primarily a story about redaction. But it is a precise illustration of a problem every journalist working with sensitive documents faces: a file can carry evidence of its origin long after the text has been read. That evidence may not be visible.

Why cloud-based redaction cannot be used for source-sensitive documents

Most mainstream redaction tools upload your document to a remote server for processing. Adobe Acrobat's online tools, Redactable, and similar services all work this way. For routine commercial workflows this is a reasonable trade-off.

For documents that could expose a source, it is not.

The moment a leaked document or whistleblower submission leaves your device and travels to a third-party server, you have introduced a chain of custody outside your control. Server logs record IP addresses and timestamps. Cloud providers are subject to legal process - subpoenas, national security letters, Section 702 orders - in jurisdictions you cannot monitor. Even strong privacy policies are subordinate to applicable law.

The only architecture that genuinely eliminates server-side exposure is one where the file never leaves the device. RedactProof processes documents entirely in your browser. No file travels to any server. The standard detection engine runs locally. This is the architectural difference that matters for source protection.

What the cases actually show

The Reality Winner case is the clearest modern example of printer metadata exposure. Many office printers - Xerox DocuColor models and others - print Machine Identification Codes: tiny yellow dots, nearly invisible to the naked eye, encoding the printer serial number and the date and time of printing. Winner's document was printed on May 9, 2017, at 6:20 a.m. The NSA logs all print jobs. The combination identified her within a group of six people, then to her specifically.

This is not a government-specific risk. Any printer using this tracking system - and many consumer and office printers do - embeds this data by default.

Paul Manafort's attorneys, January 2019. Lawyers for the former Trump campaign chairman filed court documents in the Mueller investigation with redactions applied as black highlight overlays in Microsoft Word. A Guardian reporter discovered that copying and pasting the blacked-out text restored it in full. The exposed passages revealed polling data shared with a person the FBI believed to have Russian intelligence connections, and a Ukraine peace plan Manafort had previously denied discussing.

This is the overlay redaction failure at its most documented. Overlay places a visible element over text while leaving the underlying data intact. Pixel-burn converts the page to a flat image and permanently destroys the text layer. The difference is not cosmetic.

The Pentagon Papers, 1971. Daniel Ellsberg's disclosure of the classified Vietnam War history to the New York Times and Washington Post predates digital metadata. But Ellsberg was identified partly through photocopier usage logs at the RAND Corporation. The mechanism differs from modern metadata; the principle is identical: document handling leaves traces.

Modern digital documents extend this substantially. Word files contain author names, revision histories, and tracked changes that may persist even after acceptance. PDFs carry creating software, author fields, and sometimes hidden text layers from OCR. Image files carry EXIF data: GPS coordinates, camera model, device serial number, and timestamp.

Metadata: the record you cannot see

PDF metadata sits in the document's XMP and DocInfo dictionaries. Fields including Author, Creator, Producer, CreationDate, and ModDate are not visible when the document is opened normally but are fully recoverable. A government document may carry the creating user's Active Directory username, department, and software version.

Word documents (.docx) are ZIP archives containing XML. The core.xml file stores author, last-modified-by, creation date, and revision count. Tracked changes - accepted and no longer visible - remain in the XML until explicitly purged. Comments, including deleted comments, may persist. If a source annotated a document before providing it, those annotations can survive a naive PDF export.

EXIF data on photographs is a particular risk for photojournalists and for sources who photograph documents on phones rather than scanning them. iPhones and Android devices embed GPS coordinates by default unless location services are disabled for the camera app. A photograph of a document taken inside a specific building may contain the precise latitude and longitude. Camera model and serial number are typically recorded as well.

Stripping metadata requires deliberate action. Checking "Remove personal information from file properties on save" in Word does not remove all metadata. Converting to PDF via a print driver removes more but is not exhaustive. For source-sensitive documents, metadata removal should happen before the document is published or shared - and ideally before it is opened on a networked device.

RedactProof processes document content for PII detection and redaction. It does not strip all file-level metadata from arbitrary input formats - that is a separate step. Both steps are necessary.

What redaction can and cannot do

Redacting a document removes specified visible content. Pixel-burn redaction, done correctly with separate metadata removal, prevents redacted information from being recovered from the file.

It does not address several other exposure vectors.

Unique factual details present a related risk. A document describing an internal meeting or decision known only to a small group may identify its source by demonstrating access, regardless of whether any names are present.

Access logs: In most organizations, retrieving a restricted document is itself logged. A source may be identifiable from access logs even if the document reveals nothing about handling.

Network and device metadata are outside the scope of document redaction entirely. A source who accessed documents on a monitored corporate network, or communicated with a journalist on a managed device, has an exposure profile that document redaction does not address.

The Freedom of the Press Foundation and the Committee to Protect Journalists publish operational security guidance for journalists and sources that covers the full threat model. The Reporters Committee for Freedom of the Press covers the legal side. For high-stakes investigations, this guidance should be read before making contact with a source.

FOIA documents: checking before publication

When publishing documents obtained under federal FOIA or state public records laws, the redaction concern shifts. The disclosing agency has already processed the documents - but that processing may be incomplete.

Partial disclosures sometimes contain residual personal data that should have been removed: staff names, internal contact details, incidental personal information. Before publishing a government-released document, review it for information that could identify a private individual who has not consented to publication.

State shield laws vary significantly in the protection they provide to journalists who receive and publish leaked or disclosed documents. The Reporters Committee for Freedom of the Press maintains a state-by-state reporters' privilege compendium. Understanding your state's shield law before publication is not a substitute for operational security, but it is relevant to understanding legal exposure.

FOIA-released documents may also contain third-party data that is technically within scope of release but where publication still requires editorial judgment. An internal report naming junior employees in connection with a systemic failure may have been correctly released while still raising questions about whether those names serve public interest when published.

Working with leaked or whistleblower documents

The first handling matters. Opening a PDF on a standard computer does not transmit the file by itself - but saving to a cloud-synced folder uploads it. Sharing via standard email routes it through servers. Forwarding a photograph from a mobile phone may retain EXIF data.

Journalists working on investigations where source identity is a genuine risk are generally advised to use air-gapped devices for initial document review. Tails OS boots from USB and leaves no trace on the host machine. SecureDrop, developed by the Freedom of the Press Foundation, provides a complete system for receiving documents from sources anonymously.

These are operational security measures that sit upstream of redaction. Once the investigative work is complete and the decision is made to publish, the redaction workflow applies: identify what needs to be removed, apply pixel-burn redaction, strip metadata separately, and verify the output before it leaves the secure environment.

Verification before publication: after redacting a document, open the output in a second, different PDF viewer and attempt to select text in the redacted areas. Search the file for strings you know were removed - names, reference numbers, identifiers. If text is selectable or searchable in redacted areas, the method used was overlay, not pixel-burn. The document is not safe to publish.

Further reading

For a technical explanation of why overlay redaction fails and pixel-burn succeeds, see overlay vs pixel-burn redaction.

For the most common errors that lead to accidental exposure - missed PII, metadata leaks, format-specific risks - see common redaction mistakes.

For a practical step-by-step guide to redacting a PDF, see how to redact a PDF.