TL;DR: A black box over PDF text is an illusion - the text still exists in the file and anyone can access it in seconds. Only real redaction permanently deletes the data. If you shared a sensitive document with a black box over it, your information may already be exposed.
Black Box vs. Real Redaction: The Core Difference
A black box is just a drawing on top of the file
When you draw a black rectangle over a PDF - whether in an editing tool, an online service, or any other method - you are adding a drawing layer on top of the page. The text underneath is not deleted. It is not securely hidden. It exists exactly as it did before.
A PDF file is structured in layers: a content layer (the text, images, metadata) and a display layer (what you see on screen). A black rectangle adds an element to the display layer only. The text in the content layer remains completely intact.
Real redaction is deletion at the data level
Real redaction works entirely differently. It does not draw over text - it removes the text from inside the file. The data is eliminated and cannot be recovered. What remains is a true empty black box with nothing beneath it.
| Black Box | Real Redaction | |
|---|---|---|
| How it works | Draws on top of text | Deletes text from the file |
| Text still exists? | Yes, still in the file | No, permanently removed |
| Can be exposed? | Yes, easily | No |
| Ctrl+A test | Reveals the text | Nothing to reveal |
| Security level | Zero | Complete |
How Hidden Text Is Revealed in Seconds
This is simpler than you might think. Anyone who receives a document with a fake black box can expose the hidden text in three steps - no special tools required.
Method 1 - Select and copy:
- Open the PDF in any PDF reader
- Press Ctrl+A (select all)
- Press Ctrl+C (copy)
- Open Notepad and press Ctrl+V (paste)
- The text that was supposed to be hidden appears in full
Method 2 - Manual text selection:
- Open the PDF
- Drag your cursor over the blacked-out area
- Discover that the text is selected and can be copied
Method 3 - Examining file properties:
- Open the file in a document tool
- Inspect the document layers
- Hide the black rectangle layer
- See the complete original text
No expertise needed. No special software. Anyone can do it in under a minute.
Real-World Leaks Caused by Fake Redaction
Government and legal documents
Over the years, government agencies and law firms around the world have published documents they believed were properly redacted, but the hidden text was trivially accessible. Common scenarios include:
- Investigative documents - Filed with blacked-out names, locations, and sensitive details. Journalists extracted all the information within minutes using basic copy-paste.
- Court filings - Attorneys submitted documents with fake redactions covering classified or privileged information. The opposing side immediately accessed all of it.
- Healthcare reports - Medical records published with black boxes over personal data caused patient information to be exposed to anyone who downloaded the file.
The pattern that keeps repeating
In every case the pattern is the same: someone needs to publish a document, hides sensitive information with a black box because it looks right, and then someone discovers they can read everything.
The most common mistake: believing that if text is not visible, it does not exist. In a PDF file, what you see and what is stored in the file are two entirely separate things.
Three Realistic Scenarios That Caused Actual Damage
Scenario 1: A law firm in a commercial lawsuit
A law firm filed a statement of claim in district court. Inside the filing were "redactions" over witness names, bank account numbers, and transaction amounts considered confidential. Opposing counsel opened the PDF, selected all with one shortcut, and pasted into Notepad. Every piece of text that was supposed to be hidden was revealed within 30 seconds.
What went wrong: The lead attorney used a general editing tool that draws a black rectangle, not a dedicated redaction tool.
What should have happened: Use a real redaction tool. Run the Ctrl+A test before filing. Keep a clean version in the internal archive only.
Scenario 2: A medical report sent to an insurance company
A family doctor sent a medical report to an insurance company for a claim review. The report referenced other patients for medical comparison purposes, with names hidden behind black rectangles. The insurance company revealed the names, opened investigations against those patients, and one of them filed a complaint with the privacy authority.
What went wrong: The doctor assumed that because the black color covered the name visually, the name was deleted. In reality, the text remained completely intact in the file.
What should have happened: Real redaction of the names. Even better - removing any mention of other patients from the report before it ever leaves the office.
Scenario 3: An accountant and professional fees
An accountant transferred a client file to a colleague. Hidden under a black rectangle were the high fees a previous accountant had charged on the same engagement. The client received the file, saw the numbers in two clicks, requested a refund from the previous firm, and triggered a professional dispute between the two.
What went wrong: The black rectangle looked opaque on screen, but the text remained fully selectable.
What should have happened: Real deletion of the numbers from the document, or sending a summary version without the original financial figures.
The common thread: In all three scenarios, the responsible party believed they had performed a security action. In practice, they created an illusion of security - which is worse than doing nothing at all, because it provides false confidence.
The legal dimension
Privacy laws across most jurisdictions impose responsibility on anyone handling personal data. Sharing a document with a failed redaction that allows personal information to be exposed can be treated as a breach of data protection obligations. In serious cases, regulators are empowered to issue administrative fines, and individuals whose data was leaked may pursue civil damages without needing to prove specific harm. Law firms are also bound by professional ethics rules that require maintaining client confidentiality. A failed redaction is not just a technical mistake - it can be a breach of a legal duty. For a broader view of the security standards involved, see PDF Password Encryption Standards.
How to Verify Your Redaction Succeeded
Before sending any document with redactions, run these checks:
Test 1: The Ctrl+A test
- Open the redacted PDF
- Press Ctrl+A (select all)
- Watch the document - are the redacted areas highlighted?
- Press Ctrl+C then open Notepad and paste
- If the supposedly redacted text appears - the redaction failed
Test 2: Drag over the redacted area
- Click and hold directly over one of the redacted areas
- Drag slowly across the area
- If a blue text selection appears - the text still exists in the file
Test 3: Try multiple viewers
Open the file in a different browser and attempt to select text. If the text is accessible by any method, the redaction did not succeed.
What you should see after real redaction
- The cursor changes to an arrow (not a text cursor) when hovering over a redacted area
- Ctrl+A does not select anything in redacted areas
- No text can be copied from those areas
- The area displays as a solid, empty black box
How to Perform Real Redaction
Step 1: Use the right tool
To perform real redaction, you need a tool that actually removes data from inside the file - not one that draws on top of it. Go to the Kovetz redaction tool.
Step 2: Mark the areas to redact
Drag your cursor over the text you want to permanently remove. You can mark:
- Names and personal details
- ID numbers and account numbers
- Addresses and phone numbers
- Sensitive business information
- Any other text that must not be shared
Step 3: Apply the redaction
Click the redact button. The tool performs deletion at the data level inside the PDF file.
Step 4: Verify and confirm
After downloading the file, run the Ctrl+A test. If redaction succeeded, the text will not be selectable.
Step 5: Keep the versions separate
Make sure you send the redacted version - not the original. Save both versions with clear, distinct file names.
Pre-Sharing Checklist - 10 Steps
Before sending, uploading, or attaching a redacted document, run this list from start to finish:
- Open in a clean PDF reader - without browser extensions or add-ons that might distort rendering
- Ctrl+A across the full document - if anything is selected in supposedly redacted areas, the redaction failed
- Manual mouse drag over every redacted area - the cursor should change to an arrow, not a text caret
- Paste into Notepad - confirm that none of the supposedly hidden words appear
- Open in a different viewer - if it looks fine in a browser, try a desktop reader too, and vice versa
- Search (Ctrl+F) for words that should be removed - if the name or number appears in results, the text is still in the file
- Inspect metadata - author name, original file path, prior versions, and internal comments can expose what existed before the redaction
- Save the redacted version under a new filename - never overwrite the original; keep both files with distinct, clear names
- Confirm the correct file is attached - before sending an email, open the attachment and verify it is the redacted version
- Internal documentation - log who performed the redaction, when, and over what information - for future legal defense
This short checklist takes two minutes. It can save you from a lawsuit, a regulatory fine, or reputational damage that may cost hundreds of thousands.
Common Mistakes to Avoid
Mistake 1: "I colored it black - it is secure" Color is a drawing, not deletion. Always verify with Ctrl+A.
Mistake 2: "I exported from Word/Excel to PDF - redaction works differently" It does not. In all PDF types, a black box is only a drawing layer over existing data.
Mistake 3: "I printed and scanned it again - now it is safe" Printing and rescanning does convert the document to an image, which prevents direct text extraction, but it degrades document quality significantly and is not the professional solution.
Mistake 4: "I trust the recipient" Even if you trust the recipient, files can be forwarded, leaked, or accessed without authorization. Proper redaction removes the risk entirely.
Summary: What to Remember
- A black box is an illusion. The text exists in the file and is accessible to anyone.
- Real redaction is deletion. The data is permanently removed.
- Always test with Ctrl+A before sending any document.
- Use a professional tool that performs redaction at the data level — use the Kovetz redaction tool.
When it comes to legal, medical, financial, or any document with personal information - there is no room for error. The redaction must be real.
For additional protection before sending, consider also protecting the PDF with a password or cleaning hidden metadata. For privacy considerations around online PDF tools, see Are PDF Services Private?.
Related Guides
Want to redact info in a PDF now?
With full Hebrew support
Frequently Asked Questions
Does drawing a black rectangle over text in a PDF delete it?
No. A black rectangle is only a drawing layer placed on top of the document - the original text remains in the PDF file untouched. Anyone can reveal it by selecting all text with Ctrl+A, copying it, and pasting into a text editor. Only real redaction permanently removes the data from the file.
What is real PDF redaction?
Real redaction removes text from the PDF at the data level, not just visually. After proper redaction, the information no longer exists inside the file - it cannot be recovered by any means, even by opening the file in professional software or examining its raw structure.
How do I verify that my redaction worked?
Press Ctrl+A to select all text in the document. If you can copy and paste the text that was supposed to be redacted, the redaction failed. After real redaction, the blacked-out area is empty - no text can be selected from it and nothing appears when you paste.
What is the real danger of fake redaction?
Anyone who receives the document can expose the hidden text in seconds with no special tools. Government agencies, law firms, and public authorities have caused serious data breaches this way. When legal, medical, or financial documents are involved, the consequences can include lawsuits, regulatory fines, and severe reputational damage.
Are online redaction tools reliable?
It depends on the tool. You need to verify that the tool performs actual data deletion from the file, not just paints over the text. Kovetz (kovetz.co.il) performs real redaction that permanently removes data from the PDF file, not a visual overlay.
Is there a difference between scanned PDFs and regular PDFs for redaction?
Yes. A scanned PDF is an image, so a black box hides the image rather than text data. However, if OCR was performed on the scanned file, the recognized text layer may still be accessible even after drawing a black box. Real redaction handles both layers correctly.