Why Solid Black Bars May Be Best For Redacted Text

In this insight, we look at how to best avoid redacted text from being ‘unredacted’ by certain software tools, and we look at what researchers advise based on recent experiments.

The Problem With Redacted Text

For businesses and organisations, the increased need for data sharing and/or making some data public can mean that certain (sensitive) parts of documents need to be obscured/obfuscated/censored for legal or security purposes (and to stop data leaks and fines). There are several different methods for achieving this in a document, including blurring, swirling, or pixelating letters and images. The issue is that some of these methods may not be effective enough and could potentially be recovered or de-obfuscated using specific tools and techniques, such as the Depix tool or the ‘Unredacter’ tool. A Python program like Depix, for example, is designed to recover censored text to a readable format via a simple command, and this type of tool in the wrong hands could potentially lead to a security breach.

Challenge Issued 

The challenge of testing the level of security of pixelated text is something that researchers have focused on for some time. For example, researchers at a company called Jumpsec tested the Depix tool to see if it could recover text that has been pixelated. The results broadly showed that:

– Using the supplied examples, text redaction with Depix was possible to a reasonable degree.

– Using original content (not the author’s supplied example), and after taking a long time, Depix failed to recover the obfuscated text.

It was concluded that the Depix tool poses minimal risk to security at present, as it requires specific criteria to be met to be effective. Still, there is a slight chance that users can depixelate images using the tool.

Jumpsec then issued (2021) an Internet challenge for someone to develop a tool that could effectively recover censored text to a readable format.

Bishop Fox Research on Redacted Text

Dan Petro, Lead Researcher, accepted the challenge at the US security company Bishop Fox. Mr Petro built his own ‘Unredacter’ tool and tested it in a similar way to the Depix tool.

Mr Petro noted that pixelation tools use an algorithm to divide an image into a grid of a given block size (e.g. 8×8) and, for each block, the redacted image’s colour is set to be equal to the average colour of the original for that same area. This “smears” the image information across each block, and although it can work, it has several problems. These include characters not lining up with the blocks and bleeding over, problems with white spacing, problems with variable-width fonts, and font inconsistency.

The ‘Unredacter’ Tool 

The ‘Unredacter’ tool, created by Bishop Fox researchers, however, solved many of the problems that the Depix tool had encountered and was able to recover the text in a test image to a reasonable degree.

The Conclusions 

The conclusions of both the Jumpsec Labs and the Bishop Fox text recovery tool experiments were the same. Both advise that, when covering redacted text, only use black bars surrounding the whole text. Never use other methods such as pixelisation, blurring, fuzzing, or swirling, and edit the text as an image. Bishop Fox’s Mr Petro also advises that using a black background with black text in a Word document means that the text can still be read, even by highlighting it. This means that it is not a secure method and could lead to the accidental disclosure of sensitive information due to an insecure redaction technique.

What Does This Mean For Your Business? 

There are now numerous ways a data security breach can occur. Although using an insecure redaction technique may seem less common, the result could be just as devastating as other, more popular types of breaches. The lessons for businesses resulting from this research are that software may be used to uncover redacted text and that relying on fast methods, such as using a black background with black text, is ineffective and very risky. The research indicates that businesses can best protect themselves from this threat by editing the text as an image and using only black bars to cover the entire text.

If you’re looking for Managed IT Services, VoIP Phone Systems or looking to integrate AI into your business, contact us today.