← All posts

Flatten it first: what a PDF still gives away after you think you've hidden it

By: Atty. JJLL

Lawyers redact for a living. We black out a client’s address, a settlement figure, the name of a witness, and we send the file off believing the secret is gone. Most of the time we never find out otherwise. Occasionally someone does find out, and it makes the news.

The uncomfortable truth is that a PDF is not a picture of a page. It is a stack of separate instructions: draw this text here, place this image there, paint this rectangle on top. When you cover something with a black box, you are adding one more instruction to the stack. The thing underneath is still in the file, still selectable, still one copy-and-paste away. Flattening the page into a single image is one of the few reliable ways to make what you see actually be what you send.

The black box that wasn’t

This is not a theoretical risk. It is one of the most repeated embarrassments in modern document handling, and the victims are not careless amateurs.

  • Paul Manafort’s lawyers, 2019. A court filing made public on January 8 covered sensitive passages with black boxes. Reporters recovered the hidden text by selecting it and pasting it elsewhere, exposing that Manafort had shared 2016 campaign polling data with an associate tied to Russian intelligence.
  • The TSA screening manual, 2009. A roughly 93-page standard operating procedure for airport screening came to light that December with its redactions drawn as removable black overlays. The blacked-out portions were lifted out and the full manual reposted; five employees were placed on leave.
  • The New York Times and the NSA, 2014. A leaked intelligence slide was published with three overlay redactions. Highlight, copy, paste, and the underlying text reappeared, including the name of an agency analyst. The paper called it a production error and reposted a corrected version.

The pattern is so familiar that the American Bar Association has written up the genre under the heading “embarrassing redaction failures.” An audit of the federal courts’ PACER system years earlier had already turned up well over a thousand filings with Social Security numbers sitting under black rectangles.

Why covering is not deleting

Every one of these failures has the same cause. The black box is a visual layer painted over a text layer that was never removed. Because a PDF’s content stream is built by appending instructions, drawing a rectangle on top does nothing to the words drawn earlier. They stay in the file, indexed and searchable, exactly where they were. Proper redaction has to delete the content, not hide it. When a tool gets this wrong, the box is theatre.

Flattening attacks the problem from the other direction. It renders the page to a flat image and rebuilds the document from that image, so there is no separate text layer left for anyone to select, search, or peel back. There is nothing underneath the box anymore, because there is no longer an underneath.

It isn’t only the things you tried to hide

Redaction failures are the dramatic case. The quieter problem is the data you never thought about. In 2021, researchers at INRIA analyzed nearly 40,000 PDFs published by government security agencies across dozens of countries and recovered hidden information from more than three-quarters of them: author names, internal file paths, the software and operating system used, occasionally an email address. Strikingly, even among the few agencies that had clearly tried to scrub their files first, most still leaked something.

Some of this is the editing history itself. When you choose “Save” rather than “Save As” in many PDF editors, the program appends your changes to the end of the file instead of rewriting it, and the earlier version of the content can remain recoverable inside. The draft figure you talked your client down from, the comment you meant to delete: all potentially still there. To an attacker, the names and system details are reconnaissance, a free map of who and what to target. To a client, it is simply their business in someone else’s hands.

Your signature is a reusable image

There is one more reason this matters for anyone who signs documents. The image of your handwritten signature sitting inside a shared PDF is, to the right person, a reusable asset. Forensic document examiners routinely encounter “cut and paste” forgeries, where a genuine signature is lifted from one document and dropped onto another the signer never saw. The cleaner and higher-resolution the source, the easier the transplant.

This is the case that started us building. If you have to send a signed contract or a filled form, you usually do not need to hand over a crisp, extractable copy of your signature along with it. Flattening the document turns that signature back into ordinary pixels in a page image, with no clean object to lift. We added a tool that does exactly this in your browser: you can flatten a PDF without it ever leaving your device.

What flattening does not do

I would be doing the opposite of my job if I oversold it. Flattening is a sharp tool for one set of problems, not a magic wand, and it is worth being precise about the edges.

  • It does not, by itself, strip file-level metadata. Rasterizing the pages removes the text and overlay layers, but the document’s own properties (title, author, the producing application) live in a separate place. If that metadata matters, clear it as a separate step.
  • The words can be read again with OCR. A flattened page is an image of text, and optical character recognition can turn that image back into characters. Flattening defeats casual copy-paste and layer-peeling, which is what burns most people, but it is not encryption.
  • It breaks a real digital signature. A cryptographic PDF signature is a hash over the file’s bytes. Flattening rewrites those bytes, so the signature no longer verifies. If a document carries a digital signature that has to stay valid, do not flatten it. (And note the converse: research on the “Shadow Attack” showed a still-valid signature does not always guarantee the page you see is the page that was signed, which is its own reason not to over-trust a green checkmark.)

In short, flatten the things you are about to share by sight: signed contracts, redacted exhibits, anything where the picture on screen is the whole point and the layers underneath are only liability. Keep the editable original for yourself.

Beyond the file

Flattening protects the document. It does nothing for the path the document travels once you hit send, and that is a separate layer worth closing. Two habits cover most of it: a VPN to encrypt the connection you send and fetch files over, especially on networks you do not control, and a password manager so one leaked login cannot open everything else. The ones I use are NordVPN and NordPass; there is more on the reasoning on the privacy toolkit page. If you want the wider threat model, I wrote about how PDF tools get exploited and PDF privacy for lawyers.

These are affiliate links: if you sign up through them, QuietPDF may earn a commission at no extra cost to you. We only suggest tools that fit the same privacy-first habit as the rest of the site.

General information for people who handle sensitive documents, not legal advice or a security audit of any particular file or workflow. When a matter is high-stakes, verify your redaction and sanitization against your own tools before you rely on it.