Home Blog Redaction vs Metadata Removal

Redaction vs Metadata Removal

Two different operations. Two different risks. Most people only do one — and silently expose the other.

📅 May 2026 ⏱ 9 min read ✍️ FileIntel

In 2021, the New York Police Department filed a civil case and accidentally included a redacted court document — redacted by drawing black rectangles over text in Microsoft Word, then converting to PDF. The text underneath was still selectable. Journalists extracted it in seconds. The department had assumed redaction meant the information was gone. It wasn't.

That's the gap this article is about. Redaction and metadata removal are both "privacy operations" on a document, but they target completely different layers of the same file. Confusing them — or doing only one — is how sensitive information leaks even from documents that look cleaned up.

What redaction actually does

Redaction removes or obscures visible content in a document. Names, account numbers, addresses, signatures, dates of birth — anything you can read on the page. Done correctly, the underlying text or image data is permanently destroyed, not just hidden.

That last part matters. There are two very different things people call "redaction":

1

Black box redaction (dangerous)

A rectangle drawn on top of text. The text is still in the file — it's just covered. Copy-paste, text extraction tools, or some PDF readers can recover it instantly.

2

True redaction (safe)

The underlying text or image data is permanently deleted from the file structure. Nothing can recover it because it no longer exists in the document.

FileIntel's PDF Redactor uses the second approach — pdf-lib draws the redaction rectangle and then removes the underlying content from the page stream, not just covers it.

⚠ Warning

Adobe Acrobat's "black highlight" tool does not redact. It draws a black box on top. The text remains. Only Acrobat's dedicated Redact tool (under Tools → Redact) permanently removes content. Many people use the wrong one.

What metadata removal actually does

Metadata removal strips the hidden data layer embedded in the file itself. This has nothing to do with what you see on the page. A fully blank document still has metadata. A heavily redacted document still has metadata.

PDF metadata fields include:

Field What it contains Risk if exposed
Author Full name of the person who created the file High
Creator Software used to create it (Word, InDesign, etc.) Medium
Manager Manager name from Office org chart data High
Company Organisation name from Office profile Medium
ModDate Last modification timestamp Low
Producer PDF conversion tool (can reveal internal software stack) Medium
Keywords Internal classification tags added by author High

Beyond the standard Info dictionary, PDFs also carry an XMP stream — an XML block that can contain an extended version of all these fields, plus revision history, embedded thumbnail images, and in some cases comment data. Stripping the Info dictionary but leaving the XMP stream intact is a common partial-cleaning mistake.

FileIntel's PDF Metadata Remover handles all three layers: Info dictionary setters, direct dictionary deletion, and XMP stream removal. See our guide to what PDF metadata actually is for the full breakdown.

Strip metadata from your PDF now

No upload. No account. Runs entirely in your browser.

Open tool →

The actual difference, clearly

Here's the simplest way to frame it:

Key distinction

Redaction protects what's on the page. Metadata removal protects what's about the file. They operate on different layers and neither one covers the other.

A document can be perfectly redacted — no visible sensitive content — and still leak the author's full name, their manager, their company, the internal software used, and when the file was last edited. That's an intelligence profile built entirely from metadata, with zero content visible.

Conversely, a document with clean metadata can still contain visible personal data that was missed in redaction review. Both operations are necessary. They're not alternatives to each other.

When you need both — and when you need just one

Scenario Redaction needed? Metadata removal needed?
Legal filing with client names Yes Yes
FOIA response with exempt sections Yes Yes
Report sent to external client (no sensitive content) No Yes — author/company data still present
Internal document shared between departments Maybe Unlikely unless crossing org boundaries
Press release or public statement No Yes — internal author names often irrelevant
Employment records shared with third parties Yes Yes
Contract sent to counterparty Probably not Yes — drafter's identity may be confidential

How to sanitize a PDF completely

The correct order matters. Always redact first, then strip metadata. If you strip metadata first and then open the document again in Word or Acrobat to add redaction marks, the software will write a fresh set of metadata — including your name and timestamp — when you save.

1

Review the document for visible sensitive content

Names, addresses, signatures, account numbers, dates of birth, medical details, legal references you want excluded.

2

Apply true redaction — not black boxes

Use a tool that deletes the underlying content from the page stream. FileIntel's PDF Redactor, Adobe's Redact tool, or the exiftool + qpdf command-line approach for technical users.

3

Strip metadata from the redacted file

Run the output through a metadata remover. Don't reopen the file in authoring software between steps — that re-stamps metadata.

4

Verify both operations

Try to select and copy text from redacted areas. Open metadata properties — Author, Creator, Manager, Keywords should all be empty. Check for an XMP stream if you have access to a hex editor or ExifTool.

Checking with ExifTool (command line)

If you want to verify metadata removal programmatically before distributing a document:

# Install ExifTool, then inspect a file
$ exiftool your-document.pdf

# Fields to check — all should be empty or absent:
Author : [should be blank]
Creator : [should be blank]
Manager : [should be blank]
Keywords : [should be blank]

# Strip everything in one command if needed:
$ exiftool -all= your-document.pdf

Compliance implications

Under GDPR Article 4(1), personal data means any information relating to an identified or identifiable natural person. An author's full name in a PDF metadata field is personal data. Sharing that document without stripping the field may constitute a personal data transfer without a lawful basis — particularly if the recipient is in a different organisation or jurisdiction.

The ICO's guidance on privacy by design explicitly calls out unnecessary data minimisation failures — sharing more personal data than required for the purpose. Metadata that serves no function in the distributed document should be removed before distribution. That applies to legal filings, procurement documents, correspondence, and HR records alike.

See our full GDPR and PDF metadata guide for the regulatory breakdown in detail.

Real case

In 2003, the UK government published a dossier on Iraq's weapons capabilities as a PDF. Metadata revealed it had been edited by a Number 10 communications official — and showed the document had been copied from an academic paper without attribution. The metadata told a story the visible document didn't. It became a significant political incident.

Remove metadata before you share

Free, private, instant. Nothing leaves your device.

Open PDF Metadata Remover →

Frequently asked

Redaction removes visible content from the page — names, numbers, images drawn over with black boxes. Metadata removal strips the hidden data embedded in the file itself: who created it, when, on what software, and revision history. They target completely separate layers. Neither one does the other's job.
No. Redaction only affects the visible content layer. The metadata — Author, Creator, modification timestamps, Keywords — stays intact regardless of how much content you redact. You need a separate metadata removal step after redaction.
Not from standard metadata fields, no. But if redaction was applied incorrectly — a black rectangle drawn on top of text rather than true redaction — the underlying text can be extracted via copy-paste or a text extraction tool. That's a redaction failure, not a metadata issue. They're separate problems.
Any time you share a document externally and it contains sensitive visible content. Legal filings, FOIA responses, employment records, client reports with confidential sections — all need both. If the document has no sensitive visible content but you still don't want your author name and internal tags exposed, you need metadata removal only.
The text under the black box remains in the file. Anyone who selects the area and copies, or runs the PDF through a text extraction tool, can read the "redacted" content. This has caused documented legal, political, and national security incidents. Always use a tool that permanently removes underlying text — not one that covers it.
GDPR Article 4(1) defines personal data as anything that identifies or can identify a natural person. An author's full name in a metadata field qualifies. The data minimisation principle (Article 5(1)(c)) requires that personal data be "adequate, relevant and limited to what is necessary." Metadata that serves no purpose in the distributed document should be stripped. Failing to do so may be a compliance issue depending on context.