Do not lift this cover

Having accidentally sent a journalist an ineptly redacted document, the Public Health Agency of Canada is - quite rightly - roasting uncomfortably in the glare of the media spotlight today:

"Raphael Satter, an Associated Press correspondent in Paris, was dumbfounded when he received files from the Public Health Agency of Canada that were censored using only Scotch tape and paper ... He was able to see the redacted confidential information simply by peeling back the paper."

There are at least 11 information risks or types of incident associated with redaction:

1. Making bad decisions about the data to be redacted, the technical methods or process to be used and/or the suitability (primarily competency and diligence) of those tasked to do it;
2. Failing to identify correctly all the sensitive data that must be redacted (both the individual data items and the files);
3. Failing to render the redacted data totally unrecoverable, for example:
• Using inappropriate or ineffective technical methods for redaction, such as crudely modifying rather than permanently deleting the sensitive data using methods that can be completely or partially reversed (for example simply reformatting or overlaying redacted text to appear invisible, or applying readily-reversed mechanistic transformations or tokenization of textual identifiers);
• Accidentally leaving one or more copies of the sensitive data completely or partially unredacted (perhaps releasing multiple, independently and differently redacted versions of a sensitive document, enabling it to be reconstructed directly or by inference);
• Partially deleting the sensitive data, leaving data remnants or sufficient information (such as the editing journal or cached copies) enabling the data to be restored from the redacted file;
• Relying excessively on pixellation, blurring or similar methods of obfuscation to obscure parts of images (typically for personal privacy reasons), whereas deconvolution and other more or less advanced image manipulation/transformation techniques may restore enough of the original image to permit recognition;
• Neglecting to redact sensitive metadata (e.g. in document properties or reviewer comments, GPS data on digital images, or alternate data streams);
4. Failing to distinguish all redacted from non-redacted data, consistently and accurately, such that recipients know unambiguously which parts are no longer original;
5. Excessive or inappropriate redaction, removing more than just the specific sensitive items that were supposed to have been redacted or doing so clumsily (which raises the prospect of having to justify redaction decisions and activities to a trustworthy intermediary or authority);
6. Inappropriately or inadvertently altering the meaning of the remaining data as a result of contextual issues (e.g. deleting selected data records may invalidate statistical analysis of the remainder), or by causing collateral damage to the file structure (such as file integrity issues and inappropriate formatting changes) during the redaction process;
7. Leaving sufficient data in the file to enable recipients to infer sensitive information, perhaps in conjunction with other available information sources (e.g. replacing people’s names with anonymous labels in a redacted file but separately disclosing the relationship between labels and names; disclosing anonymous statistical data on known small populations; disclosing the number of characters redacted, and perhaps even giving clues to the most likely characters by dint of their printed size; applying data mining, correlation and inference techniques to glean sensitive data from redacted or anonymized content);
8. Placing excessive reliance on redaction, believing it sufficient to keep sensitive data totally confidential under all circumstances whereas technical and process failures are possible and incidents sometimes occur in practice; conversely, placing zero reliance on redaction, believing it to be totally incapable of protecting sensitive information (these are governance and assurance risks);
9. Information security issues that are incidental or peripheral to the redaction process itself such as:
• Sending the original files, redaction instructions, redacted content or indeed the redacted files to the wrong recipients;
• Failing to secure information relating to the redaction process, such as the original files or detailed redaction instructions, while in transit, during processing and in storage (e.g. interception of sensitive content in clear on the network);
• Accidentally disclosing unredacted versions of the file, whether at the same time and through the same disclosure mechanism or separately;
• Deliberate disclosure or ‘leakage’ of unredacted versions of the file without permission or inappropriately (e.g. to Wikileaks);
• Accidentally or deliberately disclosing the redacted information by some means other than by releasing the digital data (e.g. by releasing the redaction instructions, or being overheard discussing sensitive matters);
• Damaging the integrity and/or availability of the original unredacted files (e.g. overwriting them with the redacted versions);
10. Use of redaction to conceal illegal or inappropriate activities (such as pedophilia - image redaction was ineffective in that particular case!);
11. Various other risks (the risk analysis implied here is generic and not comprehensive: it does not necessarily reflect any specific situation).

The Public Health Agency of Canada redactors appear to have experienced risks #9.1, 9.3 and 8 on the list ... and possibly others too (e.g. #3: even if they had photocopied the paper-masked page and sent the photocopy, it’s quite possible the original text would have been discernible through the mask). 

Instead of merely being an intensely embarrassing privacy incident, this could literally have been a killer if, say, a security services informant, undercover agent or counter-terrorism operation had been accidentally unmasked.  Let’s hope the relevant parties are more competent than the agency in this case.