Having accidentally sent a journalist an ineptly redacted document, the Public Health Agency of Canada is - quite rightly - roasting uncomfortably in the glare of the media spotlight today:
"Raphael Satter, an Associated Press correspondent in Paris, was dumbfounded when he received files from the Public Health Agency of Canada that were censored using only Scotch tape and paper ... He was able to see the redacted confidential information simply by peeling back the paper."
There are at least 11 information risks or types of incident associated with redaction:
- Making bad decisions about the data to be redacted, the technical methods or process to be used and/or the suitability (primarily competency and diligence) of those tasked to do it;
- Failing to identify correctly all the sensitive data that must be redacted (both the individual data items and the files);
- Failing to render the redacted data totally unrecoverable, for example:
- Using inappropriate or ineffective technical methods for redaction, such as crudely modifying rather than permanently deleting the sensitive data using methods that can be completely or partially reversed (for example simply reformatting or overlaying redacted text to appear invisible, or applying readily-reversed mechanistic transformations or tokenization of textual identifiers);
- Accidentally leaving one or more copies of the sensitive data completely or partially unredacted (perhaps releasing multiple, independently and differently redacted versions of a sensitive document, enabling it to be reconstructed directly or by inference);
- Partially deleting the sensitive data, leaving data remnants or sufficient information (such as the editing journal or cached copies) enabling the data to be restored from the redacted file;
- Relying excessively on pixellation, blurring or similar methods of obfuscation to obscure parts of images (typically for personal privacy reasons), whereas deconvolution and other more or less advanced image manipulation/transformation techniques may restore enough of the original image to permit recognition;
- Neglecting to redact sensitive metadata (e.g. in document properties or reviewer comments, GPS data on digital images, or alternate data streams);
- Sending the original files, redaction instructions, redacted content or indeed the redacted files to the wrong recipients;
- Failing to secure information relating to the redaction process, such as the original files or detailed redaction instructions, while in transit, during processing and in storage (e.g. interception of sensitive content in clear on the network);
- Accidentally disclosing unredacted versions of the file, whether at the same time and through the same disclosure mechanism or separately;
- Deliberate disclosure or ‘leakage’ of unredacted versions of the file without permission or inappropriately (e.g. to Wikileaks);
- Accidentally or deliberately disclosing the redacted information by some means other than by releasing the digital data (e.g. by releasing the redaction instructions, or being overheard discussing sensitive matters);
- Damaging the integrity and/or availability of the original unredacted files (e.g. overwriting them with the redacted versions).
The Public Health Agency of Canada redactors appear to have experienced risks #9.1, 9.3 and 8 on the list ... and possibly others too (e.g. #3: even if they had photocopied the paper-masked page and sent the photocopy, it’s quite possible the original text would have been discernible through the mask).
Instead of merely being an intensely embarrassing privacy incident, this could literally have been a killer if, say, a security services informant, undercover agent or counter-terrorism operation had been accidentally unmasked. Let’s hope the relevant parties are more competent than the agency in this case.
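Several of the file-level failures listed above (text reformatted to look invisible, remnants in the editing journal, unredacted metadata and reviewer comments) can be checked mechanically before a file is released. The following is an added example, not part of the original post: it assumes the redacted file is a Word DOCX, and the function names, sample document and sensitive terms are all constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"  # {uri}tag form

def run_kind(run):
    """Classify one <w:r> run by how its text is (not really) removed."""
    if run.find(f"{W}delText") is not None:
        return "tracked-deletion"  # the editing journal still holds the text
    if run.find(f"{W}rPr/{W}vanish") is not None:
        return "hidden-formatting"
    color = run.find(f"{W}rPr/{W}color")
    if color is not None and color.get(f"{W}val", "").upper() == "FFFFFF":
        return "white-on-white"
    return "visible"

def find_residue(docx_bytes, terms):
    """Return sorted (part, kind, term) for every sensitive term still present."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in (n for n in z.namelist() if n.endswith(".xml")):
            root = ET.fromstring(z.read(name))
            if name == "word/document.xml":
                chunks = [(run_kind(r), "".join(r.itertext())) for r in root.iter(f"{W}r")]
            else:
                kind = ("metadata" if name.startswith("docProps/")
                        else "comment" if name == "word/comments.xml" else "other-part")
                chunks = [(kind, "".join(root.itertext()))]
            for kind, text in chunks:
                hits.update((name, kind, t) for t in terms if t.lower() in text.lower())
    return sorted(hits)

def build_sample():
    """Constructed sample: a minimal DOCX-shaped zip, not a real released file."""
    w = f'xmlns:w="{W[1:-1]}"'
    parts = {
        "word/document.xml": f'<w:document {w}><w:body><w:p><w:r><w:t>Patient: </w:t></w:r>'
            '<w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr><w:t>Jane Doe</w:t></w:r>'
            '<w:del><w:r><w:delText>case 4471</w:delText></w:r></w:del></w:p></w:body></w:document>',
        "word/comments.xml": f'<w:comments {w}><w:comment><w:r><w:t>check case 4471</w:t></w:r></w:comment></w:comments>',
        "docProps/core.xml": "<coreProperties><creator>Jane Doe</creator></coreProperties>",
    }
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    print(*find_residue(build_sample(), ["Jane Doe", "case 4471"]), sep="\n")
```

A term split across several runs is not matched by the per-run check, so an empty result is not proof that the file is clean. The check also covers only what is inside the file, not the process and handling risks in the list.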