Secrets revealed at the click of a button
Sounds like a catchy tagline for an IT-themed Hollywood thriller, doesn’t it? Unfortunately, it’s one description that has been applied to a gaffe by US government employees responsible for censoring a report that was posted to the Pentagon website over the weekend. Just a few clicks were enough to reveal names, training procedures and other secrets the U.S. military thought it had blacked out in a PDF report — a process formally known as ‘redaction.’
They really were trying to do the right thing. Distributing reliably censored hard-copy reports is slower and far less efficient than doing so electronically, but in this case, the procedures followed were insufficient. ‘Software is basically a lot more complicated than mechanical typewriters, whiteout and black ink,’ according to Richard M. Smith, a privacy and security consultant in Cambridge, Massachusetts. Although there are ways to permanently redact data in a PDF document — Appligent’s range of redaction tools springs to mind — these tools must be properly used before documents can be satisfactorily censored.
The report dealt with the US killing of an Italian intelligence agent in Baghdad. Nicola Calipari, 50, died after being shot in the head on March 4 at a US checkpoint in Iraq while escorting a rescued hostage. The hostage in question, Italian journalist Giuliana Sgrena, was wounded during the incident, and the Italians have disputed the US version of events.
A review of a copy of the report suggests that the PDF document was produced directly from Microsoft Word using Adobe Acrobat 6.0’s PDF Maker. In Word, it’s possible to add shading behind text; if the shading is dark enough, it can appear to the user as if the text has been effectively obscured. While this should work for a physically printed version of the document, Word’s shading option was never designed for redaction: it changes only how the page is painted, and the characters themselves are still written into the file. As a result, the text can still be selected in the resulting PDF using the Select Text Tool in Adobe Reader.
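A pre-release check for the failure described above, as an added example that is not part of the original article: it reads the text-drawing operators out of a PDF's content streams and reports any term that was meant to be redacted but is still in the text layer. The function names and the sample document are constructed for illustration, and the parser assumes literal strings in `Tj`/`TJ` operators with a simple font encoding; a production check would use a full PDF library.

```python
import re
import zlib

# Stream body, including its trailing end-of-line, up to "endstream".
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
# Literal PDF string "( ... )" with backslash escapes (nested parentheses not handled).
STRING_RE = re.compile(rb"\(((?:\\.|[^\\()])*)\)")
# Text-showing operators: "(..) Tj" and "[ (..) -15 (..) ] TJ".
SHOW_RE = re.compile(rb"(\((?:\\.|[^\\()])*\)\s*Tj|\[(?:\\.|[^\]\\])*\]\s*TJ)", re.S)

def text_layer(pdf_bytes):
    """Return the text drawn by Tj/TJ operators in every content stream."""
    chunks = []
    for raw in STREAM_RE.findall(pdf_bytes):
        try:
            # /FlateDecode stream; decompressobj ignores the trailing end-of-line.
            data = zlib.decompressobj().decompress(raw)
        except zlib.error:
            data = raw  # stream was stored uncompressed
        for op in SHOW_RE.findall(data):
            # TJ arrays split a word into kerned fragments; join them back up.
            parts = STRING_RE.findall(op)
            chunks.append(b"".join(re.sub(rb"\\(.)", rb"\1", p) for p in parts))
    return b" ".join(chunks).decode("latin-1")

def surviving_terms(pdf_bytes, redacted_terms):
    """Terms that should have been redacted but are still in the text layer."""
    text = text_layer(pdf_bytes).lower()
    return [t for t in redacted_terms if t.lower() in text]

def sample_pdf():
    """Constructed input: a black rectangle painted behind text, as shading does."""
    content = (b"0 g 72 698 220 16 re f\n"  # filled black rectangle (the shading)
               b"BT /F1 12 Tf 72 702 Td [(Sgt. Jane) -15 ( Placeholder)] TJ ET\n"
               b"BT /F1 12 Tf 72 680 Td (Checkpoint report) Tj ET\n")
    body = zlib.compress(content)
    return (b"%PDF-1.4\n4 0 obj\n<< /Length " + str(len(body)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    leaked = surviving_terms(sample_pdf(), ["Jane Placeholder", "Not Present"])
    print("Redaction failed for:" if leaked else "No listed term found.", leaked)
```

An empty result only means the listed terms were not found by this simplified parser; it does not cover hex strings, composite fonts, metadata or embedded files.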
The discovery of the mistake has been variously attributed to an Italian IT worker and a German ‘hacker.’ Regardless, the problem was a significant security breach, as U.S. Air Force Colonel Donald Alston, a spokesman for U.S.-led forces, admitted.
‘We need to improve our procedures. We regret this happened. We obviously didn’t take sufficient precautions,’ said Colonel Alston, before adding that some of the leaked information appeared classified.