MetaMarshal
Log inSign up free
← All articles

How to redact a photo so it stays redacted

July 5, 2026 · 6 min read

You blur a face, pixelate a card number, drop a black bar over an address, and post the photo — the secret is gone. Often it isn't. Redaction fails in specific, repeatable ways, and they all share a theme: the thing you tried to remove is still in the file, one step of effort away from anyone who wants it.

Pixelation is reversible

Pixelation looks destructive, but it's really just a shuffle. It averages each block of pixels down to one colour — a lossy transform, but a deterministic one. If an attacker knows the shape of the answer — a 16-digit card number, a plate in a fixed format, a six-letter surname — they can generate every candidate, pixelate each one the exact same way, and keep the one whose blocks line up with yours. Researchers have recovered pixelated text and even faces doing precisely this. Against anything guessable, pixelation is a puzzle, not a wall.

Blur only looks destructive

A gaussian blur spreads a region's detail across neighbouring pixels, but it doesn't delete it — enough of the original signal survives that deblurring can claw some of it back, especially at small radii over sharp text. And blur is seductive precisely because the result still looks like the thing: you can usually half-read a blurred street sign or house number at a glance. If you can half-read it, so can someone motivated.

The bar you can copy out from under

The most infamous failure lives in documents. A black rectangle is drawn over a name in a PDF, with the actual text still sitting underneath — select, copy, paste, and the 'redacted' word reappears in full. Governments have leaked classified names this way. The lesson generalises to images: a redaction that sits on top of the data instead of replacing it is decoration. It has to change the underlying bytes, not cover them.

The crop that uncrops

Screenshots carry their own trap. Some phone editors, when you crop or mark up a screenshot and save back over the original, leave the discarded pixels quietly appended to the file — the bug widely known as aCropalypse. The image displays cropped, but the full frame can be reconstructed from the leftover data. Cropping something out of view is not the same as removing it from the file.

And the metadata underneath

Even a flawless visual redaction leaves the EXIF block untouched. You black out the storefront, but the GPS tag still names the street corner it stood on. A tool that only paints over pixels and re-saves the same container can preserve the exact fact you were hiding. Baking the redaction into the image and re-encoding the whole file — so the metadata leaves with the pixels — is what closes that gap.

How to make it hold

Replace, don't cover: the hidden region should become solid, uniform pixels with no recoverable structure, baked into the image rather than layered on top. Reach for a hard blackout — not blur or pixelate — for anything an attacker could guess: names, numbers, plates, faces you truly need gone. Blur and pixelate are fine for de-emphasising a bystander, as long as you remember they only obscure. Re-encode the file afterwards so metadata goes too, and then check your work — open the export and try to read back what you removed. MetaMarshal's redaction does this in your browser: blackout, blur, or pixelate is baked straight into the pixels and the file is re-encoded on export, so the metadata is stripped in the same step. The photo never leaves your device, and what you took out doesn't come back.

See what your own photos say

Free, in your browser, nothing uploaded.

Clean a photo
How to redact a photo so it stays redacted