This is the story of how the PDF conquered the document world — and why, three decades on, the way we handle sensitive information inside PDFs still hasn't caught up.
Camelot: the paperless office that almost wasn't
In the summer of 1990, Adobe co-founder John Warnock wrote a short white paper — six pages, code-named “The Camelot Project” — describing a problem that sounds quaint today: there was no reliable way to exchange a high-fidelity document between different computer applications and systems and have it look the same on both ends [1][2]. “These documents should be viewable on any display and should be printable on any modern printers,” Warnock wrote. “If this problem can be solved, then the fundamental way people work will change.” [2]
Warnock's proposal drew heavily on PostScript, Adobe's page description language that had already powered the desktop publishing revolution. Where PostScript was built for rendering print jobs to output devices, the Camelot approach — the paper's working name for the proposed language was Interchange PostScript, or IPS — flattened documents into a simplified, self-contained format optimised for display on any screen and any platform, with fonts embedded so a file carried everything needed to reproduce itself [2][3].
Adobe Acrobat and the Portable Document Format were formally launched on 15 June 1993 [1]. Success was not immediate. PDF entered a crowded field of competing electronic document formats — Envoy, Common Ground Digital Paper, Farallon Replica, and raw PostScript itself, with others such as DjVu emerging later in the decade [3][4]. For a few years, the paperless office remained as mythical as Camelot.
From proprietary format to ISO standard
The decision that mattered most for professional users came 15 years later: in 2008, PDF was standardised as ISO 32000, moving the specification out of Adobe's sole control and into open international governance [5]. Today the format is developed in ISO technical committee TC 171/SC 2 (working group WG 8), with the PDF Association serving as ISO committee manager for the subcommittee [7]. PDF 2.0 was first published as ISO 32000-2 in 2017; the current edition, ISO 32000-2:2020, followed in December 2020 [6].
Open standardisation is what let governments and courts mandate the format. An ISO standard can be written into procurement rules, e-lodgment specifications, and archival regulation in a way a vendor-owned format never could. The format Warnock sketched to solve a document-exchange annoyance had become legal infrastructure.
That evolution also made the PDF a true container format. Beyond flat text and graphics, the specification supports logical structure, annotations and form fields, layers, rich media, embedded file attachments, encryption, digital signatures, and metadata [6]. That richness is the PDF's superpower — and, as it turns out, its most dangerous property.
The dark side of fidelity: what a PDF really contains
A PDF is not a picture of a page. It is a layered structure of content streams, fonts, images, annotations, and metadata. The gap between what a PDF displays and what a PDF contains has been embarrassing institutions for more than 20 years, and the classic failure pattern is remarkably consistent: someone draws a black rectangle over sensitive text and assumes the text is gone. It is not. The characters remain fully intact underneath, one select-copy-paste away from exposure.
The casualty list is long and distinguished:
2005 — the Calipari report. The US military published its report into the death of Nicola Calipari, an Italian intelligence agent killed at a US checkpoint in Iraq, as a PDF with the classified sections covered by opaque blocks. Readers discovered that the blocked-out portions could be recovered simply by copying and pasting them into a word processor [8][9]. The recovered material included sensitive detail about US military operations [8]. Security technologist Bruce Schneier's assessment at the time captured the industry's exasperation: masking text in a PDF does not erase the underlying text — and yet the mistake kept happening [10]. The NSA had, in fact, already published guidance on safely sanitising documents in December 2005 [11]. It didn't stop the pattern.
2006 — the AT&T wiretapping brief. Lawyers for AT&T filed a legal brief concerning the company's cooperation with NSA domestic surveillance. Text on pages 12 to 14 was incorrectly redacted and could be retrieved from the PDF [9].
2019 — the Manafort filing. In one of the most-watched court cases in the world, lawyers for former Trump campaign chairman Paul Manafort filed pleadings in federal court with black rectangular boxes over confidential passages. The underlying text was fully intact; journalists recovered it within minutes by copy-paste [12][13]. The failed redactions revealed previously confidential details, including that Manafort had shared 2016 presidential campaign polling data with Konstantin Kilimnik, a former business partner who the special counsel's office said has ties to a Russian intelligence service [12][13]. Subsequent analysis indicated the legal team had used markup tools to draw boxes over the text rather than a purpose-built redaction function that removes it [14].
2023 — FTC v Microsoft/Activision. The failure mode isn't always a black rectangle. During the FTC's challenge to Microsoft's acquisition of Activision Blizzard, confidential business information — unannounced titles, release plans, acquisition strategy — became public because a set of fully unredacted exhibits was supplied via a link from Microsoft's own lawyers and uploaded to the public court docket [15][16]. No overlay failed; the redacted versions simply never made it into the process.
The overlay mistake — a decoration masquerading as a deletion — is the most common root cause across the classic cases. But the through-line across all of them, the Microsoft leak included, is the absence of any verification step: nobody checked what the published file actually contained before it went out.
The newest failure mode: your agent read the PDF
For most of this history, the leak lived inside the PDF — the text under the black box, the metadata behind the page. That is changing. When an AI assistant or an automated workflow “reads” a document today, it rarely works with the PDF directly. The usual first step is extraction: the PDF is converted into plain text or Markdown — the formats language models actually process — and the machine reasons over that copy. The tidy PDF at the end may be rebuilt from the text, or never rebuilt at all.
This moves the sensitive content upstream of the file everyone thinks to check. A single contract fed through an AI workflow can leave copies of itself in places no one is watching: extracted text sitting in a model's context, document fragments stored in a search index, intermediate Markdown files in a working directory, and summaries that quote the exact paragraph meant to stay private. You can redact the final PDF perfectly and still have leaked the document — because the machine kept a plain-text copy of it somewhere in the middle.
It is the same lesson as Calipari and Manafort, one layer earlier. Those failures happened because nobody verified what the finished file contained; the agentic version happens because nobody can see what the pipeline retained. The question is no longer only “is the black box a real deletion?” but “of all the copies this document became, which of them still hold what should have been removed?” The answer, again, is evidence — a way to prove what was removed, on every artifact a document turns into, not just the one with the letterhead.
Why redaction is becoming a regulated professional obligation in Australia
Current as at 5 July 2026.
For most of the PDF's history, botched redaction was an embarrassment. Increasingly, it is a compliance event — and in Australia, the regulatory perimeter has just moved.
Under the Tranche 2 reforms — enacted through the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024, which received Royal Assent on 10 December 2024 [17] — Australia's AML/CTF regime now extends beyond banks and casinos to real estate professionals, dealers in precious metals and stones, and professional service providers including lawyers, conveyancers, accountants, and trust and company service providers [18]. Obligations for these newly captured “Tranche 2 entities” commenced on 1 July 2026, with AUSTRAC enrolment open from 31 March 2026 [19] and required by 29 July 2026 for firms providing the new designated services from day one (firms that start later have 28 days from their first designated service) [20].
Practices captured by the regime take on AML/CTF program, customer due diligence, record-keeping, and suspicious matter reporting obligations [19][21], all of which multiply the volume of sensitive client information that firms must hold, process — and, when documents are produced, disclosed, or lodged — selectively remove. The Amendment Act also specifically addresses the treatment of legal professional privilege: Schedule 4 preserves the doctrine (substituting a new section 242, with guidelines to follow under a new section 242A) while ensuring reporting entities can meet their obligations [17][18].
In this environment, a “redacted” document that still contains the client's identity details, account references, or privileged material is no longer just awkward. It is evidence of a control failure in a regulated process.
This section is general information about the reforms, not legal advice — how the obligations apply to your practice is a question for your firm and its advisers.
The next chapter: redaction you can prove
Proper redaction — the kind every post-incident analysis recommends — means actually removing content: deleting the sensitive text from the file's underlying structure, scrubbing metadata, and then verifying that nothing survives, rather than relying on visual inspection of black boxes [11][22]. It is removal, not concealment. And like any handling of sensitive material in professional practice, it increasingly needs to be provable.
That is the problem the next generation of document tooling is built around. Modern redaction workflows treat removal as a verifiable event: content is removed at the object level, the output is independently checked, and the operation produces tamper-evident proof that the removed content is absent from the delivered file — without ever exposing the sensitive content itself. Just as importantly for legal professionals handling privileged material, the entire process can run locally on the practitioner's own device, so client documents never transit a third-party cloud at all.
The PDF was born from a simple promise: what you send is exactly what they see [1]. The promise the profession needs now is the mirror image: what you remove is provably absent.
That's the promise Omitly was built to keep.