Introduction — The Dangerous Landscape

Disclosures to government regulators have always posed risks to trade secrets and other proprietary information. It came as little surprise, therefore, when the Federal Trade Commission’s mishandling of confidential information in its antitrust challenge to the merger of Whole Foods and Wild Oats came to light in an Associated Press (AP) article. See, e.g., Christopher S. Rugaber, Error by FTC Reveals Whole Foods’ Trade Secrets (AP Aug. 15, 2007).

I. FTC’s Leakage of Whole Foods’ “Under Seal” Information

Unsound electronic redaction in FTC v. Whole Foods Market and Wild Oats Markets, Civ. No. 07-cv-01021-PLF (D.D.C. June 5, 2007) resulted in an electronically-filed FTC brief exposing significant operational and strategic business information considered confidential by Whole Foods. By the time the court discovered the error, the national press had already obtained a copy of the brief. Too late for Whole Foods, the FTC filed a corrected copy that had been printed to paper and scanned into image format.

The District Court’s August 16, 2007 order denying the FTC’s motion for a preliminary injunction did not mention the redaction error. In fact, the order praised both sides for litigating the matter on a tight schedule. The FTC’s disclosure appears not to have prejudiced either side with respect to the merits of the merger challenge. However, it remains to be seen whether Whole Foods faces negative blowback from its aggressive stance towards competitors or site-selection criteria revealed by the FTC’s error.

The mistake made by the FTC was basic. In preparing its brief for filing, FTC staff wrongly assumed that the metadata in its word processing file would not migrate upon direct conversion from native format to portable document format (.pdf). In particular, they wrongly assumed that using Microsoft’s “Highlight” (or “Borders and Shading”) tool to black out text actually removed the text from the file’s contents. It does not. It “covers up” the text, but the text itself remains in the file, fully searchable and available for copying. The resulting .pdf appears at first glance to contain only black boxes in place of the redacted content. That content, however, is present in the .pdf file and can be easily revealed either by copying and pasting the blacked-out text into a word-processing file or an e-mail message or by viewing the .pdf file in a reader such as Preview or Xpdf.

II. Similar Prior Well-Publicized Mishandlings of Redactions and Metadata

The FTC is not the first litigant to make this type of mistake to the detriment of another party. Redaction faux pas and other types of metadata-handling errors are, regrettably, fairly common. Famous entities bitten by the metadata cobra in recent years include the United Nations, the British Prime Minister’s Office (via the “Downing Street Memo”), the current Republican administration, the Democratic National Committee, the California Attorney General’s Office, the Motion Picture Association of America, and SCO Group. See, e.g., Tom Zeller Jr., Beware Your Trail of Digital Fingerprints, N.Y. Times (Nov. 7, 2005).

The publicized snafu most analogous to the FTC’s recent error occurred in May 2006, in a case filed by various civil liberties groups challenging National Security Administration surveillance activity. In Hepting, et al. v. AT&T, 439 F. Supp. 2d 974 (N.D. Cal. 2006), a law firm representing AT&T filed a redacted reply brief suffering the same deficiency as the FTC’s Whole Foods brief. That reply brief — still posted on multiple websites — listed potential uses (aside from allegedly illegal, NSA-requested surveillance) AT&T might have for a “secret” switching room designed to monitor telephone calls and internet transmissions. That disclosure was especially ironic given the NSA’s recent prior publication of Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF (Feb. 2, 2006).

One month later, in June 2006, a brief filed in connection with the investigation of leaked grand jury testimony from the BALCO steroid case also contained faulty redactions. That gaffe had resulted in disclosure of eight pages of e-mails between Victor Conte, the primary criminal defendant, and Mark Fainaru-Wada, a Chronicle reporter whose articles had referenced the leaked materials. The emails show Fainaru-Wada aggressively pursuing a CDROM containing the record of the grand jury proceedings. See, e.g., Adam Liptak, Prosecutors Can’t Keep a Secret in Steroid Case, N.Y. Times (June 23, 2006).

III. Proper Methods of Redaction

Fortunately the redaction error made in those cases is easily avoided under a variety of methods, one or more of which ideally should be adopted as a strict protocol at the outset of a proceeding. Here is just one such protocol for Office 2003 users in the e-filing context:

(1) Make sure that the applicable local rules, “under seal” order or judge’s procedures actually require efiling a redacted version of the document (as opposed to just filing a physical copy at the clerk’s office and/ or in chambers).

(2) Do not use the “Highlight” or “Borders and Shading” features in Word for redactions (unless you then print the document to paper and scan it into an image file), instead:

(a) Download and install the “Word Redaction” tool from the Microsoft website.

(b) Copy the Word file that is to be redacted, and once in the copy, follow the instructions provided with the “Redaction” tool.

(c) Use metadata-removal software to clean (a.k.a. “scrub”) file-system data and embedded data from the redacted copy.

(d) Convert the redacted, scrubbed copy of the Word file to .pdf.

Adobe® Acrobat® 8 Professional now has its own redaction tool, which may also provide a workable solution to this problem. One “low-tech” solution is to print the document to paper, redact the confidential portions manually with black marker or cover-up tape and then scan the document into an image file. If necessary, text-searching – as well as copy-and-paste capability – can be restored to a scanned document using OCR software or Acrobat’s “Capture” feature. Alternatively, Word’s “Highlighter” or “Borders/Shading” feature – or any electronic redaction tool — can be used prior to printing. Either way, the scan of the paper printout will not retain the metadata from the original file.

Even after a protocol is established and adopted by litigants, there remains the hurdle of the court’s own procedures. A separate source of disclosure risk is the court itself, typically the most overburdened and understaffed participant in the litigation process. Disclosure may occur via an inadvertent mention on the record at a hearing or a reference in a written order. In Whole Foods, the court’s novel solution to the latter problem was to provide a non-public draft order to the parties and have them lodge suggested redactions with chambers prior to the release of the public version. Other courts may be willing to take similar precautions, but the onus likely will be on parties desiring such relief to make the court aware of the issue and affirmatively seek help. Litigants concerned about safeguarding confidential information should not presuppose sua sponte protective action by courts struggling to get through their dockets.


Ultimately, litigants and entities facing government inquiry are always susceptible to risks associated with mistreatment of their confidential information. Often, disclosures result from simple inadvertence regarding the nature of the information itself. The above examples of technological mistakes are especially vexing, however, because the attorneys in question both recognized the need for confidential treatment and implemented a method that they believed would effectively protect the confidence. Regrettably, this type of disclosure is likely to be just as persistent — and as damaging — as plain inadvertence or even an intentional violation. As document-generating software and other technological tools used by parties and regulators are constantly updated — with new holes appearing in each subsequent version — generating a one-size-fits-all protocol may prove difficult, if not impossible. For now, at least, the suggestions discussed above will help avoid the most egregious forms of mistaken disclosures.