It is hard to not leak PII when redacting screen shots with some editor programs

I ran into a situation recently where I almost leaked some private data when using a sanitized screenshot. I took a screenshot of an order screen and then marked out all the PII. The programs retain the original image and editing information inside the image so that you can re-edit it later.  This means that anyone else can re-edit unless you protect yourself. 

I'm still not sure if I did a transitory upload into some cache before fixing this. 


Flatten or screenshot any editable PNG files. The latter works for every image.

Creating and Using the Image

This image started off as a Windows 10 snip screen capture. I then redacted the private information with black squares.  Later I came back and adjusted the squares to hide data.  I copied the image into a Powerpoint presentation and did a talk.  There was no risk up to this point.

My solution

I exported the Powerpoint as PNGi mage files.  The image files are flattened images of all the rendered components and are not editable PNG files.

Risky Behavior

Then I debated about posting the slide show as a PPT or taking the original image for a blog article like this one.  Both options would leak my home address and order number.
  1. The editable power point is, well, editable.  This means someone could edit the PowerPoint, copy the image and then edit the image with the original editor if they could guess which one it was.  The editing metadata might still be there.
  2. Putting the redacted image on the blog has the same risk.  Anyone could download the PNG from the blog and have a reasonable chance of editing the image and removing the redactions.


  1. Export the image without any editability enabled.
  2. Take a screenshot of the image after editing it.
  3. Flatten the image using the editing tool.

Revision History

Created 2023 02


Popular posts from this blog

Understanding your WSL2 RAM and swap - Changing the default 50%-25%

Installing the RNDIS driver on Windows 11 to use USB Raspberry Pi as network attached

DNS for Azure Point to Site (P2S) VPN - getting the internal IPs