Document formats have gotten so complicated that you have no idea whether the redaction software you use actually does its job or doesn't. Going analog then back gives you a very good guarantee that you can't get otherwise.
In order for there to be guaranteed no leaks, the redaction software has to be bug-free. Leaks can be anything, from how much free space there is between allocated regions to highly precise layout placement information that you can use to figure out censored words on a trial & error basis if you have a copy of the used software. So you can't really come up with a watertight formal definition of leak-freedom, which makes proving that your software removes all leaks impossible, at least in rich-text documents. The only way I see is to go full ASCII or something.
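The layout-width leak described in the comment above, as an added pre-release check that is not part of the original thread: it compares a redaction box sized to the hidden word with a fixed-size box and counts how many candidate words stay consistent with each. The glyph widths, candidate names, box size and threshold are all constructed assumptions.

```python
# Added example: audit whether a redaction box's width narrows down the hidden word.
# ADVANCE is a constructed glyph-width table standing in for a proportional font.
ADVANCE = {c: 6 for c in "abcdefghijklmnopqrstuvwxyz"}
ADVANCE.update({"i": 3, "l": 3, "j": 3, "t": 4, "f": 4, "r": 4, "m": 9, "w": 9, " ": 3})

FIXED_BOX = 60  # constructed: wider than any candidate, identical for every redaction

# Constructed candidate list: the words a reader might plausibly guess.
CANDIDATES = ["alice", "bob", "carol", "dave", "mallory", "trent"]


def rendered_width(word):
    """Width the word would occupy on the page, in the same units as ADVANCE."""
    return sum(ADVANCE.get(ch, 7) for ch in word.lower())


def box_width(secret, fixed=False):
    """Size of the black box: hugging the word (weak) or constant (stronger)."""
    return FIXED_BOX if fixed else rendered_width(secret)


def consistent(box, candidates, tolerance=1, fixed=False):
    """Candidates that still fit the observed box within a measuring tolerance."""
    if fixed:
        return sorted(candidates)  # a constant box carries no width information
    return sorted(c for c in candidates if abs(rendered_width(c) - box) <= tolerance)


def audit(secret, candidates, fixed=False, min_anonymity=3):
    """Flag a redaction whose box leaves fewer than min_anonymity candidates."""
    survivors = consistent(box_width(secret, fixed), candidates, fixed=fixed)
    return {"survivors": survivors, "ok": len(survivors) >= min_anonymity}


if __name__ == "__main__":
    for name in ("mallory", "alice"):
        print(name, "hugging box:", audit(name, CANDIDATES))
        print(name, "fixed box:  ", audit(name, CANDIDATES, fixed=True))
```

A word with an unusual width fails the audit under a hugging box even though a common-width word passes, so the check has to be run per redaction, not per document.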
Yeah they keep saying "they could have easily used native digital redaction" but that clearly isn't as easy as they think because there have been numerous instances of people screwing that up.
Maybe those people used the wrong software or buggy software, but how do you know software is buggy? Much easier to print and scan than to dive into the PDF file on a really low level.
They could however have just converted it to PNG and then back to PDF digitally to keep the quality good. No need to physically print and scan it.
To be honest, the analog redaction techniques are pretty bad.
For example there's a list of names, alphabetical. Two names are redacted.
Michael Cohen, Richard Gates, [REDACTED], Roger Stone, and [REDACTED] (newline) [REDACTED]. The final redaction could fit approximately three letters.
The fact that these are analog redactions makes it really easy to tell that the two other people are Kushner and Donald Jr.
Meanwhile if they had opened the report in Word and done [REDACTED] they wouldn't have these super-basic issues.
There _is_ an advantage in that you can have more confidence that the original document is merely being redacted and not completely changed, but it's not really beyond motivated people to actually change the source doc if they wanted to.
I think the redaction just allows them to say that it was redacted, not that anyone didn’t know who was in the list of names. Anybody paying attention to television news for the past 2 years would know who was in that list of names.
I wonder how different it is to carry a USB stick from SCIF to SCIF compared to just moving paper.
I doubt that top secret counterintelligence information in the report can be retracted in normal office space. Installed software in a SCIF may be highly limited and out of date.
SCIFs generally have some sort of TS/SCI network connectivity, so the appropriate solution would be to just use it. But every agency that has SCIFs wants their own network, because it would be disastrous if TLA #1 could see TLA #2's cafeteria menus. Congress, the White House, all seventeen IC agencies, and every customer agency have at least one; and people on one don't necessarily have the access they need to others (or the cafeteria menus would be visible, and we can't have that). Given sufficiently pathological connectivity, it can be easier to just have someone courier a DVD.
There's absolutely no legitimate reason for a computer in a SCIF to have outdated software. Data diodes exist, and there is no technical obstacle to setting up a mirror of whatever package repository you like. (Political obstacles may be non-trivial, because compliance is far more important than security, and too many members of upper management believe that classified networks are somehow magically secure.)
Virtually every government office I have been in the past 5 years dealing with any classified information has disallowed the use of flash drives being connected to government machines, and it is pretty strictly enforced with reminder posters all over.