Bug 450786 - Privacy problem: deleted annotations are not deleted
Summary: Privacy problem: deleted annotations are not deleted
Status: CONFIRMED
Alias: None
Product: okular
Classification: Applications
Component: general (show other bugs)
Version: 21.12.1
Platform: PCLinuxOS Linux
: NOR normal
Target Milestone: ---
Assignee: Okular developers
URL: https://gitlab.freedesktop.org/popple...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-02-24 07:41 UTC by utis
Modified: 2024-09-08 20:53 UTC (History)
7 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.
Description utis 2022-02-24 07:41:34 UTC 
SUMMARY
***
Deleting an annotation only makes it invisible and does not delete it from the PDF.  This is unexpected behaviour and violates the privacy of the user, who will unwittingly share his deleted annotations.
***


STEPS TO REPRODUCE
1. Add an annotation containing the text `foobar` and save.
2. Delete it and save.
3. Find it in a text editor by searching for `f.o.o.b.a.r` or `FreeText`.

OBSERVED RESULT

The deleted annotation is found.

EXPECTED RESULT

The deleted annotation ought not to be found.

ADDITIONAL INFORMATION

I understand that this behaviour is to avoid rewriting the whole file, but the result is highly undesirable and unexpected.  I see three ways of addressing the problem; in prioritized order:

1. Always redact deleted annotations.  Even if they cannot efficiently be deleted, they can be overwritten with insignificant bytes.
2. Inform the user that the number and length of his deleted annotations are leaked.
3. Offer a procedure to purge annotations completely (rewriting the whole file if necessary).
Comment 1 Albert Astals Cid 2022-02-27 21:59:04 UTC 
Yeah, i guess we should warn users about it.
Comment 2 Nate Graham 2022-05-23 17:17:34 UTC 
Is there a technical reason why we can't delete them instead of hiding them?
Comment 3 Albert Astals Cid 2022-05-23 19:50:10 UTC 
Yes
Comment 4 Nate Graham 2022-05-23 20:03:36 UTC 
Would you mind explaining the technical reason?
Comment 5 Albert Astals Cid 2022-05-23 21:20:25 UTC 
It's very long and complicated, but it basically boils down to PDF being by design an "append only" kind of file format.
Comment 6 noyocet323 2022-05-27 18:39:57 UTC 
Would there be any objection to moving from poppler to mupdf? Because mupdf can save a PDF with deleted annotations removed rather than remain in there. MuPDF has a C++ API as well.(In reply to Albert Astals Cid from comment #5)
> It's very long and complicated, but it basically boils down to PDF being by
> design an "append only" kind of file format.
Comment 7 Albert Astals Cid 2022-05-28 08:42:11 UTC 
You're not the first person to suggest such idea, no one succeeded in creating a mupdf backend with all the features we have.
Comment 8 zafyipesti 2022-05-29 19:44:36 UTC 
(In reply to Albert Astals Cid from comment #7)
> You're not the first person to suggest such idea, no one succeeded in
> creating a mupdf backend with all the features we have.
Then it could be blamed on poppler itself for this issue because every other poppler based PDF reader has the same issue okular has. As suggested in the poppler bug report:
https://gitlab.freedesktop.org/poppler/poppler/-/issues/1254
You could check out how MuPDF handles deletion of annotations. If you want a C++ example of a PDF reader that deletes annotations properly, check out https://github.com/JakubMelka/PDF4QT