The Metadata Anonymisation Toolkit (MAT) included in Tails is no longer maintained and it is not fit for purpose. It has a number of serious edge cases which can be encountered in day-to-day usage.
Using MAT on a document containing an embedded image only cleans the metadata from the document. Any EXIF or other metadata on the embedded image will be retained. This is not readily apparent to end users and creates serious risks.
Application-specific approaches to removing metadata are not and cannot be safe. The SecureDrop workstation project plans to solve this problem by using the Qubes qvm-convert-pdf tool to rasterize documents and convert them to flat PDFs (freedomofpress/securedrop-workstation#26).
This rasterization and recreation is the only safe way to remove unintentional metadata. It would be useful to have a similar tool available in Tails until securedrop-workstation is released.
First Look Media's pdf-redact-tools project is similar to qvm-convert-pdf in that it rasterizes PDFs using ImageMagick and it can then generate a new flat PDF. It does not have an isolated execution environment like qvm-convert-pdf. It is not possible to prevent a compromised SVS from exfiltrating digital information in the current architecture.
One approach would be to install the pdf-redact-tools package on the SVS and add a Nautilus extension allowing users to select Clean PDF from the right-click context menu. It's straightforward to write a Nautilus extension implementing this behavior using the nautilus-python library. Office documents or presentations can be exported to PDFs before being cleaned.
As a journalist, I want a user-friendly interface to clean any document that I receive so that I can avoid leaking metadata about my source.
Related to #543 and freedomofpress/securedrop-workstation#26.
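The embedded-image case described in this issue can be checked for directly. The following is an added example, not part of the original issue and not code from MAT or pdf-redact-tools: it walks the JPEG segments of every member of a zip-based document (DOCX, ODT) and reports images that still carry EXIF, XMP or comment metadata. The function names are illustrative, the sample document is constructed inline, and only JPEG images are covered.

```python
import io
import struct
import zipfile

def jpeg_metadata_segments(data):
    """Return labels of metadata-bearing segments found in a JPEG byte string."""
    found = []
    if data[:2] != b"\xff\xd8":              # no SOI marker: not a JPEG
        return found
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:                   # start of scan: headers are over
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:                       # malformed segment, stop parsing
            break
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            found.append("EXIF")
        elif marker == 0xE1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
            found.append("XMP")
        elif marker == 0xFE:                 # free-text COM segment
            found.append("COMMENT")
        pos += 2 + length                    # length field counts itself
    return found

def embedded_image_metadata(document_bytes):
    """Map each embedded JPEG in a zip-based document to its metadata segments."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(document_bytes)) as archive:
        for name in archive.namelist():
            segments = jpeg_metadata_segments(archive.read(name))
            if segments:
                report[name] = segments
    return report

def constructed_jpeg(with_exif):
    app1 = b"Exif\x00\x00" + b"constructed-tiff-body"  # constructed, not a real TIFF
    exif = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 if with_exif else b""
    return b"\xff\xd8" + exif + b"\xff\xda\x00\x02" + b"\xff\xd9"

def constructed_document():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:   # constructed DOCX-like layout
        archive.writestr("word/document.xml", "<w:document/>")
        archive.writestr("word/media/image1.jpg", constructed_jpeg(True))
        archive.writestr("word/media/image2.jpg", constructed_jpeg(False))
    return buf.getvalue()
```

Running `embedded_image_metadata()` on a document before and after a cleaning tool shows whether the embedded images were actually touched.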
Thanks for filing this - pdf-redact-tools is definitely something we'd like to have in the SVS environment - the issue is that there isn't a super elegant install story for this. Instructing admins to manually install is probably the best we can do. However, given that this is so important for source security, until the workstation is ready for prod this is the best solution and needs to be done, so let's add some documentation on this for admins that want to provide something better than MAT for their journalists. The tasks here are to:
pdf-redact-tools over to the airgap environment (there is a deb package)
dpkg and not apt-get it won't persist).
Otherwise the only custom scripting we have in the SVS environment was added in #2208.
For the record, proposed to add pdf-redact-tools to Debian GNU/Linux using @micahflee packages, if Tails is willing to ship it by default.
@dachary: Thanks for filing the Tails ticket and considering packaging pdf-redact-tools for Debian. You will probably also need to package a Nautilus extension for pdf-redact-tools in order to make this tool usable for non-technical journalists. The nautilus-python dependency for Nautilus extensions is already included in Tails.
Update: thanks to @dachary, pdf-redact-tools is in Tails 3.6
Super! Great job @dachary :+1:
:blush: