GIMP not removing color information when using the eraser tool is desired behaviour. We urgently recommend to use the brush tool to fill a selection when blacking out sensitive information in images. Special care needs to be taken to use an opacity of 100% when doing so, otherwise the information might be retrievable. In our view the behaviour of GIMP is mandatory. Earlier experiments using pre-multiplied pixels for data storage resulted in complaints from users, since pre-multiplied pixels with 0% opacity can't carry color information. Most affected were users working with textures, where the alpha channel is used to store information independently from the color information (like e.g. reflectivity). The change at that time made GIMP unusable for this user group, since it lost color information in transparent pixels. Most notably we also now have functionality that relies on this behaviour: In the tool options of the eraser tool you'll find the "anti-erase" toggle, which makes the eraser do the opposite: it increases the opacity of the affected pixels again, revealing the color information again. This is useful when using the eraser to remove the background of an object: If you realize that you've been too aggressive on one side of the object you can use anti-erase to restore it again. Furthermore there is a toggle in the PNG export dialog that allows the user to choose if the color information of transparent pixels should be stored or not. This alone should set the alarm bells ringing for persons seriously working with sensitive data. As mentioned earlier I want to emphasize, that for redacting information it is vital to work with 100% Opacity. This important for filling selections as well as for painting with the brush tool. If you don't pay attention to this it is possible that the original information is invisible, yet still may be reconstructed. Doubly so if you're working with 16 bit data (or more): Even 99.9% opacity is not enough to kill the information completely, yet it still is invisible to the naked eye. In our view the situation can be compared to the PDF situation: People trying to redact PDFs by placing black rectangles on top of the sensitive text have a problem - and need to learn more about the tools and file formats they use to black out information. Using an rubber eraser to remove text from a sheet of paper still might leave traces of information on the paper, which could be revealed by a technical analysis. Using "intuitive" as the relevant standard in security questions in our opinion falls short of what is required for a serious approach to security work.