In this paper we give a new signature algorithm that allows for controlled changes to the signed data. The change operations we study are removal of subdocuments (redaction), pseudonymization, and gradual deidentification of hierarchically structured data. These operations are applicable in a number of practically relevant application scenarios, including the release of previously classified government documents, privacy-aware management of audit-log data, and the release of tables of health records. When applied directly to redaction, our algorithm improves on by reducing significantly the overhead of cryptographic information that has to be stored with the original data. Publication Info: To be published and presented at ACM Symposium on Information, Computer & Communication Security (ASIACCS'08), Tokyo, Japan, 18-29 March 2008. 10 Pages