At work, we have been discussing protection of Intellectual Property this week… How to keep valuable content within a small network of supposedly ‘trusted’ users. Much of it is in publications we sell as PDF’s.
The utility value of PDF’s is that you can read them anywhere on anything; but while there are measures you can take to protect content, anyone determined enough will find a way to grab and re-distribute that content. There is no such thing as totally protected content…
So how much effort do you put in and how difficult can you make it for the determined ‘PDF magpie’?
If you want to go through the issues with PDF’s, read on, but the short answer is passworded PDF’s are only partly secure and inconvenient, restricted PDF’s can be circumvented and there’s nothing you can do about someone screen-shotting the pages and saving the graphics.
So what are the vulnerabilities?
Cache it: Even the luddites in my family know you have to download a PDF before you can read it in any PDF reader; which means there is a copy sitting on your local machine somewhere, even if only in the web browser
cache. So even if you have to login to a site to access the PDF, a copy gets stashed away while you read it and that’s where you can grab it and save it.
Counter-measures: in practice, none.
‘Magpie’ rating: often difficult to find and grab the copy from the browser cache among all the other junk, depends on the browser and the cache setup. But when you know the date, time and file type you can comb the cache and find it.
Save it: Practically every PDF reader (not just Adobe) and browser plugin has a “Save As…” option.
Counter-measures: in practice, none.
‘Magpie’ rating: easy.
Opening PDF, Printing, Editing, Copy/Paste:
Counter-measures: Create a PDF using “Protect with Permissions”
You can apply restrictions in Adobe Acrobat Editor and other PDF tools, using basic encryption.
- Document Open – it can be opened in Adobe Reader only if unlocked with a password
- Printing Editing – password protect it for printing or editing – including annotations
- printing yes/no,
- editing yes/no,
- enable copying of text images and other content yes/no – this is a setting you can use without needing passwords.
‘Magpie’ rating: moderate to easy.
Most of these properties are Adobe-specific, they are not mandatory in the PDF format specification. PDF passwords do not apply whole-document encryption, more like putting a padlock on the front door. You can find non-Adobe PDF readers that will ignore some or all of the restrictions, leaving the door wide open.
Issues: Passwords. In order to distribute the PDF, you also have to distribute the password; on a web-page, by email, whatever. How secure…
Passwords can also be cracked . I have a couple of PDF ‘crackers’ which brute-force the passwords to open the document. There are now websites like http://www.unlock-pdf.com/ which will do it for you. While there are legitimate use cases for this and strict terms of services, enforcement is a practical no-no.
I could use a separate tool to encrypt the whole document, but then anyone I give it then needs the ‘unlocker’ part of the program to open it.
Once you have a PDF open, you can generally select the content, copy and paste; the pasted version may look like garbage, but if the content is what you want, you can recreate a facsimile of the original to keep (I have done this to recover ‘lost’ originals). So you think disabling copy/paste takes care of that… No. If you have a ‘Print to file’ or ‘Save Page as PDF’ option you can output straight out to a new PDF. Aren’t browser plugins marvellous.
If those fail, I have a PDF Printer driver installed which pretends to be a regular paper printer, but saves PDF files instead, voiding some, most or all of the restrictions.
On Windows XP, Vista, 7 or 8, print the protected PDF as an “XPS” document, using the “Microsoft XPS Document Writer” printer. I can then open the document with Adobe Acrobat, and have the ability to copy-paste
the previously password protected material.
If all else fails, I can take a screenshot of individual pages (Windows Snipping tool is brilliant for this), save the graphics to my machine then I can insert them into a Word document or use another PDF tool to re-create a (larger) copy of the original – as pictures rather than text, but content is king, I get to keep what I want. On high-resolution displays, a screenshot is more than adequate.
So if my PDF is not secure, can I change the format to something that is?
Flipping Book: We have a tool called Flipping Book for generating PDF previews of publications for the website (like Amazon’s “Look Inside” feature). It takes the PDF and converts it to a pretty graphic version where you can thumb through a selection of the pages as a ‘try-before-you-buy’. Flipping book is a software plugin. We could generate full copies of documents in Flipping Book with all the pages.
‘Magpie’ rating: Moderate.
On machines with Adobe Flash, you can disable downloading, copy/paste and printing. There is a plain HTML-version for machines without Flash which disables downloading and printing but can’t stop copy/paste
to a word processor (the output loses all formatting, but I can clean that up.
Scribd: is an online library, where anyone can upload a document (docs or PDFs) which are displayed in a viewer like Flipping book. You can disable printing copy/paste and downloading. As a site Scribd is reasonably
secure but not completely; there are hacks, scripts and loopholes that will allow you to download some content. You can mark documents private so that only users with the document address can find it.
But over all this, screen-shotting the content still gives me it as pictures.
Whichever way you go, protected PDF’s, Flipping Book, Scribd, it’s not fool-proof, it is a series of trade-offs and compromises, but the alternative is implementing administrative layers of secure web-access, registration, loginand encryption. Just how valuable is your content? RC