For most people, PDF security and Digital Rights Management (DRM) are actually the same thing. But what are the things that must come together to deliver a working result?
The most important (but often overlooked) point of the PDF document format is that it produces the same output whether on-screen or printed out on any screen, printing device or operating system. (As the lawyers would have it – same form and format.) This may not sound like a big deal, but to have a mixture of text and pictures always appear the same is vital whether you are publishing atraining manual, a product maintenance book, a legal contract, or banknotes.
So it turns out that the very nature of the PDF structure is that it provides some essential elements of PDF security, that you are looking at what the original document looked like, just the same as when the publisher made it, its meaning has not been altered or messed around with just because its presentation has been changed.
But all of that only remains true only if the document recipients can’t change it in any way.As a result, there have to be ways of enforcing the actualsecurity of the PDF format, or it just remains a curiosity for lawyers.
Enforcing PDF security for added value
Generally speaking, the only way to prevent people from undetectably altering files is to encrypt them. It’s (fairly) easy to do that, and the result is that if someone tries altering the encrypted file it will not decrypt correctly. You can go a stage further and add a ‘digital signature’ to be super sure (or if you can’t be bothered to encrypt the file, but then you only prove the document is authentic!).
But once a file is decrypted, it goes back to its native form and the recipient can do anything they like with it.So encryption, on its own, does not add value to PDF security.
Applying controls to PDF documents
The second element of PDF security is therefore to be able to control what a user is able to do with a document once it has been decrypted. This means having a control application and licensing system so that the user is not able to unilaterally decide what they can do with the document against the wishes of the document owner. Control applications are typically called ‘Viewers’ because, although they can display the PDF document accurately, they are able to prevent the user from Saving the document in the native PDF format, or prevent printing.
But a Viewer has little control unless it is able to resist attacks by screen grabbers, or print-to-file drivers, so there is a little bit more to achieving PDF security than you might have guessed. Therefore a third element of PDF DRM is to control the external environment to the extent that you can. (It has to be said that operating systems manufacturers are not always helpful in that respect. Some insist that it is not acceptable to detect and prevent someone from taking a Print of the visible screen. Others do not allow checking to see if a printing device is genuine or not. Some include screen grabbing capabilities in their own product ranges. But they can be detected.)
Disincentives to copying
Given the practical difficulties of stopping people taking screen shots with their cell phones, the final piece of the puzzle is providing disincentives to copying. The greatest disincentive to copying a book (or a picture, or some music, or….) is the time and cost. Not to mention technical skill. But copying a computer file is trivial, and copies are perfect. In the paper book era, you often found a label ‘ex libris’ (from the library of) and the name, and sometimes an address, to show who really owned the book. So, there was no incentive for ‘borrowing’ it. Today it is the watermark. Applied to the visible page, it identifies who is the authorised user, so that if any copies get out, it is clear where they came from.
Of course, with a graphics editing package you can edit such things – but it is more work and more effort and more cost. And the person who is the licensed user has to do it because they can’t trust anyone else to protect them. And that has to be done each time they want to ‘give away’ a secured document. Not perfect, but still effective.
Jo Fletcher is an avid written on matters related to document security and digital rights management. She is currently affiliated to http://www.pdfsecurity.org/