Password-Protected PDFs

[lfm]

Quote:

Originally Posted by flouran

I am using what you dub an 'advisory password'. I am distributing a pdf to other people whom I am weary to trust, and thus I do not want them copying or printing the contents of the pdf. In other words, they can look but not touch. The encryption I am using is 128-bit AES. However, evince simply bypasses this restriction. The reason (I think) is that evince doesn't care for advisory passwords; however, evince could most definitely *not* open a document which requires a password to open unless the password is entered.

In an abstract theoretical sense, with general purpose computers there is no way to allow people to read a file on a screen and prevent them from doing other things such as printing. Any such measure is at best voluntary on the recipient's option. If you don't trust them then you shouldn't give them the "read only" copy.

It would be even harder to prevent anyone from making and distributing copies of a file.

Adobe may try to enforce such measures in their software but they don't control most other pdf/postscript interpreters. Even then its probably not too hard to patch adobe's software (hack) to bypass such restrictions. (I may be illegal in the US under the DCMA tho)

[CRGreathouse]

Quote:

Originally Posted by lfm

Adobe may try to enforce such measures in their software but they don't control most other pdf/postscript interpreters. Even then its probably not too hard to patch adobe's software (hack) to bypass such restrictions. (I may be illegal in the US under the DCMA tho)

It's not clear whether patching Acrobat with a nonapproved patch would fall afoul of the anticurcumvention clause. But using a program that doesn't listen to the suggestion shouldn't be a problem.

----

I've attached the standard Acrobat warning for those who are interested.

I would agree with everything said here. If you don't want someone to replicate a document the best path is to secure a legal copyright and have the users sign an agreement which would need to contain strict language to bind them.

It's so complex in this case that if you dont have control over the terminal that is being used to view the file, there is no way you could stop the user from replicating the file.

I would just screen capture it and then OCR import it to my scanner software. If I needed to have it look identical, then I'd export it as a PDF, then style the new PDF until my copy matched the screen capture. If the PDF has active features a set of screen captures would still be sufficient to replicate the document.

Even if the users could only see the document on the screen but not access the document, they could replicate it. And couldn't they also just tell someone what was contained in the document?

If it's the document form you want to protect, you'll need a copyright and/or legal agreement.
If it's the information you want to protect, trust noone, or show them only in person.

Tons of softwares which convert PDFs could be used once the password protection is bypassed or if the software ignores the protection. PDF just isnt as secure as everyone loves to believe. To truly be secure in the short term you'd want to write your own viewer/client app, but my screen capture method would still work.

One thing I was thinking that would work to deter most amatuers is to link files within the PDF that are external, on a secured server, with server/client program authentication. Then you can assure the layout/information can't be loaded without the server being up and current, you can swap the file on the server to disable the PDF in the future, and you can be sure that spoofing authentication of adobe acrobat IS illegal and not what most of the programs do. Most non-adobe PDF handling programs can be identified by the server when the document is loaded... If there would be one that "pretends" to be Adobe Acrobat it would be illegal use.

Still that doesn't stop a screen capture method... You need legal protection. Hire a lawyer local to the person and have them show them the print copy, then take it away.

(sorry so long)

[lfm]

Even keeping control of the physical copies might not work. If you let them read it at all they might have a concealed camera that will record everything they see. Its just getting harder and harder to keep secrets. Hmm, I wonder if we could construct some sorta shield out of tin foil .....

[starrynte]

don't forget print screen...

[cheesehead]

Quote:

Originally Posted by lfm

Even keeping control of the physical copies might not work. If you let them read it at all they might have a concealed camera that will record everything they see.

In fact, all "they" may need is for you to lay your keyring on a table in a public place where it can be photographed from across the room/street, if the ring has the key(s) controlling access to the physical copies.

It's now possible for someone to read the key code that can be used to duplicate a key, using only a photograph of the key, and without expensive equipment, using publicly-available software, and without any special knowledge. See "Duplicating Your Housekeys, From a Distance" at http://mersenneforum.org/showthread.php?t=10885

Quote:

Its just getting harder and harder to keep secrets.

So, I'm advising my friends to begin changing their habits if they habitually lay their keys on a table beside them in public places such as a restaurant. Better to keep all keys out of sight when not actually in use.

It's sad that technology keeps eroding our traditional privacy and security, but it is happening. (* sigh *) Stuff like this new key-copying technique is probably still very rare, but changes are gradually negating old assumptions about safety as new ideas spread faster and faster.