Category Archives: Copyright protection

New HTML5 service for online secure PDF viewing

Our online PDF viewer has just got better, faster and simpler to use, with even more security options. Examples of the new facilities are available via our Managed Online services page or simply click on the image below to see how this document looks within the secure PDF viewer – within your browser, on any device you like, with no software installations or downloads!

Adobe PDF print security is not secure at all!

Many people use the tools in Adobe Acrobat and related software (such as PDF exporting from MS Word) to add basic security features to their files. One such facility frequently required is protection against printing – essentially this disables the print menu and toolbar icon in Adobe Reader and other Adobe products that display PDFs.

However, for some time now Adobe have recognized that this feature is not secure, because it is not part of PDF standards and other PDF reader providers do not implement this Adobe-specific feature. Indeed, Adobe Acrobat now displays a warning message to this effect (as shown below). For example, an Adobe print-protected PDF can be opened in Javelin for Windows and printed, with no problem at all! By contrast, the print protection in our Drumlin PDF publishing software is enforced, because the secured file is only readable using Javelin PDF readers (after authorization). Drumlin can block printing entirely when you want to fully protect your PDF in this way, or allow printing while restricting it to physical devices and specified numbers of pages.

[Image: Adobe Acrobat print security warning message]
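Added example (not from the original post, and not Drumlin's or Adobe's code): in a password-secured PDF the print restriction is recorded as bits of the /P integer in the file's security dictionary, and it only has effect in a reader that chooses to act on it. The Python code below decodes that value so a publisher can audit what a file actually declares; the function names and the sample file fragment are constructed for illustration.

```python
import re

# Permission bits in /P (1-based positions), as documented for the
# PDF standard security handler. A set bit means the action is allowed.
PERMISSION_BITS = {
    3: "print",
    4: "modify",
    5: "copy_extract",
    6: "annotate",
    9: "fill_forms",
    10: "extract_accessibility",
    11: "assemble",
    12: "print_high_quality",
}


def decode_permissions(p_value):
    """Map the signed 32-bit /P integer to {permission: allowed}."""
    bits = p_value & 0xFFFFFFFF  # view the signed value as 32 raw bits
    return {name: bool((bits >> (pos - 1)) & 1)
            for pos, name in PERMISSION_BITS.items()}


def audit_pdf(pdf_bytes):
    """Return decoded permissions, or None if no password-security
    dictionary is found. A simple scanner for auditing, not a PDF parser."""
    handler = re.search(rb"/Filter\s*/Standard\b", pdf_bytes)
    if handler is None:
        return None
    # Limit the search to the object that holds the security dictionary,
    # so a /P key elsewhere in the file (e.g. a parent reference) is ignored.
    start = max(pdf_bytes.rfind(b"obj", 0, handler.start()), 0)
    end = pdf_bytes.find(b"endobj", handler.end())
    segment = pdf_bytes[start:end if end != -1 else len(pdf_bytes)]
    p = re.search(rb"/P\s+(-?\d+)\b", segment)
    return decode_permissions(int(p.group(1))) if p else None


# Constructed sample: the relevant parts of a file with printing
# restricted but copying and editing left enabled. The /O and /U
# values are placeholders, not real password hashes.
SAMPLE_PDF = (
    b"%PDF-1.6\n"
    b"3 0 obj\n<< /Type /StructElem /P 2 0 R >>\nendobj\n"
    b"7 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128\n"
    b"   /O <00> /U <00> /P -2056 >>\nendobj\n"
    b"trailer\n<< /Size 8 /Root 1 0 R /Encrypt 7 0 R >>\n"
)

if __name__ == "__main__":
    for name, allowed in audit_pdf(SAMPLE_PDF).items():
        print(f"{name:22s} {'allowed' if allowed else 'denied'}")
```

The output is only a statement of what the file asks for; whether printing is actually blocked depends on the reader that opens it.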

Managed Services: Adding BUY NOW and ADD TO CART buttons

The Managed Services PDF Publishing facility we offer provides a web-based catalog ordering capability with Add to Cart or Buy Now buttons built into the online ordering pages. A full-page example can be seen at: http://www.drmz.net/PicJur/catalog.html

If required, these buttons can be placed on the publisher’s own website in order to provide a seamless user experience, optionally with the payment process etc. being handled through the publisher’s own PayPal account. The result is still automated processing using our servers, so is essentially the same as linking to a catalog page on our managed services site. Other pages used in the process, such as the tailored email template and download template page, remain on our site and are managed by us on your behalf, with your branding, name etc.

Buttons such as these are created using simple HTML commands that look like: <form> a series of instructions… </form>. An example is:

If you click this button it will place a real order for a secure document (in this case a legal guide for US Law Students). In this example we have used the TEXT tab in the WordPress editor (as opposed to the VISUAL tab) to enter the HTML code that creates the button.

Some other points about this approach are noteworthy:

  1. Helpful information and guidance is needed to ensure that purchasers understand what technology platforms are supported (and maybe which are not supported) and whether or not printing of the item is permitted – our sample catalog pages all include this, so can be copied as examples
  2. If you do decide you would like buttons on your own site rather than ours we need to know this so we can ensure that customers return to your site rather than ours for additional orders etc – we would need to provide the button code for you, to ensure it is correct and has been tested on our servers first
  3. If we provide a managed service for a flat rate fee rather than a flat rate plus commission charge, you can be the recipient of the payments made directly rather than via us. Such payments have no commission deducted and appear directly into your PayPal account. In this case the PayPal payment receipt will be sent to you rather than us. You set the price and you are the contracting party for payment and any local sales tax/VAT computations and reporting.

For more information and advice on Managed Service PDF publishing please contact us

PDF Printing

It is often the case that PDFs are distributed without really thinking about protecting them against printing. Quite often people will add basic protection against copying and editing using the tools provided in Adobe Acrobat or similar software (see further, below), but files that are not protected against printing or do not control the printing process can easily be copied, scanned (including to PDF with OCR) and onward distributed.

Pros and Cons of PDFs

There is a lot to be said for the humble PDF. It allows us to share documents easily across multiple platforms, preserving everything from our intended layout, to the correct page order, to our chosen font size and style. However, as noted above, standard PDFs are not protected against the editing or copying of content, nor from printing.

Using the Tools facility in Adobe Acrobat it is possible to add various forms of content protection. These include protection against copying, editing and printing. Date/time-based protection is not provided.

However, these facilities are specific to the Adobe PDF technology and can be bypassed by widely available software that implements decryption, memory-scraping and screen-scraping. Perhaps more importantly they do not provide protection against copying entire documents by simply forwarding these to third parties.

Knowing When to Secure PDFs against Printing

It goes without saying that printing sensitive information carries a significant security risk, whether internally within your company (staff payroll documents, contracts, financial statements or marketing plans) or externally when printing is outsourced. Securing against printing is an ideal way of limiting the unauthorized views of your documents. There may be other benefits, such as managing costs and meeting environmental objectives.

Protecting PDFs

For real protection of PDFs they need to be encrypted and have controls or permissions associated with them. Various tools exist for protecting PDFs. Many PC users, for example, have Microsoft Office as their main document creation facility. As with all current MS Office applications, the File menu, Export facility enables you to save the current document as a PDF. This includes an Options form, as illustrated below, which includes an option to encrypt the document with a password. This provides a level of security against opening the document – the saved document will only open in Adobe Reader if the correct password is entered. Note that this provides no protection otherwise, i.e. printing etc. are still permitted.

[Image: MS Office PDF export Options form]

If Adobe Acrobat is installed on the same computer as above, it will automatically appear as an option on the File menu in MS Office applications as “Save as Adobe PDF”. In this case a different form is displayed, with more security facilities (see below). This is where you can see the options to control printing (and editing/copying etc.). The default settings are shown. As can be seen, in addition to the Open document password control there is a second, password-protected Permissions section.

[Image: Adobe PDF security settings form]

Digital Rights Management protection

The protection mechanism above works quite well, especially for documents that are not particularly sensitive or high value. There are two main problems with the above approaches however. The first problem is that the document can still be sent to anyone, anywhere in the world, and viewed and copied any number of times. The second problem is that the security applied can be removed in many cases, or simply ignored by using a different PDF reader that does not adhere to Adobe’s settings. The solution to both problems is to apply digital rights management (DRM) controls to the document. In this case the steps are:

  1. create a standard PDF with no special settings
  2. use a special program to encrypt and add security permissions to the file, such as print controls
  3. make the file available to the target user(s) via email, web download etc together with details of how they can open and view the secured document
  4. the target user(s) open the document using a PDF reader (generally a free PDF reader provided by the DRM service operator). The document will only open if additional security checks are passed, in all cases requiring a local or wide area network connection, typically to an in-network DRM service. This all happens in 1-2 seconds and includes centralized logging of the events so that actions may be tracked

For more information on providing print security and other DRM-enabled facilities, please contact us

Screen capture protection

A very common question we are asked is “can we include protection against screen capture” for our PDFs on a cross-platform basis? The simple answer is “no”, whatever system or supplier you look at and whatever others may claim! A little background should help clarify this.

With the introduction of screens for interacting with computers in the 1980s it was necessary to provide dedicated hardware components to manage the display of text and graphics. As PCs and similar devices became more advanced, graphical demands became greater and specialized “graphics cards” (and later, “chipsets”) were included to provide this functionality. The cards and chipsets included both processing and memory handling functions, and software tools soon became available that would access the stored information directly. These were initially utility programs, and then rapidly this functionality was included in third party photo/image processing software and built-in tools (e.g. the Snipping tool in Windows 7 and Grab on Mac OSX 10). This allowed users to display information on screen and then “capture” all or part of the screen for subsequent editing. The user did not need to understand where this information came from, just that it was readily accessible. The operating system was essentially bypassed by the screen capture software, which could go straight to the hardware memory to read the information that was displayed visually on-screen.

To prevent such programs from being used to capture screens, mechanisms had to be found that interfered with the way they worked. The principal mechanism was to identify that a process was running that was known to have screen capture functionality, and then to refuse to display some or all of the screen until the offending process (program) was terminated. This worked fine for some years, until new devices, operating systems and ways of working were introduced in the last few years.

With the introduction of mobile devices (tablets) manufacturers quickly realized that many customers wanted to capture screens for onward processing. Instead of leaving this to third party software providers they included combinations of buttons that could be pressed to screen grab and save to the local image “Gallery”, in the same way that photographs taken with built-in cameras were stored. This hardware-based screen capture facility meant that information display, such as a PDF on screen, could always be captured and no software mechanism could prevent it. In parallel, more advanced versions of desktop operating systems from Apple and Microsoft started to include screen capture software as standard, running in a background thread or process, that end users were completely unaware of. An example is Microsoft’s OneNote software, which even when closed still retains a background process for screen capture. These changes to the hardware and operating system environment have meant that mechanisms to prevent screen capture either no longer work in a cross-platform world or create more problems than they solve. However, limited scale protection is possible for specific operating systems, notably Windows variants, where systems such as Javelin now incorporate some quite clever procedures for preventing screen capture if this option is specified for secured PDFs.

A further development has been the introduction of much higher resolution screen displays. Until very recently all computer screens were less than 100dpi (dots or pixels per inch). This compares with typical print output which is at least 300dpi, and high quality print and image data which is 1200-2400dpi. High resolution screens require far more memory and processing, which is why they have only started appearing in the latest range of tablet and mobile phone devices (e.g. iPhone6 has a 400dpi screen). Such devices can be scanned or digitally photographed, so the display itself becomes like a paper copy of the source material, and nothing can prevent the use of such external mechanisms from capturing screens at a resolution that enables reading and/or conversion via OCR to structured text.

The only workable cross-platform solution to such issues is to add static and dynamic watermarking to secured PDFs. This information then forms part of the in-memory and on-screen data, and as such will always be included in any capture process, and can be difficult or impossible to remove. It is even possible to include invisible watermarks, using special characters or hidden graphics. The use of watermarking is discussed in another of our blog entries – please see here for more details.

Drumlin Security’s Javelin PDF readers support several mechanisms for content and screen capture protection. The first is that the displayed information is essentially just a graphic image, rather than selectable text – there is no facility for text selection nor any support for the clipboard (i.e. copy/paste functions) and all information is held in memory, with no temporary disk files that include decrypted data. The second is support for static and dynamic watermarking, as discussed above. Finally, and recently enhanced, there is the screen capture protection option. If you have any questions regarding this blog item, do please contact us or add your own comment to this entry.

How to catch the ebook pirates

The International Publishers Association (IPA) defines Book Piracy as follows: “Any unauthorised use of a copyrighted work, such as a book or a journal article, is an infringement of copyright, or a case of copyright piracy, unless covered by a copyright exception. Piracy has a harmful impact on the revenue streams of all creators”. But as they go on to say:

“Whether unlawful copies are made with or without commercial interest, by commercial pirates or by private individuals, for publishers the damage can be the same. Any unlawful copy of their book or journal, in paper or electronic form, affects their business as much as the theft of the same work as a book in a shop. Any unlawful copying amounts to a misappropriation of their property. Consequently, copyright laws generally sanction this theft, under civil and sometimes also under criminal law, just like the theft of tangible property. Unfortunately, copyright infringement is not as easy to detect as the theft of physical goods, particularly not in the electronic age where electronic files can be created and widely spread within short time periods. This renders the enforcement of copyright particularly difficult, and makes awareness-raising particularly important.”

Here is an example – the website bookzz.org claims to have links to over 2 Billion books for free download and over 20 Billion articles (another widely-cited example of this kind of search engine is Library Genesis). I searched on the BookZZ website for the Life of Pi, by Yann Martel (see below). There were 28 hits – the first two links indicated that the pursuit of the hosting site by the legal owner has resulted in the download links being deleted – but many others on this site remain available, with downloads offered for the Life of Pi in ePUB, HTML and Text formats as entry #21 below shows. These are clearly breaches of copyright, and hard to eliminate.

So what do you do if your publications have been pirated, or you suspect this to be the case? Maybe you have issued them with limited security (e.g. Adobe-based PDF security with no DRM) or via a major DRM-enabled channel, such as Amazon or Apple, that has not provided the protection you expected? The answer is a three-fold approach:

1. Pursue the pirates by all means available;

2. Improve the level of protection you apply to your publications; and

3. Minimize the commercial impact of piracy on your business, if possible.

We look briefly at these elements below, but please investigate the links provided for a fuller picture of the options available.

1. Pursuing the pirates can be a difficult and potentially expensive process, but specialist law enforcement units and commercial and trade bodies can help a lot. On the law enforcement side there are organizations like the UK’s Police Intellectual Property Crime Unit (PIPCU), and the US Govt National Intellectual Property Rights Coordination Center. Then there are working groups, seminars and even summits on how to tackle piracy (see for example the annual Anti-Piracy and Content Protection Summit). Finally, there are commercial providers of anti-piracy services (stopping the abuse of your copyright) such as Digimarc Guardian and Rightscorp. These latter organizations take a pro-active approach to copyright abuse, seeking out websites and services that distribute material illegally and implementing a multi-step approach to removing the links and identifying the perpetrators.

2. The second part of the process is to try and improve the protection provided to your PDF publications. One key mechanism is to use a combination of static and dynamic (intelligent) watermarking to make any attempt to copy your material extremely difficult without inclusion of these watermarks. Of particular value are watermarks that uniquely identify the end user, as this provides a means for directly pursuing the individual or corporate body responsible. Our blog article on watermarking is a useful starting point. A strong DRM is also vital (Drumlin for example, but there are quite a few to investigate), but that is not always possible because distribution channels like Amazon and Apple have their own, proprietary DRMs. For those not dependent on such channels a powerful DRM combined with watermarking and strong Warning Notices is the preferred option. And where proprietary material is provided to Corporates, make it clear in your contracts that the Corporate will be held liable for any copyright abuse by their staff – which will encourage them to police their own staff and advise them of the sanctions available if such actions occur.

and finally…

3. If your publications are commercial, making the access to the material fast, simple but secure, and making the per copy cost reasonable (depending on volumes and content of course) may well help – this is how the big players in the ebook world, video and audio-media distributors, and games world have tackled the problem – basically they accept that piracy will occur but seek to make piracy pointless – worthy of consideration, always assuming that your business model can support this approach!
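Added example, not part of the original posts and not Javelin or Drumlin code: the user-identifying watermark described in point 2 above, and in the earlier screen capture post, only helps in pursuing a leak if the identifying text cannot be edited or forged. This Python code builds a per-copy watermark line carrying a keyed tag (HMAC-SHA256, an assumed design) and verifies text recovered from a captured copy; the field layout, function names and key are hypothetical.

```python
import hashlib
import hmac

FIELD_SEP = "|"


def _tag(key, user, order_id, issued):
    """Truncated HMAC-SHA256 over the identifying fields (16 hex chars)."""
    msg = "\x1f".join((user.lower(), order_id.upper(), issued)).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16].upper()


def make_watermark(key, user, order_id, issued):
    """Build the per-copy text the reader overlays on every page."""
    for field in (user, order_id, issued):
        if FIELD_SEP in field or not field.strip():
            raise ValueError("fields must be non-empty and must not contain '|'")
    tag = _tag(key, user, order_id, issued)
    return f"Licensed to {user} | Order {order_id} | {issued} | {tag}"


def verify_watermark(key, text):
    """Check text recovered from a leaked copy (typed in or OCR'd).

    Returns (user, order_id, issued) when the tag matches, else None, so an
    edited name or a watermark forged without the key is not attributed.
    """
    # Collapse whitespace first: captured text rarely keeps exact spacing.
    parts = [p.strip() for p in " ".join(text.split()).split(FIELD_SEP)]
    if len(parts) != 4:
        return None
    who, order, issued, tag = parts
    if not who.lower().startswith("licensed to "):
        return None
    if not order.lower().startswith("order "):
        return None
    user = who[len("licensed to "):].strip()
    order_id = order[len("order "):].strip()
    expected = _tag(key, user, order_id, issued)
    supplied = tag.replace(" ", "").upper()
    # Constant-time comparison on bytes, so stray non-ASCII OCR output
    # is rejected instead of raising an error.
    if hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8")):
        return (user.lower(), order_id.upper(), issued)
    return None


# Constructed values for illustration only.
DEMO_KEY = b"publisher-secret-key-kept-on-the-server"

if __name__ == "__main__":
    wm = make_watermark(DEMO_KEY, "alice@example.com", "A1001", "2015-03-01")
    print(wm)
    print(verify_watermark(DEMO_KEY, wm))                          # genuine
    print(verify_watermark(DEMO_KEY, wm.replace("alice", "bob")))  # edited
```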

Permissioning vs Authorization – what are the differences?

There are three main approaches that can be taken to provide digital rights management (DRM) for documents (also referred to as Information Rights Management, IRM):

1. User-independent authorization systems: these are systems where files are downloaded and are authorized for offline usage by either device identification, which requires prior registration of the device, or by entry of an authorization code that is checked on a central DRM system (does not require prior registration). Note that with this second approach there is little or no requirement for central service management as the process is automated.

Examples of device-based systems are Amazon’s Kindle, iPads with iBooks, and devices like Kobo and Nook (often managed via Adobe DRM services). In practice these systems require user registration in order to handle the financial transactions when ebooks are purchased, so are actually device- and user-based. Note that the great majority of PCs, unlike most other devices, do not have a consistent and uniquely identifiable deviceID.

An example of an authorization system with no prior user or device registration is the Drumlin DRM service with Javelin as the end-user reader. A diagram showing the key elements of this process is available here. Systems of this type will work on all supported devices, but not generally on proprietary devices like Amazon’s Kindle family. For these, use of the device provider’s DRM is often mandatory and in most cases does not include DRM support for PDFs.

2. User and/or device-dependent systems: these are systems where each person downloading a document must be pre-registered on a centrally managed service, and then each publication they are permitted to view is centrally enabled for them. These are “permissioning based systems” and are most commonly used in intra-corporate applications in conjunction with document (or content) management systems (CMS). Locklizard is an example of this kind of system, as is Microsoft’s 365 online services. Drumlin has facilities that provide centralized permissioning – please contact us if you want to know more about this option. However, in many instances publishers find manual permissioning is too labor intensive and not instant, so prefer the authorization code approach and/or device-based DRM services.

3. Online-based systems: approaches 1 and 2 assume the files are to be downloaded and read offline – no regular host connectivity is required after the initial stage of downloading and enabling. An alternative is a hosted service where the files are kept centrally and displayed via a web browser. A pure HTML or HTML5 based solution (with username/password login and other protective measures) would be an example of such a facility. Note that this option is simple to manage because the files are held centrally, and if required access can be controlled for entire groups of users (with usage tracking) rather than at the individual customer level. The compromises here are: (i) the files can only be viewed online; (ii) access is controlled via permissioning, so requires manual management; and (iii) the quality of display and level of security is typically not as good as offline PDF readers. In our previous newsletter (April 2014) we discussed the merits of online vs offline PDF security, with online examples using Flash and pure HTML. Since then we have added some HTML5 examples, which you can view via the online examples index page here.

In all the above instances there is usually little or no true user authentication. The term authentication refers to the process of identifying that the end user is actually who he or she says they are – as would be the case with many online Banking access systems or face-to-face contacts (e.g. at passport control). Authentication can be added to all of the above systems, but adding further layers of access control in an already contentious area is likely to be a step too far for most commercial environments.
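Added example, not Drumlin's or any other vendor's implementation: a Python model of the server-side decision in approach 1 (authorization code) and approach 2 (permissioning), including the central event log mentioned in the DRM steps earlier on this page. The class names, the device limit and the reader-generated device_id are assumptions made for the illustration.

```python
from datetime import date


class AuthorizationCodeService:
    """Approach 1 (authorization code): no user or device is registered in
    advance; a code unlocks one document on a limited number of devices."""

    def __init__(self):
        self.codes = {}  # code -> {"doc", "max_devices", "expires", "devices"}
        self.log = []    # central event log: (day, doc, who, outcome)

    def issue(self, code, doc, max_devices, expires):
        self.codes[code] = {"doc": doc, "max_devices": max_devices,
                            "expires": expires, "devices": set()}

    def open(self, code, doc, device_id, today):
        # device_id is assumed to be an identifier generated by the reader
        # installation, since many PCs have no consistent hardware ID.
        rec = self.codes.get(code)
        if rec is None or rec["doc"] != doc:
            outcome = "denied: unknown code"
        elif today > rec["expires"]:
            outcome = "denied: expired"
        elif device_id in rec["devices"]:
            outcome = "ok"                      # already authorized here
        elif len(rec["devices"]) >= rec["max_devices"]:
            outcome = "denied: device limit"    # code passed on too widely
        else:
            rec["devices"].add(device_id)       # first open binds the device
            outcome = "ok"
        self.log.append((today, doc, device_id, outcome))
        return outcome == "ok"


class PermissioningService:
    """Approach 2 (permissioning): every user is registered centrally and
    each document is enabled for them by an administrator."""

    def __init__(self):
        self.users = set()
        self.grants = set()  # (user, doc) pairs
        self.log = []

    def register(self, user):
        self.users.add(user)

    def grant(self, user, doc):
        if user not in self.users:
            raise KeyError(f"{user} is not registered")
        self.grants.add((user, doc))

    def revoke(self, user, doc):
        self.grants.discard((user, doc))

    def open(self, user, doc, today):
        outcome = "ok" if (user, doc) in self.grants else "denied: no grant"
        self.log.append((today, doc, user, outcome))
        return outcome == "ok"


if __name__ == "__main__":
    svc = AuthorizationCodeService()
    svc.issue("CODE-1", "guide.pdf", max_devices=2, expires=date(2015, 12, 31))
    for dev in ("dev-A", "dev-B", "dev-C"):  # constructed device IDs
        print(dev, svc.open("CODE-1", "guide.pdf", dev, date(2015, 6, 1)))
```

In the first model the only administrative step is issuing the code; in the second, every reader needs a register and a grant before the first open succeeds, which is the manual overhead the text attributes to permissioning.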