Adobe PDFs are frequently used in the business environment, but, say Keith Jones and Ryan Lerminiaux, other measures should be taken to increase security on more sensitive documents

You don't have to be in the business world very long to know that Adobe's portable document format (PDF) is used heavily in business-to-business, business-to-client, and internal business operations.

PDF documents are considered a standard means of efficiently communicating information and data between users and computers. If you supply someone with a PDF of a document, you can be confident that it will open on their computer and print correctly without user intervention.

There is a potential drawback to the convenience and portability that PDF files provide. Once you give someone a basic PDF file, you lose control of its alteration and dissemination. This is the problem with many computer file formats when examining the issue from a digital rights management (DRM) viewpoint.

According to Christine Musil from Informative Graphics Corporation (IGC), "PDF is convenient because there are many applications to create and view them, but there are a number of applications to edit them." For example, says Musil, "A major university was considering using PDF for unofficial transcripts, but quickly discovered that any student willing to spend $20 on a PDF editor could change their grades."

To combat this problem, several technologies exist that allow lawyers to communicate information securely while maintaining document integrity. This article addresses those technologies and the pros and cons of each technique.

Adobe security measures

First, Adobe offers security on a number of levels. When authoring a PDF file you can apply security using a variety of methods, depending on the version of Acrobat you are using and your computing resources.

The simplest security an author can apply to a PDF file is password protection, which attempts to secure the PDF file by limiting certain activities by the end user or the reader. PDF password security can prevent the end user from copying sections of the PDF, printing the contents or even opening the PDF file without supplying the correct password.

The problem with this method of security is that a number of tools, easily found via a simple internet search, can break password-protected PDF files. Some of the tools work by guessing the password used to secure the file in order to remove the restrictions placed upon it.

Relying on this form of minimal security may not give lawyers the level of integrity for documents that they demand to safeguard sensitive information. However, lawyers will continue to use this method because it does provide a modicum of security and is very easy to implement.
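As an added example (not part of the original article and not Adobe's code), the sketch below reads the encryption dictionary of a password-protected PDF and reports which of the restrictions described above the file declares, along with the cipher it was protected with. The flag positions follow the PDF specification's standard security handler; the function names and sample bytes are constructed for illustration, and the scan assumes the dictionary is stored as an ordinary indirect object.

```python
import re

# Permission flags carried in /P (PDF 32000-1, Table 22); bit numbers are 1-based.
PERMISSION_BITS = {"print": 3, "modify": 4, "copy": 5, "annotate": 6}
ALGORITHMS = {1: "RC4, 40-bit key", 2: "RC4, key size from /Length",
              4: "crypt filters (RC4 or AES-128)", 5: "AES-256"}

def find_encrypt_dict(pdf: bytes):
    """Return the body of the object referenced by /Encrypt, or None if absent."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if ref is None:
        return None
    pattern = rb"(?<!\d)%s\s+%s\s+obj\s*<<(.*?)>>\s*endobj" % ref.groups()
    obj = re.search(pattern, pdf, re.S)
    if obj is None:  # fail loudly rather than report "not encrypted"
        raise ValueError("/Encrypt is referenced but its object was not found")
    return obj.group(1)

def audit(pdf: bytes) -> dict:
    """Summarise the protection a PDF declares: cipher, key size, allowed actions."""
    enc = find_encrypt_dict(pdf)
    if enc is None:
        return {"encrypted": False}
    def num(key: bytes, default: int = 0) -> int:
        m = re.search(rb"/" + key + rb"\s+(-?\d+)", enc)
        return int(m.group(1)) if m else default
    p = num(b"P") & 0xFFFFFFFF  # /P is a signed 32-bit value
    v = num(b"V")
    return {"encrypted": True, "V": v, "R": num(b"R"),
            "algorithm": ALGORITHMS.get(v, "unknown"),
            "key_bits": num(b"Length", 40),  # the specification's default is 40
            "allowed": {name: bool(p & (1 << (bit - 1)))
                        for name, bit in PERMISSION_BITS.items()}}

# Constructed sample: a minimal fragment with placeholder /O and /U values.
SAMPLE = (b"%PDF-1.4\n"
          b"7 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128\n"
          b"   /O <" + b"00" * 32 + b"> /U <" + b"00" * 32 + b"> /P -1340 >>\n"
          b"endobj\n"
          b"trailer\n<< /Size 8 /Root 1 0 R /Encrypt 7 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A firm could run a check like this over outgoing documents to confirm that each one carries the restrictions and cipher strength its policy expects before it is sent.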

Adobe also offers security using a server and public key infrastructure to combat the problems faced by simple password security. Adobe's LiveCycle Rights Management ES is a server-based document security product that allows PDF authors to determine who can view or edit their document, as well as when the document will expire.

This is accomplished by selecting the desired security restrictions (ie, user accessibility, life span of document) when the document is created. These settings are then stored on the management server and synchronised with the PDF document. The restrictions remain with the document throughout its life cycle (online and off) and can be changed on demand on the server after the document is disseminated.

This allows for much greater control over security measures, but it does have its drawbacks. It is a much more complicated and costly option than simply password protecting a document. It can require costly computer hardware and an IT staff to support it, as well as the certificates, keys and users associated with public key infrastructures.

Other measures

There are also various companies that boast more secure alternatives to the PDF format using a variety of technologies. This article will only touch on a few of the available technologies, but a simple internet search will return a more exhaustive list of companies offering proposed alternatives to PDF that boast high levels of security and more DRM features.

The companies that attempt to complement or provide alternatives to Adobe's PDF file format use a variety of methods to provide stronger security and DRM. These alternatives generally fall into four categories: a server-based approach, a public key infrastructure, encryption, or a proprietary format to transmit the data. Additional techniques employ a hybrid of these methods. In short, each method attempts to maintain control of the file after it is disseminated.

IGC mainly uses a proprietary file format with a high level of encryption to offer security and DRM features to their customers. By owning the technology to create and view the content secure format (CSF) file, IGC believes that they offer a high level of security by ensuring that the content is under the author's direct control at all times.

According to Musil, "IGC created the CSF file format to give customers a convenient, inexpensive way to protect document content whether that document is currently on the company network or beyond. Users publish to the CSF format and select any restrictions they want to assign the file. For example, they can restrict recipients from adding comments, re-publishing to a new format or printing the document.

"They can even add an expiration date past which the file will not be viewable. Because CSF files are only viewable by IGC products like the free Brava Reader, it is difficult to circumvent those settings." The benefit to this type of technology is using a simple technique to create a file with inherent security features.

And the burden? History has shown that giving an attacker unlimited time and resources to access data usually ends in his success. For example, proprietary DVD DRM technologies were cracked shortly after they were implemented by the industry.

On the other end of the spectrum, other services such as WatchDox mainly use internet-accessible servers to provide a high level of security and DRM features. By following the demonstration on the WatchDox website, it is clear that the protected document must be viewed through the website rather than viewing the file on your computer with a tool like Adobe PDF Viewer or Brava Reader. (Note that WatchDox offers a Microsoft Outlook plug-in for their protected files but it does not appear to be the main method for viewing a protected document.)

The benefit to this type of technology is that a lawyer does not have to use proprietary software to create a protected file for clients and the client does not have to install special software to view the protected file. The drawback is that the recipient of the protected document must be connected to the internet to access the computer server containing the document.

Which measure for your firm?

There are several factors to consider when purchasing a document security solution. For example, how large is your firm? How often does your firm send electronic confidential information to clients or other attorneys? How sensitive is that information?

Big firms with multiple offices that transmit large quantities of sensitive material would be good candidates for a server-based solution. Large firms generally have the proper IT staff to implement servers and certificates, which are meant to handle a larger number of users.

Solo practitioners and small firms would be better suited to a stand-alone product – one that can be installed on a desktop and does not require IT support. These products are generally much less costly than server-based products.

No matter which product you choose to secure your documents, it is rendered useless if it goes unused or is used improperly. This seems like an obvious statement, but history shows that given the choice, most people will choose convenience and usability over security. Generally speaking, the process of creating and disseminating a secure document involves more steps and is more time consuming than simply sending an unprotected document to a client.

Depending on the method used to secure a document, the recipient is required to have the correct certificates/keys or a proprietary program to view the document, which may be specific to a certain operating system (ie, Microsoft Windows or Apple OS X).

Many people find these additional steps inconvenient, especially when they are short on time or trying to view documents on the go, so they bypass security and embrace usability. In the end it comes down to security versus convenience – a traditional trade off when trying to implement any type of new security measure, including document integrity. So make sure the product you select is easy to use, and that its ease produces the desired secure result.

Keith Jones is a senior partner and Ryan Lerminiaux an associate at Jones Dykstra & Associates, a consulting firm that specialises in e-discovery, computer forensics, expert witness testimony and computer intrusion response services. A version of this article first appeared on law.com.