Unauthorized access to secure PDF content: Everywhere you look?

Is PDF living up to Adobe’s one-time claim of being ‘Everywhere you look’? At first glance, it looks as though that statement may be truer than was originally intended, thanks to the 500-pound gorilla of Internet search. The most public ‘private’ beta this writer has ever encountered — Google’s ‘Gmail’ email service — offers a ‘View as HTML’ function that may circumvent usage restrictions on some PDF documents.

Shock, horror! Whatever shall we do?

Security, and particularly PDF security, is a hot topic that rears its head every once in a while — the glitch behind this latest round of controversy seems to have been uncovered by a vigilant blogger on April 18. The first scare I encountered was when a little-known company called Elcomsoft claimed to have broken Adobe’s PDF security handler (true, by the way). What followed was nothing short of a circus, with Adobe officials and US federal agents both involved in the arrest and detention of a young Russian security specialist who was hapless enough to have his name included on a product splash screen. Planet eBook (a now-defunct sister site to Planet PDF) first broke the story in mid-July, 2001.

Basically, the story amounted to this: Dmitry Sklyarov — the aforementioned security specialist — worked for Elcomsoft. Elcomsoft had produced and sold products designed to break PDF security, which it claimed violated fair use guidelines in its native Russia. In the US, however, Adobe claimed that the software violated the then newly-minted DMCA (Digital Millennium Copyright Act). The FBI agreed. The problems really started when Elcomsoft tried to sell its product into the US market. After that, it all hit the fan when Sklyarov was nabbed on the way out of a conference in the US. Ultimately, Sklyarov was released, and Elcomsoft’s password-retrieval and other products are available for sale. If you want the full story, check Planet PDF’s complete archive.

Now to the issue at hand: when some PDF files are received in Gmail and the ‘View as HTML’ link is selected, the full text of the document can display as HTML — even if the original PDF is secured against ‘Content Copying or Extraction’. This is obviously dangerous for document creators who have posted their content but don’t want users to print, copy or extract the text of their PDF documents. In my testing, I could only reproduce the error with PDF files that were both set to ‘Acrobat 5.0 and later’ compatibility and did not require a password to be opened. Given that Google’s online search engine doesn’t seem to have this problem, it’s possible that this hole will soon be patched. Consequently, the scope of the problem seems to be somewhat limited. That said, it may be worth either bumping relevant files up to Acrobat 6.0 compatibility or adding an Open Password in the spirit of the ‘Better safe than sorry’ principle.

What this does highlight though — and there’s a heated discussion going on right now in the Planet PDF Forums about this — is that respecting security permissions on a PDF file (other than the Open Password) is something that must be done on a ‘honor’ basis by the application.

Anyway, that’s all from me for now. Until next time…

What are your thoughts on PDF security? Let us know in the Planet PDF Forum’s Talkback Conference.

You May Also Like

About the Author: Dan Shea

Leave a Reply