In your case you are talking about the 'permissions' restrictions on a PDF, so the file can be opened by everyone but has controls on printing, copying, etc.*
First thing; password-based permissions settings are not secure at all. It's trivial to remove them, and only Adobe software guarantees to respect them in the first place. They're an illusion of security which tends to convince most people not to bother trying to bypass the restrictions, but if someone wants to it'll take them 30 seconds.
Certificate-based encryption uses the digital ID of the recipient, not the creator - so it's only going to work if you get the digital ID from each recipient in advance, and cannot be used for public documents on a website. It can also be removed without access to the private key, but it takes a lot more effort to do so.
Digital rights management (using Adobe ADEP / LiveCycle Rights Management servers) can protect a file against printing and direct copying with no realistic possibility of the protection being removed, but it's extremely expensive.
However in every case, if a page is visible on screen it can be captured as a screengrab, then re-OCRed to extract text. You can't extract media, scripts and vector objects, but something like a novel is utterly impossible to secure against copying if it's distributed into an uncontrolled space.
*The 'open file' security on a file is another matter entirely - even password encryption is secure enough to be uncrackable in any real-world scenario, provided you use a complex string to prevent brute-force attacks.
Wow, Dave that was incredibly useful information, thank you so much! before I mark this thread a solved I was hoping I could ask one or two follow-up questions.
What I've learned so far:
- The way we've been password protecting our content is pretty sad.
- We can't use certificate-based encryption since it's a public site we obviously wouldn't know the signatures of visitors to the site.
The client's needs:
- Visitors should be able to open the PDFs (so that they can read them, both online and offline)
- The client mostly wants to make sure visitors don't edit the PDFs, save them, and use them for their own purposes.
- The PDFs are really just downloadable versions of articles that also appear on their website so visitors could always copy the text from the website if they can't copy it from the PDF.
- It's OK if visitors print the PDFs.
- So it's really just that the clients doesn't want people to edit and save the PDFs.
Given those requirements (and the fact that the PDF content is also readily available on their website) it almost sounds to me that the DRM solution is overkill (I couldn't find any details on pricing on Adobe's site, do you know where to find that?). It almost kind of sounds like just using passwords might still be the way to go (if only to make the process slightly more annoying for someone who is going to unlock it) unless there's a better suggestion...
Thanks again so much for your help!
1 person found this helpful
No matter what systems you use, you cannot prevent a PDF file from being saved, as they don't stream. To see a PDF on your screen you have already downloaded it, so you can always share that file even if you grab it from your browser cache.
DRM is the only way to guarantee that a public-facing PDF file cannot be edited, while remaining open for everyone to view - however given your client has the same content on their website, the cost and complexity isn't worth it. We don't have public pricing on ADEP, but thinking five figures is about right.
Thanks again so much for your help!