Something to Protect: Securing Acrobat Publishing

Emedia Professional, Dec, 1998 by Robert J. Boeri, Martin Hensel

In retrospect, even as we ignored it, today's security problem was inevitable. The plummeting prices of CD recorders and recordable media reduced them to departmental commodities. Adobe Acrobat made producing electronic documents almost trivial. Furthermore, at the same time, Adobe dropped the licensing cost of developing Acrobat full-text indexes from roughly $600 per title to zero, including Acrobat in a sub-$200 bundle with Verity's indexing software. Producing hundreds--even thousands--of corporate titles, full-text searchable, on a CD-R, then sending the master for replication, became routine. Then with Acrobat 3.0, Adobe added a feature: making minor textual changes in what had previously been read-only PDF documents. Suddenly it dawned on corporate publishers: "We've just provided our corporate knowledge assets to anyone who has the opportunity to duplicate our CD-ROM. And we're now exposed to hostile changes in PDF documents that we do publish."

The benefits of Acrobat electronic publishing had become too persuasive to resist, while the costs of losing control of electronic document assets threatened to destroy corporate competitive advantage. But how to preserve the former while defending against the latter?

BUILDING ON PDF SECURITY

For security, most corporations looked first to the native capabilities of Acrobat itself. After all, Adobe provided an encrypted solution for free, the RC4 security method from RSA Corporation. This solution provided password-protection for each PDF file, and allowed authors to prevent end-users from printing PDF files, changing PDF content, or even selecting text or graphics.

Although this solution works, it's hardly feasible. First, nobody releases software with only one license number. A single key for all locks is no protection at all. Second, if you publish not one, but hundreds of PDF files, you can't expect users to remember different passwords for each document. Acrobat's built-in security is useful for securing only single files, personal protection akin to that found in word processing documents.

By making Acrobat PDF specifications publicly available, Adobe cultivated the growth of third-party vendors willing to develop plug-ins or extensions to the core Acrobat product. Security solutions have been slow in coming, but are now beginning to emerge. None of these solutions is foolproof, but all provide a measure of protection from wanton theft or alteration of corporate documents. Still, tighter security usually means higher cost and usability barriers, and no solution is perfect.

Two recent security solution providers demonstrate the state of the emerging PDF document security art. Ambia Corporation (http://www.ambia.com) offers Signet, a security tool originally developed for publishers of small, periodic, collections of encrypted PDF files distributed to Windows users via an installer. Early versions let publishers develop one or more encryption specifications, each specifying a list of protections applying to discrete collections of PDF files. Typical protections included a range of dates between which collections could be opened, the number of times any document could be opened, and a collection-wide "product password" that a user had to supply during each session. Copy protection was easily bypassed by copying a CD-ROM and revealing the password.

Under the original Signet model, if you wanted to develop collections containing more than a few Acrobat files, the installation process took far too long. If your content was Web/CD hybrid or Web-only, the solution didn't apply. And if your target platforms included UNIX or Mac, you got no help since Signet was Windows-only. The latest version supports much larger collections, but remains a non-Web, Windows-only solution.

FileOpen Systems (http://www.fileopen.com) offers a similar security capability that addresses several of Signet's shortcomings. FileOpen PDF works on both Mac and Windows platforms and offers a "Smart Installer" feature that identifies the user's operating system, detects the presence of Acrobat, and installs it if necessary, and performs the FileOpen PDF client plug-in installation. FileOpen's protection model also lets a publisher upgrade user permissions to secured PDF content via the publisher's Web site. Significantly, FileOpen Systems incorporates an emerging standard called Digital Object Identifier or DOI (http://www.doi.org). DOI manages digital content and copyright protection by issuing unique, persistent names to digital documents.

BEYOND ACROBAT

But what if the documents that require secure delivery include multimedia or even executables?

Copy protection systems abound, and some promise nearly administration-free unique passwords. A Windows-based system called "Digital Delivery" from Digital Delivery Incorporated (www.digitaldelivery.com) has a patented encryption key database technology that allows secure distribution of any content with complete medium and network independence, including Internet distribution.