Metanorma now offers PDF protection mechanisms!
Introduction
Note
|
Features in this blog post are available from Metanorma v1.5.3. |
There are times when a Metanorma PDF document needs to be protected, such as:
-
when sharing confidential information;
-
to prevent direct copy and pasting of content;
-
to prevent printing the document; or
-
to prevent high quality print reproduction of a document.
ISO 32000-1:2008 (free copy at Adobe) defines PDF 1.7 which specifies several PDF protection mechanisms.
As several SDOs that use Metanorma have requested such functionality, we are happy to announce that the following Metanorma PDF protection features are now generally available:
-
Require password to open document (PDF whole-document encryption);
-
Disallow copying text or graphics;
-
Disallow inserting, deleting or rotating pages;
-
Disallow adding annotations or signatures;
-
Disallow printing;
-
Disallow high quality printing.
Warning
|
Not all PDF protection features are implemented in PDF viewers! See below. |
PDF owner and user passwords
Metanorma implements the PDF encryption mechanism specified in ISO 32000-1, 7.6, originally from PDF 1.1.
There are two passwords used in PDF protection mechanisms, namely:
-
the “owner password”, where when given, the conforming PDF reader application has unlimited access;
-
the “user password”, where when given, the conforming PDF reader application can access the contents of the PDF according to the “user access permissions” defined in the PDF file.
All PDF protection measures require the setting of these two passwords, and when unspecified, will be considered as empty (the default password).
The passwords are set by the following document attributes:
-
:pdf-owner-password: {password}
specifies the PDF "owner password". -
:pdf-user-password: {password}
specifies the PDF "user password".
= Please Don't Change Things
:pdf-allow-copy-content: false
:pdf-user-password: JustR34d4t
:pdf-owner-password: D0ntCh4ng3Th1ngs
...
PDF access permission: Require password to open document
This is the most popular protection measure where the entire PDF is “protected”, the reader cannot open the PDF file without the password given.
Typically, the PDF viewer will prompt the user to enter the password on loading the PDF file. If the password entered is correct, the PDF loads. Otherwise, the PDF load fails.
PDF encryption nowadays often relies on the AES algorithm, with either 256-bit or 128-bit security.
While the PDF standard originally allows for both RC4 and AES encryption algorithms, Metanorma only supports AES, as RC4 has been shown to have a number of weaknesses (Wikipedia).
Metanorma also defaults to using 256-bit for superior security. But you may find legacy PDF readers only supporting 128-bit due to US export restrictions previously in place.
In order to generate a encrypted Metanorma PDF output, you will need to provide the following document attributes:
-
:pdf-encrypt: true
to specify encryption of PDF output -
:pdf-encryption-length: {128,256}
to specify encryption strength (128-bit or 256-bit AES keys) -
:pdf-user-password: {password}
to specify the "user password" needed to open the encrypted PDF document.
= My Confidential Document
:pdf-encrypt: true
:pdf-encryption-length: 256
:pdf-user-password: C4nt0p3nW1th0utTh1s
:pdf-owner-password: ...
...
PDF user access permissions
General
Introduced in PDF 1.5, "user access permissions" are actions normally allowed with unprotected PDFs, but these actions can be selectively restricted by the author with an “owner password”.
From ISO 32000-1:2008, 7.6.3.1 NOTE 2:
This enables limited access to a document when a user is not able to respond to a prompt for a password.
If the reader enters the designated “owner password”, all restrictions can be bypassed.
These user access permissions do not require encryption of the document.
Note
|
Functionality permitted by particular permissions described in ISO 32000-1:2008, Table 22. |
Note
|
User access permissions can be circumvented by non-conformant PDF readers! |
Disallow copying text or graphics
A PDF file that is marked for copy production means its content is not to be copied from the reader view. Commercial publishers typically apply this out of concerns for copyright and content protection (other than DRM).
This makes the PDF generated something of a “your eyes only” document, where you can read but not copy out content.
This permission can be disallowed using the following document attribute:
-
:pdf-allow-copy-content: false
specifies that copying of content is disallowed.
= Copy Pasta
:pdf-allow-copy-content: false
:pdf-owner-password: D0nt700k4tM3
...
Disallow editing of content
Editing of PDF content can be disallowed to ensure that the document content remains as when it was originally published.
Editing can be disallowed using the following document attribute:
-
:pdf-allow-assemble-document: false
specifies that editing of PDF content is disallowed.
= No Edit
:pdf-allow-edit-content: false
:pdf-owner-password: D0nt700k4tM3
...
Disallow inserting, deleting or rotating pages
A PDF file that is marked to disallow page modification means an unauthorized user cannot modify its content by inserting, deleting or rotating pages.
This permission can be disallowed using the following document attribute:
-
:pdf-allow-assemble-document: false
specifies that copying of content is disallowed.
= No Page Shuffle
:pdf-allow-assemble-document: false
:pdf-owner-password: D0nt700k4tM3
...
Disallow adding annotations or signatures
Annotations and signatures are content that can be added to a PDF file. A PDF file can be marked to prevent annotating and signatures.
This permission can be disallowed using the following document attribute:
-
:pdf-allow-edit-annotations: false
specifies that annotations and signatures cannot be added.
= Copy Pasta
:pdf-allow-edit-annotations: false
:pdf-owner-password: D0nt700k4tM3
...
Disallow printing
A PDF file marked “not for printing” means exactly that, the PDF content cannot be printed on a printer.
Compliant PDF readers will block not only printing directly to a physical printer, they would also block printing to files (e.g. features like “print to PDF” or “save as image”).
This permission can be disallowed using the following document attribute:
-
:pdf-allow-print: false
specifies that the PDF document cannot be printed.
= Print Me, Will You?
:pdf-allow-print: false
:pdf-owner-password: D0nt700k4tM3
...
Disallow high quality printing
For these PDFs, low quality prints are allowed, but not high resolution prints. The intent for this limitation is to prevent an accurate physical reproduction of documents that could potentially mislead someone that a print out (from this file) was authentic.
The resulting print out is supposed to look like the original PDF but blurred and of poor resolution.
This feature can be enabled using the following document attribute:
-
:pdf-allow-print-hq: false
specifies that the PDF document can only be printed in low resolution.
To disallow high quality printing, the "allow print" action must still be allowed.
= Visual Transparency
:pdf-allow-print-hq: false
:pdf-owner-password: D0nt700k4tM3
// :pdf-allow-print: defaults to true
...
Other measures
Other protection measures are also supported by Metanorma but they are not further described in this post.
-
:pdf-allow-fill-in-forms: false
specifies that the forms within the PDF document cannot be filled in; -
:pdf-allow-access-content: false
disables text and graphics extraction for accessibility purposes; -
:pdf-encrypt-metadata: true
specifies the encryption of the metadata stream.
= Visual Transparency
:pdf-allow-fill-in-forms: false
:pdf-allow-access-content: false
:pdf-encrypt-metadata: true
...
Non-standard PDF measures like DRM, which are popular with digital publishers are also not described here.
Preparing a fully "locked-down" document
The following example is a good profile to create a fully locked-down document (encrypted or not).
= Very Well Protected Document
:pdf-owner-password: 0wnerP4ss
:pdf-user-password: D0cR04d0n1y
:pdf-allow-print: false
:pdf-allow-copy-content: false
:pdf-allow-edit-content: false
:pdf-allow-edit-annotations: false
:pdf-allow-fill-in-forms: false
:pdf-allow-access-content: false
:pdf-allow-assemble-document: false
:pdf-allow-print-hq: false
:pdf-allow-fill-in-forms: false
:pdf-allow-access-content: false
:pdf-encrypt-metadata: true
Compatibility concerns and caveats
Potential caveats
The aforementioned features come with a caveat — not all PDF viewers today fully support these standard PDF features.
A sobering fact: out of the implemented PDF protection features, only whole-document encryption works across all the popular PDF viewers we have tested.
This is a limitation of the PDF standard and technology itself — the protection measures against content extraction and printing relies solely on the implementation of a PDF viewer. If a PDF viewer can view a document, a non-compliant viewer that did not implement protection would definitely be able to print it (screen rendering is by nature similar to printing).
Testing popular PDF viewers
In order to determine current compatibility of PDF protection measures against popular PDF viewers, we have run several tests against these applications.
PDF reader applications: standalone software applications that displays PDF files.
-
Adobe Reader. The authoritative implementation for PDF, since PDF was originally an Adobe proprietary format until they opened the specification to ISO. Available on Windows and macOS.
-
Preview. The default PDF viewer on macOS and iOS.
-
Foxit PDF Reader. A popular cross-platform reader.
-
Skim. A popular, open-source PDF viewer on macOS.
PDF reading browsers: web browser implementations that support reading of PDF files. Sounds strange but many modern browsers today support reading PDFs, especially since the advent of JavaScript PDF rendering engines.
-
Mozilla Firefox. The popular open-source, cross-platform browser known for its stability. Mozilla Thunderbird also uses the Firefox PDF component, so PDF behavior in Thunderbird should also offer the same results.
-
Safari. The macOS default web browser, which relies on Preview for PDF viewing.
Import readers: these are applications that can "import" PDFs but are not native PDF readers.
-
Microsoft Word. The Microsoft word processor.
Test results
Here are the results.
PDF viewer application | Note | Compatible? |
---|---|---|
Option: Whole PDF encryption with user-password (setting a user password) |
||
Adobe Reader |
Prompts for password |
✅ |
Foxit PDF Reader |
Prompts for password |
✅ |
Preview (macOS) |
Prompts for password |
✅ |
Skim (macOS) |
Prompts for password |
✅ |
Firefox (browser) |
Prompts for password |
✅ |
Safari (browser) |
Prompts for password |
✅ |
Microsoft Word |
Prompts for password |
✅ |
Option: Disable copying of content |
||
Adobe Reader |
Text cannot be copied; does not prompt password from user to unblock 'nocopy' feature |
✅ |
Foxit PDF Reader |
Text cannot be copied; does not prompt password from user to unblock 'nocopy' feature |
✅ |
Preview (macOS) |
Text cannot be copied |
✅ |
Skim (macOS) |
Text can be copied |
❌ |
Firefox (browser) |
Text can be copied |
❌ |
Safari (browser) |
Text cannot be copied |
✅ |
Microsoft Word |
Unable to open PDF ("We’re sorry, the author of this document has set permissions that don’t allow the content to be re-used in other application") |
✅ |
Option: Disallow printing |
||
Adobe Reader |
'Print' inactive, cannot be printed, does not prompt password from user |
✅ |
Foxit PDF Reader |
'Print' inactive, cannot be printed, does not prompt password from user |
✅ |
Preview (macOS) |
Prints properly |
❌ |
Skim (macOS) |
Prints properly |
❌ |
Firefox (browser) |
'Print' is active and can be printed, moreover user can choose 'Save to PDF' and resulted PDF will be re-saved without any security features (Firefox uses an internal PDF printer) |
❌ |
Safari (browser) |
Prints properly |
❌ |
Microsoft Word |
Opens PDF file and converts into Microsoft Word DOCX |
N/A |
Option: Disallow high-quality printing |
||
Adobe Reader |
Prints properly, resulting print out with reduced resolution |
✅ |
Foxit PDF Reader |
Prints properly, in high quality |
❌ |
Preview (macOS) |
Prints properly, in high quality |
❌ |
Skim (macOS) |
Prints properly, in high quality |
❌ |
Firefox (browser) |
Prints properly, in high quality |
❌ |
Safari (browser) |
Prints properly, in high quality |
❌ |
Microsoft Word |
Opens PDF file and converts into Microsoft Word DOCX |
N/A |
This means:
-
The only protection measure that works across the board is “PDF access permission: Require password to open document”.
-
Adobe Reader implements all PDF protection mechanisms properly, but the other popular viewers do not.
-
This means that other than “PDF access permission: Require password to open document”, all other PDF protection mechanisms can be circumvented easily by switching to another PDF viewer.
Summary
Metanorma now provides a full set of protection mechanisms for PDF outputs. These PDF protection measures support all Metanorma flavors and are generally available from Metanorma release 1.5.4 onwards.
TL;DR:
-
The only protection measure that works across the board is “PDF access permission: Require password to open document”.
-
Except for “PDF access permission: Require password to open document”, all other PDF protection mechanisms can be circumvented easily by switching to another PDF viewer.
-
When applying these PDF protection measures, please keep in mind:
-
whether your content risks are met by selected protection measures;
-
whether the protection measures impact accessibility.
-
Until next time!
References
-
ISO 32000-1:2008, the PDF 1.7 standard