Metanorma: Aequitate Verum

Metanorma now offers PDF protection mechanisms!

Author’s picture Ronald Tse Author’s picture Alexander Dyuzhev on 04 Dec 2021

Introduction

Note
Features in this blog post are available from Metanorma v1.5.3.

There are times when a Metanorma PDF document needs to be protected, such as:

  • when sharing confidential information;

  • to prevent direct copy and pasting of content;

  • to prevent printing the document; or

  • to prevent high quality print reproduction of a document.

ISO 32000-1:2008 (free copy at Adobe) defines PDF 1.7 which specifies several PDF protection mechanisms.

As several SDOs that use Metanorma have requested such functionality, we are happy to announce that the following Metanorma PDF protection features are now generally available:

  • Require password to open document (PDF whole-document encryption);

  • Disallow copying text or graphics;

  • Disallow inserting, deleting or rotating pages;

  • Disallow adding annotations or signatures;

  • Disallow printing;

  • Disallow high quality printing.

Warning
Not all PDF protection features are implemented in PDF viewers! See below.

PDF owner and user passwords

Metanorma implements the PDF encryption mechanism specified in ISO 32000-1, 7.6, originally from PDF 1.1.

There are two passwords used in PDF protection mechanisms, namely:

  • the “owner password”, where when given, the conforming PDF reader application has unlimited access;

  • the “user password”, where when given, the conforming PDF reader application can access the contents of the PDF according to the “user access permissions” defined in the PDF file.

All PDF protection measures require the setting of these two passwords, and when unspecified, will be considered as empty (the default password).

The passwords are set by the following document attributes:

  • :pdf-owner-password: {password} specifies the PDF "owner password".

  • :pdf-user-password: {password} specifies the PDF "user password".

= Please Don't Change Things
:pdf-allow-copy-content: false
:pdf-user-password: JustR34d4t
:pdf-owner-password: D0ntCh4ng3Th1ngs
...

PDF access permission: Require password to open document

This is the most popular protection measure where the entire PDF is “protected”, the reader cannot open the PDF file without the password given.

Typically, the PDF viewer will prompt the user to enter the password on loading the PDF file. If the password entered is correct, the PDF loads. Otherwise, the PDF load fails.

PDF encryption nowadays often relies on the AES algorithm, with either 256-bit or 128-bit security.

While the PDF standard originally allows for both RC4 and AES encryption algorithms, Metanorma only supports AES, as RC4 has been shown to have a number of weaknesses (Wikipedia).

Metanorma also defaults to using 256-bit for superior security. But you may find legacy PDF readers only supporting 128-bit due to US export restrictions previously in place.

In order to generate a encrypted Metanorma PDF output, you will need to provide the following document attributes:

  • :pdf-encrypt: true to specify encryption of PDF output

  • :pdf-encryption-length: {128,256} to specify encryption strength (128-bit or 256-bit AES keys)

  • :pdf-user-password: {password} to specify the "user password" needed to open the encrypted PDF document.

= My Confidential Document
:pdf-encrypt: true
:pdf-encryption-length: 256
:pdf-user-password: C4nt0p3nW1th0utTh1s
:pdf-owner-password: ...
...

PDF user access permissions

General

Introduced in PDF 1.5, "user access permissions" are actions normally allowed with unprotected PDFs, but these actions can be selectively restricted by the author with an “owner password”.

From ISO 32000-1:2008, 7.6.3.1 NOTE 2:

This enables limited access to a document when a user is not able to respond to a prompt for a password.

If the reader enters the designated “owner password”, all restrictions can be bypassed.

These user access permissions do not require encryption of the document.

Note
Functionality permitted by particular permissions described in ISO 32000-1:2008, Table 22.
Note
User access permissions can be circumvented by non-conformant PDF readers!

Disallow copying text or graphics

A PDF file that is marked for copy production means its content is not to be copied from the reader view. Commercial publishers typically apply this out of concerns for copyright and content protection (other than DRM).

This makes the PDF generated something of a “your eyes only” document, where you can read but not copy out content.

This permission can be disallowed using the following document attribute:

  • :pdf-allow-copy-content: false specifies that copying of content is disallowed.

= Copy Pasta
:pdf-allow-copy-content: false
:pdf-owner-password: D0nt700k4tM3
...

Disallow editing of content

Editing of PDF content can be disallowed to ensure that the document content remains as when it was originally published.

Editing can be disallowed using the following document attribute:

  • :pdf-allow-assemble-document: false specifies that editing of PDF content is disallowed.

= No Edit
:pdf-allow-edit-content: false
:pdf-owner-password: D0nt700k4tM3
...

Disallow inserting, deleting or rotating pages

A PDF file that is marked to disallow page modification means an unauthorized user cannot modify its content by inserting, deleting or rotating pages.

This permission can be disallowed using the following document attribute:

  • :pdf-allow-assemble-document: false specifies that copying of content is disallowed.

= No Page Shuffle
:pdf-allow-assemble-document: false
:pdf-owner-password: D0nt700k4tM3
...

Disallow adding annotations or signatures

Annotations and signatures are content that can be added to a PDF file. A PDF file can be marked to prevent annotating and signatures.

This permission can be disallowed using the following document attribute:

  • :pdf-allow-edit-annotations: false specifies that annotations and signatures cannot be added.

= Copy Pasta
:pdf-allow-edit-annotations: false
:pdf-owner-password: D0nt700k4tM3
...

Disallow printing

A PDF file marked “not for printing” means exactly that, the PDF content cannot be printed on a printer.

Compliant PDF readers will block not only printing directly to a physical printer, they would also block printing to files (e.g. features like “print to PDF” or “save as image”).

This permission can be disallowed using the following document attribute:

  • :pdf-allow-print: false specifies that the PDF document cannot be printed.

= Print Me, Will You?
:pdf-allow-print: false
:pdf-owner-password: D0nt700k4tM3
...

Disallow high quality printing

For these PDFs, low quality prints are allowed, but not high resolution prints. The intent for this limitation is to prevent an accurate physical reproduction of documents that could potentially mislead someone that a print out (from this file) was authentic.

The resulting print out is supposed to look like the original PDF but blurred and of poor resolution.

This feature can be enabled using the following document attribute:

  • :pdf-allow-print-hq: false specifies that the PDF document can only be printed in low resolution.

To disallow high quality printing, the "allow print" action must still be allowed.

= Visual Transparency
:pdf-allow-print-hq: false
:pdf-owner-password: D0nt700k4tM3

// :pdf-allow-print: defaults to true
...

Other measures

Other protection measures are also supported by Metanorma but they are not further described in this post.

  • :pdf-allow-fill-in-forms: false specifies that the forms within the PDF document cannot be filled in;

  • :pdf-allow-access-content: false disables text and graphics extraction for accessibility purposes;

  • :pdf-encrypt-metadata: true specifies the encryption of the metadata stream.

= Visual Transparency
:pdf-allow-fill-in-forms: false
:pdf-allow-access-content: false
:pdf-encrypt-metadata: true
...

Non-standard PDF measures like DRM, which are popular with digital publishers are also not described here.

Preparing a fully "locked-down" document

The following example is a good profile to create a fully locked-down document (encrypted or not).

= Very Well Protected Document
:pdf-owner-password: 0wnerP4ss
:pdf-user-password: D0cR04d0n1y
:pdf-allow-print: false
:pdf-allow-copy-content: false
:pdf-allow-edit-content: false
:pdf-allow-edit-annotations: false
:pdf-allow-fill-in-forms: false
:pdf-allow-access-content: false
:pdf-allow-assemble-document: false
:pdf-allow-print-hq: false
:pdf-allow-fill-in-forms: false
:pdf-allow-access-content: false
:pdf-encrypt-metadata: true

Compatibility concerns and caveats

Potential caveats

The aforementioned features come with a caveat — not all PDF viewers today fully support these standard PDF features.

A sobering fact: out of the implemented PDF protection features, only whole-document encryption works across all the popular PDF viewers we have tested.

This is a limitation of the PDF standard and technology itself — the protection measures against content extraction and printing relies solely on the implementation of a PDF viewer. If a PDF viewer can view a document, a non-compliant viewer that did not implement protection would definitely be able to print it (screen rendering is by nature similar to printing).

In order to determine current compatibility of PDF protection measures against popular PDF viewers, we have run several tests against these applications.

PDF reader applications: standalone software applications that displays PDF files.

  • Adobe Reader. The authoritative implementation for PDF, since PDF was originally an Adobe proprietary format until they opened the specification to ISO. Available on Windows and macOS.

  • Preview. The default PDF viewer on macOS and iOS.

  • Foxit PDF Reader. A popular cross-platform reader.

  • Skim. A popular, open-source PDF viewer on macOS.

PDF reading browsers: web browser implementations that support reading of PDF files. Sounds strange but many modern browsers today support reading PDFs, especially since the advent of JavaScript PDF rendering engines.

  • Mozilla Firefox. The popular open-source, cross-platform browser known for its stability. Mozilla Thunderbird also uses the Firefox PDF component, so PDF behavior in Thunderbird should also offer the same results.

  • Safari. The macOS default web browser, which relies on Preview for PDF viewing.

Import readers: these are applications that can "import" PDFs but are not native PDF readers.

Test results

Here are the results.

Table 1. Compatibility of PDF protection measures across popular PDF readers
PDF viewer application Note Compatible?

Option: Whole PDF encryption with user-password (setting a user password)

Adobe Reader

Prompts for password

Foxit PDF Reader

Prompts for password

Preview (macOS)

Prompts for password

Skim (macOS)

Prompts for password

Firefox (browser)

Prompts for password

Safari (browser)

Prompts for password

Microsoft Word

Prompts for password

Option: Disable copying of content

Adobe Reader

Text cannot be copied; does not prompt password from user to unblock 'nocopy' feature

Foxit PDF Reader

Text cannot be copied; does not prompt password from user to unblock 'nocopy' feature

Preview (macOS)

Text cannot be copied

Skim (macOS)

Text can be copied

Firefox (browser)

Text can be copied

Safari (browser)

Text cannot be copied

Microsoft Word

Unable to open PDF ("We’re sorry, the author of this document has set permissions that don’t allow the content to be re-used in other application")

Option: Disallow printing

Adobe Reader

'Print' inactive, cannot be printed, does not prompt password from user

Foxit PDF Reader

'Print' inactive, cannot be printed, does not prompt password from user

Preview (macOS)

Prints properly

Skim (macOS)

Prints properly

Firefox (browser)

'Print' is active and can be printed, moreover user can choose 'Save to PDF' and resulted PDF will be re-saved without any security features (Firefox uses an internal PDF printer)

Safari (browser)

Prints properly

Microsoft Word

Opens PDF file and converts into Microsoft Word DOCX

N/A

Option: Disallow high-quality printing

Adobe Reader

Prints properly, resulting print out with reduced resolution

Foxit PDF Reader

Prints properly, in high quality

Preview (macOS)

Prints properly, in high quality

Skim (macOS)

Prints properly, in high quality

Firefox (browser)

Prints properly, in high quality

Safari (browser)

Prints properly, in high quality

Microsoft Word

Opens PDF file and converts into Microsoft Word DOCX

N/A

This means:

Summary

Metanorma now provides a full set of protection mechanisms for PDF outputs. These PDF protection measures support all Metanorma flavors and are generally available from Metanorma release 1.5.4 onwards.

TL;DR:

Until next time!

References