PDF security – is it all it’s cracked up to be?
“Portable Document Format” or “PDF” was originally developed by the Adobe Corporation in 1991 to encapsulate all aspects of a document in a fixed format that was ready for print media, regardless of the system used to read the document. It has been generally accepted by the legal industry that PDF provides a layer of protection against document modification due to the perception of fixed format, and many consider that PDF documents cannot be modified.
This idea, unfortunately, is simply not true. This article provides some insights into the security issues with PDF and some helpful ways you can better protect your documents from unwanted modification.
The main issue
Many firms are under the misconception that PDF documents cannot be modified. They package the document (often a settlement agreement or other contractual agreement) into PDF, send it out and then await the other side to request any changes. There is an expectation of a cordial exchange and that discussion will occur about any changes. This assumption has worked well for the past ten or so years, where low experience with technology has been the norm for lawyers entering the field.
However, today’s lawyers are more savvy with technology and firms have made an effort to hire more technically experienced staff, with basic computer knowledge at the very least as a hiring requirement. Such basic knowledge, however, can come with some pitfalls based on erroneous assumptions, and lawyers can be caught unaware if they find their PDF documents returned to them with changes.
PDF security in 30 seconds or less
[Note: The information here is a very basic overview, as security is more complicated than space in this article allows. The recommendations below are not a detailed review of PDF security, nor do they provide a complete list of PDF security features and their possible implementations.]
Adobe PDF standards provide two main methods for enhancing security against document modification (separate to digitally signed authentication). Digitally signed authentication will not be dealt with in this article as its primary focus is to protect against third party access. While it can provide protection against modification, it requires a number of complicated steps as well as recognised Certificate Authority (CA) certificate signing, which has seen less adoption due to cost and greater technical expertise from both senders and receivers. For now, I will deal with some simple, inexpensive steps to assist with greater protection against modification.
The first of these is the built-in password level protection provided within PDF. This is known as “access level”, or “password security”. It provides two levels of protection and is built into Adobe X as well as third party programs such as Adobe PDF Creator (a free PDF creator application). This free authentication methodology is relatively easy to execute and requires little-to-no technical expertise. The password level of security allows for the protection against unauthorised opening of the document, as well as restrictions as to the change permissions allowed for editing, printing and access. The advantage of this level of security is that you can stipulate what you will allow, and you do not have to provide the other side with the password to simply read the document.
Let us take a simple walk through password implementation. First open a PDF document (any document will do, provided it is not already password protected). Next, click on “File -> Properties”. In Figure 1 below, you can set the changes you wish to allow for the reader.
If you do not want any changes made to your document, simply click “None” under “Changes Allowed” and enter your “Change Permissions Password”. Then click “OK”. You will then be asked to retype your password and then save the document. Protection is not executed until you save, so be sure to do so.
Remember to note your password for the document, otherwise you (or anyone to whom you provide the password) will be unable to make changes.
[Note: If you saved your PDF from Microsoft Word it must be noted that no security features are provided. This is the same for Adobe Reader. You must have Adobe Acrobat Writer or a third party PDF creator to add security to PDF files. The example above deals specifically with Adobe Writer and third party software may require different steps.]
Now that you know how to secure a document, let us look at some problems with this method. First, many third party PDF readers ignore these security settings, and programs like “PDF unlock”, “cutepdf” and others actively promote their ability to remove password security from PDFs. Their original intention was to assist Mac users when they had forgotten their password and needed to edit a PDF, but they have since been used by people to remove passwords in order to read, edit and modify documents. For these reasons, a PDF document in this form should not be considered secure and is only, at best, non-editable by a non-technical party.
A better suggestion
This leads on to the second (and my preferred) option for sending a document that you do not want edited. In my opinion, one of the best ways to secure a PDF is to save it as an image (see Figure 2). To do this, simply edit your Word document and select “Print to PDF” (this requires a PDF printer to be installed via Adobe PDF Writer or pdf Creator, for example).
This option creates greater security against editing, as when you print to PDF you create an image of the document rather than ISO text, which is the normal PDF document standard. This means that any changes will be clearly visible due to the requirement for changes to be added on top of the image in the form of a “sticky”, font text layer, or text overlay that shows clearly in the image. Furthermore, it requires a greater level of technical knowledge to execute the changes or extract and edit the image file and, despite it being an image, the image is saved within the PDF document, providing the same flexibility of PDF fixed layout, without the security issues of direct text manipulation.
[Note: If you want others to be able to fill out forms, then this option will not work as the image cannot be set to have form fields. I would accordingly recommend the password security method for forms.]
Although this method is better than the above option, it is not perfect. It must be stressed that a person who is familiar with PDF editing, Photoshop, or other image manipulation tools will still be able to edit these types of documents. However, the level of technical expertise and time required to do so, in my opinion, results in your documents being better secured against editing.
PDF security is limited and while this article provides some tips to better protect documents against editing, there is no guarantee against this when dealing with people with technical knowledge of Photoshop or other PDF editors. So, always be mindful of who your recipient is and the risk of PDF editing when choosing to send your documents by PDF.
If you have any other document security tips that you think would help firms, I would love to hear from you and I will provide updates in future articles as to the outcome of my testing of any other proposed solutions – you can contact me at firstname.lastname@example.org