Revoke document access with DRM security

Document Revocation & Expiry.

Document revocation is an important step in the information architecture coming somewhere between security and disposal.  You can either revoke documents automatically using document expiry controls, or manually by suspending users, documents, or individual user access to specific document(s).

Why do you need to revoke documents?

Not everything lasts forever.  A practice guide can have an end date after which it must not be used.  The same is true of a pharmacopeia: only the latest one is valid and older ones must be withdrawn.  The use of a training course may be limited to weeks or months because it is being constantly updated.  Governmental information may be embargoed for a period of time before becoming compulsorily available (in the UK, the 30 year rule).  Repair manuals may have lives limited to the supported life of a product (not necessarily its physical life).  Where documents are provided on subscription, they have to be subscribed for every quarter or year or access to them must cease.

So there are lots of reasons why documents could need to be revoked.  And a few more reasons why their status may have to be changeable, depending on changes in circumstances during their lifetime.

Normal access control mechanisms are not set up to try and manage this kind of complexity.  And simple encryption systems do not protect documents from being changed by authorized recipients.

The only way to have effective document revocation is to use Digital Rights Management (DRM) systems with the additional control features that they typically provide.  For document expiry these should include:

  • never revoke
  • on a given date
  • a given number of days after first use
  • after being viewed a number of times
  • after being printed a number of times

Some authorities would consider that revocation by automatic deletion should be included in this list.  I do not agree with that approach for several reasons:

  • it is highly risky if some other file ‘disappears’ at the same time
  • what date is going to be relied upon for deletion?
  • files can easily be copied and restored to another device so it serves little purpose

So we will consider the other options.

Never revoke document access

Never revoke is a critical option, making sure that authorized access continues and that the document never expires.  It is used when the document has been transferred irrevocably and cannot be recalled – like a book that effectively becomes the ‘property’ of the purchaser.

Revoke document access on a given date

This is the most frequent choice for document revocation.  There are several reasons for this.

Some documents have to be retained for statutory purposes.  Company accounts documents are like that.  And there are often reasons for making sure that once they are no longer needed they cannot be used.  Although document destruction may seem attractive, it can be quite difficult to ensure that all copies have been processed, and having a revocation date is an elegant answer to an otherwise difficult problem.

Some documents have fixed replacement dates that need to be enforced.  These would include such things as franchise documentation that must only be usable during the fixed term of a franchise and end when the contract ends.  If the franchise is extended the documentation can be given a new end date or new or updated information can be provided.

It is important that an end date can be changed by administrators, allowing particular users continuing access to documents that would otherwise be inaccessible.  This can be needed because the document is not being archived when it was originally expected, or because it is necessary to recover an older document for technical or legal reasons.

Revoke document access after a number of days from first use

Automatically revoking documents a number of days after they have been first used is a valuable tool when selling documents that provide a service rather than being just a plain book.  This is because not everyone is going to purchase on the same day, but everyone must have, say, 30 days' access.  This could also apply to, say, training courses that you use and can later refer to for a period of time after the course has ended.

Revoke document access after a number of views

Documents may need to be revoked after they have been viewed a number of times.  The commonest requirement here is allowing documents to be evaluated prior to making a final delivery.  This may be a ‘try before you buy’ approach or it may be a consultancy report that is being provided for review/comment but is definitely not for collaboration.

Revoke document access after a number of prints

Finally there may be a need to allow for a specific number of printed copies to be made after which use is to stop.  This type of revocation facility is needed when a picture or a schematic is to be printed, perhaps at very high quality – a print of an artwork comes to mind.  There is a need to be able to see the document before it is printed to make sure it is the right one (if nothing else).  But once it is printed there is a requirement that it is no longer available for any reason.  Again, it may be a requirement that you can change the number of prints available in order to vary the end date and you should check that your DRM software is able to provide this control.
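The expiry controls described in the sections above can be modelled as one policy check, shown here as an added example (not code from any DRM product).  The names `ExpiryPolicy`, `UsageState` and `request` are hypothetical, and `now` is assumed to come from a time source the user cannot change.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

@dataclass
class ExpiryPolicy:
    """Hypothetical model of the expiry controls; every field None = never revoke."""
    end_date: Optional[datetime] = None          # revoke on a given date
    days_after_first_use: Optional[int] = None   # revoke N days after first use
    max_views: Optional[int] = None              # revoke after N views
    max_prints: Optional[int] = None             # revoke after N prints

@dataclass
class UsageState:
    """Per-user, per-document usage record (hypothetical storage)."""
    first_use: Optional[datetime] = None
    views: int = 0
    prints: int = 0

def request(policy: ExpiryPolicy, state: UsageState, now: datetime,
            action: str = "view") -> Tuple[bool, str]:
    """Decide a 'view' or 'print' request at time `now`; count it if allowed."""
    if policy.end_date is not None and now >= policy.end_date:
        return False, "expired: end date reached"
    if policy.days_after_first_use is not None and state.first_use is not None:
        if now >= state.first_use + timedelta(days=policy.days_after_first_use):
            return False, "expired: days after first use"
    if policy.max_views is not None and state.views >= policy.max_views:
        return False, "expired: view limit reached"
    # Once the print allowance is used up, the document stops for viewing too.
    if policy.max_prints is not None and state.prints >= policy.max_prints:
        return False, "expired: print limit reached"
    if state.first_use is None:
        state.first_use = now  # the first-use clock starts at the first open
    if action == "print":
        state.prints += 1
    else:
        state.views += 1
    return True, "ok"

if __name__ == "__main__":
    # Constructed scenario: one print allowed, then an administrator adds a second.
    policy, state, t = ExpiryPolicy(max_prints=1), UsageState(), datetime(2024, 1, 1)
    for action in ("view", "print", "view"):
        print(action, request(policy, state, t, action))
    policy.max_prints = 2
    print("print", request(policy, state, t, "print"))
```

Because the limits live in the policy rather than in the document, an administrator can raise `max_prints` or move `end_date` and access resumes without reissuing the file.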

Manually revoking document access

As well as letting documents expire, you can manually suspend (revoke) access.  This might be because someone has left the company or you have distributed the wrong document to one or several people.

There are different ways you can manually revoke document access:

  • Suspend or delete a user – revokes access to all documents
  • Suspend or delete a document – revokes document access for all users
  • Revoke a user’s access to a specific document
  • Revoke a user’s access to a specific publication (group of documents)

You should be aware however that in order to manually revoke access, documents must connect to a licensing / admin server (the server where you have suspended the user or document) each time to verify access.  Otherwise the document will have no way of knowing that the user is no longer allowed to access it.  This is a control you should be able to select when protecting documents.

Document revocation and chargebacks

There may be times when you do not want to set a document to expire (say, for an ebook or a report for which the user has paid for ‘lifetime’ access) or force users to connect to a licensing server in order to use it.  However, you might want to revoke access if, say, a payment has been made void (i.e. a chargeback has occurred).  If you had protected the ebook so that it could always be viewed offline (i.e. no contact with a DRM licensing system) then you would not be able to revoke access.

A flexible solution to this problem is to set a control when protecting documents that forces a connection to the licensing server once after a set number of days (e.g. 30, 45, 60) and then never again.  That way you can always revoke access if need be during a certain timeframe without inconveniencing the user’s future use.
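The three server-check settings discussed above (check on every open, never check, check once after a set number of days) decide whether a manual revocation can ever reach the document.  The following is an added example, not code from any DRM product; the mode names, `CheckPolicy`, `ClientState` and `open_document` are hypothetical, and it assumes a required check that cannot reach the server denies access.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ALWAYS, NEVER, ONCE_AFTER_DAYS = "always", "never", "once_after_days"

@dataclass
class CheckPolicy:
    mode: str                  # set when the document is protected
    check_after_days: int = 0  # used only by ONCE_AFTER_DAYS (e.g. 30, 45, 60)

@dataclass
class ClientState:
    days_since_first_use: int = 0
    final_check_done: bool = False

def open_document(policy: CheckPolicy, client: ClientState,
                  server_revoked: Optional[bool]) -> Tuple[bool, str]:
    """server_revoked: the server's answer, or None when it cannot be reached."""
    if policy.mode == NEVER:
        # Offline document: a suspension on the server is never seen.
        return True, "offline: no server check"
    if policy.mode == ONCE_AFTER_DAYS:
        if client.final_check_done:
            return True, "verified earlier: no further checks"
        if client.days_since_first_use < policy.check_after_days:
            return True, "check not yet due"
    # A server check is required for this open (assumption: fail closed).
    if server_revoked is None:
        return False, "server check required but unreachable"
    if server_revoked:
        return False, "revoked on server"
    if policy.mode == ONCE_AFTER_DAYS:
        client.final_check_done = True  # never contact the server again
    return True, "verified with server"
```

With `ONCE_AFTER_DAYS`, a chargeback recorded before the single check blocks the document at that check; a suspension made after the check has passed is never seen, which is the trade-off the setting accepts.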

Conclusions

So there is a lot more to document revocation than meets the eye.  And certainly a lot more than the rather dismissive view that it can be left to the architecture to sort out.  No doubt that was the view that pertained before WikiLeaks got to be quite so effective at republishing information that obviously the original owners did not want to see on the streets.

There is a narrow borderline between the need, on the one hand, to make information available to those who need to know it, and on the other hand stopping the use of that information by people who are not authorised, or who were authorised and for whatever reason are no longer.

To achieve this requires the use of a complex series of DRM controls that allow you to selectively revoke access to documents in different ways, whilst retaining the ability, as the document owner, to change your mind and go back and make documents available again.

The Locklizard document DRM system enables you to set expiry controls when protecting documents (you can change fixed dates, number of days and prints available at a later date on the administration system) and those documents will expire regardless of whether the user connects to the Internet or not.  If you want to manually revoke access to a document then the Safeguard Viewer must connect to the Locklizard administration server to enforce this control so an Internet connection is required.