Document, email & PDF DRM honor systems.
Document, PDF and email DRM relying on the honor system is like putting up a sign asking a burglar nicely not to steal your property. In practise you need proper security (e.g. a decent lock) and some way of enforcing effective controls.
A few days ago Boingboing published a blog explaining that Google has been introducing Digital Rights Management (DRM) features into Gmail messaging and Google Docs – Google’s new ‘confidential mode’ for Gmail and Google Docs, which purports to allow you to send people documents without letting them print, copy or forward them.
They then proceeded to suggest ways of circumventing the DRM controls being introduced. At the time of writing the article could be found at Google DRM for email can be circumvented and another source at Archiving self-destructing Gmail messages with Firefox. These studies are, of course purely academic research into the adequacy of security controls.
It seems that underpinning the scheme are two factors:
- For emails, the original text is held on a Google server (Google Docs) and only linked through to the email
So the essence of the DRM protection is relying upon the browser to honor the commands that Google are relying on and hoping that our old adversary the Law of Unintended Consequences does not unleash too many disasters along the way. Indeed, it is not even a simple matter to send an encrypted email in Gmail – with end-to-end encryption requiring both parties’ organizations to have subscribed to have set up S/MIME.
Enforcing DRM controls
The first problem is that not all browsers implement controls in the same way. Firefox, for instance, has its own screenshots system that allows it to make copies of pages. More importantly, you can disable style sheets using its web console without having to leave the browser. You remove the style sheets that are preventing you from seeing what is really going on, allowing you to find the download link and download the text as HTML, where it can be saved.
As Grokprivacy point out, another aspect of the Google DRM implementation is that it allows the sender to recall the message by causing it to self-destruct at the recipient’s mailbox by ceasing access. This can be a problem if the email or document is awarding a contract or agreeing business terms, and the recipient is not aware that it is a DRM protected document.
But the fundamental issue is the manner of implementation of the “built-in Information Rights Management (IRM)” that is being used to “reduce, the risk of confidential information being accidentally shared with the wrong people.”
Instead of being designed and built with DRM or IRM enforcement in mind, the approach seems more to fit in with available tools and implementations in the expectation that the infrastructure and browser controls will honor the requirements being requested and cannot be subverted by the users.
Grokprivacy are rather sanguine about the ways around these controls using simple steps such as Save Page As, or removing the Style Sheet that prevents printing and then saving a ‘printed’ copy.
The honor system in DRM
The reason why it is so trivial to remove Adobe PDF permissions passwords (the restrictions that stop people from copying, modifying, printing a PDF) is because Adobe relies on the honor system for PDF password security (i.e. please obey the restrictions placed on this document). Ironically you can print a password protected PDF or permanently remove print restrictions with Google Drive – Print secured PDF files & remove restrictions passwords. So it is not like Google did not know that the honor system (or bad implementation if you prefer some different words) was a bad idea.
And there is the problem with the honor system – relying on components that you are going to plug in to (just the same as the plug-ins provided by suppliers such as FileOpen Systems that work with Adobe Acrobat). For instance, “When Acrobat DC is installed using Adobe Creative Cloud Desktop application, it removes Adobe XI along with all plug-ins” (source Acrobat Trial removed previous version plugins). This followed changing from 32 bit plug-ins to 64 bit on Mac computers. This article goes into further depth on the issues of PDF plugins and PDF plug in vulnerabilities.
I say honor system because when you use a system that relies on independent third-party software delivering an interface that is fixed and reliable in order that your system will also work, you are relying on other people to behave according to the (often unwritten) rules. These exist with IT manufacturers through published interfaces (APIs), but there is little if any testing of plug-ins to see if they obey the interface specification correctly or that they don’t mishandle data field lengths and corrupt data used elsewhere in the application. Often plug-ins are used as a means of gaining access to the code of the application they are plugged into so that they can manipulate other controls – a technique that doesn’t work very well if the application code is changed but the interface definition is not. After all, the application developer has no reason to think there is a problem – they haven’t changed the interface definition at all, so they aren’t the cause of the problem. And if data was being overwritten before, but in a way that caused no harm, but now has gone critical – it is still not their problem.
Do honor systems work in practice?
To answer philosophical questions we turn to the academe, who research complicated questions. Reading Harvard college adopts honor code, Harvard, along with other institutions, studied very carefully how to strengthen a “Culture of Academic Integrity ….excelling in scholarship as inseparable from excellence in character.” These are the aspirations of those of high principles committed to reversing “the largest recent case of suspected misconduct on an examination.”
What I take this to mean is that although you can have rules and regulations, they do not go far enough. There needs to be something extra to make the honor system work effectively. One of the interviewees at Harvard commenting on the approach noted, “Honor codes are a good idea,” says Allison Giebisch ’16, “but there has to be a combination of an honor code and enforceable rules—honor codes help to internalize these values, and rules provide external force.”
What secure alternatives are there for a document DRM system?
We only protect PDF files because the PDF document definition is a stable working environment even if the number of applications producing files in the PDF format has increased steadily since it was launched as an ISO standard format as ISO 32000-1 2008. Changing rarely allows for stability and reliability.
Using a specialised application to view protected PDF documents means not being exposed to attacks (intentional or not) against the integrity of your own system, and the ability to provide a strong shell to prevent hacking and mishandling of data fields and so on. It also means that you can develop systems that lack features that could be used to obtain unprotected copies. This is difficult to do if there is no Save function and the Print function is directly controlled by the Viewer and not easy to switch on or off.
So not having to rely on the honor system has some very powerful benefits when you are looking to apply security to digital documents. It also means that you are using applications that were specifically designed to secure PDF documents rather than applications that are trying to patch security into a system that was not designed for it in the first place. This does not necessarily mean that you have to give up your Google Workplace subscription, either. As covered in How to add PDF to Google Docs, it’s possible to embed a protected PDF into an existing Google Doc. You can also of course send your protected PDF via Gmail or Google Drive.