How to send PDFs securely by email

Using encryption & DRM to send PDF files securely.

When sending PDF files securely by email you need to think about protection in transit and ensuring only the correct recipients can view them.  Then consider controlling what users can do with those PDFs once they have received them to provide overarching security.

You have created a PDF that contains confidential information or information that you only want specific people to be able to view (say someone has purchased a report or ebook).  So how can you send PDFs securely by email to ensure that only the intended recipients are privy to the information they contain?  Here we look at how encryption and DRM can be used to achieve this and protect PDF documents against unauthorized use.

PDF encryption

We all know that encryption can protect PDF files in transit and at rest (whether this is an Adobe owner password or a file encryption product such as PGP), but what matters is what happens when a user receives your PDF file.  There are two issues to consider here:

  1. If you want someone to be able to decrypt secure PDF documents so that they can view them, then they must have a decryption key.  This could be a password, or in the case of PKI, a private key, or a secret key.  If the decryption key is made visible (say a password, or even a private key if the user is not that worried about disclosing it) then the key could be given along with the document to others who could then use it.
  2. Once a PDF has been decrypted it is at its most vulnerable because now the user has your unprotected PDF.  They don’t have to worry about giving the decryption key to others since they already have the decrypted document to give away.

So, it is correct to say you can use encryption to send PDFs securely by email, but once recipients have received those PDFs there is nothing you can do to prevent them from giving them away to others or changing them.  This is where PDF DRM fits in.

PDF DRM

PDF DRM goes much further than pure encryption, enabling you to send PDFs securely by email and preventing unauthorized users from viewing or changing them (perhaps representing the new document as the old (fake news?).

There are basically three components of a DRM system:

  • Encryption
    This is used to protect PDFs so that anyone without the decryption key can’t view them.  Keys must be protected from disclosure.
  • Licensing
    Enabling you to provide a secure key exchange mechanism so that decryption keys are not disclosed to users or readily available to hackers.  It also enables you to record and store machine specific information so that users can be locked to specific devices when using protected documents, and not able to install their license on any device they feel like.
  • DRM controls
    These specify what a user can do with the document – e.g. whether printing is allowed, whether a document expires on a specific date or expires after so many days use, whether documents are watermarked for higher security etc.

Which DRM controls should I apply so I can send PDFs securely by email?

The DRM controls you select will depend on the sensitivity of the content of the PDF document you want to send securely.  You probably don’t want an ebook for example to expire because books are forever, but you might want a time sensitive report, or the school class notes for the semester to.  You might want to lock sensitive internal company information to a specific office location on the network so it cannot be opened on a laptop or tablet in an employees home, or prevent printing of highly confidential materials such as merger or acquisition disclosures but allow printing for an ebook or a purchased training course or an analyst’s report.

Here are just some of the DRM controls that a PDF DRM system should provide to enable you to send PDFs securely by email.

  • Stopping screen grabbing
    You may not be able to prevent users from using their mobile phones to take pictures (although they do not get any links or bookmarks), but you can persuade users from casually using print screen and third-party screen grabbers to easily take image copies of documents.
  • Applying dynamic watermarks
    If you must allow printing but want to identify the source of any images made of your copyright documents, then applying dynamic watermarks (including user name, email address, date/time, etc.) dynamically to documents at view/print time can be very successful.  Dynamic watermarks have an advantage over static watermarks because you do not have to protect the same document with different user details for hundreds of users.  Adding watermarks identifying the source of the copier, whether they are copying the viewed screen or print out can be a powerful deterrent persuading authorised users not to share their documents with other users.
  • Stopping printing
    Unless there are economic reasons for providing printed copies you should consider preventing users from printing documents to ensure that photocopies cannot be made.  This is a better control than watermarking because it avoids print outs completely.
  • Expiring documents after a number of views, prints, days, or on a fixed date
    There are many reasons to want documents to expire.  Book sellers and high value report analysts may allow their works to be used ‘forever’ but that is not the case for everyone.
  • Locking documents to IP address or country
    For copyright reasons a publisher may not wish their work to be available in specific regions, or a corporate body wishes to restrict use to its internal networks, just as a library may restrict use to computers on its internal network to satisfy Copyright Collecting Agencies.
  • Logging document use
    One of the most important questions can be has the document ben used?  Normally it is almost impossible to say if an electronic document has been used or not.  An unused version can be stored, then used and then replaced by the untouched original.  But the secure collecting of document opens linked to installed identifiers can be invaluable.  It may be that it approaches the Post Office proof of delivery signature for forensic acceptability.

PDF Expiry

Any PDF DRM system that you use to send PDFs securely by email must provide flexible expiry options so that the document owner is able to expire documents in a wide variety of ways:

  • after a number of views
  • after a number of prints
  • fixed days from first opening or use
  • on a fixed date that may be varied

Expiry is useful in controlling document access end periods without manual intervention.  For corporate users it can age documents off the system so as to comply with data storage rules.  It can also ensure that out of date content is no longer accessible or that content is not used beyond a specific timescale or is only available during a specific subscription or valid use period (service manuals for complex equipment).  PDF expiry can therefore help enforce your document retention periods and regulatory compliance.

Document expiry needs to be enforceable at both the document and user level.  So you can have a situation where a document that expires on the one hand for one selection of users on the same date, and have the same document expire at different times for selected users (administrators, auditors and so on).  Similarly, you may need to expire documents after a specific number of views and configure this on a per user per document basis.  This allows book and report publishers to offer a ‘try before you buy’ approach where prospective customers are able to use a secured document for a short period of time before deciding if they wish to purchase.  It may also be used for time limited offers.

In a corporate environment, you may wish to make sure that individuals can only see documents on a very limited basis, for instance, may be once or twice simply to verify the content.  You may also want to expire PDF files after a number of views in conjunction with an expiry date or expiry n days after first use.  The document will then no longer be available for use depending on the expiry option that is reached first (i.e. 10 views or after 5 days of use).

PDF Revocation

There will be times when you have sent a PDF securely by email but the wrong document has been distributed, or a valid document has been sent to the wrong person (not an unknown problem in law firms who accidentally fax documents to the opposing side instead of to their own experts).  This is where document revocation comes in handy since you can simply revoke access to the document for that user, and they can no longer use it.  If users have not been given access to a document they won’t be able to view it anyway but even if access has been granted you can revoke that access at any stage.  And if the wrong version of a document is distributed to multiple users then you can revoke document access so that no one can view it.

Tracking PDFs & logging use

If you send a PDF securely by email you might well want to know if a user has viewed and/or printed it (assuming printing is allowed).  It may be a matter of necessity to show the document was used regardless of if it was read or not.  This is very similar to the delivery of a document by registered mail.  It is assumed that if it has been satisfactorily delivered it should have been read.  DRM controls take this a step further by saying that it was opened/printed.  Other useful information on the log is the location it was viewed/printed from and when this occurred.

Conclusions

Encryption is essential for sending PDFs securely by email to protect documents from being accessed/used by unauthorised people.  But DRM controls are an absolute essential for preventing the misuse of secured documents once they have been distributed.  In the practical world a large number of overlapping controls come into play.  These are essential to deliver the real-world security that meets commercial necessity and legal compliance.  So if you want to send your PDF files securely by email make sure you invest in a PDF DRM system that is capable of providing persistent security – protecting your documents continuously once they have been distributed.