Using encryption & DRM to email PDF files securely.
When sending PDF files securely by email you need to think about protection in transit and ensuring only the correct recipients can view them. Then consider controlling what users can do with those PDFs once they have received them to provide overarching security.
You have created a PDF that contains confidential information or information that you only want specific people to be able to view (say someone has purchased a report or ebook). So how can you send PDFs securely by email to ensure that only the intended recipients are privy to the information they contain? Here we look at how encryption and DRM can be used to achieve this and protect PDF documents against unauthorized use.
We all know that encryption can protect PDF files in transit and at rest (whether this is an Adobe owner password or a file encryption product such as PGP), but what matters is what happens when a user receives your PDF file. There are two issues to consider here:
- If you want someone to be able to decrypt secure PDF documents so that they can view them, then they must have a decryption key. This could be a password, or in the case of PKI, a private key, or a secret key. If the decryption key is made visible (say a password, or even a private key if the user is not that worried about disclosing it) then the key could be given along with the document to others who could then use it.
- Once a PDF has been decrypted it is at its most vulnerable because now the user has your unprotected PDF. They don’t have to worry about giving the decryption key to others since they already have the decrypted document to give away.
So, it is correct to say you can use encryption to send PDFs securely by email, but once recipients have received those PDFs there is nothing you can do to prevent them from giving them away to others or changing them. Though you can unsend an email in Outlook or Gmail, these features are rarely of use due to major limitations. This is where PDF DRM fits in.
PDF DRM goes much further than pure encryption, enabling you to send PDFs securely by email and preventing unauthorized users from viewing or changing them (perhaps representing the new document as the old (fake news?).
There are basically three components of a DRM system:
This is used to protect PDFs so that anyone without the decryption key can’t view them. Keys must be protected from disclosure.
Enabling you to provide a secure key exchange mechanism so that decryption keys are not disclosed to users or readily available to hackers. It also enables you to record and store machine specific information so that users can be locked to specific devices when using protected documents, and not able to install their license on any device they feel like.
These specify what a user can do with the document – e.g. whether printing is allowed, whether a document expires on a specific date or expires after so many days use, whether documents are watermarked for higher security etc.
Which DRM controls should I apply so I can send PDFs securely by email?
The DRM controls you select will depend on the sensitivity of the content of the PDF document you want to send securely. You probably don’t want an ebook for example to expire because books are forever, but you might want a time sensitive report, or the school class notes for the semester to. You might want to lock sensitive internal company information to a specific office location on the network so it cannot be opened on a laptop or tablet in an employees home, or prevent printing of highly confidential materials such as merger or acquisition disclosures but allow printing for an ebook or a purchased training course or an analyst’s report. After all, you never know who might be watching, and what threat to your online privacy is out there.
Here are just some of the DRM controls that a PDF DRM system should provide to enable you to send PDFs securely by email.
- Stopping screen grabbing
You may not be able to prevent users from using their mobile phones to take pictures (although they do not get any links or bookmarks), but you can persuade users from casually using print screen and third-party screen grabbers to easily take image copies of documents.
- Applying dynamic watermarks
If you must allow printing but want to identify the source of any images made of your copyright documents, then applying watermarks (including user name, email address, date/time, etc.) dynamically to documents at view/print time can be very successful. Dynamic watermarks have an advantage over static do not distribute watermarks because you do not have to protect the same document with different user details for hundreds of users. Adding watermarks identifying the source of the copier, whether they are copying the viewed screen or print out can be a powerful deterrent in persuading authorised users not to share their files or documents with other users.
- Stopping printing
Unless there are economic reasons for providing printed copies you should consider preventing users from printing documents to ensure that photocopies cannot be made. This is a better control than watermarking because it avoids print outs completely.
- Expiring documents after a number of views, prints, days, or on a fixed date
There are many reasons to want documents to expire. Book sellers and high value report analysts may allow their works to be used ‘forever’ but that is not the case for everyone.
- Locking documents to IP address or country
For copyright reasons a publisher may not wish their work to be available in specific regions, or a corporate body wishes to restrict use to its internal networks, just as a library may restrict use to computers on its internal network to satisfy Copyright Collecting Agencies.
- Logging document use
One of the most important questions can be has the document ben used? Normally it is almost impossible to say if an electronic document has been used or not. An unused version can be stored, then used and then replaced by the untouched original. But the secure collecting of document opens linked to installed identifiers can be invaluable. It may be that it approaches the Post Office proof of delivery signature for forensic acceptability.
- Changing security settings after sending
There may be times after you have sent an email when you need to change PDF security settings. These may be to allow printing, change an expiry date, or allow or block use from a location. The DRM solution you choose should enable you to change PDF security settings after sending as this gives you more flexible control over how your documents are used.
Any PDF DRM system that you use to send PDFs securely by email must provide flexible expiry options so that the document owner is able to expire documents in a wide variety of ways:
- after a number of views
- after a number of prints
- fixed days from first opening or use
- on a fixed date that may be varied
Expiry is useful in controlling document access end periods without manual intervention. For corporate users it can age documents off the system so as to comply with data storage rules. It can also ensure that out of date content is no longer accessible or that content is not used beyond a specific timescale or is only available during a specific subscription or valid use period (service manuals for complex equipment). PDF expiry can therefore help enforce your document retention periods and regulatory compliance.
Document expiry needs to be enforceable at both the document and user level. So you can have a situation where a document that expires on the one hand for one selection of users on the same date, and have the same document expire at different times for selected users (administrators, auditors and so on). Similarly, you may need to expire documents after a specific number of views and configure this on a per user per document basis. This allows book and report publishers to offer a ‘try before you buy’ approach where prospective customers are able to use a secured document for a short period of time before deciding if they wish to purchase. It may also be used for time limited offers.
In a corporate environment, you may wish to make sure that individuals can only see documents on a very limited basis, for instance, may be once or twice simply to verify the content. You may also want to expire PDF files after a number of views in conjunction with an expiry date or expiry n days after first use. The document will then no longer be available for use depending on the expiry option that is reached first (i.e. 10 views or after 5 days of use).
Some email services have expiry built-in expiry, such as Gmail’s Confidential mode, which removes the copy, download, and print options from the UI. However, these are browser-based controls and therefore cannot be effective. The browser is unable to prevent printing, screenshotting, or copying via other means due to its limited control over a user’s PC and does not protect attachments. It’s therefore a bad idea to rely on Confidential mode for security. For more information, see Gmail “Confidential” Mode vs Document DRM.
There will be times when you have sent a PDF securely by email but the wrong document has been distributed, or a valid document has been sent to the wrong person (not an unknown problem in law firms who accidentally fax documents to the opposing side instead of to their own experts). This is where document revocation comes in handy since you can simply revoke access to the document for that user, and they can no longer use it. If users have not been given access to a document they won’t be able to view it anyway but even if access has been granted you can revoke that access at any stage. And if the wrong version of a document is distributed to multiple users then you can revoke document access so that no one can view it.
Tracking PDFs & logging use
If you send a PDF securely by email you might well want to know if a user has viewed and/or printed it (assuming printing is allowed). It may be a matter of necessity to show the document was used regardless of if it was read or not. This is very similar to the delivery of a document by registered mail. It is assumed that if it has been satisfactorily delivered it should have been read. DRM controls take this a step further by saying that it was opened/printed. Other useful information on the log is the location it was viewed/printed from and when this occurred.
Conclusions – How to send PDF files securely by email
Encryption is essential for sending PDFs securely by email to protect documents from being accessed/used by unauthorised people. But DRM controls are an absolute essential for preventing the misuse of secured documents once they have been distributed. In the practical world a large number of overlapping controls come into play. These are essential to deliver the real-world security that meets commercial necessity and legal compliance.
So if you want to send your PDF files securely by email make sure you invest in a PDF DRM system that is capable of providing persistent security – protecting your documents continuously once they have been distributed.
Is Gmail encryption secure?
The communications channel of Gmail is always encrypted with TLS to protect emails in transit. The email is then decrypted when it reaches the mail server. As for end-to-end encryption, the short answer is: sometimes, provided the sender has a Google Workspace account and both recipients have S/MIME enabled. For the long answer, see the Is Gmail encrypted? section of our blog on Gmail encryption.
Does Gmail confidential mode prevent sharing?
Not at all. Sharing a confidential mode email is as easy as downloading the webpage and sending it to somebody. Users can also utilize their browser’s developer mode to enable copy and pasting or printing for email bodies. This lack of security extends to attachments, which can be downloaded, printed, shared, and modified either through the browser’s developer mode or by simply pressing the annotation button on a mobile device. See our blog on Gmail confidential mode for more details.
Can you send a secure PDF attachment via email?
Yes, you just need to protect it with another solution. A PDF DRM solution will offer the best security, as S/MIME or file encryption is not enough to stop editing, sharing, and copying after the recipient opens the file.
Is Google Drive a secure way to share files?
Not if the files aren’t DRM protected, as it’s easy to bypass document controls or share account details with others. Users also have a habit of sharing files as a link, which makes sharing files with unauthorized users even simpler. For more details, see Is Google Drive secure?.
Can you recall or unsend an email using Outlook or Gmail?
You can recall or unsend an email in both Outlook and Gmail, but with major limitations:
- Gmail’s “unsend” feature should really be called “cancel”, as all it does is give you a maximum of 30 seconds (5 seconds by default) to change your mind.
- Gmail confidential mode does let you unsend emails, but, as covered, it’s trivial to make a copy of a confidential mode email, and these copies will not be recalled.
- Outlook’s recall only works if you’re using a MAPI or POP account, the email has not been read, the recipient is using Outlook, and the recipient has a Microsoft 365/ Outlook/ Exchange account in the same organization as you.
In other words, these features are almost useless in practice.
Is it safe to send social security information in a PDF in an email?
No. We do not recommend sending your social security number through email unless it is encrypted and you trust the third party. There are too many ways for somebody to purposefully or accidentally leak it to others. Even Locklizard cannot stop somebody from manually copying your social security number from the screen to a piece of paper.
Is it safe to secure my PDF via WordPress and send it as a link?
WordPress secure file sharing is not possible unless you encrypt the file with a DRM solution before you upload it. WordPress’s built-in file security and its plugin security are unable to prevent unauthorized sharing or downloads.