Revoking Document Access, document expiry and remote file deletion

There will be many occasions when you need to revoke documents you have published:

• the information contained in the documents is no longer valid because it is out of date or wrong
• you feel your documents are being misused
• the wrong document was distributed to people in the first place

This guide examines some of the options in Safeguard PDF Security you can use to revoke document access, and explains why some approaches to revoking document access are not really helpful.

The PDF DRM and licensing controls in Safeguard PDF Security give you a number of ways of stopping documents from being used once they have been issued.

You can set documents to expire in specific circumstances.  This is done when a document is protected and is bound to the document at that time (although can be changed at a later date from the administration system):

• On a set date
• After a number of days from first use
• After a number of views
• After a number of prints

For company documents it is normal to have set an expiry end date, which is when they would normally be superseded.  The other expiry methods are more likely used to control documents used in training courses, and documents for evaluation.

It is possible to set a document expiry end date of ‘never’ so the document never expires, but if you do the end date cannot be changed.  You can however change document expiry settings at a later stage on the administration system if you set a fixed date or a number of days/views/prints.  This enables you to either extend or reduce document use, or instantly revoke access.

Apart from on a set date, the other methods require an online license check before the user can open the document.  As soon as the number is met access stops, although it is possible to change the number in the administration system for individual users after the document has been assigned and that will take effect next time the user opens the document.  You can therefore publish a document with a say a fixed expiry date for all users, but extend the access period for specific users if you so wish.

Document expiry happens automatically when the expiry criteria is met.  This is therefore an easy and automatic way of revoking document access without any administration intervention.

If you want to revoke document access straight away to all users then you can suspend or delete a document.  Access will be revoked when the user next tries to open the document if the document is set to check against the licensing server (online use).  If you have allowed the document to be used permanently offline (without ever checking with the server) then you cannot revoke access by suspending or deleting a document because there is nothing in place to enforce the document to connect to the licensing server to pick up the new controls.

With Safeguard Web Viewer you can always revoke document access straight away as documents are always viewed online.

If you use publications to manage your protected documents, then you can remove publication access from specific users or change the publication access period so that revocation or expiry takes place for a group of documents.  The same online/offline rules apply as to individual document revocation and expiry.

This approach stops a user from accessing any documents, but it only happens if there is a mandatory license check on the document being opened.  If you have set the license check to ‘never’ then revocation cannot be implemented.  One advantage of this approach is that you can reinstate the user rather than having to delete them and then add them again.

At the user account level you can revoke access to all license check documents by:

• Suspending the user account
• Setting the user account to expire after a certain date

You can change the fixed expiry date also, but again there must be a license check before the change is implemented.  If you do that, then you can keep altering the end date to suit changing requirements, and apply different end dates to the same file for different users.  But you must remember that it will be up to you to reconcile end dates manually since there is no provision in the administration system for showing different end dates by user.

Another approach used by some document DRM systems to preventing continuing access to documents is the ability to delete the document on the user’s computer.  Sometimes this includes the concept of being able to ‘delete’ a file ‘beyond recovery.’  Commonly this is claimed to be achieved by multiple overwrites of the file in its location.

Safeguard PDF Security does not support this feature as it is more of a marketing ploy than a security feature.

Now don’t take our word if this technique works or not – go and reference the work of Peter Gutmann, the noted computer scientist in New Zealand.  He points out that that, “the 35 pass overwrite technique …. a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques.”

Now that is talking about a system for trying to prevent any possible kind of recovery of a file stored on a hard drive.  Never mind about hosting files on remote servers or using RAID architectures or having system backups.

Everything sounds fine if everyone is playing by the rules.  But dishonest people have already established that they are not playing by your rules, and their rules are different.  It is trivial to set a file to ‘read only’ so an ordinary application cannot write to it no matter what it wants.  Now of course there are ways of getting round that, but they need code that gets around the operating system of the computer, and that is most definitely a ‘bad’ idea.  That is what hackers and viruses set out to do, and if anything goes wrong you generally don’t have any files to come home to.

Be aware that the UK agency CESG notes that if you want to be sure files cannot be recovered you need to physically destroy the disk drive.  Like burning it.  (Now I’m not saying everyone wants to go to that level of certainty, but you get the idea of what the agencies mean by data destruction.)

But to bypass the control, all the user has to do is make a copy of the file before using it, so they lose nothing except time if one gets deleted.  So you see that the idea of sudden deletion is interesting, but is less effective than expiring or revoking a file so that it can no longer be used.

Document expiry options in Safeguard Writer

You can set PDF documents to expire automatically when protecting them using Safeguard Writer.  You can change the document expiry settings for all or individual users at a later stage using the Safeguard administration system.

1.  Go to the Expiry & Validity Tab and from the ‘Document Expires’ section select either an expiry date or a number of days from first use.  If you select an expiry date then the document will expire on that date.  If you select a number of days from first use (say 30), then the document will expire 30 days from when it is first opened.  The document will expire at different dates for different users depending on when they first opened the document.

2.  If you want to expire documents after a number of prints or views then this can be achieved from the ‘Printing & Viewing’ tab.

To expire documents after a number of prints, select the number of copies you want to allow and check the ‘No access after print copies depleted’ checkbox.  Once the number of prints have been reached the document will automatically expire and can no longer be used.

To expire documents after a number of views, check the box ‘Limit number of views’ and enter a number in the scroller field.  Once the number of views has been reached the document expires.

Changing document expiry in the Safeguard Admin System

Once a protected document has been published you can change the expiry date from the Safeguard Admin System.  You can do this for the document (so the new expiry date affects all users) or for individual users.

To change the document expiry date for a specific document, go to the Documents Tab and select the document you want to edit.  Click on the Details button and enter the new document expiry date in the ‘Expires’ field.

To change the document expiry date for a specific user, go to the Documents Tab and select the document you want to edit.  Click on the Details button and then the ‘Grant or Revoke Access’ link.  Select the user you want to change the expiry date for and then from the ‘Grant Limited Access’ pull-down field enter a new document expiry date.

You can also change the start date of a document here.  Changing the start date of a document to a future date stops access to the document until that date is reached.  This is therefore another method of temporarily revoking document access for individual users, or ensuring that documents are not used before a certain date.