How to secure downloads & stop file copying
Most people think of downloading a file as making a copy of the file, and they are right. And in the world of Intellectual Property Rights (Copyright) we always talk about controlling the making of copies. But are these two things incompatible?
Here we discuss some of the reasons why downloading is necessary and the impact if it is stopped, and then look at secure downloads – stopping use of downloaded content, or controlling use of downloaded content – to achieve a cost-efficient and secure approach.
Stopping downloads & file copying
As is so often the case in IT, success or failure depends on what is actually happening at the technical level. (Lessig’s Law says what you do is decided by the programmer.)
Let’s take the case of information being viewed in the browser.
Everything you view in a browser is automatically downloaded to a cache on your hard disk. The Temporary Internet Files (or cache) folder is used by browsers to store webpage content on the computer hard disk to speed up viewing. So the cache lets the browser download only content that has changed since you last viewed a web page, instead of downloading all of the content every time the page is displayed. That makes downloading much quicker!
Depending on the information you are trying to protect, however, you might not want to stop downloading anyway. For example, there are big overheads if you open a PDF on a server and then smooth scroll down the page with every single line of pixels being sent over the network. If you did this there could be major server overheads or response time problems, or likely both.
Stopping file copying with secure downloads
So if downloading is there to solve a performance problem, why is controlling downloads (secure downloads) such a problem?
The Internet was made to facilitate sharing information, so it is difficult to stop people from being able to download files, especially if you want some people to be able to download them, but not just anybody or everybody.
If you have your information on a server in an unprotected form, there are several free tools available (do an Internet search on ‘download website’) that will transfer a publicly accessible web site onto someone’s hard drive, where it can be examined at leisure. So if you want to stop illegal downloading you will need to keep the information you want to protect in an encrypted form so it is of no use to anyone without information from you, or put it on a server that is not publicly accessible. But then you must be sure that the recipient is not going to misuse it.
There have been some ingenious approaches to try and stop unauthorized downloads of content by using secure downloads:
- Providing a one-time access to a server that is not publicly accessible, so the link can only be used while the approved download takes place.
- Uploading the file to be downloaded into a temporary location that expires when the download finishes.
- Using specialist downloader applications that combine information in order to ‘make’ the downloaded file during the process, and controlling access to this downloader.
- Password access areas to content. Passwords however may be given away and are difficult to manage.
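The first approach in the list, a link that works once and only for a short time, can be sketched as follows. This is an added example, not code from the original article or from any product; the names `issue_link`, `redeem_link` and `SERVER_KEY` are hypothetical, and the in-memory set stands in for a shared store.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret known only to the server
_redeemed = set()                     # nonces already used (a shared store in production)


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_link(file_id, user, ttl=300, now=None):
    """Return a signed token granting `user` one download of `file_id`.

    file_id and user must not contain '|' (the field separator).
    """
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{file_id}|{user}|{expires}|{secrets.token_hex(16)}"
    return f"{payload}|{_sign(payload)}"


def redeem_link(token, user, now=None):
    """Validate a token and return the file id, or raise PermissionError."""
    try:
        file_id, owner, expires, nonce, sig = token.split("|")
    except ValueError:
        raise PermissionError("malformed token")
    expected = _sign(f"{file_id}|{owner}|{expires}|{nonce}")
    # Constant-time comparison; verify the signature before trusting any field.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        raise PermissionError("bad signature")
    if owner != user:
        raise PermissionError("token issued to a different user")
    if (time.time() if now is None else now) > int(expires):
        raise PermissionError("link expired")
    if nonce in _redeemed:
        raise PermissionError("link already used")
    _redeemed.add(nonce)              # burn the link on first successful use
    return file_id
```

The token only controls who may fetch the file and when; it places no restriction on the file after it has been delivered.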
Of course, none of these will prevent the recipient, once they have downloaded the file(s), from then passing them on, or uploading them to one of the torrent download sites. It may have been a lot of work for nothing.
Stopping file copying with encryption
So if you want to prevent other people from making your files available for illegal downloads you have to do something more to protect them than just relying on secure download software. That will involve using encryption since that is the only really effective tool to stop people from using files they have got hold of when they should not. An encrypted file is no use to anyone without the software to decrypt the file (it need not be in a ‘standard’ format like OpenPGP), and also the keying information to go with it.
Now this all starts to get a bit complicated. Users have to be ‘authenticated’ in some way, keying information has to be given to them secretly (if they know what the information is they can give it away just like they could give away the unencrypted files) – that is why passwords are a useless method of protection because they can be given to others. Also the keying information must not be part of the protected file or it can be too easily recovered and all protected files compromised. Users also have to be prevented from being able to make uncontrolled copies or they can still compromise the system.
Stopping copying by preventing unauthorized use of downloaded files
Locklizard has implemented a number of security controls that prevent misuse of downloaded documents:
- Files are encrypted.
- Most importantly, decryption keys are not part of the downloaded file, so the system cannot be attacked through the key mechanism. Decryption keys are securely and transparently relayed to a keystore that is locked to individual computers so a keystore will not work if copied to another computer along with the encrypted files. This ensures that users cannot share encrypted files with others as they will only work on authorized devices.
- Locklizard products only decrypt content in memory, so that there are no temporary files left lying around with unprotected information in them for someone to copy.
- You can lock document use to specific locations on a global and user basis. This can be useful when you need to ensure that confidential documents on mobile devices (BYOD) can only be viewed at say an office location and not when taken home.
- Copies of documents cannot be made by screen grabbing software or by printing unless you allow this. Printing to file drivers (e.g. Adobe PDF Printer) is automatically prevented so that digital copies cannot be easily made.
- Documents can be dynamically watermarked with user identifiable information, so if you allow printing you can identify the source of any photocopies.
- Document use can be logged so you can identify any suspicious behavior.
- Access can be revoked at any time regardless of where documents reside.
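The principle that keying information stays out of the protected file, and that a keystore is useless when copied to another computer, can be illustrated as follows. This is an added, simplified example built only on Python's standard library; it is not Locklizard's implementation. `device_secret` is a hypothetical per-device secret (assumed to live in hardware-backed storage), and a production design would use a standard key-wrap or AEAD algorithm instead of this HMAC-derived pad.

```python
import hashlib
import hmac
import secrets


def _derive(device_secret, label, doc_id, nonce):
    """Derive a 32-byte subkey bound to one device, one document, one entry."""
    context = label + b"\x00" + doc_id.encode() + b"\x00" + nonce
    return hmac.new(device_secret, context, hashlib.sha256).digest()


def wrap_key(content_key, device_secret, doc_id):
    """Build the keystore entry for doc_id on the device holding device_secret."""
    if len(content_key) != 32:
        raise ValueError("content key must be 32 bytes")
    nonce = secrets.token_bytes(16)   # fresh per entry, so a pad is never reused
    pad = _derive(device_secret, b"wrap", doc_id, nonce)
    wrapped = bytes(a ^ b for a, b in zip(content_key, pad))
    tag_key = _derive(device_secret, b"tag", doc_id, nonce)
    tag = hmac.new(tag_key, wrapped, hashlib.sha256).digest()
    return {"doc_id": doc_id, "nonce": nonce, "wrapped": wrapped, "tag": tag}


def unwrap_key(entry, device_secret):
    """Recover the content key; raises if the entry is used on another device."""
    doc_id, nonce = entry["doc_id"], entry["nonce"]
    tag_key = _derive(device_secret, b"tag", doc_id, nonce)
    tag = hmac.new(tag_key, entry["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, entry["tag"]):
        raise PermissionError("keystore entry is not valid on this device")
    pad = _derive(device_secret, b"wrap", doc_id, nonce)
    return bytes(a ^ b for a, b in zip(entry["wrapped"], pad))
```

The encrypted document carries only its `doc_id`; the content key exists solely inside the per-device keystore entry, so copying both the file and the entry to another machine yields nothing usable.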
So while you cannot stop downloaded files from being copied, they are of no use to anyone but the authorized user. Locklizard document DRM products therefore retain the efficiency of secure download without any loss of security and control over the downloaded file.