May 12, 2006

Permission bits shouldn't be optional

Posted at May 12, 2006 02:57 PM in Technology.

I've had reason lately to investigate Adobe Acrobat security for an unrelated side project that I'm involved with. More specifically, we were interested in being able to control access to documents based on a set of permissions that would be centrally stored. A password-protected file wouldn't suffice because a password can be shared, and sharing documents should not be permitted (unless the recipient had been granted the same permission). By the end, I had learned that not only does Adobe not have an Internet-based solution for this (though they do offer a LAN-based intra-company solution), the widely-available security seemed inherently flawed. We were able to find many examples of circumventing both passwords and access controls.

As a result of this investigation, a recent story about PDF security that otherwise would have gone completely unnoticed caught my attention. PC Magazine reported on Wednesday that a glitch in Gmail's handling of PDF files allowed people to view PDF files as HTML files and thus circumvent both copy and print protection. What really strikes me as bone-headed in this is that a program can misinterpret the security settings and partially bypass the protection. Read on...

The PC Magazine article links to a blog post by the person who discovered the flaw, and the comments there are even more alarming, with stories of getting around PDF protection in a whole myriad of ways (most of them involving Linux). Most of these methods were extremely trivial, such as converting the files back to PostScript format, seemingly avoiding all protection. Whose idea was it to create security bits that programs could simply blow right past and ignore? I realize many DRM schemes have weaknesses, but this just seems... sad.

I don't blame Gmail for this vulnerability. How can you blame them for an oversight while complying with a system where the security is apparently optional? Geez. The better solution is a system where this isn't so easy, or better yet, a system where it's not even possible. It's not like we live in a world without encryption and public-private key pairs that could provide real security (if admittedly a bit harder to manage). Sometimes a little extra overhead is worth getting the real protection that you need.

All this to get around to some bigger questions: Is DRM in any form a waste of time? Will every DRM scheme be broken? Are there fair uses for DRM to protect legitimate business models? These are not easy questions. My opinion? No, Maybe and Yes. DRM has just gotten a bum rap from being over-used and under-thought.

Comments

Adobe never cease to amuse me with their incompetence :)

Posted by Ralesk / Henrik Pauli at May 12, 2006 08:11 PM

The problem with DRM is that there's nothing to protect us from DRM. DRM is just fine to protect the rights of businesses but who's going to protect the consumer when DRM is used instead as restriction management? What mechanism is in place to protect the consumer's fair use rights when DRM attempts to squash it? DRM is not required to adhere to copyright exemptions such as public domain, fair use, and first-sale. DRM is also not effective when ownership of copyright changes hands. This is a problem.

It's not only the rights of business that matter. The rights of the people matter as much, if not more so. Securing these rights is the real problem that must be solved if DRM is to have any place in society.

Posted by EvaUnit02 at May 13, 2006 10:55 PM