Practice Tips

Securing PDF documents

by Dave Bilinsky, Practice Management Advisor

if you wanna be in my world
You’ve gotta know the password (password)
To make it right…

Recorded by Kylie Minogue, “Password.”

I recently learned of a situation where a client received an advice letter from a lawyer in Microsoft Word format, modified the contents and then attempted to claim that the law firm had given them erroneous advice.

Fortunately, the law firm was able to produce a copy of its original letter, which documented their (correct) advice. But this entire situation would have been avoided if the firm had sent out a secure Portable Document File (PDF) instead.

How does one secure a PDF? According to John Simek, computer forensics technologist, legal technology expert and frequent speaker at the Law Society’s Pacific Legal Technology Conference, securing a PDF is not complicated but it does have to be done correctly.

“Many people believe that setting a password using Adobe Acrobat will secure their document. But type ‘Adobe Password Cracker’ into Google and you will find a whole host of programs to break into them,” says Simek. For example:

[name of product] can be used to decrypt protected Adobe Acrobat PDF files, which have “owner” password set, preventing the file from editing (changing), printing, selecting text and graphics (and copying them into the Clipboard), or adding / changing annotations and form fields. Decrypted file can be opened in any PDF viewer (e.g. Adobe Acrobat Reader) without any restrictions — i.e. with edit/copy/print functions enabled.

These password hacking products work by removing the “flag” that Adobe’s password function applies to the document. This does not depend on the “strength” of your password. Once the “flag” is gone, the document is completely open to be edited, printed, etc.

In order to properly secure a PDF, Simek advises a two-step process. First, apply a “Change Permissions Password” to restrict any changes to the document. Second, apply an “Open Document” password to prevent anyone but the intended recipient from reading it.

Using this dual password method, the software used to “crack” the Adobe document password cannot get at the “flag” and therefore cannot break the security of the document (at least at this time).

This system also safeguards against the situation described above. By providing your client with the “Open Document” password but not the “Change Permissions Password,” you allow them to view the contents of the document without giving them any ability to edit it.
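A pre-send check for the two-step setup described above, as an added example that is not part of the original article: in the RC4-era PDF standard security handler, a file with only a “Change Permissions Password” is encrypted under an empty “Open Document” password, and this check detects that case. It assumes the /Encrypt values (R, Length, P, O, U) and the first trailer /ID string have already been read from the file, covers handler revisions 2 and 3 only, and uses hypothetical function names with constructed sample values.

```python
import hashlib
import struct

# Standard 32-byte padding string from the PDF specification.
PAD = bytes.fromhex("28bf4e5e4e758a4164004e56fffa0108"
                    "2e2e00b6d0683e802f0ca9fe6453697a")

def rc4(key, data):
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:                            # keystream XOR
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def user_entry(password, enc):
    """Value /U must hold if `password` is the Open Document password."""
    n = 5 if enc["R"] == 2 else enc["Length"] // 8
    key = hashlib.md5((password + PAD)[:32] + enc["O"]
                      + struct.pack("<i", enc["P"]) + enc["ID"]).digest()
    if enc["R"] >= 3:
        for _ in range(50):
            key = hashlib.md5(key[:n]).digest()
    key = key[:n]
    if enc["R"] == 2:
        return rc4(key, PAD)
    x = rc4(key, hashlib.md5(PAD + enc["ID"]).digest())
    for i in range(1, 20):
        x = rc4(bytes(k ^ i for k in key), x)
    return x

def audit(enc):
    n = 32 if enc["R"] == 2 else 16   # R3 compares only the first 16 bytes
    if user_entry(b"", enc)[:n] == enc["U"][:n]:
        return "permissions-only"      # file opens with no password at all
    return "open-password-set"

def constructed_sample(open_password):
    """Constructed /Encrypt values (not from a real file) for the demo."""
    enc = {"R": 3, "Length": 128, "P": -3904,
           "O": bytes(range(32)), "ID": b"constructed-id-0"}
    enc["U"] = user_entry(open_password, enc) + bytes(16)
    return enc

if __name__ == "__main__":
    print(audit(constructed_sample(b"")))
    print(audit(constructed_sample(b"long passphrase for the client")))
```

A "permissions-only" result means the second step (the “Open Document” password) was skipped and the file should not be sent as-is.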

Simek advises making both passwords robust (i.e. not vulnerable to a “dictionary attack,” for example) to prevent someone from guessing the passwords and defeating the security of the document. As Kylie Minogue might say, you gotta know the password(s) to make it right.