How easy or possible is it to track when/where a PDF file is transmitted or opened once it goes out into the wild?

image

Specifically, I’m looking for DRM software that:

  • Integrates seamlessly into a PDF (i.e. the user doesn’t need to download any additional software apart from a bog standard PDF reader)
  • Doesn’t overtly flag to the reader that there is DRM built into the PDF file, or that usage is being tracked
  • Still lets the PDF be opened by whoever, whenever without a password or code; i.e. places no restrictions on use

Does such a beast exist? And if so, how does it work?
———————————————————
What is your goal? Track or prevent piracy?

If you want to prevent it:
have password = credit card number
don’t allow password to be changed

Of course they could print and scan, but atleast you made it harder for them.
———————————————————
My goal is just to find out if it exists at the moment – I’ve heard companies claim they use such a system. Yes, its use would be to prevent or track piracy. I know about DRM approaches that use a password.

I’m specifically looking for something that fits the criteria above – or alternatively for an explanation of why it couldn’t exist.
———————————————————
The only way to track is to somehow access the internet. Basic PDFs can’t do that.

PDF could include JavaScript that could access the net. You could use a webbug to track usage (E.g., http://www.security-labs.org/fred/docs/pacsec08/samples/03-infoleak/webbug-js.pdf ) which would access a per-user URL (e.g., http://yoursite/usage.php?id=user-identifier)

So technically it’s possible but a minority of PDF readers don’t support JavaScript (basically only Adobe Acrobat supports JavaScript but others like Evince don’t). You can’t really prevent distribution, and the most you can hope is to track PDFs some of the time.

Alternatively you could not offer a PDF for download and just show rasterized bitmaps at various resolutions for people to view when they have an internet connection.
———————————————————
Thank you – really helpful. In your webbug example, does the user always see a message telling you that something is trying to load or access the internet or would the user experience be identical to opening up a normal PDF?
———————————————————
PDFs can’t access the internet unless the user explicitly gives permission. (At least with Adobe Acrobat reader)

The best way I’ve seen is to provide a web page with a flash or JS reader render the PDF inline so you have full control and the user doesn’t have access to the PDF file but can still read it.
———————————————————
would the user experience be identical to opening up a normal PDF?

I don’t know how PDF readers handle such requests (i.e. if they notify the user) — decent ones should, as such a system is explicitly built to compromise the users’ privacy.

However, such a request could still trip a (properly configured) firewall. The originator of the PDF might have to field questions from users, asking why their PDF is sneakily trying to connect to the internet and what information is being transmitted.

Furthermore, such a system would be trivial to reverse engineer and neuter, by redirecting the phone-home URL so the outgoing request does not reach its destination.
———————————————————
>>PDFs can’t access the internet unless the user explicitly gives permission. (At least with Adobe Acrobat reader)
>>This is correct. Essentially, the way to do this is to add an open action to the document that includes a URI action that pings a mothership, but URI actions are supposed to post a dialog requesting permission.

Even if this did exist, it’s not something that non-Adobe software is likely to allow. If people use any reader besides Adobe Reader it probably won’t work. Again, even if it exists in the first place.
———————————————————
VeryPDF DRM has more options to protect your documents, it allows you to block printing and copying, set printing, opening, IP address, expiry date limits and dynamic watermarks to your documents. You can also revoke access at any time. Online Center allows you to track user activities, include file opened date, IP address, and more.

http://drm.verypdf.com

Is it possible to track where a PDF file goes once in the wild?
Tagged on: