Re: PDF is blocked for printing, etc. OK for acroread (it behaves as expected), but KPDF allows me to print it, even if it is protected! Why?

[Russ Allbery <rra@debian.org>]

Gunnar Wolf <gwolf@gwolf.org> writes:
> Russ Allbery dijo [Mon, Apr 19, 2010 at 02:14:21PM -0700]:

>> I think people are not understanding why users use this feature in some
>> environments.
>> 
>> Yes, sometimes it's a misguided attempt at DRM, but I've more often seen
>> it inside a workplace as defense in depth against *mistakes*.  One might,
>> for instance, mark a document as not printable because it contains social
>> security numbers and salary information and it's corporate policy not to
>> create hard copies of the document beause of the risk of exposure of
>> personal information that might put the company at legal risk.
>> 
>> That's not to say that Debian PDF viewers should support this the way that
>> Acrobat does, but for that use case, the desired UI is probably something
>> like a dialog box that pops up and says that the document author has
>> marked this PDF as not printable and asking the user if they're sure they
>> want to override.  For this use case, such a warning would probably serve
>> the same purpose.

> The reasons not to want a document printed are quite easy to understand,
> but the mechanism is flawed.

Why?

> Given the setting you mention, you can just slap a red banner stating
> "Confidential, do not print". If it is on a corporate setting, just
> state it as a policy - and if somebody fails to comply with the policy,
> there should be sanctions.

An ounce of prevention is worth a pound of cure.  Finding ways to punish
employees for doing something stupid isn't nearly as interesting as
finding ways to use software to warn people against doing something stupid
in the first place.  We all do something stupid without thinking about it
occasionally.  If that thing has serious consequences, having multiple
levels of protection to ensure that we really want to do what we're doing
is useful and helpful.

Why not put both a banner on the document *and* set the no-print flag to
force a prompt at printing time?  Defense in depth is almost always a good
idea.

> Of course, somebody interested in printing the file will do it. Either
> by his own means or, like my users, by mailing the "techie" the document
> asking him to unprotect it. Or by sticking it on a USB key and taking it
> off-site to a location they can freely tinker with.

Yes, as I said explicitly, that's not the point.

> As I said on my previous mail: If you don't want it to be printed,
> distribute in a way that makes it hard to be useful when printed. Don't
> you trust somebody with social security numbers and salary information?
> Don't give it to them.

It's not a matter of trust.  It's a matter of using technology to help
protect against mistakes.

Do you configure your Git repositories to deny non-fastforward pushes?
That's just an artificial "fake" security measure to prevent an action
that someone can take in many other ways.  It won't stop anyone determined
do a non-fastforward push.  And yet almost all of us who run shared
repositories use that setting and like it, because it prevents us from
doing things that we didn't intend to do.  The solution to that problem
isn't to prevent anyone who one can't trust to only do fast-forward pushes
from doing git push at all.  It's to apply a simple technological measure
that makes sure that people doing something dangerous confirm that they
know what they're doing.

Hopefully the similarity is obvious.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>