interweb freedom

(formerly Stop Usage Based Billing)

No PDF Files Please

Posted by Laurel L. Russwurm on May 21, 2010

No Usage Based Billing

TECHNOLOGY ISSUE

It is a fallacy that PDF files maintain the integrity of the information.

The idea behind PDFs was that they would freeze your digital document so that it can’t be tampered with.
Correction of Fact: I’ve learned from a comment below that PDFs were actually not intended to be secure. (Thanks D.A.) And that they could just as easily be created in landscape mode. They were intended to preserve the formatting for printing. My problem is that very often information being given in PDFs is NOT stuff that needs to be printed… and in fact does NOT need to be printed.

That’s simply not true.

Except from almost the first moment PDFs appeared in the world, people figured out how to deconstruct them so that they COULD tamper with them.

After all, forgery has existed for as long as we’ve had documents. But the idea that PDFs are secure has taken hold. But it is not true.

Worse, PDFs are a pain to use. For a long time I thought that PDFs were proprietary software because you need a special reader to read them. I have this idea that the only person who determines what can be on my computer is me. Because it’s my computer. If you want me to have specific software on my computer, you can buy me a computer, and I’ll put the software you want on it. But as long as I pay for my computer I own it.

Yet government offices lock information I want or need — information that I am entitled to — into PDF files. And school boards. Even my bank wants to replace statements with PDFs. Well. No.

Because even though I know there is software to take PDFs apart I don’t have it because I am not planning on forging anything. I’m looking to get information. But before I can get it, I have to install a PDF reader on my computer.

Even so, PDFs are miserable to read on a computer screen, because computer screens are in Landscape mode while PDFs are locked in Portrait mode. Hello. PDFs are designed to be read on paper. The format does not translate well to computer screens which are currently more and more commonly in wide screen landscape format.

If you read it on your screen you can’t just scroll through the document. You scroll down the first page. But before you can go to the second page you have to scroll back to the top to be able to click the arrow. The only civilized way to read a PDF is if you print it out. Not exactly a good paperless solution, eh?

PDFs were designed by Adobe, and the idea was supposed to be that you had to get an Adobe Reader in order to read them. That’s what made them proprietary. Eventually Adobe made PDFs partially open source, which means that programs like Open Office can now create PDF documents. And you can use other readers to read PDFs. That’s what I do when I am forced to open one.

But PDF files are nowhere near universally accessible because it is necessary to have a PDF Reader to read them. That is a huge barrier to accessibility. It doesn’t have to be an Adobe Reader, but only the Adobe Reader accesses an Adobe PDF perfectly. Recently I was given a colour PDF, but because I don’t use the Adobe reader, it will only print for me in black and white.

So just as an ordinary person who uses a computer, I hate it when information I need is locked up in a PDF.

security

But recently I’ve learned that PDFs aren’t just awkward and difficult to use they are insecure.

Putting information in PDFs does not make the information secure. PDF Files and Adobe Readers are actually dangerous to our computers.

I will not have an Adobe Reader on my computer because of the security problems inherent in the Adobe Reader. Adobe itself tells us that:

“a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system”
http://www.adobe.com/support/security/bulletins/apsb10-07.html

There are always new warnings because the Adobe Reader is insecure.

Adobe: Security Updates available for Adobe Reader and Acrobat versions 9 and earlier

And there are others who advise against PDFs…

ars technica: Flash security vulnerability exploited in PDFs

ZD Net: Adobe warns of Flash, PDF zero-day attacks

engadget: Adobe’s Flash and Acrobat have ‘critical’ vulnerability, may allow remote hijacking

United States Computer Emergency Readiness Team: Adobe Reader and Acrobat customDictionaryOpen() and getAnnots() JavaScript vulnerabilities

So please, don’t give me a PDF.



If you haven’t already, sign the petition. There are only 10796 signatures.

If you have already signed, who else should you be asking to sign?

That’s easy: anyone who uses the Internet.

Because Usage Based Billing will harm both Canadians and our Economy.

http://dissolvethecrtc.ca/

STOP Usage Based Billing

STOP Usage Based Billing



Advertisements

16 Responses to “No PDF Files Please”

  1. […] #61 Why Do Bell and Rogers Have Customers? #62 Sign the Petition #63 Write Letters to Stop UBB #64 No PDF Files Please #65 #digicon #66 2010 is the new 1984 #67 New Business Models […]

  2. Devil’s Advocate: Before there were PDFs there was PostScript, a perfectly fine typographic language that preserved page layout. PDF files were simpler and required less computing resources than PostScript files, but with today’s computing power that should no longer be a concern. Everything you claim PDFs were designed to do was already being done by PostScript.

    Even if PDFs were not originally meant to secure data, securing data was certainly one of their purposes. I’ve worked for an organization that adopted PDFs in the early days in order to disable cut’n’paste of their material, especially galling because those PDFs contained public data (although copyrighted). Fortunately, even in those early days it was possible bypass that “security” with freely available applications. Of course, that will soon be illegal under Bill C-32…

    –Bob.

    • Devil's Advocate said

      The original postscript (.ps) files you speak of were strickly for output only, and could not be reliably viewed for examination. You could not realistically expect 2 computers to display the exact same result. The only way these files were proofed was to actually print them with the intended process.

      This was because they were pure postscript – a language only fully spoken by printers.

      You also couldn’t easily marry .ps files into a book layout.

      PDFs were introduced to provide the print industry with some much-needed reverse engineering and migration capabilities, as well as “front end” functionality for document sharers.

      As for the “security” aspect, it wasn’t exactly unique to Acrobat. The same feature was introduced to a number of other softwares, enabling the same “galling” practice of arbitrarily locking down content in the most unwarranted cases.

      And, that was my original point.
      It doesn’t matter what format you receive content as. ALL applications can facilitate the same kind of product lockdown.

      The only difference you’ll find with a PDF is that its intended appearance and print result is more likely to be consistent from its origin to whatever destinations it is displayed and/or printed.

      I’ve been in the print industry for about 35 years, and was also one of the first desktop publishers. I’ve been doing this work since before the existence of applications or operating systems like Windows. So, I don’t make these points lightly.

      I’ve banged my head against the desk many a time over the years because content I was being paid to manipulate, provided to me in ALL FORMATS (PDF, Word, Pagemaker, Quark, whatever) was being locked down the same way Laurel was complaining about, by all sorts of clueless bozos.

  3. Oh look: more PDF security warnings: engadget: Adobe’s Flash and Acrobat have ‘critical’ vulnerability, may allow remote hijacking

  4. RobertX said

    Sorry for the doublepost.

    In your Ubuntu OS, Evince is the program you’re looking for if you want to highlight things.

  5. […] Comments (RSS) « No PDF Files Please […]

  6. […] Sounds like they’d rather not get stuck in the PDF morass they had for copycon. Deconstructing all the PDF submissions is probably the chief reason why it took so long for all the submissions to be posted online. (I hate PDFs!) […]

  7. […] Sounds like they’d rather not get stuck in the PDF morass they had for copycon. Deconstructing all the PDF submissions is probably the chief reason why it took so long for all the submissions to be posted online. (I hate PDFs!) […]

  8. Devil's Advocate said

    Sorry, Laurel, I’m not quite sure I get this one from you.

    First of all, the Personal Document Format wasn’t originally designed to “lock up” the contents, or provide any sort of added “security” features. “Tamper-proofing” wasn’t even remotely the objective.

    The format was introduced for the printing world, to provide a means to unite various documents created in various applications, in order to compile the content into books, booklets, etc.

    A PDF was simply a POSTSCRIPT product, created by print drivers, that was intended to preserve the intended appearance and colours of any documents when viewed, printed, or RIPped by anyone else, regardless of whether the recipient(s) had the software or fonts that would normally have been necessary.

    The resulting postscript files were (originally) always generated in proper “CMYK” colours, which were compatible for offset printing, and greater compatibility between early colour printers.

    The intention was to produce something that, theoretically, WOULDN’T CHANGE when outsourced or shared by company employees, etc. This was important at the time, as documents produced with MS Office and an array of other softwares never seemed to redraw themselves the same from one machine to the other, even if the recipients did have the fonts! (You must remember this, as it was a wide-spread headache for anyone who had to work with computer-generated documents since they became mainstream.)

    Naturally, a company wanting to submit stuff to 3rd parties for printing, etc., wanted to maintain the integrity of company info, so the option appeared to place a password security on the ability to edit or print or both. The same was done for Office documents, and others. But, this feature, regardless of what application we’re talking about, was never, by any means, ever taken by anyone having any basic experience with computer software, as the ultimate piece of security!

    PDF wasn’t invented to allow its contents to be easily manipulated, as the goal was to MAINTAIN the intended PRINT product that was created. But, due to growing requirements from the same industry it was invented for (printing!), abilities to handle its contents, and even correct or change them, were summarily built into many other applications (i.e. Illustrator, CorelDraw, and Acrobat, of course).

    Since you’re spooling POSTSCRIPT information when you create a PDF,OF COURSE needed to be an application that everyone could use to view them. THAT was the idea. This software may have been “proprietary”, but it was provided for free, and was widely available online. In the beginning, Adobe Reader was a fairly small package, quickly downloaded and easily installed. I honestly can’t see the problem you think this created.

    It doesn’t matter what format data is saved in anymore, or whether a file has any security properties, such as a password, it can’t be secured as a digital product, period!

    Unless the bank statements you’re talking about are currently arriving to you as a hardcopy, it wouldn’t matter what form of electronic document they intend to start sending you – they’re ALL SUBJECT. (Hell, hardcopies were never secure in any sense of the word, either.) You also have to worry about any data you retrieve from that bank online yourself, even when just viewing your account. These dangers are known, and there’s lots of info available online on what to expect and how to deal with it safely. The truth is, the only information transfer that can be seen as truly safe would have to involved an action between two live people in the same room.

    And, there are “vulnerabilities” in ALL applications. Adobe Reader doesn’t have any more to worry about than MS Word. Any program that maintains an internet connection porthole and stands poised to execute code that comes from it, without the need for your approval, can be said to be “vulnerable”. These dangers, too, are known and there are things you can do to minimize or eliminate them. Such info is “Googleable”.

    Lastly, I don’t understand the “portrait/landscape dilemma” you’re expressing. Acrobat doesn’t create the documents! A PDF is merely the reflection of a document created in ANY OTHER APPLICATION. You always had to view ALL “portrait” documents with the same “landscape monitor”, regardless of the program used.

    I mean you no disrespect, Laurel, but your expectations about the PDF format seem to far exceed the actual PDF “agenda”.

    • What you say makes perfect sense, that PDFs are meant for printing. So if I was a printer it makes sense to give me the work in a locked down format. The problem is I’m not a printer.

      The main reason I hate PDFs because you can’t read them easily on a computer. Or cut and past the bits you need.

      The problem is that many websites… in my experience it is government websites, particularly school boards and municipalities… who are more and more locking information that I just want to read on the computer into PDF files. Maybe I might want to cut the relative information out and put it into another digital file, like say a calendar app. But what I do NOT want to do is print it.

      It is truly irritating to go to a website that is all HTML until you get to the bit that has the info you need and it is only available in a PDF. School board: almost everything is in pdfs. School: If I want to take 30 seconds to pop into the school website to check the schedule to see exactly when 2nd period ends, instead of finding it in HTML I have to first download a PDF. This is why I’m annoyed with PDFs.

      The reason that they do this more and more is because they think it makes it “secure”. That’s the perception. That’s why I assumed that PDFs were intended to be “secure”.

      But most people really think the PDF will “maintain the integrity of the information”. That phrase actually came from the bank guy who wants to give me PDF statements instead of mailing me paper statements, selling it as environmental because they don’t have to print it out. But it isn’t environmentally good for me… because it is a format that begs to be printed, and I have to use my ink to print it out. (Bubble jet ink is after all the most expensive liquid on the planet. Of course they want ME to print it out.) Of course switching will save them masses of money.

      Are they afraid I might change the numbers around on the statement… what, to make it look like I have more money? And if I bring a forged statement in to the bank will they give me more money? Not likely. The statement is for ME. It is something I the customer use to keep track of my records. The school info is for me, why can’t the info be in an accessible format? The municipality info that they would have had to print and mail in the old days is for me. The transit schedule is for me. Even if I print it out, who will it hurt if I were to mess with the layout? But they are not putting it into a universal format like html for my convenience.

      The websites are made of html but the information I want requires me to put a PDF reader on my computer. It isn’t that they aren’t capable of html — the rest of the website is html after all.

      Why should I have to put any software on my computer that I don’t want? Especially in these days of big brother on the one hand and malware on the other, well, I shouldn’t have to compromise my security.

      • RobertX said

        I believe there are free tools out there that can edit a PDF. Is that what you are looking for, Laurel?

      • No, I would like to see websites– especially government websites– stop using PDF files inappropriately.

      • Devil's Advocate said

        So, Laurel, are you saying you’d rather have content offered in Word, or any one of a number of formats that are not a PDF??

        This simply doesn’t make any sense.

        If I interpret you properly, you’re frustrated mostly because of a need to cut ‘n’ paste from the source. Obviously, you wouldn’t be interested in the formatting or appearance of this content, since you’re recycling it.

        Cut ‘n’ paste is the one task that is not straightforward directly from a PDF – if you haven’t got Acrobat, or any number of applications that were made to deal with PDF text!

        The same is true for Word, for example. If you don’t have Office or WordPerfect, you’d have a pretty hard time dealing with a Word doc directly as well.

        And, as I’ve already outlined about “lockdown”, if I place security on content in a Word document, you won’t have an easy time copying the text from that either.

        Same goes for stuff produced from a “content management” system – where the various bits of content are “recycled” by pulling them from a server and married by either a client-based authoring program or a server-based authoring program meant to serve the product to you via the webpage. Much of that is locked down, sometimes for a reason, often for no good reason.

        The only way to deal with such snags, if it’s important to you to be able to do so, is to arm yourself with both the applications that will solve as many as possible, and the knowledge associated with their use.

        It’s important to me, so I have everything I need from Office to CorelDraw to Adobe Creative Suite (and therefore, the full Acrobat), as well as literally hundreds of small “specialty” applications (most of them open source and free!) that each exist mainly to accomplish “that one task” that always gets in the way of something bigger.

        Those small freebies certainly illustrate one of the great things about the Internet – someone creates a solution for something and is able to share it with the world, by making it instantly accessible.

      • Yes, you have all those apps on your computer because you choose to have them there. And I have the apps I want on my computer.

        Remember not everyone can afford to purchase every program going. And even if you can, there is no point getting programs you won’t use.

        The thing is, when I go online to find information I find it in HTML not in .odt or .doc or whatever the Apple proprietary document format is. I have NEVER gone to a website for information and been offered it in a WordPerfect. The only non HTML documents I have come across are PDFs.

        I use Photoshop all the time, and I know lots of other people do too, but I’ve never found .psds online. WordPress won’t accept them for one thing. I use Photoshop a lot, I scan old family photos with it and after I’m done restoring them I print my photos from it. Actually I print all my digital photos from Photoshop too. But I wouldn’t put any .psds on my web page because then only people with Photoshop would be able to see them.

        Which is why I convert every image file before putting it online. Online image standards seem to be .jpg, .png or .gif

        Because the point of the internet (according to Lawrence Lessig) is sharing.

        I want people to see what I have online so I try to make it as accessible as possible. I faithfully fill in “alt” information to try to ensure people with disabilities can read my posts or web pages for instance. As you pointed out earlier PDF files are for printing. Websites are made of HTML.

    • Devil's Advocate said

      “The only non HTML documents I have come across are PDFs.”

      There are reasons for this mass adoption.

      1) PDF can be generated from any other software.
      2) PDF is a reliable format that can “cross over” between Mac and PC platforms.
      3) PDF readers are free.
      4) PDFs will display and print as designed, without the need of the software that created it, or the fonts (if generated correctly), moreso than any other format.
      5) PDFs can be compiled into many other products.
      6) There’s more, but I’ll stop. 🙂

      PDF is now, simply, the “accepted universal norm” for sharing formatted content. That’s what it was designed to be, and it’s living up to that expectation very well, despite the “bloat” that Adobe Acrobat now offers.
      ____________________________

      “…there is no point getting programs you won’t use.”

      Correct me if I’m wrong, but were your beefs about…?
      1) having to deal with PDF-supplied content; and
      2) content being locked without purpose.

      PDF is commonly selected because it is THE universal cross-platform delivery product, and can be created from any application. Nothing else can make that claim.

      PDF also allows high-end artwork to be tweaked by someone else (via Adobe CS, CorelDraw, Freehand, and a number of others, depending on the work), and return the revised product to the creator’s Creative Suite, Quark layout, or without the necessity of transmitting and relinking all the support files that often go with it.

      PDF is selected mostly by those who don’t care so much that the content can’t be easily grabbed for a blogger’s cut ‘n’ paste. They’re not concerned about others’ learning curves. All they worry about is that the content remains as created, and will print reliably from the most possible processes. The importance of this is certainly seen in the majority of those “government documents” you’re talking about, as well as anything with a legal or corporate flavour.

      You certainly can’t publish something as only HTML, when the “official product” is needed. Forms, in particular, need to stay as FORMS, and because of PDF, many of them can be completed in Acrobat Reader now, as interactive fields can be included.

      Since the format has achieved this kind of popularity, you’re kinda “stuck” installing the software that is needed to handle it, if you genuinely want that content.

      No, there’s no point in having software you won’t use. There’s also no point avoiding software you WILL/SHOULD use, either.
      ____________________________

      “…the point of the internet… is sharing.”

      Absolutely!!

      However, HTML can only share raw content, and not format. Even your webpage will display differently to some than it does to others.

      It’s nice to be able to share EVERYTHING. Formatted products allow this where HTML can’t.

      But, some of us don’t just need “the words”, or “that picture”. We need the PRODUCT, as it was created, and the means to propagate it in its purposed form.

      For instance, you may wish to sample words from a legal proceeding, however, I may need to have the entire document, and the parties involved need that document to reflect the true archive, particularly if the proceeding is high-profile and still in progress.

      Another case in point is the need to share the actual vector art. Converting it to a bitmap (JPG, PNG, GIF, etc.) would totally defeat this purpose. HTML may be able to deliver SVG, but there’s more people who can’t recycle it than in the case of PDF (which can actually be used to deliver the vector format back to a wider array of programs, I might add).

      I just find that you can share more things in a more useable format outside of HTML.

      I also find that some direct cut ‘n’ pastes from HTML also contain code that needs to be stripped out, before it can be recycled on another webpage. I would think that would level the playing field for creating headaches.
      ____________________________

      “…Remember not everyone can afford to purchase every program going.”

      It’s not necessary to purchase the full Acrobat program. The Reader is free, and other free PDF-handling software is widely available. Some of it runs over the web as well, which some people seem to like.
      ____________________________

      Anyway, I’ve badgered you enough on this topic, haven’t I?!

      This was not the intention, and I’m sorry if that’s how it came across, Laurel.

      🙂

      • Ordinarily I wouldn’t mind a bicker-fest D.A., but I’m under the gun to get my novel finished and UBB has been approved at the same time as the digital consultation and of course the Bill C-32 the Canadian DMCA. (Blogging about all of these things as well as documenting our robin’s nest has left me in the position of not having time for things like sleep or recreational arguing. After everything else settles down I’ll work my way though your arguments if you like.

        That said: the problem we are having here is that we are talking about apples and oranges. You are talking about documents (which can be uploaded/downloaded over the internet but not displayed on the internet without something like ScribD. PDFs are for printing, they are not a web format. (In fact I’m in the process of figuring out how to use PDFs, because I’m going to have to *gasp* create a PDF of my novel for CreateSpace)

        The internet is NOT print. THIS blog is in a flexible theme, which means that it displays differently depending on the user’s screen size, but all the screen “real estate is used.” I always check to see that it is displaying alright at 800 pixels across, because that’s part of making it accessible.

        HTML is a reliable format that can “cross over” between Mac and PC platforms… browsers are free… HTML can display and print as designed when combined with CSS, which is how web formatting is done….

        HTML/CSS is the way we share formatted content online.

        My biggest beef with PDFs is the cut & paste thing. My problem with this is not wearing my blogger hat — I was perfectly willing to manually deconstruct the SOCAN copyright consultation for inclusion in my blog and would have done the same for A.C.T.A. had not a tool user beaten me to it. (yay!) — but wearing my citizen hat:

        More and more governments are locking information we citizens are entitled to inside PDFs. If I just want to look at my kid’s schedule on the school website (paid for by my tax dollars and yours) should I really have to kill a tree to print out a PDF that is the only form it is available in on the school website?

        I can understand the TTC not wanting to print out Ride Guides anymore, but having transit maps locked in PDFs means that they must be printed. If they were done in HTML people could look up the info they needed at the time they need it on their cel phone when they are actually lost in Scarberia say. (Have you ever tried to read a PDF on a cel phone?)

        Anyway, my vision is blurring so I’ll cut to the chase:
        Government information should never be locked in PDFs. It belongs to us. It should be easy to cut and paste any info we need from government info. We should NOT have to put a reader we don’t want on our computer to read it, nor should we have to print it out.

        For a chuckle you might want to check out this article about World Cup PDFs…
        FST: World Cup 2010: the unforeseen security risks

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: