How do I prevent someone from forwarding a PDF?

Attorneys are ethically bound to rigorously defend the confidentiality of clients.

For that reason, legal professionals often want to limit the distribution of documents. Accordingly, I received the following email from an attorney this week:

Is there any way I can prevent someone from forwarding a PDF I send to them?

While it is impossible to prevent someone from forwarding a file, you can prevent the next person from opening it.

How?

Can’t I use passwords?

It is easy to password protect a PDF document. (See Password Security using Adobe Acrobat 8 or 9.)

Anyone who enters the correct password can open the document. However, that does not prevent the recipient from giving the password to another party who could, in turn, open the document.

Public Key Cryptography

Public Key security is a great way to limit who can open PDF documents. Acrobat uses a mathematical algorithm to create a related pair of keys: a secret private key and a public key.

Public and Private Keys

Public Key security may also be called PKI (Public Key Infrastructure) or Certificate Security.

Here’s how it works in practice:

  1. The parties exchange public keys using Acrobat or Adobe Reader
  2. You encrypt a PDF using the public key of the recipient(s)
  3. The PDF can only be decrypted with the corresponding private key of your intended recipient
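The three steps above can be reproduced outside Acrobat with the OpenSSL command line, as an added example that is not from the original article. OpenSSL's CMS (PKCS#7) envelope stands in for Acrobat's certificate encryption, and the names `alice` (intended recipient) and `mallory` (someone who receives a forwarded copy), the file names, and the memo text are all constructed for the illustration.

```shell
#!/bin/sh
# Added illustration with constructed data; not Acrobat's own tooling.
# "alice" = intended recipient, "mallory" = person who gets a forwarded copy.

make_digital_id() {   # $1 = work dir, $2 = name: self-signed cert + private key
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

try_open() {          # $1 = work dir, $2 = name; prints "opened" or "refused"
  if openssl cms -decrypt -binary -inform DER -in "$1/memo.p7m" \
       -recip "$1/$2.crt" -inkey "$1/$2.key" -out "$1/$2.out" 2>/dev/null \
     && cmp -s "$1/memo.txt" "$1/$2.out"; then
    echo opened
  else
    echo refused
  fi
}

demo_forwarding() {
  d=$(mktemp -d) || return 1
  # Step 1: both parties have a Digital ID; only the certificates are shared.
  make_digital_id "$d" alice && make_digital_id "$d" mallory \
    || { rm -rf "$d"; return 1; }
  printf 'Privileged and confidential (constructed sample)\n' > "$d/memo.txt"
  # Step 2: the sender encrypts to alice's certificate (her public key) only.
  openssl cms -encrypt -aes-256-cbc -binary -in "$d/memo.txt" \
    -outform DER -out "$d/memo.p7m" "$d/alice.crt" \
    || { rm -rf "$d"; return 1; }
  # Step 3: alice opens it with her private key; the forwarded copy is
  # useless to mallory, whose key matches no recipient entry in the file.
  echo "recipient=$(try_open "$d" alice) forwarded_copy=$(try_open "$d" mallory)"
  rm -rf "$d"
}

demo_forwarding
```

Run with `sh`, it prints `recipient=opened forwarded_copy=refused`. The result holds only as long as the recipient's private key stays with the recipient.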

Read on to learn how to exchange PDF documents and prevent forwarding.

Coordinating Certificate Security

In order to prevent the recipient from forwarding the document, you will need to exchange Digital IDs (your public key) with them.

Acrobat offers Wizard-based processes that will allow you to do the following:

Step 1: Create a Digital ID

You’ll only need to create your Digital ID once. Here are the steps to create it.

  1. Choose Advanced > Security Settings
    A) Select Digital IDs on the left
    B) Click the Add ID button
  2. Select “A new digital ID I want to create now” and click the Next button.
  3. Choose “New PKCS#12 digital ID file” and click the Next button.
  4. Enter your contact information and click the Next button.
  5. Type a password for your digital ID. You will need to re-enter the password for confirmation. Click Finish.

#### A note about your password …

Use a good password that you will remember. Passwords are case-sensitive and must contain at least six characters. The following characters are not allowed in a password: "" : ! @ # $ % ^ & * , | \ ; < > _ .

Step 2: Exchange Digital IDs

Now that you have created a Digital ID, you’ll need to exchange your public key with your intended recipient(s).

Starting the Exchange

Follow these steps to send your digital ID and request one in return:

  1. Choose Advanced > Manage Trusted Identities and click the Request Contact button.
  2. Type your name, email address, and contact information.
    – Ensure that “Include Certificates” is checked
    – Click the Next button
  3. Choose your Digital ID and click the Select button
  4. A window opens which allows you to compose an email to the recipient. You may wish to customize the message with something more personal.
    – Click the Email button to send your Digital ID by email.

#### Tip for Better Communication

Talk to your intended recipient ahead of time about why you need to exchange Digital IDs. Most folks do not have experience with encryption, so you may need to explain the process.

Acrobat will send an email with an FDF file which contains your Digital ID’s public key.

Adding the Recipient’s Digital ID

When your recipient receives your Digital ID, Acrobat will take them through the same process described below. If your recipient doesn’t already have a digital ID, they will be prompted to create one.

The end-result is that you will receive an email just like the one you sent from Acrobat with your recipient’s digital ID.

  1. Check your email for the message containing your recipient’s Digital ID.
  2. Open the attachment (an FDF file) contained in the message.
  3. Switch to Acrobat. An import window will appear. Click the **Set Contact Trust** button.
  4. Enable the check box, “Use this certificate as a trusted root” and click the OK button.
  5. The certificates will be added to your Acrobat trust list.

Step 3: Encrypting a PDF that will only open for your intended Recipient

Now that you have exchanged certificates, you can encrypt a file so that only your recipient can open it.

#### Encrypt and Send a Copy

You may wish to encrypt a copy of the original file instead of your original one. See Backup Your Security Settings below for why . . .

  1. Open Acrobat and the PDF you wish to encrypt with a digital ID
  2. Click the Secure button in the main toolbar and choose “Encrypt with Certificate”
  3. Click Yes on the next screen . . .
  4. Click the Next button
  5. Click the Search button. This will allow you to add recipients.
  6. The Search window opens. Here’s what to do:
    A) Deselect “Search all directories”
    B) Set Directories to “Trusted Identities”
    C) Locate your recipient(s) from the list
    D) Click OK
  7. If you want to limit what your recipients can do with the PDF (e.g. no printing, etc.), choose a recipient, then click the Permissions button
  8. Select the permissions each recipient may have on the document such as printing, commenting, etc. Each recipient may have a different set of permissions.
    – Click OK in the Permissions Settings window
    – Click Next when complete
  9. Click the Finish button then click OK.

Your document may now be distributed to your intended recipients!

Backup your Security Settings!

The Digital ID you create is unique to you.

If you buy a new computer, or have to rebuild your existing one, you will need to re-install your Digital ID.

It is very important that you back up your certificates. Take note of this scary extract from the Acrobat 9 Help file:

If a self-signed digital ID is deleted, all PDFs that were encrypted using the certificate from that ID are forever inaccessible.

Here’s how to back up your Digital ID:

  1. Choose Advanced > Security > Export Security Settings.
  2. Click OK to export all of your settings
  3. Click the Export button in the upper right of the window.
  4. Select Password Security and click OK.
  5. Enter a password you will remember and click OK.
    You will need to confirm the password.
  6. Enter the password for your Digital ID to certify the file.
  7. Click Sign.
  8. Give the file a name and save in the location of your choice.
  9. Move the BACKUPNAME.acrobatsecuritysettings.pdf file to a thumbdrive or other safe place.