Slashdot Mirror

← Back to Stories (view on slashdot.org)

PDF Tracking On the Way

Posted by timothy on from the drown-baby-in-the-bathwater dept.

(el)Capitan.Nick writes "PDFzone reports that the company Remote Approach has launched a service to track the movement of PDF documents with its tool Map-Bot. The purpose of this service is to allow PDF publishers the ability to measure their audience, as web publishers can already. Though personal information is not gathered from machines, IP addresses are. PDFs can require users to be connected to the Internet in order to read them, and every person you email the PDF to is subject to the service. As PDFzone's opinion article states, while 'the chances of running into a Remote Approach PDF right now -- and in the near future -- are pretty remote ... the potential for the technology to tarnish PDF's image [of security] is staggering.'"

21 of 248 comments (clear)

  1. Okay.... by Balthisar · · Score: 4, Informative

    Okay... Print, Save as PDF on the Mac, or Print, select PDF Writer on Windows, or print to ps and "distill" with gs on anything else, and there goes the tracking. Not right?

    --
    --Jim (me)
    1. Re:Okay.... by FreeLinux · · Score: 2, Informative

      Correct me if I am wrong but, I believe that these features rely on the reader for enforcement. That means that readers such as Ghost Script can ignore the "feature". This makes them non-trackable, printable and copyable, no?

    2. Re:Okay.... by Lehk228 · · Score: 4, Informative

      ghostscript can read encrypted PDF's, however it does honor the creator settings for disabled features, you will have to go in and recompile it with whatever function checking if it is set to disable features to always return no features disabled.

      --
      Snowden and Manning are heroes.
  2. Disable PDF Javascript by user9918277462 · · Score: 5, Informative

    The remote logging is done through embedded Javascript in the PDF file. Most free viewers such as gpdf, xpdf and kpdf don't support Javascript so you're safe with them.

    Adobe Acrobat Reader starting supporting embedded Javascript with version 7.0, although you can disable it in the preferences dialog. Apparently it bugs you every time you start the program to re-enable it, though.

    Bottom line: Stick with free software.

    1. Re:Disable PDF Javascript by mr_shifty · · Score: 2, Informative

      Apparently it bugs you every time you start the program to re-enable it, though.

      It was that stupid nag-message that caused me to uninstall Adobe Reader 7 and reinstall Adobe Reader 6 on my Windows machines.

      I would pop up the "This document contains Javascripts. Do you want to enable Javascripts from now on? The document may not behave correctly if they're disabled." message even on PDFs that I created that I know don't have Javascripts in them.

      Feh.

      --
      And the circle of life continues to spin, occasionally wobbling on its axis thanks to the weighty presence of dumb.
  3. Discussed on LWN concerning Adobe Acrobat 7 by nick_urbanik · · Score: 5, Informative
    • Article is subscribers only (worthwhile)
    • Article will be readable by guests 1 week after publishing
    • Solution in Linux is to disable Javascript in acroread 7
    1. Re:Discussed on LWN concerning Adobe Acrobat 7 by Isthistakenyet? · · Score: 5, Informative

      There is a bug (in my opinion) in Acrobat Reader 7 when you disable JavaScript that causes this warning to appear when exiting the program:

      This document contains JavaScripts. Do you want to enable JavaScripts from now on? This document may not behave correctly if they're disabled.

      This happens even if you do not have a document loaded, since Adobe Reader tries to run some internal JavaScripts when it exits. If JavaScript is disabled, this warning comes up. I've created patches that prevent this from happening on both Linux and Windows. They may also prevent the warning from coming up with documents that actually contain JavaScript.

  4. Re:PDF by jcr · · Score: 4, Informative

    IIRC, it's "Portable Document Format".

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  5. Rather pointless by hweimer · · Score: 5, Informative

    PDFs can require users to be connected to the Internet in order to read them,

    No, they can't, PDF is nothing but a data format. Some broken PDF viewers (especially those from Adobe) may do this, but since PDF is an open format, there will always be some other viewers that don't promote spying on their users. Basically, this is the same nonsense as the "no printing" option.

    --
    OS Reviews: Free and Open Source Software
    1. Re:Rather pointless by NetNifty · · Score: 3, Informative

      Depends how it's done though, if it just plain PDF but with javascript as has been suggested so far, then you are correct.

      However, if for example the document is encrypted and they key is on a server which the PDF points to (and the server logs all IP addresses connecting to it to retrieve the key) then it will work at least for the first time you open it (unless of course we create another server or even p2p network with the keys on it for ebooks which the PDF viewer visits instead).

      --
      Linux Wireless Hardware in the UK
    2. Re:Rather pointless by Isthistakenyet? · · Score: 2, Informative
      Basically, this is the same nonsense as the "no printing" option.

      I've found that ps2pdf from the ghostscript package is useful in this situation. If you try saving a PDF with document restrictions as a PostScript file, it embeds some extra code in the PostScript file. This code has a stern warning that removing the code is illegal, and it causes ps2pdf to not work right. However, ps2pdf also happily accepts PDF files as input, it doesn't check the document restrictions, and all of the features are allowed in the PDF files it creates.

  6. Re:Thankfully by GigsVT · · Score: 4, Informative

    Not likely, the last change to the PDF license was the ludricrous requirement that all those who implement PDF also implement the "evil bit".. that is the useless tags that forbid you from printing/saving/etc in acrobat (reader).

    No one else paid attention to it. Since earlier versions of the spec didn't have the requirement, there's no way they can enforce it. Other than that stupid requirement, the spec has an open and free license.

    Besides, only Adobe products implement javascript in PDFs to start with, so Adobe brought this on themselves. No other reader will allow this to happen.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  7. Re: Fixing anoying bug in Adobe Acrobat 7 by nick_urbanik · · Score: 2, Informative
    I tried it and it works. Nice Perl program. Must have anoyed you, since it may have taken some time to track it down!

    Thank you.

  8. Re:Acrobat is trouble, how about Foxit? by Anonymous Coward · · Score: 1, Informative

    Foxit is awesome, makes Acrobat look like the bloated piece of shit it is
    it hasnt got any of the crap acrobat has and is faster than fast, sometime docs can display a bit funny but 99/100 have been fine for me

    i seriously doubt foxit has any TCP components inside at all, you could always ask the developers in their forum, unlike Adobe their dev team will talk to you

  9. A little technical info by Anonymous Coward · · Score: 5, Informative

    Ok, so I downloaded the demo document, and captured the packets.
    There's a POST to remoteapproach.com (you could block all traffic going to remoteapproach.com, or just repoint remoteapproach.com to 127.0.0.1 or something in your hosts file.
    The POST message looks like:
    POST /remoteapproach/logging.asp?type=view&DocID=123456 7890&GroupID=123456789&ChannelID=123456789 HTTP/1.1

    The thing that gets me is that the content of the request also contains this:
    1 0 obj]/F(/C/Documents and Settings/Administrator/Desktop/MBRemote Approach Manual.pdf)>>>>

    As you can see, it contains the full system path to the file that I opened. This seems like a big privacy issue. After all, Acrobat didn't ASK if it could open the URL.

    The .PDF files can be opened with Ghostscript, and (obviously) do not send tracking information. Simply re-saving the document as PDF doesn't remove the tracking, but converting it (File--Convert) via pdfwrite APPEARS to remove the tracking.

    Some technology.

    1. Re:A little technical info by Anonymous Coward · · Score: 1, Informative

      Goto http://www.remoteapproach.com/remoteapproach/login .asp.

      Username/password = rademo
      Click 'Documents' at the top
      Click on one of the 'down' arrows on the main page.

  10. Re:Just one more reason by Seather · · Score: 3, Informative

    That PDF sucks. Use HTML. well, html also has javascript; it can also track you. actually just by including a remote image in html you can be tracked, no javascript required, though i'm not sure if pdfs can use remote images about what kind of network connections can be produced to verify certificates. though i must say that i am rather supprised that standard pdfs(adobes reader) allows for this, when i(and assume many others too) see a pdf i see a document, a standardized text file, not something with a mind of its own, it was rather nasty for adobe to sneak in something like this after previosly providing a clean and trusted standard, i guess i should have taken that animated banner as a warning to what has and will become. yes, you can use open source readers but look at all the joe averages that have been led to adobes reader by more tech savy people, joe average isn't reading slashdot and doesn't like change. and no you can't really disable javascript as it will bother about it everytime you close until you give in.

  11. another DRM defeated by the shift key by gblues · · Score: 2, Informative

    As a long-time user of Acrobat, I know you can disable plugins (which includes JavaScript) by holding the Shift key at the splash screen. Just hold Shift while opening the PDF, and voila.

    Nice try, though!

    Nathan

  12. PDF is an Open Format by Saeed+al-Sahaf · · Score: 2, Informative
    I also choose not to buy content with DRM "strings" attached, such as PDF files...

    By the way, PDF is an open format. There are MANY non-Adobe applications, some of them open source (many not), that both read and write PDF files.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  13. Re:IP harvesting by MntlChaos · · Score: 3, Informative

    Also, I definitely do not want to risk exposing my static IP to anyone, especially in a way that involves new technology that may be quite exploitable, just by clicking on a PDF link on google

    Wait a minute... clicking on ANY link on Google exposes your static IP to the content provider anyway.

  14. Re:Simple... by SeanAhern · · Score: 2, Informative

    [S]imply block out connection to the tracking protocol. If Personal Internet firewalls were not so dufus designed they would make it easy to say 'this program has no business connecting to the Internet, silently disable all connection attempts without notice'.

    The point was that the PDF would not be displayed if the tracking server could not be contacted. If you blocked the outgoing connection, you now have a useless PDF.

    Or did I misread something in your argument...