Slashdot Mirror

← Back to Stories (view on slashdot.org)

PDF Tracking On the Way

Posted by timothy on from the drown-baby-in-the-bathwater dept.

(el)Capitan.Nick writes "PDFzone reports that the company Remote Approach has launched a service to track the movement of PDF documents with its tool Map-Bot. The purpose of this service is to allow PDF publishers the ability to measure their audience, as web publishers can already. Though personal information is not gathered from machines, IP addresses are. PDFs can require users to be connected to the Internet in order to read them, and every person you email the PDF to is subject to the service. As PDFzone's opinion article states, while 'the chances of running into a Remote Approach PDF right now -- and in the near future -- are pretty remote ... the potential for the technology to tarnish PDF's image [of security] is staggering.'"

12 of 248 comments (clear)

  1. Okay.... by Balthisar · · Score: 4, Informative

    Okay... Print, Save as PDF on the Mac, or Print, select PDF Writer on Windows, or print to ps and "distill" with gs on anything else, and there goes the tracking. Not right?

    --
    --Jim (me)
    1. Re:Okay.... by Lehk228 · · Score: 4, Informative

      ghostscript can read encrypted PDF's, however it does honor the creator settings for disabled features, you will have to go in and recompile it with whatever function checking if it is set to disable features to always return no features disabled.

      --
      Snowden and Manning are heroes.
  2. Disable PDF Javascript by user9918277462 · · Score: 5, Informative

    The remote logging is done through embedded Javascript in the PDF file. Most free viewers such as gpdf, xpdf and kpdf don't support Javascript so you're safe with them.

    Adobe Acrobat Reader starting supporting embedded Javascript with version 7.0, although you can disable it in the preferences dialog. Apparently it bugs you every time you start the program to re-enable it, though.

    Bottom line: Stick with free software.

  3. Discussed on LWN concerning Adobe Acrobat 7 by nick_urbanik · · Score: 5, Informative
    • Article is subscribers only (worthwhile)
    • Article will be readable by guests 1 week after publishing
    • Solution in Linux is to disable Javascript in acroread 7
    1. Re:Discussed on LWN concerning Adobe Acrobat 7 by Isthistakenyet? · · Score: 5, Informative

      There is a bug (in my opinion) in Acrobat Reader 7 when you disable JavaScript that causes this warning to appear when exiting the program:

      This document contains JavaScripts. Do you want to enable JavaScripts from now on? This document may not behave correctly if they're disabled.

      This happens even if you do not have a document loaded, since Adobe Reader tries to run some internal JavaScripts when it exits. If JavaScript is disabled, this warning comes up. I've created patches that prevent this from happening on both Linux and Windows. They may also prevent the warning from coming up with documents that actually contain JavaScript.

  4. Re:PDF by jcr · · Score: 4, Informative

    IIRC, it's "Portable Document Format".

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  5. Rather pointless by hweimer · · Score: 5, Informative

    PDFs can require users to be connected to the Internet in order to read them,

    No, they can't, PDF is nothing but a data format. Some broken PDF viewers (especially those from Adobe) may do this, but since PDF is an open format, there will always be some other viewers that don't promote spying on their users. Basically, this is the same nonsense as the "no printing" option.

    --
    OS Reviews: Free and Open Source Software
    1. Re:Rather pointless by NetNifty · · Score: 3, Informative

      Depends how it's done though, if it just plain PDF but with javascript as has been suggested so far, then you are correct.

      However, if for example the document is encrypted and they key is on a server which the PDF points to (and the server logs all IP addresses connecting to it to retrieve the key) then it will work at least for the first time you open it (unless of course we create another server or even p2p network with the keys on it for ebooks which the PDF viewer visits instead).

      --
      Linux Wireless Hardware in the UK
  6. Re:Thankfully by GigsVT · · Score: 4, Informative

    Not likely, the last change to the PDF license was the ludricrous requirement that all those who implement PDF also implement the "evil bit".. that is the useless tags that forbid you from printing/saving/etc in acrobat (reader).

    No one else paid attention to it. Since earlier versions of the spec didn't have the requirement, there's no way they can enforce it. Other than that stupid requirement, the spec has an open and free license.

    Besides, only Adobe products implement javascript in PDFs to start with, so Adobe brought this on themselves. No other reader will allow this to happen.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  7. A little technical info by Anonymous Coward · · Score: 5, Informative

    Ok, so I downloaded the demo document, and captured the packets.
    There's a POST to remoteapproach.com (you could block all traffic going to remoteapproach.com, or just repoint remoteapproach.com to 127.0.0.1 or something in your hosts file.
    The POST message looks like:
    POST /remoteapproach/logging.asp?type=view&DocID=123456 7890&GroupID=123456789&ChannelID=123456789 HTTP/1.1

    The thing that gets me is that the content of the request also contains this:
    1 0 obj]/F(/C/Documents and Settings/Administrator/Desktop/MBRemote Approach Manual.pdf)>>>>

    As you can see, it contains the full system path to the file that I opened. This seems like a big privacy issue. After all, Acrobat didn't ASK if it could open the URL.

    The .PDF files can be opened with Ghostscript, and (obviously) do not send tracking information. Simply re-saving the document as PDF doesn't remove the tracking, but converting it (File--Convert) via pdfwrite APPEARS to remove the tracking.

    Some technology.

  8. Re:Just one more reason by Seather · · Score: 3, Informative

    That PDF sucks. Use HTML. well, html also has javascript; it can also track you. actually just by including a remote image in html you can be tracked, no javascript required, though i'm not sure if pdfs can use remote images about what kind of network connections can be produced to verify certificates. though i must say that i am rather supprised that standard pdfs(adobes reader) allows for this, when i(and assume many others too) see a pdf i see a document, a standardized text file, not something with a mind of its own, it was rather nasty for adobe to sneak in something like this after previosly providing a clean and trusted standard, i guess i should have taken that animated banner as a warning to what has and will become. yes, you can use open source readers but look at all the joe averages that have been led to adobes reader by more tech savy people, joe average isn't reading slashdot and doesn't like change. and no you can't really disable javascript as it will bother about it everytime you close until you give in.

  9. Re:IP harvesting by MntlChaos · · Score: 3, Informative

    Also, I definitely do not want to risk exposing my static IP to anyone, especially in a way that involves new technology that may be quite exploitable, just by clicking on a PDF link on google

    Wait a minute... clicking on ANY link on Google exposes your static IP to the content provider anyway.