Office/Word not a good tool for read-only emailed docs?

I'm wondering if .pdf would be better. That's what the government
uses mostly it seems. Word docs are too difficult to protect (make
read-only): requires IRM which requires Server 2003 or passport
accounts for recipients and browser client and doubles file size.
Does it really take that much technology to make a doc readonly??!!

Is PDF the simpler solution to sending protected documents
outside of a company (to clients, for example: contracts)?

Tony

Hi Tony

This topic is often discussed in the newsgroups.

You're correct... sort of. Word was always designed to be an *editor*
-- a program for creating and modifying documents. Any efforts to make
Word documents uneditable are really fighting the nature if the thing.

PDF was designed as a display/print format. Unless you have the full
Acrobat authoring program, it is (or was, until recently) fairly hard
to modify an existing PDF file. There are now a number of programs,
mostly optical character recognition (OCR), that can easily turn a PDF
file into a Word file, making PDF considerably less secure than you
think. And it was always possibly to print the PDF and then scan/OCR
the paper copy.

The rule to remember is "if I can read your document, I can alter it."
The only electronic document that's really safe from tampering is the
one you never send to anyone. If it's a matter of legal proof, use
paper or escrow the documents with a third party.

"tony" wrote:

I'm wondering if .pdf would be better. That's what the government
uses mostly it seems. Word docs are too difficult to protect (make
read-only): requires IRM which requires Server 2003 or passport
accounts for recipients and browser client and doubles file size.
Does it really take that much technology to make a doc readonly??!!

Is PDF the simpler solution to sending protected documents
outside of a company (to clients, for example: contracts)?

Tony



--
Regards,
Jay Freedman
Microsoft Word MVP FAQ: http://www.mvps.org/word

"Jay Freedman" wrote in message
...
Hi Tony

This topic is often discussed in the newsgroups.

You're correct... sort of. Word was always designed to be an *editor*
-- a program for creating and modifying documents. Any efforts to make
Word documents uneditable are really fighting the nature if the thing.

PDF was designed as a display/print format. Unless you have the full
Acrobat authoring program, it is (or was, until recently) fairly hard
to modify an existing PDF file. There are now a number of programs,
mostly optical character recognition (OCR), that can easily turn a PDF
file into a Word file, making PDF considerably less secure than you
think. And it was always possibly to print the PDF and then scan/OCR
the paper copy.

The rule to remember is "if I can read your document, I can alter it."
The only electronic document that's really safe from tampering is the
one you never send to anyone. If it's a matter of legal proof, use
paper or escrow the documents with a third party.

So you're saying that the following scenario cannot be had:

I create a contract of some sort, protect it, email it to a client, have them
print it out, sign it and send it back to me via snail mail. I have no way of
knowing if an "or" was changed to "and" somewhere in the document by
any means available. OK, understood.

But what if I just wanted it to be NOT SO EASY to exploit? Couldn't it
be made much more simpler than IRM? What does IRM get me that
some kind of password read-only protection couldn't get me? The problem
with "read-only" in Word is that it's still copyable and saveable, especially
form fields are hard to protect. Why can't MS implement real read-only
where no caret would even show up in the doc and no cut-n-paste or save
as another file would be allowed without the password? Isn't this very
fundamental (sending a contract or other document to someone outside
of the company!)? I just don't understand why it has to be so difficult and
so imposing on authors and recipients (I need a service to send a read-only
doc or receive one? Ouch!).

I'm trying to give a client of mine this functionality and am now looking at
conversion to PDF via a print driver as a simpler solution than IRM to
get read-only functionality. If I would have known this would become an
issue, I may have chosen Acrobat to begin with rather than Word.
Certainly I'm going to be asked by the client why I selected Word in the
first place if we end up converting to PDF in then end.

Tony


"tony" wrote:

I'm wondering if .pdf would be better. That's what the government
uses mostly it seems. Word docs are too difficult to protect (make
read-only): requires IRM which requires Server 2003 or passport
accounts for recipients and browser client and doubles file size.
Does it really take that much technology to make a doc readonly??!!

Is PDF the simpler solution to sending protected documents
outside of a company (to clients, for example: contracts)?

Tony



--
Regards,
Jay Freedman
Microsoft Word MVP FAQ: http://www.mvps.org/word

"tony" wrote in message
...

"Jay Freedman" wrote in message
...
Hi Tony

This topic is often discussed in the newsgroups.

You're correct... sort of. Word was always designed to be an *editor*
-- a program for creating and modifying documents. Any efforts to make
Word documents uneditable are really fighting the nature if the thing.

PDF was designed as a display/print format. Unless you have the full
Acrobat authoring program, it is (or was, until recently) fairly hard
to modify an existing PDF file. There are now a number of programs,
mostly optical character recognition (OCR), that can easily turn a PDF
file into a Word file, making PDF considerably less secure than you
think. And it was always possibly to print the PDF and then scan/OCR
the paper copy.

The rule to remember is "if I can read your document, I can alter it."
The only electronic document that's really safe from tampering is the
one you never send to anyone. If it's a matter of legal proof, use
paper or escrow the documents with a third party.

So you're saying that the following scenario cannot be had:

I create a contract of some sort, protect it, email it to a client, have them
print it out, sign it and send it back to me via snail mail. I have no way of
knowing if an "or" was changed to "and" somewhere in the document by
any means available. OK, understood.

But what if I just wanted it to be NOT SO EASY to exploit? Couldn't it
be made much more simpler than IRM? What does IRM get me that
some kind of password read-only protection couldn't get me? The problem
with "read-only" in Word is that it's still copyable and saveable, especially
form fields are hard to protect. Why can't MS implement real read-only
where no caret would even show up in the doc and no cut-n-paste or save
as another file would be allowed without the password? Isn't this very
fundamental (sending a contract or other document to someone outside
of the company!)? I just don't understand why it has to be so difficult and
so imposing on authors and recipients (I need a service to send a read-only
doc or receive one? Ouch!).

I'm trying to give a client of mine this functionality and am now looking at
conversion to PDF via a print driver as a simpler solution than IRM to
get read-only functionality. If I would have known this would become an
issue, I may have chosen Acrobat to begin with rather than Word.
Certainly I'm going to be asked by the client why I selected Word in the
first place if we end up converting to PDF in then end.

Tony

Actually, the functionality I want is available for NON-FORM documents
by including a non-editable form field and then protecting the form. The
problem is that I want that kind of protection for FORMS. What good
would sending a "protected" invoice doc with editable form fields be?!
Is there a way to get the functionality? Is this a bug/oversight in Word?

Tony

Well, you choose Word because you can't (practically) *create* documents in
Acrobat.

--
Suzanne S. Barnhill
Microsoft MVP (Word)
Words into Type
Fairhope, Alabama USA
Word MVP FAQ site: http://word.mvps.org
Email cannot be acknowledged; please post all follow-ups to the newsgroup so
all may benefit.

"tony" wrote in message
...

"Jay Freedman" wrote in message
...
Hi Tony

This topic is often discussed in the newsgroups.

You're correct... sort of. Word was always designed to be an *editor*
-- a program for creating and modifying documents. Any efforts to make
Word documents uneditable are really fighting the nature if the thing.

PDF was designed as a display/print format. Unless you have the full
Acrobat authoring program, it is (or was, until recently) fairly hard
to modify an existing PDF file. There are now a number of programs,
mostly optical character recognition (OCR), that can easily turn a PDF
file into a Word file, making PDF considerably less secure than you
think. And it was always possibly to print the PDF and then scan/OCR
the paper copy.

The rule to remember is "if I can read your document, I can alter it."
The only electronic document that's really safe from tampering is the
one you never send to anyone. If it's a matter of legal proof, use
paper or escrow the documents with a third party.

So you're saying that the following scenario cannot be had:

I create a contract of some sort, protect it, email it to a client, have
them
print it out, sign it and send it back to me via snail mail. I have no way
of
knowing if an "or" was changed to "and" somewhere in the document by
any means available. OK, understood.

But what if I just wanted it to be NOT SO EASY to exploit? Couldn't it
be made much more simpler than IRM? What does IRM get me that
some kind of password read-only protection couldn't get me? The problem
with "read-only" in Word is that it's still copyable and saveable,
especially
form fields are hard to protect. Why can't MS implement real read-only
where no caret would even show up in the doc and no cut-n-paste or save
as another file would be allowed without the password? Isn't this very
fundamental (sending a contract or other document to someone outside
of the company!)? I just don't understand why it has to be so difficult
and
so imposing on authors and recipients (I need a service to send a
read-only
doc or receive one? Ouch!).

I'm trying to give a client of mine this functionality and am now looking
at
conversion to PDF via a print driver as a simpler solution than IRM to
get read-only functionality. If I would have known this would become an
issue, I may have chosen Acrobat to begin with rather than Word.
Certainly I'm going to be asked by the client why I selected Word in the
first place if we end up converting to PDF in then end.

Tony


"tony" wrote:

I'm wondering if .pdf would be better. That's what the government
uses mostly it seems. Word docs are too difficult to protect (make
read-only): requires IRM which requires Server 2003 or passport
accounts for recipients and browser client and doubles file size.
Does it really take that much technology to make a doc readonly??!!

Is PDF the simpler solution to sending protected documents
outside of a company (to clients, for example: contracts)?

Tony



--
Regards,
Jay Freedman
Microsoft Word MVP FAQ: http://www.mvps.org/word

A document doesn't have to have form fields to be protected as a form, but
this type of protection is easily defeated merely by using Insert | File to
insert it into a new blank document.

--
Suzanne S. Barnhill
Microsoft MVP (Word)
Words into Type
Fairhope, Alabama USA
Word MVP FAQ site: http://word.mvps.org
Email cannot be acknowledged; please post all follow-ups to the newsgroup so
all may benefit.

"tony" wrote in message
...

"tony" wrote in message
...

"Jay Freedman" wrote in message
...
Hi Tony

This topic is often discussed in the newsgroups.

You're correct... sort of. Word was always designed to be an *editor*
-- a program for creating and modifying documents. Any efforts to make
Word documents uneditable are really fighting the nature if the thing.

PDF was designed as a display/print format. Unless you have the full
Acrobat authoring program, it is (or was, until recently) fairly hard
to modify an existing PDF file. There are now a number of programs,
mostly optical character recognition (OCR), that can easily turn a PDF
file into a Word file, making PDF considerably less secure than you
think. And it was always possibly to print the PDF and then scan/OCR
the paper copy.

The rule to remember is "if I can read your document, I can alter it."
The only electronic document that's really safe from tampering is the
one you never send to anyone. If it's a matter of legal proof, use
paper or escrow the documents with a third party.

So you're saying that the following scenario cannot be had:

I create a contract of some sort, protect it, email it to a client, have
them
print it out, sign it and send it back to me via snail mail. I have no
way of
knowing if an "or" was changed to "and" somewhere in the document by
any means available. OK, understood.

But what if I just wanted it to be NOT SO EASY to exploit? Couldn't it
be made much more simpler than IRM? What does IRM get me that
some kind of password read-only protection couldn't get me? The problem
with "read-only" in Word is that it's still copyable and saveable,
especially
form fields are hard to protect. Why can't MS implement real read-only
where no caret would even show up in the doc and no cut-n-paste or save
as another file would be allowed without the password? Isn't this very
fundamental (sending a contract or other document to someone outside
of the company!)? I just don't understand why it has to be so difficult
and
so imposing on authors and recipients (I need a service to send a
read-only
doc or receive one? Ouch!).

I'm trying to give a client of mine this functionality and am now
looking at
conversion to PDF via a print driver as a simpler solution than IRM to
get read-only functionality. If I would have known this would become an
issue, I may have chosen Acrobat to begin with rather than Word.
Certainly I'm going to be asked by the client why I selected Word in the
first place if we end up converting to PDF in then end.

Tony

Actually, the functionality I want is available for NON-FORM documents
by including a non-editable form field and then protecting the form. The
problem is that I want that kind of protection for FORMS. What good
would sending a "protected" invoice doc with editable form fields be?!
Is there a way to get the functionality? Is this a bug/oversight in Word?

Tony

But what if I just wanted it to be NOT SO EASY to exploit? Couldn't it
be made much more simpler than IRM? What does IRM get me that
some kind of password read-only protection couldn't get me? The problem
with "read-only" in Word is that it's still copyable and saveable,
especially
form fields are hard to protect. Why can't MS implement real read-only
where no caret would even show up in the doc and no cut-n-paste or save
as another file would be allowed without the password? Isn't this very
fundamental (sending a contract or other document to someone outside
of the company!)? I just don't understand why it has to be so difficult
and
so imposing on authors and recipients (I need a service to send a
read-only
doc or receive one? Ouch!).

I can't speak for MS, but the fundamental issue is that there's no point
trying to create a truly read-only document. For most purposes, 'sort-of'
security is worse than none at all. As MS have learnt to their cost, giving
users a false sense of security is unwise. In any case, no matter what you
do, if someone wants to create a changed version of your document they can
always retype the damned thing and make any changes they like. Or OCR it, or
print it to a file, or make it a point of pride to defeat your security. If
you need to check if a document was changed by the reader, you need to
compare versions with your original.

"Suzanne S. Barnhill" wrote in message
...
A document doesn't have to have form fields to be protected as a form, but
this type of protection is easily defeated merely by using Insert | File to
insert it into a new blank document.

Even that is better than having the document directly editable though.
Anyone changing a doc with the insert trick would have a tough time
saying it was an accident. The question becomes though why this
loophole is in Word to begin with.

Tony

"Suzanne S. Barnhill" wrote in message
...
Well, you choose Word because you can't (practically) *create* documents in
Acrobat.

I thought it was just another word processor (?).

Tony

"Jezebel" wrote in message
...


But what if I just wanted it to be NOT SO EASY to exploit? Couldn't it
be made much more simpler than IRM? What does IRM get me that
some kind of password read-only protection couldn't get me? The problem
with "read-only" in Word is that it's still copyable and saveable,
especially
form fields are hard to protect. Why can't MS implement real read-only
where no caret would even show up in the doc and no cut-n-paste or save
as another file would be allowed without the password? Isn't this very
fundamental (sending a contract or other document to someone outside
of the company!)? I just don't understand why it has to be so difficult
and
so imposing on authors and recipients (I need a service to send a
read-only
doc or receive one? Ouch!).

I can't speak for MS, but the fundamental issue is that there's no point
trying to create a truly read-only document. For most purposes, 'sort-of'
security is worse than none at all.

That's what is there though.

As MS have learnt to their cost, giving
users a false sense of security is unwise.

I don't see anything wrong with providing read-only as long as the level of
security is documented (it could even be build into a wizard or something
so there would be no chance of anyone misapplying it). Certainly there's
a whole bunch of people doing the convert-to-pdf thing and that doesn't
reflect well on Word since it appears incomplete.

In any case, no matter what you
do, if someone wants to create a changed version of your document they can
always retype the damned thing and make any changes they like. Or OCR it, or
print it to a file, or make it a point of pride to defeat your security.

Yeah, but that would be extreme and take time and would probably be
prosecutable.
What recourse does a creator have if he sends an editable document: none! It's
easily editable, the recipient could say, so you must have INTENDED for me to
make
modifications as I see fit! See, there is a place for read-only.

you need to check if a document was changed by the reader, you need to
compare versions with your original.

Yep. And that may be a missing link in Word too: OCR and then verification
of the result or something like that. People now DO the "send it away and
get it back in the mail and then hold it up to the light against the original"
thing
so why not get that process under control?

The whole discussion may be moot anyway though because Word file sizes
are so large. Even if MS "fixed" the read-only problems, conversion to PDF
would probably still be a better solution. I'm investigating that alternative
now.
I may have to look at digital signature technology and stuff before this is all
over, but I think that would again impose too much upon the creator and
recipient for the level of "security" required here.

Tony