Document tracking is valuable in a variety of business use cases. With it, you can check whether vital documents have been viewed, whether a document has been viewed in unexpected locations, and whether a document has been printed and how many times.
Without document tracking, you are essentially blind the second the file leaves your IT environment. You’re unable to verify where the document resides, who is viewing it, or whether it is being misused. You risk hitting operational or even regulatory hurdles as a result.
There is, however, a worse scenario than having no tracking at all — having tracking that you cannot trust. If a user can bypass or even modify tracking, you’re left with a false sense of security even as misuse happens in the background. We’re going to talk about some of the challenges of document tracking and how to address them.
Duplication and bypassing
Tracking can be made unreliable by creating a duplicate document and making any changes, prints, or edits there. As soon as an unprotected copy has been created, it can be distributed to anybody without your knowledge, including in regions or countries where it is not meant for publication.
The methods to duplicate content are both numerous and easy. A user can print the file to a PDF, screenshot it, run optical character recognition (OCR) on it, copy-paste it into a different document, or upload it to cloud storage. Without the relevant protections in place to prevent this, your tracking is next to useless.
However, the user may not even have to copy a document to avoid tracking. Browser-based document tracking opens the door to modification of the viewing environment via browser developer tools or plugins and extensions. If a document is delivered to a user online, they may also be able to access an unrestricted, untracked document via their temporary files.
The other big challenge when it comes to document tracking is identity. How do you tell that a user is who they say they are and is allowed to access your documents? Some would say that the best solution is facial recognition or some other biometric system.
However, questions arise when such a system is used outside of your organization. As well as a time-consuming enrolment process, you’re asking third parties to hand over their facial recognition data at a time when data privacy is a growing concern. The chances are many won’t be too happy about it and that your organisation will face its own regulatory hurdles. If you use it inside your organisation, meanwhile, you project to your employees that you don’t trust them.
Of course, you can lock documents behind accounts with passwords and two-factor authentication, but if the account is shared or compromised (and they often are) you’re back to square one. Conditional access policies, which verify a user’s identity based on several factors (device, location, Wi-Fi network, browser, etc.), are more successful but typically come with a lot of management overhead.
Some systems track and record IP data, but how reliable is that? Users’ IP addresses change regularly, and users can share the same IP address by using VPNs and proxies.
Using DRM for tracking
In many cases, you’re better off verifying not identity, but the machine the user works from. This is the path DRM document protection takes. A machine is registered against a user identity via a license file, with the option to allow multiple machines per authorised user if necessary.
This system still isn’t perfect. If the machine of the user is not secure, it’s possible for somebody else to come along and view the document. Though most organisations will take steps to keep their devices secure, it’s important to use a DRM with additional controls as a backup.
A good DRM solution will allow you to expire documents after a certain number of opens or prints so that they’ll be indecipherable once they’ve served their use. It will also allow you to effectively prevent documents from being copied or modified through strong encryption, a secure viewer application, and screen grabbing, copy-pasting, and printing controls. Further layers of security can be added by locking documents to IP addresses and locations to prevent access outside of their typical viewing environment (such as when a device is stolen).
For this reason, a document DRM solution that incorporates tracking is the best choice for most organisations. The combination of detailed tracking, controls, and identity verification ensures that tracking remains reliable and therefore useful to the customer. Ultimately, by choosing solutions that fail to enforce their controls, organizations are only giving the illusion of security.
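The controls described under "Using DRM for tracking" (machines registered against a user via a license, expiry after a set number of opens or prints, and locking to IP ranges) can be combined into one server-side check that also writes the tracking record. This is an added example, not code from the original page or from any DRM product; the field names, opaque machine identifiers, HMAC-signed license, and server-held counters are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import json

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the licensing server

def sign(license_doc):
    """HMAC over canonical JSON, so limits edited in the license file are detected."""
    body = json.dumps(license_doc, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()

def authorize(license_doc, signature, usage, machine_id, source_ip, action, audit):
    """Decide one 'open' or 'print' request and log the outcome, allowed or not."""
    def finish(allowed, reason):
        audit.append({"user": license_doc.get("user"), "machine": machine_id,
                      "ip": source_ip, "action": action,
                      "allowed": allowed, "reason": reason})
        return allowed

    if not hmac.compare_digest(sign(license_doc), signature):
        return finish(False, "license tampered")
    if machine_id not in license_doc["machines"]:
        return finish(False, "unregistered machine")
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in ipaddress.ip_network(n) for n in license_doc["allowed_networks"]):
        return finish(False, "outside permitted network")
    limit = license_doc["limits"].get(action)
    if limit is None:
        return finish(False, "action not licensed")
    if usage.get(action, 0) >= limit:
        return finish(False, action + " limit reached")
    usage[action] = usage.get(action, 0) + 1  # counter is kept by the server, not the client
    return finish(True, "ok")

def demo():
    """Constructed license and requests; returns (decisions, audit log)."""
    lic = {"user": "alice@example.com", "machines": ["machine-A", "machine-B"],
           "allowed_networks": ["203.0.113.0/24"], "limits": {"open": 2, "print": 1}}
    sig, usage, audit = sign(lic), {}, []
    requests = [("machine-A", "203.0.113.10", "open"), ("machine-B", "203.0.113.11", "print"),
                ("machine-C", "203.0.113.10", "open"), ("machine-A", "198.51.100.7", "open"),
                ("machine-A", "203.0.113.10", "print"), ("machine-A", "203.0.113.10", "open"),
                ("machine-A", "203.0.113.10", "open")]
    return [authorize(lic, sig, usage, m, ip, a, audit) for m, ip, a in requests], audit

if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

Because denied requests are logged alongside allowed ones, the audit trail shows attempted use from unregistered machines or unexpected networks rather than only successful views.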