02 June 2007

Microsoft Information Rights Management (IRM)

A manager at my work writes me to ask if there is a way to restrict access to an MS Excel workbook so that viewers may not print the document. Readers probably know this can be done in Acrobat PDF writer, but that's not a real solution.

(An important caveat, incidentally, is that any protection/restriction that disallows printing, but allows copying and pasting, is obviously unsatisfactory. Acrobat allows both, but in many cases I've noticed document owners forget to prevent copying.)

Strictly speaking, the short answer is "no." A scrutiny of the protection and security options for both Excel and Word demonstrate that, while the latest releases allow "fine-grained" protection, they don't restrict printing. ("Fine-grained" means fine distinctions can be made; in this context, that we can protect a range of cells from some users, and another range from another, etc.) But no such control over permissions exists.

Here's a view of the security options (Tools/Options/Security):

Yes, yes, there I've got Protection highlighted but suppose I pick Options.

Nothing. So let's check Protection and chose "Allow Users to Edit Ranges":

Just for thoroughness I thought I should include a screen capture of the "protect sheet" menu.

Well, it's just not there. There's no control over printing rights, and I suspect the reason is that Excel has a highly integrated system of macros. Disable text copying, and you have a lot of code overhead to disallow a lot of macros... Disallow printing without disallowing text copy, and you've got an utterly useless system of document security.

There is help, though. This is called "Information Rights Management," and it's a plug-in from Microsoft.

Information Rights Management (IRM) allows individuals and administrators to specify access permissions to documents, workbooks, and presentations. This helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. After permission for a file has been restricted by using IRM, the access and usage restrictions are enforced no matter where the information is, because the permission to a file is stored in the document file itself.
IRM can be used to protect MS Word, MS Excel, and MS Powerpoint files.

In order to use IRM, you have to have another plug-in, Windows Rights Management Services (RMS) Client Service Pack 1. This is bundled with MS Windows Vista (not that I would recommend getting Vista, but that's another story). For the installation of RMS on other versions of Windows, instructions are to be found here.

Basically, RMS is a client program that works over a company network. That means that you have to have the protected file stored on a server (which is running IRM), whereas the access-ee is going to be viewing the document from a client running RMS. Then, when the access-ee attempts to open the Word/Excel/Powerpoint file with the restricted permission, she must connect to the server and download a use-license which says what level of access she has to the file. The author of the document can modify access permissions using a dialog box like this one:

After changes are made, the author saves the document and the new permissions are in force.

The New Zealand e-Government commissioned a study of the technology (PDF), which is interesting because it describes the technology and its effectiveness. It's quite thorough, to the extent of barring access to screen captures on restricted documents (the reviewer resorted to photographing the computer monitor!). The reviewing team also tested IRM using Redhat Linux clients. The study is exceptionally through, running to 87 pages, and the testing team established that the IRM does appear to perform as designed and advertised. But:
[...] The limitations and risks of using the technology need to be carefully considered before it is adopted into mainstream use in Government. The current implementation is still unproven and may have significant flaws or vulnerabilities; the IRM technology solution highly integrates the adopting organisation into the Microsoft technology and operational frameworks; and it appears to be generally limited to sharing documents within the content-producer’s organisation. IRM does appear to be Microsoft’s first step into a largely untapped market, that of providing the technology for consumers to process commercial content such as movies, music and electronic books.
That was four years ago. What's happened since then?

Naturally, at least one other company has gotten into the act: Hewlett-Packard. HP doesn't exactly compete with MS IRM; rather, it offers a product called ProtectTools E-mail Release Manager (ERM) that is supposed to enhance IRM for e-mails and possibly for non-MS Office files. Aside from that, surprisingly little. Articles posted by MS or affiliated tech manuals do not mention any additional functionality. On the upside, this suggests that IRM was not so immature a technology that it required a lot of patches. On the downside, it's received very little attention. But most of that appears to be positive.

UPDATE: "Government wary of 'trusted computing'" Computerworld, New Zealand, 21 May, 2007.

The point of this article is that document recovery management (DRM) technologies are bound to be controversial when implemented. Apparently there's a concern that MS IRM may one of those DRM's that "phones home" to MS whenever it's used, which has some significance because of Operation Shamrock. Another concern is, conversely, that the IRM may push or subvert New Zealand's public laws on transparency.
The fear is that by allowing protections that are enforced by an outside party (such as a computer or software vendor) to act on documents that are in government agencies’ possession, agencies could lose a measure of control over these documents. They could find, for example, that they can’t copy, store, retrieve or print documents as they wish — or as government policy and practice requires..
I think this is an inherent problem of digital government.
SOURCES: "New Office locks down documents," CNet Review, September 2, 2003; "Information Rights Management in the 2007 Microsoft Office system," MS Office Online; "Enabling Information Protection in Microsoft Office 2003 with Rights Management Services and Information Rights Management, " MS Technical White Paper, December 1, 2003;
"Review of Microsoft Information Rights Management,"Jay Garden, e-government, December 1, 2003;

Labels: ,


Post a Comment

<< Home