Just How Secure IS your PDF Appraisal Report?

Recently, we received very disturbing news from one of our appraiser comrades who indicated that he was sent PDF copies of his own appraisals BUT, the final value had been modified upwards significantly. Pretty frightening stuff, no?

I’m writing this topic to dispel the myths that about document security, because quite simply, it does not exist.  Having been a top IT Consultant for many, many years prior to entering the appraisal profession, I say this:

"Every bank, every lender and anyone else that receives a copy of your appraisal has the ability to reverse engineer your document into their automated underwriting system. I was the senior designer for such a system and there was no file format that stood a chance against our team."

The file standard created by Adobe, the Portable Document Format (or “PDF”) has long been recognized as the defacto standard of cross-platform electronic document storage. Regardless of the operating system, a PDF document can be opened and read and for the most part, provides a level of protection from modifications. Although many assumptions are made regarding the security of this format, the PDF, indeed, any electronic (binary) file, is not truly secure.

If the file is password protected, it must be secure, right? While this meets the requirements of the GLB Act of ‘99, these feeble attempts at file security loll us into the belief that a) our documents are truly secure, and b) the file cannot be modified under any circumstance.

Do not be alarmed but: Under no circumstance is any file stored in electronic format truly secure nor is there existing technology now or planned for the next 10 years that will offer a level of security truly capable of total document security.

This is not the fault of the software maker but is the fault of nearly all commercially available computer operating systems sold in today’s market. Let me explain. . . .

There are two types of document security:

1. Interface Security; enforcement occurs when a user launches the software program that created the document. The user is typically asked for a user name or password or some sort of encryption key before the document is opened and displayed and;
2. File System Security; enforcement occurs when a user navigates to a ‘folder’ or directory where the document is stored; if a user authorized for read only access, modifications are not permitted; if access is not authorized, the user is not permitted to open the file at all. Sounds pretty secure, doesn’t it?  But –

Interface Security: Who says I need to use Acrobat to open a PDF? As long as I can read the 0’s and 1’s on a hard drive (binary format) your PDF file can be opened in ANY program specifically one with a hexadecimal interpreter. A quick scan to find the bits and bytes that need to be modified and a file save are all that is required. Don’t be fooled! Folks that modify PDF files don’t use Acrobat!

Try this out: using Word, Notepad, Wordpad, find a PDF file and click ‘open’; does it ask you for the Adobe file password? No! The file opens, doesn’t look pretty but, that’s beside the point.

File System Security: Ultimately, UNIX operating systems have the best file security in the universe, hands down. Do you know anyone who runs UNIX at home? That being said, what happens when I send you an attachment via e-mail? Well, I suppose I save a copy to my desktop so’s that I can open it later. Does anyone know who the administrator is for your machine? (Careful, this could be a trick question…) In most cases, 98 out of 100, YOU are. That means I can send you a file in read only format and all you have to do is right click, select ‘properties’ and turn the read only attribute off. Why? Because YOU’re the boss! The problem is simple: as soon as the file leaves its host, the file system access privileges do not go along for the ride. Not even UNIX has this one figured out yet.

The only full-proof method of keeping your documents secure and free from modification within the limits of today’s technology is to simply not deliver (email) them to anyone. Period. To make matters worse, anyone can go online today and find tools for free, cheap and easy that can crack any file format, anywhere, anytime.

I hope then that I’ve done well to increase awareness that your documents are not secure because, they’re NOT!

AUTHOR: Dennis Jorgenson of Express Appraisal Group. Express Appraisals provides residential and commercial valuation services, litigation support, and educational seminars on a variety of topics.