Save as pdf - should we embed the document?

Wed Jun 8 23:37:31 UTC 2016

I know developers love to add bells and whistles, and aiui when you 
"save as pdf" from LO it can now embed the original document in the pdf 
to make it easy to get the document back into editable form, but the 
attached email below makes me think "is this wise?".

As I've learnt from Groklaw, the amount of information leaked in 
documents because people did not know how to properly redact documents, 
makes me think that embedding an editable version in a pdf is not 
(certainly as a default) a wise thing to do.

I will add, I've never actually used the feature so I don't know what 
the defaults are, but if LO is like most other projects, it just hasn't 
crossed anybody's mind to think about it ... (having just looked at 
"export with pdf" I can't see any mention of including the document, so 
either LO doesn't which is fine, or it does and doesn't give the user 
the option, which imho is extremely dangerous ...)

Actually, I don't know how we'd do it, but this implies there could be a 
killer feature in here - a setting that warns about hidden data and 
possible security leaks. Probably not best enabled by default, but a nag 
feature that could be switched on to warn about hidden fields etc.

Cheers,
Wol

Date: Wed, 1 Jun 2016 12:09:59 +0100
From: "Patrick O'Beirne"<pob at sysmod.com>
Subject: An expensive Pivot Table

Recently discussed on the Eusprig (European Spreadsheet Risk Interest Group)
mail list:

A hospital trust in Blackpool (pop. 145,000) in the UK was fined 185,000 GBP
for leaking sensitive information via an Excel Pivotable.

https://ico.org.uk/media/action-weve-taken/mpns/1624118/blackpool-nhs-trust-monetary-penalty-notice.pdf

It is a problem of the sorcerer's apprentice - knowing enough to be
dangerous.  To paraphrase Barry Boehm, "[EUC gives] many who have little
training or expertise in how to avoid or detect high-risk defects tremendous
power to create high-risk defects. "

The key point is "The Trust knew or ought to have envisaged those risks and
it did not take reasonable steps to prevent the contravention."  So: if they
OUGHT to have known, by what means were they expected to envisage those
risks? What guidance is available that describes that issue? Is it part of
any accredited training materials? The answer I think is here:

"It is worth noting that the Commissioner' s office issued two monetary
penalty notices on 30 July 2012 (Torbay NHS Trust) and 20 August 2013
(Islington Council) which raised awareness about the issue of data that
could be hidden in pivot tables. The Commissioner's office also
published a blog on 28 June 2013 entitled The Risk of Revealing Too Much.

https://iconewsblog.wordpress.com/2013/06/28/ico-blog-the-risk-of-revealing-too-much/
This shows the pivot table feature in question.
Just to explain, if the pivotcache is present then even if the original data
sheet is deleted, the data can be recreated by a simple double-click on a
pivotable cell.

They reference:
https://iconewsblog.wordpress.com/2015/11/13/the-dangers-of-hidden-data/
https://www.mysociety.org/2013/06/13/whatdotheyknow-team-urge-caution-when-using-excel-to-depersonalise-data/

Read the "Five Key Messages" at the end.

This is of course just one such example. The hidden rows in the Barclay's
bid for Lehman assets, or the summary chart in a paper on hospital
treatments which had the entire Excel spreadsheet embedded in it, are more.

Patrick O'Beirne, Systems Modelinghttp://www.sysmod.com
http://ie.linkedin.com/in/patrickobeirne