Home Home

DRM, custom hardware and technical solutions to human problems

Arseni Mourzenko
Founder and lead developer, specializing in developer productivity and code quality
January 8, 2018

A now closed question on SoftwareEngineering.SE asked about a way to prevent the users from getting screenshots of an application. The context is an application showing sensitive documents in a bank. While the document is encrypted, it remains safe. When it's shown to the user, it can be compromised.

The person was therefore interested by the technical means to prevent screenshots capturing. The answer I posted seems interesting enough to be cloned here. Here it is.

No matter how many millions of dollars you're ready to throw at this, it is a known problem which has no solution. And it's not just about PrtScr, but all the applications which let you record and transmit still pictures or videos of your monitor. This includes someone who streams the content of the screen to another machine with Google Hangouts and presses PrtScr there. And of course, no matter what you do on the PC itself, the person can still take a simple photo of the monitor.

The situation is very well explained in a TheDailyWTF article.

When it comes to copying digital content, DRM could work if you do control the devices used to access data. And by control, I mean you develop them yourself, and you make sure they are tamper-proof. The device receives encrypted data, decrypts it with a private key kept in secret by the hardware itself, and then shows it. As soon as you want to show the content on anything else than your hardware, it won't work. By the way, designing hardware which withstands tampering attempts is hard (but since you have millions of dollars, it can work).

The problem is when you want to prevent the approximate copying as well, i.e. a photo of your DRM-enabled screen shot with a smartphone (or a very expensive high-res camera) is not acceptable. The only way to be safe is to make your hardware be used in your secure location, and search every person who would have access to it to prevent getting a camera in or out. This is very similar to the situation where someone wanted to protect the source code from being copied.

Is it technically possible? In theory, yes.

Is it doable in real life? I let you answer the question yourself.

In real life, technical solution won't work, because you're facing a human problem. Therefore, you need a non-technical solution. In your case, since you're dealing with banking employees who are expected to behave properly, a simple warning message should be enough:

You are not authorized to make copies of the current screen. [...] prosecuted to the fullest extent of the law [...]

And then, you need to train your users. Instead of blocking PrtScr, let them do it, but when they press it on this particular screen, make the app send a notification to the security officer. As soon as one or two users would see the security officers come asking them questions about the reason why they took a picture of a screen showing sensitive information, most users would be very unwilling to try.