Secure view - Prevent your shared files from getting downloaded

Originally published at: https://nextcloud.com/blog/secure-view-prevent-your-shared-files-from-getting-downloaded/

Sometimes you want to share a file, but you don’t want the recipient to actually download it. Since Nextcloud 15, secure view (or ‘Hide download’) allows you to remove the download button so that confidential files can’t be downloaded so easily anymore.

How secure view works

When sharing a public link to a third party to view material on your Nextcloud there is a ‘Hide download’ option available to check. When ‘Hide download’ is enabled, PDF documents and images will appear on the viewers screen without the menu options to download the file(s) or add them to their own private cloud.

Note that this feature will prevent most normal users from downloading the content but keep in mind how the web works: If you can see something on it – it is there and it can be copied by users with more technical skills. Secure view restricts the ability to download the file but this can be worked around with screenshots and browser tricks. Moreover, it has to be supported by Nextcloud apps, and most don’t support this yet. Think of the PDF viewer, gallery app and so on. Collabora and ONLYOFFICE have both implemented support for this, however, see below.

Secure view not enabled.

Secure view enabled.

Collabora online introducing support today

Collabora Online lets you view, edit and download documents. Our update of the Collabora Online integration app from last week combined with at least version 4.0 will hide the download option also from Collabora’s menu items. It also disables printing and copy/pasting out of the document, leaving screenshots and the ‘read and type in another document’ as the only possible ways of copying.

Collabora Online’s document model ensures that the document is retained on the server, under your control, while providing the pixels you see to the browser. Short of scripting your own Optical Character Recognition (OCR) on screenshots – Secure view makes it extremely hard to automatically extract data from documents.

If you want the viewer to still be able to edit a document you shared, it is up to you to combine ‘Hide download’ with the ‘Allow editing’ option.

Note that ONLYOFFICE also added support for this feature last March!

Secure view enhancements

Collabora provides a way to watermark the documents with a configurable text, font and other properties. This feature is integrated in Nextcloud so you can configure Collabora to block copying of text, printing and downloading when hide download is enabled, while the view is watermarked.When ‘Hide download’ is enabled, even screenshots of shared documents will be marked with a preconfigured watermark showing the name of the user who shared the file, the IP address of the person who opens it or showing the date and time at which the document was opened. Users can still edit documents, if edit rights are given, providing a great way of keeping documents secure while still providing limited access! When needed, Collabora can be configured to open PDF documents and images, applying these security features to all documents on the server.

This is an example of how we’re always working with our partners to enable you more control over your data and give you more ways to protect the confidentiality of your documents! A good reason to stay tuned, discover our newest features and always update to the latest release!

Pretty cool!
Although, for this feature it is more important than for others that people/customers really understand this feature and its “security”.

Shared pps file with download button hidden:

grafik.png840×341 10.7 KB

Clicked that little preview image:

grafik.png832×500 20 KB

Media-File shared with hidden button:

grafik.png833×456 12.6 KB

The most secure is a shared txt-File with hidden Download button :

Yes, it actually contains some text

Security through obscurity?

I’ve the same feeling… It isn’t really preventing files from getting downloaded. It has nothing to do with security. It makes it only harder to download the file for not so technical people.
I only fear that it might give users a false sense of security.

Though, this is good because it ignites these kind of discussions!

I completely agree with @Schmu and @davidbe when it comes to security. It is the typical “Security through obscurity” thing. As a dry feature though - namely, not showing the download button - it is just an extension of use cases and options for Nextcloud, which is good! So all in all, I appreciate this additional feature, because it was surely requested by a customer or users!
BUT, it is represented and advertised in the wrong way. I’ve already realized that the Nextcloud “strategy/marketing section” was overshooting a couple of times in the last one or two years. Or at least they seem to have trouble to precisely define and explain features to the public in a broader context. Do not understand me wrong, the more technical and really important informations about features can be found somewhere and thus are almost always openly communicated! The problem are not the small letters, the problem are the big ones:
Secure view - Prevent your shared files from getting downloaded
After this, it does not even matter, what you were writing below in the text or if you find the whole thing detailed in the documentation. In a way, the name of this feature and how it is presented can be almost named as “cheap or wrong promises”. There will - for sure - be misconceptions and further misinformation (e.g. in media and in IT departments) and complains will arise, when the hacky customer/user can still download the document. And all this, can be easily prevented, if just marketing would step a little bit on the break and improves in advertising NC’s features by finding better names and words, like:
Presentation view/mode - Signal your customer, that this document is just for showing content

EDIT: typo and refinement

right. so who do you guys think uses nextcloud usually in the majority? only computernerds? i mean they, of course use nc as well and right, it wouldnt be any major problem for them to get the data if they want it. but for the broad majority it would cause some problem to get the file downloaded. if there is no download-button.

we had this discussion here on the forum before… and it went the same way as it’s going just now (for apparent reasons). i’d say that’s a first step into the right direction. more could come later (as this is a very simple to install trick).
having this new feature means that devs are reading the forum. even if they don’t always comment. and you kno what? i think this is ok as it is.

btw: the text itself says that it’s not preventing some nerd to get those files downloaded, though.

@JimmyKater gets it completely. We make very clear in the UI that this hides the download - hence the name. We’re expanding it, the blocking editing, copying and downloading in Collabora is new, which is what we termed Secure View - and we will take it further and further over the coming releases. Next up is the watermark, and after that we’ll probably use collabora with its watermarking for PDF’s and text files too, when this feature is enabled. And we look at how we can limit downloading the result further.

It’s an incremental process, as development always is. Help is of course welcome!

Hi,

I didn’t want to comment again actually, but I feel the need right now
Of course I understand that this is work in progress and there is more to come, to deliver further improvements and make this feature actually work.

The thing is: this feature is massively advertised right now. Not only here in the Forum but on the blog and on Twitter/ Mastodon over and over again.
And the big issue here for me is actually the wording:

“Secure” and “prevent download” are right there in the headline and in the text. For most files this is simply not true however.

You don’t need to be an advanced user to get some of the files.
My example with the powerpoint presentation file: the presentation was not shown and there was only this preview icon. What will an inexperienced user do? Hover the mouse over the preview image (not even noticing the mouse cursor changes to a hand) and click it. Voila: Download.

PDF-File?

grafik708×303 42.3 KB

And the photo which is shown in the news above …
well, yeah, maybe the inexperienced user did not realize he can right-click in websites or can take screenshots with the print button on his keyboard, haven’t noticed the Snipping Tool Microsoft advertised when it was first released and that user will then only take a photo. Okay yeah, I give you that one, that’s not the same then.

But downloads which easily happen by accident are neither secure nor prevented. In many cases it only increased the required effort to download a file or rather say reduced the comfort.

In regards to Collabora it seems to be a whole different story and that should be focused on right now. That could really work right now (can’t test because I don’t use Collabora). The other things don’t work right now and are false promises.

My actual issue with that is this: I love the Nextcloud project and support wherever I can. I advertise is like crazy with friends, colleagues and everybody I get to talk about cyber security, Google software usage and stuff. I even talked out IT admin to install NC as file share in our company. What I often see though: as soon as there is a feature promise which doesn’t stand in a real-world scenario and fails in any way, the whole tool is called to be in a Beta state and not really work. That, unfortunately, happened with our File sharing server. I was so proud I got NC to be the Software we use in our company as well and after 2 months it was uninstalled again. This is just sad.
I for myself love honesty. If something doesn’t work, just tell me and I can accept and work around it. The surprises when a feature doesn’t work as everybody understood it from the adverts are the reason for arising frustration - at least I believe that.

I still love NC, the community and everything and I believe the project is open-minded enough to give room for discussions, ideas and criticism which is intended to be constructive.

It is all true - but I think we don’t promise in the blog that it is perfect, we point to the direction we’re going and show where we are… Watermarking comes soon, the other things will come, too, especially of course if other contributors care and contribute. The less demand from customers or the less contributions, the longer it takes, as with everything: we work based on demand of our customers and contributions from the community.

FYI, the PDF viewer was changed for 17 so that it won’t let you download when ‘hide download’ is enabled as promised, we improve this feature further (more is planned for 17). I’ve also updated the text a little to be more clear about the limitations.

As Clint Eastwood said :
« You’re never too old to learn something new. »
Great that there is still improvement on this feature.

secure view/ hide download don’t work sharing *.m4a files in version 18.06. unfortunatly the download is still available in chrome, mozilla hide the download. you know the issue…in ver 19 the bug is still present? thx for your comments

Secure view should also disable the “print” option, as the user can print the PDF to a PDF file

Another useful addition would be to add a watermark to the view, so even if the user takes screenshots, there can be traces.

If using collaborea or onlyoffice there is watermarks available

2021-02-11 12:15 skrev Ediazcomellas via Nextcloud community:

Thanks for answering @SmallOne

Yes. I am aware. We are using collabora here. But collabora has several drawbacks for PDF:

• It can’t rotate the PDF
• Pages are shown individually, in a sense that you just cant push “Next page” or “Prev. Page” and make it work. The mouse wheel doesn’t help too, as it has no effect on PDFs
• It takes a lot of resources, just to view a PDF. My impression is that PDFviewer is much lighter.

Besides, I think collabora is better suited for office files (doc, odt, ods, xls…) and that using it for simple PDF display is an overkill.

nexcloud 20.0.05
I confirm, Vivaldi, which is based on Chrome, has the same behavior if you share a file but if you share the folder that contain the file, then it works.

So (sorry to dredge up an older post), this feature is actually quite cool and we really thought it would be a pretty useful way of setting a “view only” feature for some of our more confidential files - however, a couple things I noticed during testing along with another question occurred to me:

1. There does not appear to be a way to enforce this in any way other than through a share link - when sharing with other Nextcloud users (or via a third-party’s email address), there does not appear to be any way to enforce a “view only” policy.
2. How does this propagate via Nextcloud Desktop? Does Desktop respect this somehow, or not?

To other local users you can set a read only share and prevent reshare. You can also turn on watermark for sensitive files.

If you have the desktop client that can always copy or save as. So for the desktop client this is not useful.

It is more intended to be used for sharing files via a link.

There are other security settings to apply to secure a set of files a tad more.