Is Adobe's Ebook Reader Spying On You? Yes. Yes It Is.
#1
Ebooks have many advantages, but as Techdirt has reported in the past, there are dangers too, particularly in a world of devices routinely connected to the Net. Back in 2010, we wrote about how Amazon was remotely uploading information about the user notes and highlights you took on your Kindle. More recently, we reported on how a school was using electronic versions of textbooks to spy on students as they read them. Against that background, you would have thought by now that companies would be sensitive to these kinds of issues. But if Nate Hoffelder is right, there's a big privacy problem with Adobe's Digital Editions 4, its free ebook reading app. Here's what Hoffelder writes on his blog, The Digital Reader:
Quote:Adobe is tracking users in the app and uploading the data to their servers. (Adobe was contacted in advance of publication, but declined to respond.)
Specifically:
Quote:Adobe is gathering data on the ebooks that have been opened, which pages were read, and in what order. All of this data, including the title, publisher, and other metadata for the book is being sent to Adobe’s server in clear text.
Yes, not only is the app spying on you, but it is sending personal information unencrypted over the Net. And it seems that this is not just about the ebook you are currently reading:
Quote:Adobe isn't just tracking what users are doing in DE4; this app was also scanning my computer, gathering the metadata from all of the ebooks sitting on my hard disk, and uploading that data to Adobe’s servers.
These are all serious accusations, and completely unacceptable if confirmed. At the very least, an independent investigation by Ars Technica has now confirmed all of the important details, though Adobe has still stayed silent. However, this also highlights why many people prefer to use pirated editions without DRM, which can be read on any suitable software: not because they're free, but because they're better products in just about every way -- for example, in respecting your privacy.

Originally Published: Tue, 07 Oct 2014 17:12:00 GMT
source
Reply
#2
If true, this is absolutely outrageous.
Reply
#3
Adobe’s Digital Editions e-book and PDF reader—an application used by thousands of libraries to give patrons access to electronic lending libraries—actively logs and reports every document readers add to their local “library” along with what users do with those files. Even worse, the logs are transmitted over the Internet in the clear, allowing anyone who can monitor network traffic (such as the National Security Agency, Internet service providers and cable companies, or others sharing a public Wi-Fi network) to follow along over readers’ shoulders.

Ars has independently verified the logging of e-reader activity with the use of a packet capture tool. The exposure of data was first discovered by Nate Hoffelder of The Digital Reader, who reported the issue to Adobe but received no reply.

Update, 6:23 PM ET: An Adobe spokesperson now says the company is working on an update. "In terms of the transmission of the data collected, Adobe is in the process of working on an update to address this issue," the spokesperson said in an email to Ars Technica. "We will notify you when a date for this update has been determined."

Digital Editions (DE) has been used by many public libraries as a recommended application for patrons wanting to borrow electronic books (particularly with the Overdrive e-book lending system), because it can enforce digital rights management rules on how long a book may be read for. But DE also reports back data on e-books that have been purchased or self-published. Those logs are transmitted over an unencrypted HTTP connection back to a server at Adobe—a server with the Domain Name Service hostname “adelogs.adobe.com”—as an unencrypted file (the data format of which appears to be JSON).

The behavior is part of Adobe's way of managing access to e-books borrowed from a library or "lent" by other users through online bookstores supporting the EPUB book format, such as Barnes & Noble. If you've "activated" Digital Editions with an Adobe ID, it uses that information to determine whether a book has been "locked" on another device using the same ID to read it or if the loan has expired. If the reader isn't activated, it uses an anonymous unique ID code generated for each DE installation.

Below is the data transmitted by Digital Editions when we opened an EPUB file of Yotam Ottolenghi’s cookbook, Jerusalem:

[Image: datacapture-de-640x474.png]

DE reported back each EPUB document opened and the navigation within the document, recording each page number viewed in a stream of activity data back to an application called “datacollector.” The XML data is logged locally by the application, and then transmitted each time the application is opened—likely as part of Adobe’s DRM enforcement within DE. No data was transmitted for PDF documents opened.

A review of Adobe's terms of use for DE found no mention of the logging feature or how long the data was stored by Adobe. While checking the license data for books in DE’s local library is certainly part of the application’s core functionality, the fact that this data is broadcast in the clear could create a significant privacy issue for readers. It's not clear how the data collected by Adobe is stored, but it is associated with a unique identifier for each Digital Editions installation that can be associated with an Internet Protocol address when logged. And the fact that the data is broadcast in the clear by Digital Editions is directly in conflict with the privacy guidelines of many library systems, which closely guard readers' book loan data.

Update, 4:45 PM: The unencrypted transmission of reader data, along with an apparent lack of coverage of the collection of that data in Adobe'e terms of service, may be in violation of a recently passed New Jersey Law, the Reader Privacy Act. And the collection has also raised concern among librarians. The American Library Association's Code of Ethics states, "We protect each library user's right to privacy and confidentiality with respect to information sought or received, and resources consulted, borrowed, acquired or transmitted."

In a phone interview with Ars Technica, Deorah Caldwell-Stone, the deputy director of the American Library Association's Office for Intellectual Freedom, said that the ALA was still investigating the issue. "We are looking at this, and very concerned about this," she said, and If the data were to pertain to any library transactions, "we would want this information encrypted and private."

An Adobe spokesperson provided the following statement:

Adobe Wrote:Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers. Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy.


Here's what Adobe says they collect:

User ID: this is the user's Adobe ID or an anonymous ID for an unactivated version of DE.

Device ID: a unique identifier for the computer running DE, "collected for digital right management (DRM) purposes since publishers typically restrict the number of devices an eBook or digital publication can be read on," Adobe's spokesperson said.

Certified App ID: a key that allows DE to open documents protected by DRM from being opened with unauthorized software.

Device IP address: for geo-location, "since publishers have different pricing models in place depending on the location of the reader purchasing a given eBook or digital publication," Adobe's spokesperson said.

Duration for Which the Book was Read: "This information is collected to facilitate limited or metered pricing models where publishers or distributors charge readers based on the duration a book is read," said Adobe's spokesperson.

Percentage of the Book Read: Believe it or not, some publishers charge based on how much you read of a book—you may be only charged a percentage of the total if you don't finish it.

The end-user license for Digital Editions states that "The Software may cause Customer’s Computer, without additional notice and on an intermittent or regular basis, to automatically connect to the Internet to facilitate Customer’s access to content and services that are provided by Adobe or third parties...In addition, the Software may, without additional notice, automatically connect to the Internet to update downloadable materials from these online services so as to provide immediate availability of these services even when Customer is offline." The EULA also refers to Adobe's privacy policy, which states that the company will "provide reasonable administrative, technical, and physical security controls to protect your personal information."

It's clear from testing that data is sent on more than just the book currently being read—in our test, data was provided from a "scan" of all documents currently in the library. Additionally, it's not clear why all this data is sent regardless of the source of the book—even EPUB documents that are DRM free get all their data shipped back to Adobe.

source: http://arstechnica.com/security/2014/10/...lain-text/
Reply
#4
Adobe's clear admission in the source you provided (last updated Oct 7 2014, 7:00pm EST):

Update, 6:23 PM ET: An Adobe spokesperson now says the company is working on an update. "In terms of the transmission of the data collected, Adobe is in the process of working on an update to address this issue," the spokesperson said in an e-mail to Ars Technica. "We will notify you when a date for this update has been determined."
Reply
#5
Yesterday, we mentioned the reports kicked off by Nate Hoffelder's research that Adobe was spying on your ebook reading efforts and (even worse) sending the details as unencrypted plaintext. Adobe took its sweet time, but finally responded late last night (obnoxiously, Adobe refused to respond directly to Hoffelder at all, despite the fact that he broke the story). Here's Adobe's mealy-mouthed response that was clearly worked over by a (poorly trained) crisis PR team:
Quote: Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers. Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy.
Some of the research into what's going on contradicts the claims of it only looking at books "currently being read," but even if that's true, it doesn't make the snooping any less disturbing. And while it may be true that Adobe has not violated its privacy policy (though, that's arguable), it really just highlights the stupidity of the concept of privacy policies. As we've noted in the past, the only way you get in trouble on privacy is if you violate your own privacy policy. And thus, the incentives are to write a policy that says "we collect absolutely everything, and do whatever we want with it, nyah, nyah, nyah," because that way you won't ever violate it. Since no one reads the policy anyway, and most people assume having a "policy" means protecting privacy (even if it says the opposite), privacy policies (and laws that require them) are often counterproductive. This situation appears to be a perfect example of that in action.

Either way, the response is tone deaf in the extreme. Even if it's "in line" with the privacy policy, does that make it right or acceptable? Adobe makes no effort to respond to the concerns about this snooping on reading habits -- which can be quite revealing. It makes no effort to respond to the serious problems of sending this info in plaintext, creating a massive security hole for private information.

While Adobe has told some that it is working on an update to "address" the issue of transmitting the data in plaintext, it's a bit late in the process to be recognizing that's an issue. The Ars Technica article notes that this may, in fact, violate New Jersey's Reader Privacy Act. EFF wonders about the similar California Reader Privacy Act and whether or not Adobe's efforts here completely undermine that law.

Since Adobe's Digital Editions are commonly used by libraries (my local library uses it, which I've used to take out ebooks), it really raises some serious questions for those libraries. Librarians have a history of strongly standing up for the protection of reader privacy. In fact, for all the talk we've had recently about Section 215 of the PATRIOT Act and how the NSA abuses it, when it was first passed, the people who protested the loudest were the librarians, who feared that it would be used to collect records on what books people were reading! Some people even referred to it as the "library records" provision (even though it was eventually twisted into much more).

And yet, here we are, a decade or so later, and Adobe has completely undermined this kind of trust and privacy which libraries pride themselves on. And, even worse, it's all in the name of some crappy DRM that publishers demand. Librarians and readers should be up in arms over this, and looking for alternatives. Adobe should stop with the bullshit crisis PR response and admit that they screwed up and that the product needs to change to better protect the privacy of individuals and their reading habits.

Originally Published: Wed, 08 Oct 2014 16:05:13 GMT
source
Reply
#6
If you don't already have PeerBlock the IP address is 192.150.16.235
Add "0.0.0.0 adelogs.adobe.com" to your HOSTS cache too. [Image: tongue3.gif]
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  WTF is going on with Adobe ? Ladyanne3 0 1,031 Jun 13, 2024, 18:17 pm
Last Post: Ladyanne3
  You do not die or get addicted to ANY drug if you do not abuse it. vonRicht 97 159,014 Feb 23, 2021, 16:47 pm
Last Post: dueda
  How does adobe know that I pirated? pongo3010 9 17,098 Nov 09, 2019, 01:41 am
Last Post: waregim
  How do you feel when you SEED or UPLOAD a torrent? paooleole 10 27,380 Jan 17, 2018, 17:03 pm
Last Post: RobertX
  What could you do if you went self Employed WW3hasstarted 10 26,021 Dec 29, 2017, 13:43 pm
Last Post: politux



Users browsing this thread: 1 Guest(s)