More like this

Security

Adobe spies on reading habits over unencrypted web because your 'privacy is important'

Is Adobe facing its Sony rootkit moment?

Adobe confirmed its Digital Editions software insecurely phones home your ebook reading history to Adobe – to thwart piracy.

And the company insisted the secret snooping is covered in its terms and conditions.

Version 4 of the application makes a note of every page read, and when, in the digital tomes it accesses, and then sends that data over the internet unencrypted to Adobe.

This Orwellian mechanism was spotted by Nate Hoffelder of The Digital Reader blog; the plaintext information transmitted also includes the title, publisher, and other metadata about the ebooks. This data is needed, we're told, for enforcing the usage licenses covering the books.

"All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers," Adobe said in a statement.

"Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy."

This statement raised a number of questions – chiefly that if privacy is so important, why is the information is being sent in plaintext so that anyone along the network can read it? Adobe responded by saying this was due to be changed and the company will be issuing an update to fix it.

Adobe explained that the data it collects is for digital rights management (DRM) mechanisms that may be demanded by publishers to combat piracy, and gave a detailed list of what and why it needs such specific information:

  • User ID: The user ID is collected to authenticate the user.
  • Device ID: The device ID is collected for digital right management (DRM) purposes since publishers typically restrict the number of devices an eBook or digital publication can be read on.
  • Certified app ID: The Certified App ID is collected as part of the DRM workflow to ensure that only certified apps can render a book, reducing DRM hacks and compromised DRM implementations.
  • Device IP: The device IP is collected to determine the broad geo-location, since publishers have different pricing models in place depending on the location of the reader purchasing a given eBook or digital publication.
  • Duration for which the book was read: This information is collected to facilitate limited or metered pricing models where publishers or distributors charge readers based on the duration a book is read. For example, a reader may borrow a book for a period of 30 days. While some publishers/distributers charge for 30-days from the date of the download, others follow a metered pricing model and charge for the actual time the book is read.
  • Percentage of the book read: This information is collected to allow publishers to implement subscription models where they can charge based on the percentage of the book read. For example, some publishers charge only a percentage of the full price if only a certain percentage of the book is read.

    Additionally, the following data is provided by the publisher as part of the actual license and DRM for the ebook:

    • Date of purchase or download
    • Distributor ID and Adobe content server operator URL
    • Metadata of the book provided by publisher (including title, author, publisher list price, ISBN number)

Hoffelder claimed Digital Editions 4 slurped and leaked the metadata of all the ebooks on his system – not just the ones read using the application. Adobe said this shouldn't be possible, but has its developers checking again to make sure this isn't a bug.

All of this data collection is something the user signs up to when he or she downloads the software, Adobe says, and is covered in section 14.1 of the end user license agreement (EULA), which states:

The Software may cause Customer’s Computer, without notice, to automatically connect to the Internet and to communicate with an Adobe website or Adobe domain for purposes such as license validation and providing Customer with additional information, features, or functionality.

While the EULA does appear to give Adobe the authority to collect this data, it's clear from our comments section that readers aren't happy with the situation. Neither is the EFF, which is calling ADE 4 spyware.

"Sending this information in plaintext undermines decades of efforts by libraries and bookstores to protect the privacy of their patrons and customers," said Corynne McSherry, the EFF's intellectual property director.

"Indeed, in 2011 EFF and a coalition of companies and public interest groups helped pass the Reader Privacy Act, which requires the government and civil litigants to demonstrate a compelling interest in obtaining reader records and show that the information contained in those records cannot be obtained by less intrusive means. But if readers are using Adobe's software, it’s all too easy for folks to bypass those restrictions."

But, she says, there may be a silver lining to Adobe's data grab. It's possible that Adobe could be facing the kind of PR fiasco that followed Sony's 2005 decision to build a rootkit into its CDs for DRM purposes.

Sony initially said the installation of the rootkit was an acceptable way of running a DRM system to stop piracy. Thomas Hesse, president of Sony BMG's global digital business division, at first stoutly defended the practice.

"Most people, I think, don't even know what a rootkit is, so why should they care about it?" he memorably said, earning himself a foot-in-mouth prize.

In the end, Sony backed down and ended up paying out millions of dollars in compensation to music buyers after it was shown the rootkit would allow an attacker to subvert the computer of someone who had the software installed.

As a result, the cause of DRM in music was set back significantly and music companies backed away from using it on CDs. Purely digital downloads rarely use the technology these days. It's possible Adobe's decision could have a similar effect for the written word. ®

Sponsored: The Nuts and Bolts of Ransomware in 2016