Adobe spies on reading habits over unencrypted web because your 'privacy is important'

Is Adobe facing its Sony rootkit moment?


Adobe confirmed its Digital Editions software insecurely phones home your ebook reading history to Adobe – to thwart piracy.

And the company insisted the secret snooping is covered in its terms and conditions.

Version 4 of the application makes a note of every page read, and when, in the digital tomes it accesses, and then sends that data over the internet unencrypted to Adobe.

This Orwellian mechanism was spotted by Nate Hoffelder of The Digital Reader blog; the plaintext information transmitted also includes the title, publisher, and other metadata about the ebooks. This data is needed, we're told, for enforcing the usage licenses covering the books.

"All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers," Adobe said in a statement.

"Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy."

This statement raised a number of questions – chiefly, if privacy is so important, why is the information being sent in plaintext, so that anyone along the network path can read it? Adobe responded that this was due to be changed and that the company will be issuing an update to fix it.

Adobe explained that the data it collects is for digital rights management (DRM) mechanisms that may be demanded by publishers to combat piracy, and gave a detailed list of what and why it needs such specific information:

  • User ID: The user ID is collected to authenticate the user.
  • Device ID: The device ID is collected for digital rights management (DRM) purposes since publishers typically restrict the number of devices an eBook or digital publication can be read on.
  • Certified app ID: The Certified App ID is collected as part of the DRM workflow to ensure that only certified apps can render a book, reducing DRM hacks and compromised DRM implementations.
  • Device IP: The device IP is collected to determine the broad geo-location, since publishers have different pricing models in place depending on the location of the reader purchasing a given eBook or digital publication.
  • Duration for which the book was read: This information is collected to facilitate limited or metered pricing models where publishers or distributors charge readers based on the duration a book is read. For example, a reader may borrow a book for a period of 30 days. While some publishers/distributors charge for 30 days from the date of the download, others follow a metered pricing model and charge for the actual time the book is read.
  • Percentage of the book read: This information is collected to allow publishers to implement subscription models where they can charge based on the percentage of the book read. For example, some publishers charge only a percentage of the full price if only a certain percentage of the book is read.

  Additionally, the following data is provided by the publisher as part of the actual license and DRM for the ebook:

  • Date of purchase or download
  • Distributor ID and Adobe content server operator URL
  • Metadata of the book provided by publisher (including title, author, publisher list price, ISBN number)
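To make the exposure concrete from the defender's side, here is an added example (not Adobe's code, and not ADE's real wire format, which the article does not reproduce): it scans constructed proxy-log entries and reports which of the fields listed above leave a host without TLS. The log layout, host names and parameter names are all assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Fields Adobe says ADE 4 reports, keyed by the form-parameter names this
# example assumes (constructed for illustration; not ADE's real wire format).
SENSITIVE_FIELDS = {
    "user_id": "User ID",
    "device_id": "Device ID",
    "app_id": "Certified app ID",
    "title": "Book title",
    "isbn": "ISBN",
    "pages_read": "Pages read and timestamps",
    "duration": "Reading duration",
    "percent_read": "Percentage read",
}

# Constructed proxy log: one request per line as "METHOD<TAB>URL<TAB>BODY".
SAMPLE_LOG = [
    "POST\thttp://telemetry.example.test/report\tuser_id=u123&device_id=d9"
    "&title=1984&isbn=9780451524935&pages_read=12,13,14&percent_read=4",
    "GET\thttps://telemetry.example.test/license?user_id=u123&device_id=d9\t",
    "GET\thttp://cdn.example.test/cover.jpg\t",
]


def audit_request(url, body):
    """Report which sensitive fields a request carries and whether it went out without TLS."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)          # fields in the query string
    params.update(parse_qs(body))           # fields in a form-encoded body
    exposed = sorted(SENSITIVE_FIELDS[k] for k in params if k in SENSITIVE_FIELDS)
    return {"host": parts.hostname, "plaintext": parts.scheme == "http", "fields": exposed}


def find_plaintext_leaks(log_lines):
    """Return only the requests that send at least one sensitive field in the clear."""
    leaks = []
    for line in log_lines:
        method, url, body = line.split("\t", 2)
        result = audit_request(url, body)
        if result["plaintext"] and result["fields"]:
            result["method"] = method
            leaks.append(result)
    return leaks


if __name__ == "__main__":
    for leak in find_plaintext_leaks(SAMPLE_LOG):
        print(f"{leak['method']} {leak['host']} sends in plaintext: {', '.join(leak['fields'])}")
```

Run against a real capture, the same check tells a network defender which reading-history fields a client is exposing to anyone on the path, which is exactly the condition the EFF objects to below.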

Hoffelder claimed Digital Editions 4 slurped and leaked the metadata of all the ebooks on his system – not just the ones read using the application. Adobe said this shouldn't be possible, but has its developers checking again to make sure this isn't a bug.

All of this data collection is something the user signs up to when he or she downloads the software, Adobe says, and is covered in section 14.1 of the end user license agreement (EULA), which states:

The Software may cause Customer’s Computer, without notice, to automatically connect to the Internet and to communicate with an Adobe website or Adobe domain for purposes such as license validation and providing Customer with additional information, features, or functionality.

While the EULA does appear to give Adobe the authority to collect this data, it's clear from our comments section that readers aren't happy with the situation. Neither is the EFF, which is calling ADE 4 spyware.

"Sending this information in plaintext undermines decades of efforts by libraries and bookstores to protect the privacy of their patrons and customers," said Corynne McSherry, the EFF's intellectual property director.

"Indeed, in 2011 EFF and a coalition of companies and public interest groups helped pass the Reader Privacy Act, which requires the government and civil litigants to demonstrate a compelling interest in obtaining reader records and show that the information contained in those records cannot be obtained by less intrusive means. But if readers are using Adobe's software, it’s all too easy for folks to bypass those restrictions."

But, she says, there may be a silver lining to Adobe's data grab. It's possible that Adobe could be facing the kind of PR fiasco that followed Sony's 2005 decision to build a rootkit into its CDs for DRM purposes.

Sony initially said the installation of the rootkit was an acceptable way of running a DRM system to stop piracy. Thomas Hesse, president of Sony BMG's global digital business division, at first stoutly defended the practice.

"Most people, I think, don't even know what a rootkit is, so why should they care about it?" he memorably said, earning himself a foot-in-mouth prize.

In the end, Sony backed down and ended up paying out millions of dollars in compensation to music buyers after it was shown the rootkit would allow an attacker to subvert the computer of someone who had the software installed.

As a result, the cause of DRM in music was set back significantly and music companies backed away from using it on CDs. Purely digital downloads rarely use the technology these days. It's possible Adobe's decision could have a similar effect for the written word. ®

Biting the hand that feeds IT © 1998–2022