Updated Adobe's Digital Editions 4 ebook reader software collects detailed information about the reading habits of its users – and sends it back to the company in a format that's easy for others to slurp.
An investigation by Nate Hoffelder of The Digital Reader blog showed that ADE 4 was collecting telemetry on which pages of ebooks were being read, and in which order. This included the title, publisher, and other metadata, which was then sent to the company's mothership – a server called adelogs, no less – in plain text over the internet.
Benjamin Daniel Mussler, the researcher who spotted security flaws in Amazon's Kindle software, told The Register he had confirmed the data slurping was going on by setting up a dummy system using the software and monitoring traffic as a book was read.
"I started a fresh Windows system and installed Wireshark to capture any traffic and ADE 4. I then navigated through the Getting Started... ebook that comes with ADE 4. For example, I flipped to page 7, then 8, 7 again, 8, 7, 8. During the next launch, ADE sent this data unencrypted to http://adelogs.adobe.com/datacollector/receiver?id=com.adobe.rmsdk.nocert.dewin," he said.
More worryingly, Hoffelder claimed ADE 4 wasn't just collecting this data for its own ebooks, but was also scanning the host computer for all ebooks and sending back information on those as well.
Here at The Register we've conducted our own tests on the software and had similar results – information about ebooks opened on the computer were noted and later sent back to Adobe corporate servers in unencrypted form. The data is sent over plaintext HTTP to the IP address 192.150.16.235, which belongs to Adobe Systems in California.
What was sent over the wire ... Adobe leaking data about Alice's Adventures in Wonderland – we couldn't get hold of Nineteen Eighty Four quickly enough
Creepy ... exactly when you turned each page is also blabbed over the web
From our quick look at the exchanged packets, Digital Editions 4 sends a HTTP POST request to...
http://adelogs.adobe.com/ping?id=com.adobe.rmsdk.nocert.dewin
...or...
http://adelogs.adobe.com/ping?id=com.adobe.rmsdk.nocert.demac
...depending on your operating system – Windows or OS X. The client then sends over a hash value, and starts pumping information about the user's books and pages read, in real time, to Adobe's server. You can watch a video of the transfers in action, here, recorded by Andromeda Yelton.
Since Adobe doesn't actually sell ebooks, this makes the slurping of the data very strange indeed. It's also a possible breach of the software's terms and conditions, which state:
"We will not access, view, or listen to any of your content, except as reasonably necessary to perform the Services. Actions reasonably necessary to perform the Services may include (but are not limited to) (a) responding to support requests; (b) detecting, preventing, or otherwise addressing fraud, security, unlawful, or technical issues; and (c) enforcing these terms."
We've asked Adobe for an explanation of what exactly is going on and the firm has said that it's looking into the matter. With a lot of staff currently attending the AdobeMAX conference in Los Angeles this may take some time. ®
Updated to add
Adobe says it simply has to log every page you turn to tackle piracy.
