Adobe Spying On Its Customers
from the now-that's-just-not-very-nice dept
It's not all that surprising these days to hear about software companies having their software "phone home" in some manner or another, though it's often quite annoying. However, it looks like Adobe has taken this to a new level. As highlighted by Valleywag, Adobe's CS3 design software includes a system to provide your usage data quietly to a "behavioral analytics" firm named Omniture. Of course, it does this without ever asking you if you want some random company knowing every time you use this piece of software. While it may not be doing anything nefarious, this certainly has all the hallmarks of spyware, including the fact that it tries to (weakly) disguise the connection to Omniture by making it look like it's simply pinging your local network. It's really amazing that companies keep doing this type of thing thinking that people won't catch on. There may be plenty of legitimate reasons for tracking the usage of a piece of software -- but if so, why not be upfront about it and let the user of the software opt-in to sharing his or her data? Yet another reason to use a firewall that catches these sorts of sneaky outbound connections. Update: John Dowdell, an Adobe employee (and long time Techdirt reader) has replied in the comments, noting that he's talking to folks at Adobe to find out the whole story, but he thinks it's the "live update" function. I'm not sure I understand why a live update function would call an analytics firm -- or why the ping to that analytics firm should be disguised as a local network ping, but that's the story coming out of Adobe right now. Will update again if any more details become clear. Update 2: Further response from Adobe here. It explains what the connection does and also admits that the company should have done a better job making it clear.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
Air Gap
This is easily done when you have two separate computers.
[ link to this | view in chronology ]
Re: Air Gap
Two separate computers? To be safe you really need a separate computer for each proprietary application program you run. Either that or use open source software.
[ link to this | view in chronology ]
Air Gap - agreed
I believe that US military regards a connected computer as "unsecure". No possibility that a computer is totally secure if connected to other computers.
[ link to this | view in chronology ]
Air Gap - agreed
I believe that US military regards a connected computer as "unsecure". No possibility that a computer is totally secure if connected to other computers.
[ link to this | view in chronology ]
Re: Air Gap - disagree
[ link to this | view in chronology ]
[ link to this | view in chronology ]
But you're right- to be completely secure, unplug all the networks. And if you need a network, turn off the bits you don't use. Exsosus is right- A firewall would be lovely. This doesn't even only apply to computers! I've seen a good number of PSP's, Nintendo DS's, and cellphones bricked because people didn't turn off the WiFi or Bluetooth or whatever, and a virus got in. Those things aren't secure at all.
[ link to this | view in chronology ]
Re: Comments #1, #2, & #4
Quit blaming the wrong side of the problem.
*And if you bring up the old argument, "Well, it's in page 231 Sec. Whatever of the end-user agreement. You should have read more closely."... that's not good enough. It may work in a court of law to hide critical details like this in licensing jargon, but that doesn't make it any better.
[ link to this | view in chronology ]
Re: Re: Comments #1, #2, & #4
I do expect it.
In addition, when you exit the Adobe process (and others) there is a FNPLicensingService that is probably still running. I recommend setting this to service to manual.
[ link to this | view in chronology ]
Re: Re: Comments #1, #2, & #4
In this case, the software is CS3. That stuff runs several hundred dollars. A few thousand for all of them. If the person has that software, they have the money to get a second computer.
Also, the second computer needs only be around 200 USD including EVERYTHING.
[ link to this | view in chronology ]
Re: Re: Re: Comments #1, #2, & #4
And why should I have the bother of using two alternate computers for anything? I agreed to pay money in return for for software. I *might* have agreed to give up some market research, but I read my EULAs pretty carefully, and I sure don't remember seeing anything like that. I don't even set my programs to update w/o me. (Except my antivirus...)
If they want statistical iformation from me, they are welcome to it - if they ask me up front and want to offer me a damn discount. After all, the kids in the mall and paid for market research. E-rewards and every other market research company pays for market reseach. It is a marketable commodity and it is mine. Taking it without permission is stealing. And don't give me crap about it not being tangible. Everyone on a website like this should damn well know that information can, in fact, equate money.
[ link to this | view in chronology ]
Blocked conversation
http://weblogs.macromedia.com/jd/archives/2007/12/republishing_co.cfm
I've managed to talk with some Adobe staff over the holidays, and the early consensus seems to be that dan@uneasysilence.com was indeed referring to live updates available through the start screen pinging adobe.com (which uses Omniture). It's easy to turn off. But I'd like to get a fuller consensus from my colleagues as well.
jd/adobe
[ link to this | view in chronology ]
I'm sorry...
Collecting data on the other hand, with out the users permission, is a big can of worms.
-Matt
ps. There's software out there that is specifically built to stop applications from phoning home. Search on Macupdate.com or other places.
[ link to this | view in chronology ]
Re: I'm sorry...
Yes, and it's called the ISS 'BlackIce' firewall with Application protection. It will block or terminate any application from accesing the network/internet.
[ link to this | view in chronology ]
Tomorrow, I'm going to go and sell my car, so no one can steal it. That'll show 'em.
The issue here isn't about viruses and hackers and whatever, which will always be a problem. It's about supposedly legit software doing stuff without telling you. You should be able to trust this stuff.
[ link to this | view in chronology ]
Re:
Your car analogy is totally wrong because if you don't own a car, you don't have one to steal.
With computers, if you want a SECURE computer you have to limit access to it. If you plug your computer into the internet, ANYONE with an internet connection can potentially enter your system. Hell, some SOFTWARE can do it automatically (read: worms).
People need to stop trying to troll when they don't have the knowledge to do so.
[ link to this | view in chronology ]
I have a simple solution
[ link to this | view in chronology ]
live updates and tips
Anyone could use just one computer and have different IP addresses depending on the type of Internet service they have.
Also a laptop users can be at numerous places during the course of freelancing.
The info given to adobe would have to include MAC addresses and other vital systems info to be of any use for catching pirate software users.
But do the right thing and get a comment from Adobe - this is a high profile blog, surely they will cooperate.
[ link to this | view in chronology ]
What I really don't like about all this is
If Adobe software didn't phone home I'd suddenly be shocked and suspect a problem if one day my firewall alerted me to Adobe connecting to the net. I'd suspect a virus, a trojan, or some other compromise of the Adobe software on my system.
With Adobe connecting for reasons like this the typical user might say "ok, let it connect from now on," when the firewall notifies them the first time. Now that user's security and privacy is at risk. If an attacker exploits a security hole in the Adobe software itself to drop malware then the user will never see, or not be suspect, when the compromised Adobe product connects to the net and does the dirty.
Likewise, what happens when Adobe decides they need more extensive information to aid them. What apps are your running? How many users on your system? What's your directory structure? What are your hardware serial numbers? What are the names of the last 10 documents you edited? What data was contained in the document or image that crashed as you were editing? The average user will never know and likely the change will have been pushed by Adobe update.
What if someone redirects the Adobe connection to their site via an edit of the hosts file? How many would catch that?
Even worse, what if Adobe itself is compromised by an internal or external black hat who pushes out some altered software? No one will suspect a problem because at worst "Adobe always connects to the net when I run it."
Trust Adobe do you? Well, multiply this by the number of vendors who think this behavior is ok. Then multiply again by the number of vendors who jump on the bandwagon in coming months. The security hole grows a lot doesn't it. Do you still trust Adobe? The behavior?
Now multiply again to account for all the application vendors you don't know and can't trust who'll include this in their software but will go farther and deliberately send personal, identifying, worrysome data back because they can and because you've come to expect all apps to connect.
Connections like this should be presented to the user, with reasons explicitly spelled out, transmitted data presented, sent only periodically, and require permisson each and every time.
[ link to this | view in chronology ]
What possible reason . . .
Not only did it take more money to create and implement this aspect of the software, it looks like its going to cost them more customers. This is part of whats wrong with DRM too. People need to think ideas through all the way before they do something this stupid.
[ link to this | view in chronology ]
Update, from Adobe sources
Adobe Photoshop Product Manager John Nack has been pursuing this too, and he has some info from Doug Miller, who I believe handles all Omniture analytics at adobe.com.
http://blogs.adobe.com/jnack/2007/12/adobe_ate_me_ba.html
Summary: The Welcome screen (example) in Creative Suite 3 applications does definitely get live updated material from adobe.com, and these go through site analytics just as any other web material does. Clicking the "Don't show again" checkbox will stop this vector of updated material. Doug describes at least two other scenarios where CS3 apps contact adobe.com for resources.
jd/adobe
[ link to this | view in chronology ]
Re: Update, from Adobe sources
Thanks for the update. Does Adobe give any reason for the obfuscation of the connection and why they do not inform the user of the connection in an obvious fashion?
[ link to this | view in chronology ]
How high up is John?
How high up is John? Unless he's very high up (corporate officer level or close to it) he may never get a straight answer. I company I used to work for purposely put time bombs disguised to look like "bugs" into their software in order to keep customers on expensive "support and update" plans. This activity was a very closely kept secret known by only a few within the company (so as to keep word from leaking out and angering the customers). The company then lied to it's own employees about the source of these mysteriously appearing bugs. The moral of the story is, unless John is very high up in the company, he may not get the truth even if he asks.
[ link to this | view in chronology ]
re: How high up is John?
I don't think that Adobe offers an overall guide to Omniture analytics. Most websites are in the same situation, although few also offer desktop applications as Adobe does.
But like John Nack, I think Adobe would benefit from doing better, in clearly advising of all issues which might be perceived as privacy or security issues. We'll be able to get better and more inclusive info after the holidays.
(I don't speak for all Adobe, or even know all Adobe. I come out of Macromedia Tech Support, and a lot of what I do today is in helping customers get heard inside the company.)
jd/adobe
[ link to this | view in chronology ]
spyware?
Omniture does not track how people use Adobe's software, contrary to the uneducated 'guess' above. It tracks anonymous activity as it pertains to the online functionality that may be utilized from the software. How many bad web sites are out there today? TOO MANY!! I see so many well known brand names put up utter garbage for web sites. Kudos to Omniture and other like firms for help the internet become a more user-friendly place.
[ link to this | view in chronology ]
Re: spyware?
You may have a point there, however I think the issue here is whether this activity was adequately communicated to the user.
[ link to this | view in chronology ]
Re: Re: spyware?
do you have to inform someone that when they enter your brick n mortar store, a manager will be watching what items they browse vs those they buy? this same logic applies to web analytics and use of anonymous data.
[ link to this | view in chronology ]
Re: Re: Re: spyware?
And I have to say that, as a web designer, I do place surveys on my sites, and they are very helpful. People don't generally lie about that crap. In fact, they are very blunt about exactly what they do and don't like. People aren't stupid, shy idiots, ya know. Well, not in America, at least.
[ link to this | view in chronology ]
Re: spyware?
[ link to this | view in chronology ]
Re: Re: spyware?
[ link to this | view in chronology ]
Re: spyware?
It's always nice when people who disagree with you start out by insulting you. It makes the conversation that much more productive.
First, understand what Omniture and other web analytics firms do, then write your article.
I understand what Omniture does and I wrote the article. Your point?
The lack of research put forth before this public opinion was released displays a major lack of education
And what do your insults display?
Web analytics firms track web usage so to help companies make better websites.
Indeed. They do. Why should that matter for a desktop application?
Need online help from within Photoshop?....oh, but you don't like the usability of the online help function, huh? ....well how do you expect Adobe to learn how to make their online help and update wizards more user friendly?
Perhaps the same way desktop software companies have for ages: user testing.
It tracks anonymous activity as it pertains to the online functionality that may be utilized from the software.
You left out "without telling the person" and "while hiding it by pretending it looks like a local network ping".
How many bad web sites are out there today? TOO MANY!!
Again, I'm unclear on how that matters for desktop software.
Kudos to Omniture and other like firms for help the internet become a more user-friendly place.
By tracking usage of a DESKTOP app surreptitiously and hiding that tracking? Sorry... I don't see how you can conclude one from the other... but, unlike you, I'll refrain from questioning your mental abilities.
[ link to this | view in chronology ]
Re: Re: spyware?
Second, see my above response to Alfred E. Neuman, i.e. anonymous web data collection is able to be conducted, legally, without notification to the users. If Adobe were to collect any PII, or personally identifiable information, then they would need to disclose it within their privacy policy.
Thirdly, User Testing is the most inaccurate form of testing in the world. 2% of the total population is representative of the whole? Why not track the whole?....i.e. what web analytics can do....which provides the most accurate representation of what YOUR total web audience is interested in. There's too many flaws in user testing, Comscore, and NetRatings. Very soon, you will see NetRatings head towards extinction due to audience sampling becoming a thing of the past. For the first time ever, set-top boxes will be tracked in much the same fashion of web sites so that an advertiser will know exactly how many people viewed a tv show, how many times their commercial was actually viewed, etc. no personally identifiable data passed...just aggregated usability data.
so in summary, i think there is confusion in responding to this topic largely due to the question posed in the original blog being off the mark. Adobe does not track the desktop app, but when someone within the desktop app accesses a web page/resource, then that web behavior IS being tracked. in understanding this basic principle, most people here should be able to formulate intelligent opinions.
[ link to this | view in chronology ]
Re: Re: Re: spyware?
Mike, the only time Omniture's tracking takes place is when a web resource is accessed, so the desktop app IS NOT being tracked. please make note.
But this includes the splash screen... so while it may be going out and accessing a web resource, it's the equivalent of happening while just opening the desktop app.
Second, see my above response to Alfred E. Neuman, i.e. anonymous web data collection is able to be conducted, legally, without notification to the users. If Adobe were to collect any PII, or personally identifiable information, then they would need to disclose it within their privacy policy.
No one suggested what Adobe was doing was illegal. The question was simply about how ethical (or not) it was.
Thirdly, User Testing is the most inaccurate form of testing in the world. 2% of the total population is representative of the whole?
A representative sample can tell you quite a bit. Don't brush off 2%. If it's a representative sample it can be quite useful. And the reason you might track 2% rather than the whole is because that 98% didn't sign up to be tracked and would prefer not to be tracked.
[ link to this | view in chronology ]
Re: spyware?
A "major lack" of education?
BTW, perhaps they should "utter" that they're doing this in the first place.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Seeing as how we both understand how important it is to have "essential data" in order to help people, I'll make you the same offer I made to Steve. I can start "helping" you just as soon as you post the "essential data" I need.
[ link to this | view in chronology ]
Leave the conspiracy thoeries to the pros
http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses
[ link to this | view in chronology ]
Re: Leave the conspiracy thoeries to the pros
We all know what our LAN addresses are.
Omniture is obscuring their probes by using 192...and ending it with 2O7.net, which ISN"T OUR LAN, DUMBASS.
[ link to this | view in chronology ]
Re: Leave the conspiracy thoeries to the pros
[ link to this | view in chronology ]
Adobe used to be good.
subsequent updates, starting back with PS 2.0.
For me the release of CS was the beginning of the
end. I will not purchase it. Also consider how
horribly bloated Acrobat has become.
One of the down sides of success is it leads to
corporate rot. So you get knuckle head managers
that while away their time thinking up clever
ways of increasing revenue rather than improving
products.
Here's some essential data for you...
I used to be a loyal paying customer, now I'm not.
[ link to this | view in chronology ]
Now this part is strange: The enhancement was to be uploaded to my DSL modem. I could turn the modem off. I could unplug it from my computer. I could could unplug the power. All I needed to do was make sure the modem was still connected to the wall phone jack. I guess all they needed to upload the "firmware" was the power in the phone line.
When you unplug - physically disconnect.
Ever since then, I unplug my modems from the wall jack every time I power down.
Also note, if you use XP, you have a QoS (Quality of Service) channel that reserves a percentage of bandwidth for so called "Background network traffic (or maintenance)". Zero that guy out. Turn off your update and error reporting and remote help features. And, never allow (for you IE users) your browser to install an ActiveX Object.
Google for tweaks. And remember, just because your network icon in the task bar is NOT BLINKING - it does not that NOTHING is going on. Don't put anything past our owners!
[ link to this | view in chronology ]
Our Constitution has been sold out, vote Ron Paul
Final link (before Google Books caves to pressure and drops the title):
America Deceived (book)
[ link to this | view in chronology ]
Zone Alarm is now owned by a bunch of Israelis. Why do they need our info?
[ link to this | view in chronology ]
"America Deceived (book)" in #27 is a load of crap. Promises one thing. Reads like a high-school scam. Unreadable. Meandering. Makes no point.
And Amazon is not banning it. Urban Legend
[ link to this | view in chronology ]
[ link to this | view in chronology ]
same shit another day
It's Mac only but that is Adobe's core market... still.
I use both Mac+Adobe everyday at work, FWIW.
And, yes, Adobe is a tool. Not as pervasiveley back-doored as Microshit or those online "secure" services, but still a tool.
Open source, when possible, is superior!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Osama Bin Laden was right about this one.
The world spied everyone with their own privacy thru Internet nowadays. Al Qaeda leader Osama Bin Laden was right about that because he always believes that old medieval way is much better off than today’s corrupted and wicked modern technology! He is so clever to avoid using today's technology (with hidden surveillance tools) in order to evade from overworking US troops and frustrated bounty hunters who are still searching for him in several years without any luck!
[ link to this | view in chronology ]
Re: Osama Bin Laden was right about this one.
[ link to this | view in chronology ]
free software the only answer
[ link to this | view in chronology ]
free software / activity tracking
ran under BSD and SUN OS. Try Googling
Morris and Worm.
All software has security problems. Just
as all licensing managers can be broken.
Also I don't buy the user testing argument.
Through pre-release QC testing, then beta
testing with knowlegable users, followed by
feedback from USER GROUPS is how things are
properly tested.
Tracking web page resource use sounds more
like a marketing activity to me... unless
you're testing the web pages but then you
won't need to doctor up the application
to do that.
In any case- feedback is given openly,
tracking implies covert data collection.
I think the inital blog is spot on.
[ link to this | view in chronology ]
Making it look like a 192.168 addy is dishonest an
[ link to this | view in chronology ]
Adobe Spying
There's other reason, I hate Adobe: When they bought Macromedia, they paid Google to get rid of all links to DVD Decrypter.
By By Adobe, Viva The Gimp!
[ link to this | view in chronology ]
Block it!
Any program that tries to make an outgoing connection without my explicitly having told it to do so, or requiring one as part of its normal functioning, gets blocked. If it requires an outgoing connection to function, but tries to phone home, I will specifically block outgoing connections to its parent company. I don't even let my software check for new version automatically. I'll check for new versions when *I* want to.
[ link to this | view in chronology ]
Adobe Spying On Its Customers
[ link to this | view in chronology ]
Use a HOST file
[ link to this | view in chronology ]
I get my Adobe ware for free off of P2P. Sure beats the hell out of paying the thousands Adobe wants for it. ZoneAlarm is free too. Once Adobe asks for net access, ZoneAlarm asks you to allow or deny it. Click on the "remember" box and then click Deny. Enjoy your free Adobe programs now! Woo hoo!
[ link to this | view in chronology ]
I get my Adobe ware for free off of P2P. Sure beats the hell out of paying the thousands Adobe wants for it. ZoneAlarm is free too. Once Adobe asks for net access, ZoneAlarm asks you to allow or deny it. Click on the "remember" box and then click Deny. Enjoy your free Adobe programs now! Woo hoo!
[ link to this | view in chronology ]
[ link to this | view in chronology ]