Adobe's Half-Assed Response To Spying On All Your eBooks

from the that's-not-gonna-do-it dept

Yesterday, we mentioned the reports kicked off by Nate Hoffelder's research that Adobe was spying on your ebook reading efforts and (even worse) sending the details as unencrypted plaintext. Adobe took its sweet time, but finally responded late last night (obnoxiously, Adobe refused to respond directly to Hoffelder at all, despite the fact that he broke the story). Here's Adobe's mealy-mouthed response that was clearly worked over by a (poorly trained) crisis PR team:
Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers. Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy.
Some of the research into what's going on contradicts the claims of it only looking at books "currently being read," but even if that's true, it doesn't make the snooping any less disturbing. And while it may be true that Adobe has not violated its privacy policy (though, that's arguable), it really just highlights the stupidity of the concept of privacy policies. As we've noted in the past, the only way you get in trouble on privacy is if you violate your own privacy policy. And thus, the incentives are to write a policy that says "we collect absolutely everything, and do whatever we want with it, nyah, nyah, nyah," because that way you won't ever violate it. Since no one reads the policy anyway, and most people assume having a "policy" means protecting privacy (even if it says the opposite), privacy policies (and laws that require them) are often counterproductive. This situation appears to be a perfect example of that in action.

Either way, the response is tone deaf in the extreme. Even if it's "in line" with the privacy policy, does that make it right or acceptable? Adobe makes no effort to respond to the concerns about this snooping on reading habits -- which can be quite revealing. It makes no effort to respond to the serious problems of sending this info in plaintext, creating a massive security hole for private information.

While Adobe has told some that it is working on an update to "address" the issue of transmitting the data in plaintext, it's a bit late in the process to be recognizing that's an issue. The Ars Technica article notes that this may, in fact, violate New Jersey's Reader Privacy Act. EFF wonders about the similar California Reader Privacy Act and whether or not Adobe's efforts here completely undermine that law.

Since Adobe's Digital Editions are commonly used by libraries (my local library uses it, which I've used to take out ebooks), it really raises some serious questions for those libraries. Librarians have a history of strongly standing up for the protection of reader privacy. In fact, for all the talk we've had recently about Section 215 of the PATRIOT Act and how the NSA abuses it, when it was first passed, the people who protested the loudest were the librarians, who feared that it would be used to collect records on what books people were reading! Some people even referred to it as the "library records" provision (even though it was eventually twisted into much more).

And yet, here we are, a decade or so later, and Adobe has completely undermined this kind of trust and privacy which libraries pride themselves on. And, even worse, it's all in the name of some crappy DRM that publishers demand. Librarians and readers should be up in arms over this, and looking for alternatives. Adobe should stop with the bullshit crisis PR response and admit that they screwed up and that the product needs to change to better protect the privacy of individuals and their reading habits.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: copyright, digital reader, drm, ebooks, encryption, libraries, privacy, snooping
Companies: adobe


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Ninja (profile), 8 Oct 2014 @ 7:53am

    Good, it's within my right NOT to use their software as well. So they can keep their stupid DRM to themselves and we are all good. And if needed there are plenty of ways to circumvent said DRM.

    Piracy: letting you choose what to do, where to do and when to do whatever you want with your legally-bought, drm-ridden content.

    link to this | view in thread ]

  2. identicon
    Michael, 8 Oct 2014 @ 9:23am

    All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers.

    "solely for purposes such as"? What does that mean? Isn't that a bit like saying "up to 50% off and more"? They have given us two reasons and left it open to AS MANY MORE REASONS AS THEY WANT. Nice.

    Not to mention, I don't care why you are f***ing me, I care THAT you are f***ing me.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 8 Oct 2014 @ 9:25am

    This is seriously focusing on the wrong issues. The only problem with this - and I say this as a MAJOR critic of basically all of Adobe's past and present business practices - is that the data is sent in plaintext. Sending the data itself serves a really obvious purpose. Amazon does this as well, it's a feature not a bug. It's actually pretty great to be able to read a book on my tablet in bed or wherever and then keep reading it at the same point I left off on my smartphone later in the cafeteria.

    ...Okay, who am I kidding. When I say "cafeteria" I mean "on the toilet."

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 8 Oct 2014 @ 9:26am

    All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers. Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader.

    Hey, hey, relax. Adobe is only spying on everything you do, not everything you could do! Just think, they could totally have their program go through your entire hard drive and collect information on everything in it to facilitate more comprehensive anti-piracy measures (not Adobe (TM) DRM'd? You'd best prove you ain't pirating!) instead, so isn't this current solution much better?

    Oh, and don't worry, as they've only talked about hypothetical examples ("purposes such as"), they can leave the door open to discussing deals with advertis *cough* partners to put ... uhh ... consumer-relevant information on a convenient sidebar. This will obviously benefit consumers since they'll get to learn about additional goods while enjoying their book.

    link to this | view in thread ]

  5. identicon
    David, 8 Oct 2014 @ 9:27am

    Re:

    Yes, the "such as" implies that this is a non-exhaustive list. It's used for those purposes, plus a variety of other unlisted purposes as well.

    Also, note that they are going to take care of the encryption issue, which only means we REALLY won't know what all kinds of information they are sending home. I'm starting to fail to see how this is better.

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 8 Oct 2014 @ 9:27am

    ...Time to file a lawsuit, methinks.

    link to this | view in thread ]

  7. icon
    John Fenderson (profile), 8 Oct 2014 @ 9:33am

    Re:

    That's not the only problem. The other serious problem was that Adobe didn't tell anyone that the data was being collected, what data is being collected, and why.

    "it's a feature not a bug"

    Well, since it's intentional, it's technically a feature. However, in terms of effect, I consider it a bug of the showstopper variety. If it were a feature, it would be op-in, not silently always on.

    link to this | view in thread ]

  8. icon
    John Fenderson (profile), 8 Oct 2014 @ 9:35am

    Re:

    Based on what? I don't see any grounds for a successful lawsuit here. A better response is to just avoid Adobe like the plague.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 8 Oct 2014 @ 9:37am

    No reason to worry... Adobe is just collecting business records... (that are now collectible by the NSA).

    link to this | view in thread ]

  10. identicon
    Chris Brand, 8 Oct 2014 @ 9:40am

    Re: Re:

    To be fair, sending the data encrypted would mean that only Adobe and the people they choose to share it with get the data, rather than anyone with a packet sniffer. That is clearly an improvement (assuming they don't just stick it on their website).

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 8 Oct 2014 @ 9:41am

    Re:

    It's actually pretty great to be able to read a book on my tablet in bed or wherever and then keep reading it at the same point I left off on my smartphone later in the cafeteria.

    Is it worth the invasion of privacy involved, like feeding your reading habits straight to the NSA?

    link to this | view in thread ]

  12. icon
    Roger Strong (profile), 8 Oct 2014 @ 10:06am

    As other have pointed out, it's time to start renaming your ebooks with file names like:

    "William Shakespeare - Hamlet) ; DROP TABLE Books ; --.epub"

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 8 Oct 2014 @ 10:12am

    Re: Re:

    Didn't you read the article? They may be violating New Jersey's reader privacy law.

    Also, many libraries' digital collections contain Adobe DRM protected works. If your library were sending your reading habits to a third party, would your solution be "avoid the public library like the plague"?

    link to this | view in thread ]

  14. identicon
    Anonymous Hero, 8 Oct 2014 @ 10:13am

    DRM...?

    Note that the page-by-page data collected has no info related to licensing:

    "msg_NavigatedToPage": {
    "Navigated To Page": {
    "atTime":1412619383042,
    "PageNumber":8,
    "TotalPages":9}}},

    Also:

    {"atTime":1412619397026,"userID":"","operatorURL":"","licenseURL":"","distrib utorID":"","resourceID":"","fulfillmentID":""}}},
    {"msg_DocumentScanned":{"Document Scanned":{"atTime":1412619397026,"Title":"Getting Started with Adobe Digital Editions 4.0","Creator":"Adobe Systems Incorporated","Subject":"Getting Started","Description":"","Publisher":"Adobe Systems Incorporated","Contributor":"","Date":"2012-06-05T07:00:00+00:00","Language":"en","Format":"","Type" :"","Identifier":"","Source":"","Relation":"","Coverage":"","Rights":""}}},

    Contains no identifying information or anything that could prove that the owner purchased the book, unless the author removed values for userID, licenseURL, etc, because those fields are blank. Not that it would matter, because it's all sent in the clear, anyone could just spoof it.

    link to this | view in thread ]

  15. icon
    John Fenderson (profile), 8 Oct 2014 @ 10:24am

    Re: Re: Re:

    "Didn't you read the article?"

    Missed that. My bad.

    "If your library were sending your reading habits to a third party, would your solution be "avoid the public library like the plague"?"

    No, that's just silly. Why throw the baby out with the bathwater? Personally, I'd just remove the DRM and use a different reader. Or, if I couldn't do that for some reason, I'd simply not check out those digital works.

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 8 Oct 2014 @ 10:52am

    ✤ Many years ago, Adobe was voted the most easily hacked software. Not just one year but for consecutive years.

    ✤ According to Fox 31 news and CBS, 33 million Adobe user credentials were stolen. The hack went on to effect other places such as Facebook, leaving many security sites to recommend a changing of passwords once it was patched.

    ✤ Adobe's source code was hacked into and stolen.

    ✤ One of the easiest ways to obtain passwords was by third party data passage without encryption, still part of the problem with Adobe software after all these years.

    ✤ Many security sites were recommending that removal of Adobe software was needed for your computer and on line security.

    This has been going on for many years. I long ago gave up on Abode as being anything but an invitation to be hacked if it was on your computer. So all this 'in the clear' is not something new nor something just revealed. It is their method of operation and has been for ages. This is why data being passed in the clear is such an issue.

    link to this | view in thread ]

  17. identicon
    Trevor, 8 Oct 2014 @ 10:59am

    PUBLIC SERVICE ANNOUNCEMENT

    People:

    Privacy policies do not protect the consumer. They protect the company.

    link to this | view in thread ]

  18. icon
    Mason Wheeler (profile), 8 Oct 2014 @ 11:08am

    Librarians and readers should be up in arms over this, and looking for alternatives.

    I've been looking for an alternative for seven years now, and the alternative is: let's call a spade a spade. Give DRM a legal status to match reality: it's a hacking tool, nothing but malware, and creating and distributing it should be subject to the exact same legal restrictions as viruses, trojans, etc.

    link to this | view in thread ]

  19. identicon
    Fred the Fourth, 8 Oct 2014 @ 11:13am

    Re: PUBLIC SERVICE ANNOUNCEMENT

    It's always the case that contracts are written, first and foremost, to protect the interests of the contract author.
    There is a legal theory that contract ambiguities should be resolved in favor of the party who did not write the contract, but this is a) risky to rely on and 2) no help if there is no ambiguity.

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 8 Oct 2014 @ 11:14am

    Re: Re: Re: Re:

    But that's the key issue - the public libraries are only being permitted to use ADE-equipped books.

    So, yeah, I think it's time for a lawsuit.

    link to this | view in thread ]

  21. identicon
    Anonymous Coward, 8 Oct 2014 @ 11:36am

    Besides DRM, the potential for this kind of thing is one of the reasons i've never borrowed an ebook from my library. As soon as a third party is involved, all trust and accountability goes out the window.

    DRM urgently needs to abolished in public libraries. Publishers should never have been allowed to have this much control over a public resource.

    link to this | view in thread ]

  22. identicon
    Anonymous Coward, 8 Oct 2014 @ 11:39am

    Re: Re: Re:

    " sending the data encrypted would mean that only Adobe and the people they choose to share it with get the data "

    And so without any oversight at all they could snarf up the entire listing of connected devices, plus any content they choose, and send them encrypted so that no-one will be able to verify whether they do what they say they do.

    link to this | view in thread ]

  23. identicon
    Anonymous Coward, 8 Oct 2014 @ 11:39am

    Re:

    >the data is sent in plain text

    Even if it's encrypted, the amount of information collected still a violation of privacy. Any data transferred should be the absolute minimum necessary. There is no reason reading behavior should be tracked.

    link to this | view in thread ]

  24. identicon
    Anonymous Coward, 8 Oct 2014 @ 11:43am

    Re: Re:

    "There is no reason reading behavior should be tracked."

    As someone pointed out (somewhere..) some licensing deals relate payment to number of pages read. I am going to guess that knowing which pages is possibly used to allow publishers to see which pages are most popular/least popular and they could make a case for knowing which parts of a book are least popular might help them improve it (eg custom produced textbooks) (all statistics aggregated and anonymous). Which arguably has some merit if informed consent is given.

    link to this | view in thread ]

  25. icon
    gluejar (profile), 8 Oct 2014 @ 11:49am

    NJ Privacy laws

    The NJ "Reader Privacy Act" is not law yet, as far as I can tell. I think it's badly drafted.

    http://go-to-hellman.blogspot.com/2014/09/online-bookstores-to-face-stringent.html
    http://go-to-hellm an.blogspot.com/2014/09/emergency-governor-christie-could-turn.html

    Nonetheless, there are library records privacy laws in place in NJ that should apply.

    EFF is misleading; I don't think the California Reader Privacy Act applies to this case, though the CA library records privacy law Cal Gov Code § 6267 should make this illegal.

    link to this | view in thread ]

  26. icon
    John Fenderson (profile), 8 Oct 2014 @ 12:05pm

    Re: Re: Re:

    Informed consent are key words here. I suspect that the outrage over what Adobe's done would be a bit more muted if they had actually told people what they were doing before they started using the software.

    link to this | view in thread ]

  27. icon
    John Fenderson (profile), 8 Oct 2014 @ 12:08pm

    Re: Re: Re: Re: Re:

    "the public libraries are only being permitted to use ADE-equipped books."

    Not true. Libraries can continue to to have actual, physical books. Those are DRM-free. As I said, my response would be to break the DRM and, failing that, to avoid checking out digital books. Admittedly, not a huge change for me since I've never "checked out" a digital book from the library anyway.

    link to this | view in thread ]

  28. icon
    Easily Amused (profile), 8 Oct 2014 @ 12:34pm

    Re:

    that feature only applies to content you are using the app to read. According to the research it is gobbling up all kinds of other non-related data and phoning home.

    That's why this is bullshit.

    link to this | view in thread ]

  29. identicon
    Chris Brand, 8 Oct 2014 @ 12:48pm

    Re: Re: Re: Re:

    Right. But that's still better than all those people PLUS anyone with a packet sniffer having access to that data, which was the point I was making.

    "better than the status quo" is not the same as "acceptable".

    link to this | view in thread ]

  30. icon
    anti-antidirt (profile), 8 Oct 2014 @ 12:53pm

    And this is why I've been avoiding Adobe like Ebola for a long long time.

    Shotty software, always bad PR, inflated prices for certain countries, etc. Why haven't they been on the Consumerist list for Corst Company in America yet? They'd be a good contender.

    Years ago I was mad that Flash was being killed on mobile. Adobe took a hit with that. Now I look at Adobe and am glad they are where they are. Their DRM has always sucked, and they obviously don't care. They seem to have the corporate mentality of Electronic Arts.

    If anything, this should make people hate privacy policies, it should make people read them, and it should make people really think twice about using programs they would guess have no reason to, "phone home".

    link to this | view in thread ]

  31. icon
    Get off my cyber-lawn! (profile), 8 Oct 2014 @ 1:06pm

    Thank you for using our cable tv box

    we're not going to tell you that it is going to run through your house at night while you sleep and indescriminately index everything you own and then phone it back to us later.

    link to this | view in thread ]

  32. identicon
    Anonymous Coward, 8 Oct 2014 @ 1:43pm

    Re: Re: Re: Re: Re: Re:

    I guess as long as it doesn't impact you, it isn't worth complaining about.

    Unlike you, the only books I've checked out of the library in the past two years are ebooks.

    link to this | view in thread ]

  33. icon
    batch (profile), 8 Oct 2014 @ 1:45pm

    Ars Technica is a biased, agenda driven shit-rag. Please stop using them as a source. Evidence can be found in their biased, agenda driven writing concerning the GamerGate consumer movement which they continue to insist, in wide generalizations is about misogyny. If they cannot even be bothered with understanding a somewhat complex story such as GamerGate, how can they possibly understand any other subject that has a whiff of complexity?

    link to this | view in thread ]

  34. identicon
    Anonymous Coward, 8 Oct 2014 @ 1:46pm

    Re: Re: Re: Re: Re: Re: Game theory?

    As digital distribution becomes the standard, I foresee a good deal of titles that will never be in print, or printed in such low quantities it will be hard to get a hold of in physical form.

    Just because a relative few currently have the ability unshackle themselves from the current restrictions doesn't mean the masses who lack that capacity deserve to suffer for that lack of knowledge/ability.

    The attitude of "It's ok if I support companies that utilize DRM because I know where to find the information to break the current set of locks" is ultimately self-defeating.

    link to this | view in thread ]

  35. icon
    Groaker (profile), 8 Oct 2014 @ 5:34pm

    Privacy is just so 19th century.

    link to this | view in thread ]

  36. icon
    Zoleen (profile), 9 Oct 2014 @ 12:32am

    That is why I prefer hard cover books.

    link to this | view in thread ]

  37. identicon
    Anonymous Coward, 9 Oct 2014 @ 1:31am

    Well I'm glad that when I use windows, which is about 1/4 of the time I boot my desktop, I've been using Foxit Reader. No I do not work for Foxit Corp but not only is it a super lightweight reader, it is very safe (it's in a "safe mode" by default when you install it so that harmful pdf files are left in a sandbox.

    I've been removing Adobe PDF Reader and installing Foxit on other's computers since a long time too, over 9 years. I think it's obvious that Adobe is a useless company, Premiere? I'll take Avidemux/Handbrake even Transmaggedon instead. Virtualdub and its forks can also work with all recent codecs. You got to be a fool or forced into it by a school to buy Adobe products.

    link to this | view in thread ]

  38. icon
    John Fenderson (profile), 9 Oct 2014 @ 7:57am

    Re: Re: Re: Re: Re: Re: Re:

    "I guess as long as it doesn't impact you, it isn't worth complaining about."

    Please show me where I've said anything remotely close to this.

    link to this | view in thread ]

  39. identicon
    ryuugami, 9 Oct 2014 @ 1:37pm

    Re:

    Recent versions of Foxit Reader seem to be bloated and adware-infested (see e.g. AlternativeTo comments).

    I'd suggest using an older version (you can get them from OldApps.com).

    Personally, I'm still on v3.0 from 2008. The installer is one tenth the size of the newest version (3.7 vs 36 MB), and there are no ads or extraneous crap. Just a fast, simple, lightweight PDF reader.

    link to this | view in thread ]

  40. identicon
    Anonymous Coward, 10 Oct 2014 @ 7:48am

    Avoid tracking, avoid Adobe and other proprietary software. Use free and open-source software.

    link to this | view in thread ]

  41. icon
    John Fenderson (profile), 10 Oct 2014 @ 8:56am

    Re: Re: Re: Re: Re: Re: Re: Game theory?

    "The attitude of "It's ok if I support companies that utilize DRM because I know where to find the information to break the current set of locks" is ultimately self-defeating."

    I never said it was OK. I said it's not a battle I choose to fight right now. I can't fight them all at the same time, after all.

    link to this | view in thread ]

  42. identicon
    Irina, 11 Oct 2014 @ 12:25am

    I do in fact avoid the public library like the plague exactly for that reason. Ever since they started keeping records FOREVER without any possibility for the patron to erase or even see them.

    link to this | view in thread ]

  43. identicon
    don'tBother2login, 27 Oct 2014 @ 12:29am

    It's amazing how ppl still use Adobe software, from time to time of its screw up, major!

    I've been avoiding it all along, it's an unfortunate fact that it acquired Macromedia and screwed up all its product, including Flash. But then, I only allow Flash on youtube...

    mates, search for alternatives!

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.