Adobe Discovers Encryption, Cuts Back On Its eBook Snooping A Bit
from the drm-is-bad,-mmkay? dept
The whole DRM for ebooks effort is still pretty braindead all around. It's amazing to me that everyone hasn't realized what the music industry figured out years ago (after many earlier years of kicking and screaming): DRM doesn't help the creators or the copyright holders in the slightest. It pisses off end users and tends to help give platform providers a dominant position by creating lock-in with their users. Time and time again we see copyright holders demanding DRM, not realizing that this demand actually gives all the leverage to the platform provider. And, of course, there are all the technical problems with DRM, from making "purchased" content disappear once DRM servers are turned off, to making it more difficult to actually use legitimately authorized content, to the fact that DRM tends to lead to privacy and security problems as well.
A few weeks ago, Nate Hoffelder discovered that Adobe's ebook reader, Digital Editions 4, was spying on your ebooks, collecting a ton of information about them, and then uploading it all to Adobe's servers in an unencrypted format, potentially revealing a lot of information about users of the product. Adobe came out with a ridiculously mealy-mouthed response that clearly had been worked over by a crisis team PR person, when what it should have done is say, "Uh, we screwed up."
Now, a couple of weeks later, Adobe has quietly updated Digital Editions, complete with encryption... and with greatly reduced snooping. It no longer does anything on non-DRM'd ebooks, only contacting the server for DRM'd books (which, as explained, is a dumb idea, but...). So, Adobe has corrected the egregious errors of its original snooping (though, frankly, the company should also (1) apologize to the public and (2) thank Hoffelder for pointing out the company's crappy practices).
Hoffelder goes even further, arguing that what Adobe should really do is stop the data collection entirely:
This is less a case of a company screwing up in supporting users than it is one of a major tech company grabbing more user info than is required and then, when they are caught, trying to write it off with a “My bad” and a promise to add encryption.
That is entirely the wrong response. What they should have said was that they would stop the spying, not that they would make it more difficult for the world to listen in.
From all appearances, the real problem here is... DRM. Adobe's designed a DRM system that requires a server check-in to make it work. This is dumb for a variety of reasons, and also means that when -- inevitably -- the server goes away, those "purchased" works are likely to disappear as well.
Filed Under: digital editions, drm, ebooks, encryption
Companies: adobe
Reader Comments
Re:
And there's another aspect of this that deserves a mention: who else has access to all the data being collected? After all, Adobe has already been quite thoroughly hacked at least once that we know of (see https://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/): why should we believe that that was the first time and the only time?
One of the problems that rarely gets any attention -- but certainly deserves a lot more -- is secondary data acquisition via security breaches. Adobe may think they're building a nifty analysis and tracking and licensing and whatever tool, but what they're really building is a target. A massively attractive, very dangerous target that is surely on the radar screens of a LOT of people by now, and one that I strongly doubt Adobe has the ability to defend.
The solution to that isn't encryption and isn't restriction: it's "don't do it in the first place".
[ link to this | view in chronology ]
Re: Re:
Used to be that Windows was the target for hackers. Lots of holes and zero days. But over the years Windows has been tightening security a little. It has become easier to target 3rd party software to get in. Adobe has had the dubious distinction of being voted the most easily cracked software for a couple of years running in the past.
Now add to this the idea that Adobe products are always asking permission to phone home 2 or 3 times a week. No one updates their software that often, so it isn't for the claimed checking for updates. It's for spying on what's on your computer.
So why would I let an obviously poorly constructed software that is a security issue from the get go, coupled with it being well known for years as being spyware access my computer?
The answer is I don't.
[ link to this | view in chronology ]
Weak sauce
It would be interesting if someone monitors what files the reader is accessing to confirm or deny that the spying is still happening.
[ link to this | view in chronology ]
I really don't care if they think they're 'leasing' the content to me because according to my personal EULA, any purchase I make from [insert name] becomes my personal property with which I hold full digital and physical rights to from the time of the purchase until the end of my bloodline.
[ link to this | view in chronology ]
But Adobe's concern is not just copy-protection; as with all spyware, Adobe is creating and exploiting a new revenue stream. For Adobe, a person's reading habits now become valuable, marketable data.
We can argue that Facebook made a fortune by monitoring and selling people's reading habits, but the chief difference being that because people are reading things off Facebook's servers, then spying on them is supposed to be perfectly OK.
Maybe if Adobe had created some kind of "cloud" reader instead, then people's reading habits could have been secretly logged, sold, and whatever else, and no one would have suspected anything. Kind of like Facebook.
[ link to this | view in chronology ]
Re:
Actually, I would say that the chief reason why it's OK is because Facebook tells you that they're spying, what they're spying on, and what they're doing with the data they collect. People who use Facebook aren't being tricked.
[ link to this | view in chronology ]
Adobe DRM
This is why the first thing I do when I get something in Adobe's DRM format is to strip off the DRM. You can do that, because it's tied to the customer's key.
For library loans, I don't bother, but anything I've "purchased" goes into plain text, epub and pdf right away.
[ link to this | view in chronology ]
Just take Adobe's word for it?
Since the data is now encrypted, we only have Adobe's word on what data is being sent. One might be able to infer something from the amount of data, but still, the encryption seems to protect Adobe more than it protects their user base.
[ link to this | view in chronology ]
I think it is referred to in acronym form as a DEAD format.
[ link to this | view in chronology ]