Adobe's Half-Assed Response To Spying On All Your eBooks

from the that's-not-gonna-do-it dept

Yesterday, we mentioned the reports kicked off by Nate Hoffelder’s research that Adobe was spying on your ebook reading efforts and (even worse) sending the details as unencrypted plaintext. Adobe took its sweet time, but finally responded late last night (obnoxiously, Adobe refused to respond directly to Hoffelder at all, despite the fact that he broke the story). Here’s Adobe’s mealy-mouthed response that was clearly worked over by a (poorly trained) crisis PR team:

Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices - whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers. Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user's library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy.

Some of the research into what’s going on contradicts the claims of it only looking at books “currently being read,” but even if that’s true, it doesn’t make the snooping any less disturbing. And while it may be true that Adobe has not violated its privacy policy (though, that’s arguable), it really just highlights the stupidity of the concept of privacy policies. As we’ve noted in the past, the only way you get in trouble on privacy is if you violate your own privacy policy. And thus, the incentives are to write a policy that says “we collect absolutely everything, and do whatever we want with it, nyah, nyah, nyah,” because that way you won’t ever violate it. Since no one reads the policy anyway, and most people assume having a “policy” means protecting privacy (even if it says the opposite), privacy policies (and laws that require them) are often counterproductive. This situation appears to be a perfect example of that in action.

Either way, the response is tone deaf in the extreme. Even if it’s “in line” with the privacy policy, does that make it right or acceptable? Adobe makes no effort to respond to the concerns about this snooping on reading habits — which can be quite revealing. It makes no effort to respond to the serious problems of sending this info in plaintext, creating a massive security hole for private information.

While Adobe has told some that it is working on an update to “address” the issue of transmitting the data in plaintext, it’s a bit late in the process to be recognizing that’s an issue. The Ars Technica article notes that this may, in fact, violate New Jersey’s Reader Privacy Act. EFF wonders about the similar California Reader Privacy Act and whether or not Adobe’s efforts here completely undermine that law.

Since Adobe’s Digital Editions are commonly used by libraries (my local library uses it, which I’ve used to take out ebooks), it really raises some serious questions for those libraries. Librarians have a history of strongly standing up for the protection of reader privacy. In fact, for all the talk we’ve had recently about Section 215 of the PATRIOT Act and how the NSA abuses it, when it was first passed, the people who protested the loudest were the librarians, who feared that it would be used to collect records on what books people were reading! Some people even referred to it as the “library records” provision (even though it was eventually twisted into much more).

And yet, here we are, a decade or so later, and Adobe has completely undermined this kind of trust and privacy which libraries pride themselves on. And, even worse, it’s all in the name of some crappy DRM that publishers demand. Librarians and readers should be up in arms over this, and looking for alternatives. Adobe should stop with the bullshit crisis PR response and admit that they screwed up and that the product needs to change to better protect the privacy of individuals and their reading habits.

Companies: adobe


Comments on “Adobe's Half-Assed Response To Spying On All Your eBooks”

43 Comments
Michael (profile) says:

All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers.

“solely for purposes such as”? What does that mean? Isn’t that a bit like saying “up to 50% off and more”? They have given us two reasons and left it open to AS MANY MORE REASONS AS THEY WANT. Nice.

Not to mention, I don’t care why you are f***ing me, I care THAT you are f***ing me.

David says:

Re: Re:

Yes, the “such as” implies that this is a non-exhaustive list. It’s used for those purposes, plus a variety of other unlisted purposes as well.

Also, note that they are going to take care of the encryption issue, which only means we REALLY won’t know what all kinds of information they are sending home. I’m starting to fail to see how this is better.

Anonymous Coward says:

Re: Re: Re: Re:

“sending the data encrypted would mean that only Adobe and the people they choose to share it with get the data”

And so without any oversight at all they could snarf up the entire listing of connected devices, plus any content they choose, and send them encrypted so that no-one will be able to verify whether they do what they say they do.

Anonymous Coward says:

This is seriously focusing on the wrong issues. The only problem with this – and I say this as a MAJOR critic of basically all of Adobe’s past and present business practices – is that the data is sent in plaintext. Sending the data itself serves a really obvious purpose. Amazon does this as well, it’s a feature not a bug. It’s actually pretty great to be able to read a book on my tablet in bed or wherever and then keep reading it at the same point I left off on my smartphone later in the cafeteria.

…Okay, who am I kidding. When I say “cafeteria” I mean “on the toilet.”

John Fenderson (profile) says:

Re: Re:

That’s not the only problem. The other serious problem was that Adobe didn’t tell anyone that the data was being collected, what data is being collected, and why.

“it’s a feature not a bug”

Well, since it’s intentional, it’s technically a feature. However, in terms of effect, I consider it a bug of the showstopper variety. If it were a feature, it would be opt-in, not silently always on.

Anonymous Coward says:

Re: Re: Re:

“There is no reason reading behavior should be tracked.”

As someone pointed out (somewhere..) some licensing deals relate payment to number of pages read. I am going to guess that knowing which pages is possibly used to allow publishers to see which pages are most popular/least popular and they could make a case for knowing which parts of a book are least popular might help them improve it (eg custom produced textbooks) (all statistics aggregated and anonymous). Which arguably has some merit if informed consent is given.

Anonymous Coward says:

All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers. Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader.

Hey, hey, relax. Adobe is only spying on everything you do, not everything you could do! Just think, they could totally have their program go through your entire hard drive and collect information on everything in it to facilitate more comprehensive anti-piracy measures (not Adobe (TM) DRM’d? You’d best prove you ain’t pirating!) instead, so isn’t this current solution much better?

Oh, and don’t worry, as they’ve only talked about hypothetical examples (“purposes such as”), they can leave the door open to discussing deals with advertis *cough* partners to put … uhh … consumer-relevant information on a convenient sidebar. This will obviously benefit consumers since they’ll get to learn about additional goods while enjoying their book.

Anonymous Coward says:

Re: Re: Re:

Didn’t you read the article? They may be violating New Jersey’s reader privacy law.

Also, many libraries’ digital collections contain Adobe DRM protected works. If your library were sending your reading habits to a third party, would your solution be “avoid the public library like the plague”?

John Fenderson (profile) says:

Re: Re: Re: Re:

“Didn’t you read the article?”

Missed that. My bad.

“If your library were sending your reading habits to a third party, would your solution be “avoid the public library like the plague”?”

No, that’s just silly. Why throw the baby out with the bathwater? Personally, I’d just remove the DRM and use a different reader. Or, if I couldn’t do that for some reason, I’d simply not check out those digital works.

John Fenderson (profile) says:

Re: Re: Re:3 Re:

“the public libraries are only being permitted to use ADE-equipped books.”

Not true. Libraries can continue to have actual, physical books. Those are DRM-free. As I said, my response would be to break the DRM and, failing that, to avoid checking out digital books. Admittedly, not a huge change for me since I’ve never “checked out” a digital book from the library anyway.

Anonymous Coward says:

Re: Re: Re:4 Game theory?

As digital distribution becomes the standard, I foresee a good deal of titles that will never be in print, or printed in such low quantities it will be hard to get a hold of in physical form.

Just because a relative few currently have the ability to unshackle themselves from the current restrictions doesn’t mean the masses who lack that capacity deserve to suffer for that lack of knowledge/ability.

The attitude of “It’s ok if I support companies that utilize DRM because I know where to find the information to break the current set of locks” is ultimately self-defeating.

John Fenderson (profile) says:

Re: Re: Re:5 Game theory?

“The attitude of “It’s ok if I support companies that utilize DRM because I know where to find the information to break the current set of locks” is ultimately self-defeating.”

I never said it was OK. I said it’s not a battle I choose to fight right now. I can’t fight them all at the same time, after all.

Anonymous Hero says:

DRM...?

Note that the page-by-page data collected has no info related to licensing:

"msg_NavigatedToPage": {
"Navigated To Page": {
"atTime":1412619383042,
"PageNumber":8,
"TotalPages":9}}},

Also:

{"atTime":1412619397026,"userID":"","operatorURL":"","licenseURL":"","distributorID":"","resourceID":"","fulfillmentID":""}}},
{"msg_DocumentScanned":{"Document Scanned":{"atTime":1412619397026,"Title":"Getting Started with Adobe Digital Editions 4.0","Creator":"Adobe Systems Incorporated","Subject":"Getting Started","Description":"","Publisher":"Adobe Systems Incorporated","Contributor":"","Date":"2012-06-05T07:00:00+00:00","Language":"en","Format":"","Type":"","Identifier":"","Source":"","Relation":"","Coverage":"","Rights":""}}},

Contains no identifying information or anything that could prove that the owner purchased the book, unless the author removed values for userID, licenseURL, etc, because those fields are blank. Not that it would matter, because it’s all sent in the clear, anyone could just spoof it.
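The check the comment above makes by eye, as an added example (not part of the original comment and not Adobe's code): a small Python audit that sorts the fields of a captured payload into licensing identifiers, reading-behaviour data and book metadata, and reports which licensing fields actually carry a value. The field names come from the excerpts quoted above; the `events` envelope, the `msg_PLACEHOLDER` event name and the sample payload are constructed assumptions.

```python
import json

# Field names taken from the excerpts quoted in the comment above.
LICENSING = {"userID", "operatorURL", "licenseURL",
             "distributorID", "resourceID", "fulfillmentID"}
BEHAVIOUR = {"atTime", "PageNumber", "TotalPages"}
METADATA = {"Title", "Creator", "Subject", "Description", "Publisher",
            "Contributor", "Date", "Language", "Identifier", "Rights"}

# Constructed sample: the "events" envelope and "msg_PLACEHOLDER" are
# assumptions, because the quoted excerpt is cut off before those names.
SAMPLE = """
{"events": [
  {"msg_NavigatedToPage": {"Navigated To Page":
    {"atTime": 1412619383042, "PageNumber": 8, "TotalPages": 9}}},
  {"msg_PLACEHOLDER": {"placeholder":
    {"atTime": 1412619397026, "userID": "", "operatorURL": "",
     "licenseURL": "", "distributorID": "", "resourceID": "",
     "fulfillmentID": ""}}},
  {"msg_DocumentScanned": {"Document Scanned":
    {"atTime": 1412619397026, "Creator": "Adobe Systems Incorporated",
     "Title": "Getting Started with Adobe Digital Editions 4.0",
     "Identifier": "", "Rights": ""}}}
]}
"""

def leaves(node):
    """Yield (key, value) for every scalar field in nested dicts and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, (dict, list)):
                yield from leaves(value)
            else:
                yield key, value
    elif isinstance(node, list):
        for item in node:
            yield from leaves(item)

def audit(payload_text):
    """Group field names by purpose; blank non-licensing fields are skipped."""
    report = {"licensing_populated": set(), "licensing_blank": set(),
              "reading_behaviour": set(), "book_metadata": set(), "other": set()}
    for key, value in leaves(json.loads(payload_text)):
        populated = value not in ("", None)
        if key in LICENSING:
            bucket = "licensing_populated" if populated else "licensing_blank"
            report[bucket].add(key)
        elif populated:
            bucket = ("reading_behaviour" if key in BEHAVIOUR else
                      "book_metadata" if key in METADATA else "other")
            report[bucket].add(key)
    return {name: sorted(keys) for name, keys in report.items()}

if __name__ == "__main__":
    for name, keys in audit(SAMPLE).items():
        print(f"{name}: {keys}")
```
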

Anonymous Coward says:

✤ Many years ago, Adobe was voted the most easily hacked software. Not just one year but for consecutive years.

✤ According to Fox 31 news and CBS, 33 million Adobe user credentials were stolen. The hack went on to affect other places such as Facebook, leaving many security sites to recommend a changing of passwords once it was patched.

✤ Adobe’s source code was hacked into and stolen.

✤ One of the easiest ways to obtain passwords was by third party data passage without encryption, still part of the problem with Adobe software after all these years.

✤ Many security sites were recommending that removal of Adobe software was needed for your computer and on line security.

This has been going on for many years. I long ago gave up on Adobe as being anything but an invitation to be hacked if it was on your computer. So all this ‘in the clear’ is not something new nor something just revealed. It is their method of operation and has been for ages. This is why data being passed in the clear is such an issue.

Fred the Fourth says:

Re: PUBLIC SERVICE ANNOUNCEMENT

It’s always the case that contracts are written, first and foremost, to protect the interests of the contract author.
There is a legal theory that contract ambiguities should be resolved in favor of the party who did not write the contract, but this is a) risky to rely on and 2) no help if there is no ambiguity.

Mason Wheeler (profile) says:

Librarians and readers should be up in arms over this, and looking for alternatives.

I’ve been looking for an alternative for seven years now, and the alternative is: let’s call a spade a spade. Give DRM a legal status to match reality: it’s a hacking tool, nothing but malware, and creating and distributing it should be subject to the exact same legal restrictions as viruses, trojans, etc.

Anonymous Coward says:

Besides DRM, the potential for this kind of thing is one of the reasons I’ve never borrowed an ebook from my library. As soon as a third party is involved, all trust and accountability goes out the window.

DRM urgently needs to be abolished in public libraries. Publishers should never have been allowed to have this much control over a public resource.

gluejar (profile) says:

NJ Privacy laws

The NJ “Reader Privacy Act” is not law yet, as far as I can tell. I think it’s badly drafted.

http://go-to-hellman.blogspot.com/2014/09/online-bookstores-to-face-stringent.html
http://go-to-hellman.blogspot.com/2014/09/emergency-governor-christie-could-turn.html

Nonetheless, there are library records privacy laws in place in NJ that should apply.

EFF is misleading; I don’t think the California Reader Privacy Act applies to this case, though the CA library records privacy law Cal Gov Code § 6267 should make this illegal.

anti-antidirt says:

And this is why I’ve been avoiding Adobe like Ebola for a long long time.

Shoddy software, always bad PR, inflated prices for certain countries, etc. Why haven’t they been on the Consumerist list for Worst Company in America yet? They’d be a good contender.

Years ago I was mad that Flash was being killed on mobile. Adobe took a hit with that. Now I look at Adobe and am glad they are where they are. Their DRM has always sucked, and they obviously don’t care. They seem to have the corporate mentality of Electronic Arts.

If anything, this should make people hate privacy policies, it should make people read them, and it should make people really think twice about using programs they would guess have no reason to, “phone home”.

batch (profile) says:

Ars Technica is a biased, agenda driven shit-rag. Please stop using them as a source. Evidence can be found in their biased, agenda driven writing concerning the GamerGate consumer movement which they continue to insist, in wide generalizations is about misogyny. If they cannot even be bothered with understanding a somewhat complex story such as GamerGate, how can they possibly understand any other subject that has a whiff of complexity?

Anonymous Coward says:

Well I’m glad that when I use Windows, which is about 1/4 of the time I boot my desktop, I’ve been using Foxit Reader. No I do not work for Foxit Corp but not only is it a super lightweight reader, it is very safe (it’s in a “safe mode” by default when you install it so that harmful pdf files are left in a sandbox).

I’ve been removing Adobe PDF Reader and installing Foxit on others’ computers for a long time too, over 9 years. I think it’s obvious that Adobe is a useless company, Premiere? I’ll take Avidemux/Handbrake even Transmageddon instead. Virtualdub and its forks can also work with all recent codecs. You got to be a fool or forced into it by a school to buy Adobe products.

ryuugami says:

Re: Re:

Recent versions of Foxit Reader seem to be bloated and adware-infested (see e.g. AlternativeTo comments).

I’d suggest using an older version (you can get them from OldApps.com).

Personally, I’m still on v3.0 from 2008. The installer is one tenth the size of the newest version (3.7 vs 36 MB), and there are no ads or extraneous crap. Just a fast, simple, lightweight PDF reader.
