Adobe Discovers Encryption, Cuts Back On Its eBook Snooping A Bit

from the drm-is-bad,-mmkay? dept

The whole DRM for ebooks effort is still pretty braindead all around. It’s amazing to me that everyone hasn’t realized what the music industry figured out years ago (after many earlier years of kicking and screaming): DRM doesn’t help the creators or the copyright holders in the slightest. It pisses off end users and tends to help give platform providers a dominant position by creating lock-in with their users. Time and time again we see copyright holders demanding DRM, not realizing that this demand actually gives all the leverage to the platform provider. And, of course, there are all the technical problems with DRM, from making “purchased” content disappear once DRM servers are turned off, to making it more difficult to actually use legitimately authorized content, to the fact that DRM tends to lead to privacy and security problems as well.

A few weeks ago, Nate Hoffelder discovered that Adobe’s ebook reader, Digital Editions 4, was spying on your ebooks, collecting a ton of information about them, and then uploading it all to Adobe’s servers in an unencrypted format, potentially revealing a lot of information about users of the product. Adobe came out with a ridiculously mealy-mouthed response that clearly had been worked over by a crisis team PR person, when what it should have done is say, “Uh, we screwed up.”

Now, a couple of weeks later, Adobe has quietly updated Digital Editions, complete with encryption… and with greatly reduced snooping. It no longer does anything on non-DRM’d ebooks, only contacting the server for DRM’d books (which, as explained, is a dumb idea, but…). So, Adobe has corrected the egregious errors of its original snooping (though, frankly, the company should also (1) apologize to the public and (2) thank Hoffelder for pointing out the company’s crappy practices).

Hoffelder goes even further, arguing that what Adobe should really do is stop the data collection entirely:

This is less a case of a company screwing up in supporting users than it is one of a major tech company grabbing more user info than is required and then, when they are caught, trying to write it off with a “My bad” and a promise to add encryption.

That is entirely the wrong response. What they should have said was that they would stop the spying, not that they would make it more difficult for the world to listen in.

From all appearances, the real problem here is… DRM. Adobe’s designed a DRM system that requires a server check-in to make it work. This is dumb for a variety of reasons, and also means that when — inevitably — the server goes away, those “purchased” works are likely to disappear as well.

Companies: adobe


Comments on “Adobe Discovers Encryption, Cuts Back On Its eBook Snooping A Bit”

14 Comments
Rich Kulawiec (profile) says:

Re: Re:

Absolutely right.

And there’s another aspect of this that deserves a mention: who else has access to all the data being collected? After all, Adobe has already been quite thoroughly hacked at least once that we know of (see https://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/): why should we believe that that was the first time and the only time?

One of the problems that rarely gets any attention — but certainly deserves a lot more — is secondary data acquisition via security breaches. Adobe may think they’re building a nifty analysis and tracking and licensing and whatever tool, but what they’re really building is a target. A massively attractive, very dangerous target that is surely on the radar screens of a LOT of people by now, and one that I strongly doubt Adobe has the ability to defend.

The solution to that isn’t encryption and isn’t restriction: it’s “don’t do it in the first place”.

Anonymous Coward says:

Re: Re: Re:

You’re kinda late in the game to just now be deciding to boycott Adobe. I absolutely do not allow Adobe on my computers and haven’t for years.

Used to be that Windows was the target for hackers. Lots of holes and zero days. But over the years Windows has been tightening security a little. It has become easier to target 3rd party software to get in. Adobe has had the dubious distinction of being voted the most easily cracked software for a couple of years running in the past.

Now add to this the idea that Adobe products are always asking permission to phone home 2 or 3 times a week. No one updates their software that often, so it isn’t for the claimed checking for updates. It’s for spying on what’s on your computer.

So why would I let an obviously poorly constructed software that is a security issue from the get go, coupled with it being well known for years as being spyware access my computer?

The answer is I don’t.

John Fenderson (profile) says:

Weak sauce

Encrypting the data is good — it solves one part of the problem. However, given the amount of data the new reader sends, it’s likely that the spying continues when you are using a DRM’d ebook. This reader still falls squarely in the “don’t use this” category.

It would be interesting if someone monitors what files the reader is accessing to confirm or deny that the spying is still happening.

Anonymous Coward says:

And this is why I strip the DRM from the ebooks I’ve purchased followed by filing it away on an encrypted drive…

I really don’t care if they think they’re ‘leasing’ the content to me because according to my personal EULA, any purchase I make from [insert name] becomes my personal property with which I hold full digital and physical rights to from the time of the purchase until the end of my bloodline.

Anonymous Coward says:

Most DRM systems don’t even require ongoing server access, as the primary function is to lock the content to the specific device, so then the server is only required when hardware/software/firmware gets changed.

But Adobe’s concern is not just copy-protection; as with all spyware, Adobe is creating and exploiting a new revenue stream. For adobe, a person’s reading habits now become valuable, marketable data.

We can argue that Facebook made a fortune by monitoring and selling people’s reading habits, but the chief difference being that because people are reading things off Facebook’s servers, then spying on them is supposed to be perfectly OK.

Maybe if Adobe had created some kind of “cloud” reader instead, then people’s reading habits could have been secretly logged, sold, and whatever else, and no one would have suspected anything. Kind of like Facebook.

John Fenderson (profile) says:

Re: Re:

“the chief difference being that because people are reading things off Facebook’s servers, then spying on them is supposed to be perfectly OK.”

Actually, I would say that the chief reason why it’s OK is because Facebook tells you that they’re spying, what they’re spying on, and what they’re doing with the data they collect. People who use Facebook aren’t being tricked.

Anonymous Coward says:

Adobe DRM

“This is dumb for a variety of reasons, and also means that when — inevitably — the server goes away, those “purchased” works are likely to disappear as well.”

This is why the first thing I do when I get something in Adobe’s DRM format is to strip off the DRM. You can do that, because it’s tied to the customer’s key.

For library loans, I don’t bother, but anything I’ve “purchased” goes into plain text, epub and pdf right away.

Whoever says:

Just take Adobe's word for it?

Now, a couple of weeks later, Adobe has quietly updated Digital Editions, complete with encryption… and with greatly reduced snooping.

Since the data is now encrypted, we only have Adobe’s word on what data is being sent. One might be able to infer something from the amount of data, but still, the encryption seems to protect Adobe more than it protects their user base.
