Adobe Discovers Encryption, Cuts Back On Its eBook Snooping A Bit
from the drm-is-bad,-mmkay? dept
The whole DRM for ebooks effort is still pretty braindead all around. It’s amazing to me that everyone hasn’t realized what the music industry figured out years ago (after many earlier years of kicking and screaming): DRM doesn’t help the creators or the copyright holders in the slightest. It pisses off end users and tends to help give platform providers a dominant position by creating lock-in with their users. Time and time again we see copyright holders demanding DRM, not realizing that this demand actually gives all the leverage to the platform provider. And, of course, there are all the technical problems with DRM, from making “purchased” content disappear once DRM servers are turned off, to making it more difficult to actually use legitimately authorized content, to the fact that DRM tends to lead to privacy and security problems as well.
A few weeks ago, Nate Hoffelder discovered that Adobe’s ebook reader, Digital Editions 4, was spying on your ebooks, collecting a ton of information about them, and then uploading it all to Adobe’s servers in an unencrypted format, potentially revealing a lot of information about users of the product. Adobe came out with a ridiculously mealy-mouthed response that clearly had been worked over by a crisis team PR person, when what it should have done is say, “Uh, we screwed up.”
Now, a couple of weeks later, Adobe has quietly updated Digital Edition, complete with encryption… and with greatly reduced snooping. It no longer does anything on non-DRM’d ebooks, only contacting the server for DRM’d books (which, as explained, is a dumb idea, but…). So, Adobe has corrected the egregious errors of its original snooping (though, frankly, the company should also (1) apologize to the public and (2) thank Hoffelder for pointing out the company’s crappy practices).
Hoffelder goes even further, arguing that what Adobe should really do is stop the data collection entirely:
This is less a case of a company screwing up in supporting users than it is one of a major tech company grabbing more user info than is required and then, when they are caught, trying to write it off with a ?My bad? and a promise to add encryption.
That is entirely the wrong response. What they should have said was that they would stop the spying, not that they would make it more difficult for the world to listen in.
From all appearances, the real problem here is… DRM. Adobe’s designed a DRM system that requires a server check-in to make it work. This is dumb for a variety of reasons, and also means that when — inevitably — the server goes away, those “purchased” works are likely to disappear as well.
Filed Under: digital editions, drm, ebooks, encryption
Companies: adobe
Comments on “Adobe Discovers Encryption, Cuts Back On Its eBook Snooping A Bit”
Encryption solves nothing. When the data was unencrypted at least we could tell what was being collected. Because the source code is secret and the data is scrambled we have to take Adobe at their word.
Re: Re:
Absolutely right.
And there’s another aspect of this that deserves a mention: who else has access to all the data being collected? After all, Adobe has already been quite thoroughly hacked at least once that we know of (see https://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/): why should we believe that that was the first time and the only time?
One of the problems that rarely gets any attention — but certainly deserves a lot more — is secondary data acquisition via security breaches. Adobe may think they’re building a nifty analysis and tracking and licensing and whatever tool, but what they’re really building is a target. A massively attractive, very dangerous target that is surely on the radar screens of a LOT of people by now, and one that I strongly doubt Adobe has the ability to defend.
The solution to that isn’t encryption and isn’t restriction: it’s “don’t do it in the first place”.
Re: Re:
Well, I guess it’s time to boycott Adobe; Which is long overdue if you ask me…
Re: Re: Re:
You’re kinda late in the game to just now be deciding to boycott Adobe. I absolutely not allow Adobe on my computers and haven’t for years.
Used to be that Windows was the target for hackers. Lots of holes and zero days. But over the years Windows has been tightening security a little. It has become easier to target 3ʳᵈ party software to get in. Adobe has had the dubious distinction of being voted the most easily cracked software for a couple of years running in the past.
Now add to this the idea that Adobe products are always asking permission to phone home 2 or 3 times a week. No one updates their software that often, so it isn’t for the claimed checking for updates. It’s for spying on what’s on your computer.
So why would I let an obviously poorly constructed software that is a security issue from the get go, coupled with it being well known for years as being spyware access my computer?
The answer is I don’t.
Weak sauce
Encrypting the data is good — it solves one part of the problem. However, given the amount of data the new reader sends, it’s likely that the spying continues when you are using a DRM’d ebook. This reader still falls squarely in the “don’t use this” category.
It would be interesting if someone monitors what files the reader is accessing to confirm or deny that the spying is still happening.
And this is why I strip the DRM from the ebooks I’ve purchased followed by filing it away on an encrypted drive…
I really don’t care if they think they’re ‘leasing’ the content to me because according to my personal EULA, any purchase I make from [insert name] becomes my personal property with which I hold full digital and physical rights to from the time of the purchase until the end of my bloodline.
Most DRM systems don’t even require ongoing server access, as the primary function is to lock the content to the specific device, so then the server is only required when hardware/software/firmware gets changed.
But Adobe’s concern is not just copy-protection; as with all spyware, Adobe is creating and exploiting a new revenue stream. For adobe, a person’s reading habits now become valuable, marketable data.
We can argue that Facebook made a fortune by monitoring and selling people’s reading habits, but the chief difference being that because people are reading things off Facebook’s servers, then spying on them is supposed to be perfectly OK.
Maybe if Adobe had created some kind of “cloud” reader instead, then people’s reading habits could have been secretly logged, sold, and whatever else, and no one would have suspected anything. Kind of like Facebook.
Re: Re:
“t the chief difference being that because people are reading things off Facebook’s servers, then spying on them is supposed to be perfectly OK. “
Actually, I would say that the chief reason why it’s OK is because Facebook tells you that they’re spying, what they’re spying on, and what they’re doing with the data they collect. People who use Facebook aren’t being tricked.
Re: Re: Re:
Facebook has frequently been caught breaking its own promises. It’s a company with a long history of testing the waters and pushing the limits, until users rebelled and forced FB to backtrack. Again and again.
Adobe DRM
“This is dumb for a variety of reasons, and also means that when — inevitably — the server goes away, those “purchased” works are likely to disappear as well.”
This is why the first thing I do when I get something in Adobe’s DRM format is to strip off the DRM. You can do that, because it’s tied to the customer’s key.
For library loans, I don’t bother, but anything I’ve “purchased” goes into plain text, epub and pdf right away.
Re: Adobe DRM
Which still leads Adobe to think DRM is accepted by customers. As long as you buy this, DRM will exist.
Just take Adobe's word for it?
Since the data is now encrypted, we only have Adobe’s word on what data is being sent. One might be able to infer something from the amount of data, but still, the encryption seems to protect Adobe more than it protects their user base.
I have read about this DRM Electronic Access Document format.
I think it is referred to in acronym form as a DEAD format.
Adobe Flash must die!