Like an Open Book

Adobe patches a security vulnerability in its ereader software, but some users still regard the data Digital Editions collects about them with suspicion.

October 27, 2014

Adobe now encrypts the information its ebook and PDF reader collects about users, but librarians and readers say the recent patch to address that privacy issue has spawned a new problem: because the data now travels encrypted, they can no longer see for themselves what is being collected or how they are being monitored.

Before Thursday’s patch, Adobe Digital Editions monitored the books users downloaded to their personal libraries, which digital pages they flipped to and how long they read each title, along with personal and location data. The software then sent a log of the findings back to the company in plaintext, readable by anyone who could capture the traffic on its way, such as another user on the same network, with basic network monitoring tools. The software is available for computers, smartphones and a range of ereaders.

Nate Hoffelder, editor of the ereading blog The Digital Reader, first reported the privacy issues earlier this month, prompting outrage from many librarians and ebook enthusiasts.

The American Library Association denounced Adobe’s actions, calling the data collection a “gross privacy violation” and the unencrypted transmission “egregious, [as] it sidesteps state laws around the country that protect the privacy of library reading records.”

Libraries urged users to downgrade to an earlier version of Digital Editions to protect their data, as the problem appeared to be confined to version 4.0 of the software.

“The library values our users’ right to privacy, and we have expressed concern and alarm to our ebook vendor, and asked them to advocate on our behalf,” wrote Cecile Farnum, communications and liaison librarian at Ryerson University in Canada. “We are investigating whether Adobe’s actions are a violation of provincial privacy laws and will be contacting Adobe directly to demand that they address this vulnerability immediately.”

Ebook use in academe is already a point of contention between academic libraries and publishers, as the titles are licensed, not owned. Those licensing agreements often come with restrictions that dictate how readers can access the titles, which in turn challenges traditional library values, said Andromeda Yelton, who has previously written on the topic.

"We have all these different values, including access to information, including privacy, and with paper books, they’re not in conflict," Yelton said in an interview. "With ebooks, ... the technology we have to put in place to enforce [digital rights management] and contractual requirements requires a fair amount of surveillance of infrastructure."

After the story was picked up by mainstream technology websites such as Ars Technica, Adobe issued a clarification.

“All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers,” the company said in a statement. “Additionally, this information is solely collected for the ebook currently being read by the user and not for any other ebook in the user’s library or read/available in any other reader.”

Still, Adobe pledged to patch how that data was being transmitted, and on Thursday, the company updated Digital Editions to version 4.0.1. The patch included “Enhanced security for transmitting rights management and licensing validation information,” according to the changelog.

In a Thursday afternoon post, Hoffelder suggested Adobe may have patched the vulnerability.

The good news, he wrote, is that the software only sends a log -- which is now encrypted -- when users open ebooks with digital rights management (DRM) safeguards. “The bad news is that we don’t know for sure whether Adobe is still spying on users, because ... they say that they are now encrypting the data uploaded to their servers,” he added.

Hoffelder expanded on the post in an email to Inside Higher Ed.

“I wouldn't go so far as to say that Adobe is doing enough, but they are meeting the bare minimums of what they should have done in the first place,” Hoffelder wrote. “They don't appear to be uploading data on DRM-free ebooks, and what data is uploaded concerning DRM-ed ebooks is encrypted. This is all well and good, but I am not going to cheer on Adobe for meeting the minimum requirements set by privacy laws and basic standards of conduct.”

In a more thorough analysis, library software developer Galen Charlton monitored the network traffic generated by the software when he opened a number of different ebooks. The software connected to Adobe whenever it launched (“presumably to verify that the DRM authorization was in good shape,” Charlton wrote), but it didn’t send a log to the company unless he opened a DRM-protected book downloaded from the Kobo ebook store.
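The passive check Charlton describes, and the reason Hoffelder's plaintext finding was observable in the first place, can be reproduced with a short script. The Python below is an added example written for this page; it is not Charlton's, Hoffelder's or Adobe's code, and the hostname drm.example, the form fields and the captured bytes are constructed stand-ins, not Adobe's real endpoints or log format. It classifies the first bytes of each captured client connection as a TLS handshake or a plaintext HTTP request, exposes the request body only in the plaintext case, and maps each user action (launching the app, opening a DRM title, opening a DRM-free title) to the connections it triggered.

```python
import re
from dataclasses import dataclass


@dataclass
class Flow:
    """One client-to-server TCP connection seen while a given user action was performed."""
    action: str          # what the tester was doing when the capture tool saw the connection
    dst_host: str        # destination host (hypothetical name, not a real Adobe endpoint)
    dst_port: int
    client_bytes: bytes  # first bytes the client sent on the connection


def classify(client_bytes: bytes) -> str:
    """Tell a TLS handshake apart from plaintext HTTP by the first bytes the client sends.

    A TLS connection opens with a record header: content type 0x16 (handshake), version
    major byte 0x03, two length bytes, then handshake type 0x01 (ClientHello).
    Plaintext HTTP opens with a request line such as 'POST /path HTTP/1.1\\r\\n'.
    """
    if (len(client_bytes) >= 6 and client_bytes[0] == 0x16
            and client_bytes[1] == 0x03 and client_bytes[5] == 0x01):
        return "tls"
    if re.match(rb"(?:GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r\n", client_bytes):
        return "plaintext-http"
    return "unknown"


def http_body(client_bytes: bytes) -> bytes:
    """Return the body of a plaintext HTTP request (everything after the blank line)."""
    _head, sep, body = client_bytes.partition(b"\r\n\r\n")
    return body if sep else b""


def audit(flows):
    """Report what a passive observer on the network path can learn from each flow."""
    findings = []
    for f in flows:
        kind = classify(f.client_bytes)
        finding = {
            "action": f.action,
            "dst": f"{f.dst_host}:{f.dst_port}",
            "kind": kind,
            "bytes_sent": len(f.client_bytes),
            # Only a plaintext request exposes its content; for TLS this stays None.
            "readable_body": None,
        }
        if kind == "plaintext-http":
            finding["readable_body"] = http_body(f.client_bytes).decode("utf-8", "replace")
        findings.append(finding)
    return findings


def trigger_report(actions, flows):
    """Map each user action to the destinations it caused the client to contact.

    Actions that produced no traffic map to an empty list. Encryption hides the payload,
    but the fact that an action triggers an upload, and to whom, remains visible.
    """
    report = {action: [] for action in actions}
    for f in audit(flows):
        report.setdefault(f["action"], []).append(f["dst"])
    return report


# Constructed sample captures (hypothetical host and field names, not Adobe's real format).
ACTIONS = ["launch app", "open DRM ebook", "open DRM-free ebook"]

# TLS record header (0x16, version 0x03 0x01, length 0x00c8) followed by handshake type 0x01.
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01]) + bytes(200)

CAPTURE_BEFORE_PATCH = [
    Flow("launch app", "drm.example", 80, b"GET /auth HTTP/1.1\r\nHost: drm.example\r\n\r\n"),
    Flow("open DRM ebook", "drm.example", 80,
         b"POST /log HTTP/1.1\r\nHost: drm.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"title=Example+Title&page=42&minutes_read=17"),
]

CAPTURE_AFTER_PATCH = [
    Flow("launch app", "drm.example", 443, CLIENT_HELLO),
    Flow("open DRM ebook", "drm.example", 443, CLIENT_HELLO),
    # "open DRM-free ebook" produced no connection at all in this constructed capture.
]

if __name__ == "__main__":
    for label, capture in (("before patch", CAPTURE_BEFORE_PATCH), ("after patch", CAPTURE_AFTER_PATCH)):
        print(label, trigger_report(ACTIONS, capture))
        for finding in audit(capture):
            print("  ", finding)
```

The last function is the caveat both Hoffelder and Charlton raise: after the patch an observer can no longer read the upload, but can still see that opening a DRM-protected title causes one, where it goes and roughly how large it is. What is inside it is now a question only the vendor can answer.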

But like Hoffelder, Charlton also maintained suspicions about the data collected by Adobe.

“Adobe appears to have closed a hole -- but there are still important questions left open,” he wrote. “Librarians need to continue pushing on this.”

Asked to assuage librarians’ fears, an Adobe spokeswoman pointed to the page on privacy the company launched along with the patch.

“Also, while all data collection in Adobe Digital Editions 4 has been in line with the end user license agreement and the Adobe Privacy Policy, recent discussions made it clear that we could be more explicit,” the spokeswoman said in an email. She reiterated that the data collection is meant to enable “license validation and to facilitate the implementation of different licensing models by publishers and distributors.”

The ALA has yet to comment on the patch. 
