Adobe's Half-Assed Response To Spying On All Your eBooks
from the that's-not-gonna-do-it dept
Yesterday, we mentioned the reports kicked off by Nate Hoffelder’s research that Adobe was spying on your ebook reading efforts and (even worse) sending the details as unencrypted plaintext. Adobe took its sweet time, but finally responded late last night (obnoxiously, Adobe refused to respond directly to Hoffelder at all, despite the fact that he broke the story). Here’s Adobe’s mealy-mouthed response that was clearly worked over by a (poorly trained) crisis PR team:
Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices?whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers. Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user?s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy.
Some of the research into what’s going on contradicts the claims of it only looking at books “currently being read,” but even if that’s true, it doesn’t make the snooping any less disturbing. And while it may be true that Adobe has not violated its privacy policy (though, that’s arguable), it really just highlights the stupidity of the concept of privacy policies. As we’ve noted in the past, the only way you get in trouble on privacy is if you violate your own privacy policy. And thus, the incentives are to write a policy that says “we collect absolutely everything, and do whatever we want with it, nyah, nyah, nyah,” because that way you won’t ever violate it. Since no one reads the policy anyway, and most people assume having a “policy” means protecting privacy (even if it says the opposite), privacy policies (and laws that require them) are often counterproductive. This situation appears to be a perfect example of that in action.
Either way, the response is tone deaf in the extreme. Even if it’s “in line” with the privacy policy, does that make it right or acceptable? Adobe makes no effort to respond to the concerns about this snooping on reading habits — which can be quite revealing. It makes no effort to respond to the serious problems of sending this info in plaintext, creating a massive security hole for private information.
While Adobe has told some that it is working on an update to “address” the issue of transmitting the data in plaintext, it’s a bit late in the process to be recognizing that’s an issue. The Ars Technica article notes that this may, in fact, violate New Jersey’s Reader Privacy Act. EFF wonders about the similar California Reader Privacy Act and whether or not Adobe’s efforts here completely undermine that law.
Since Adobe’s Digital Editions are commonly used by libraries (my local library uses it, which I’ve used to take out ebooks), it really raises some serious questions for those libraries. Librarians have a history of strongly standing up for the protection of reader privacy. In fact, for all the talk we’ve had recently about Section 215 of the PATRIOT Act and how the NSA abuses it, when it was first passed, the people who protested the loudest were the librarians, who feared that it would be used to collect records on what books people were reading! Some people even referred to it as the “library records” provision (even though it was eventually twisted into much more).
And yet, here we are, a decade or so later, and Adobe has completely undermined this kind of trust and privacy which libraries pride themselves on. And, even worse, it’s all in the name of some crappy DRM that publishers demand. Librarians and readers should be up in arms over this, and looking for alternatives. Adobe should stop with the bullshit crisis PR response and admit that they screwed up and that the product needs to change to better protect the privacy of individuals and their reading habits.
Filed Under: copyright, digital reader, drm, ebooks, encryption, libraries, privacy, snooping
Companies: adobe
Comments on “Adobe's Half-Assed Response To Spying On All Your eBooks”
Good, it’s within my right NOT to use their software as well. So they can keep their stupid DRM to themselves and we are all good. And if needed there are plenty of ways to circumvent said DRM.
Piracy: letting you choose what to do, where to do and when to do whatever you want with your legally-bought, drm-ridden content.
All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers.
“solely for purposes such as”? What does that mean? Isn’t that a bit like saying “up to 50% off and more”? They have given us two reasons and left it open to AS MANY MORE REASONS AS THEY WANT. Nice.
Not to mention, I don’t care why you are f***ing me, I care THAT you are f***ing me.
Re: Re:
Yes, the “such as” implies that this is a non-exhaustive list. It’s used for those purposes, plus a variety of other unlisted purposes as well.
Also, note that they are going to take care of the encryption issue, which only means we REALLY won’t know what all kinds of information they are sending home. I’m starting to fail to see how this is better.
Re: Re: Re:
To be fair, sending the data encrypted would mean that only Adobe and the people they choose to share it with get the data, rather than anyone with a packet sniffer. That is clearly an improvement (assuming they don’t just stick it on their website).
Re: Re: Re: Re:
” sending the data encrypted would mean that only Adobe and the people they choose to share it with get the data “
And so without any oversight at all they could snarf up the entire listing of connected devices, plus any content they choose, and send them encrypted so that no-one will be able to verify whether they do what they say they do.
Re: Re: Re:2 Re:
Right. But that’s still better than all those people PLUS anyone with a packet sniffer having access to that data, which was the point I was making.
“better than the status quo” is not the same as “acceptable”.
This is seriously focusing on the wrong issues. The only problem with this – and I say this as a MAJOR critic of basically all of Adobe’s past and present business practices – is that the data is sent in plaintext. Sending the data itself serves a really obvious purpose. Amazon does this as well, it’s a feature not a bug. It’s actually pretty great to be able to read a book on my tablet in bed or wherever and then keep reading it at the same point I left off on my smartphone later in the cafeteria.
…Okay, who am I kidding. When I say “cafeteria” I mean “on the toilet.”
Re: Re:
That’s not the only problem. The other serious problem was that Adobe didn’t tell anyone that the data was being collected, what data is being collected, and why.
“it’s a feature not a bug”
Well, since it’s intentional, it’s technically a feature. However, in terms of effect, I consider it a bug of the showstopper variety. If it were a feature, it would be op-in, not silently always on.
Re: Re:
Is it worth the invasion of privacy involved, like feeding your reading habits straight to the NSA?
Re: Re:
Re: Re: Re:
“There is no reason reading behavior should be tracked.”
As someone pointed out (somewhere..) some licensing deals relate payment to number of pages read. I am going to guess that knowing which pages is possibly used to allow publishers to see which pages are most popular/least popular and they could make a case for knowing which parts of a book are least popular might help them improve it (eg custom produced textbooks) (all statistics aggregated and anonymous). Which arguably has some merit if informed consent is given.
Re: Re: Re: Re:
Informed consent are key words here. I suspect that the outrage over what Adobe’s done would be a bit more muted if they had actually told people what they were doing before they started using the software.
Re: Re:
that feature only applies to content you are using the app to read. According to the research it is gobbling up all kinds of other non-related data and phoning home.
That’s why this is bullshit.
Hey, hey, relax. Adobe is only spying on everything you do, not everything you could do! Just think, they could totally have their program go through your entire hard drive and collect information on everything in it to facilitate more comprehensive anti-piracy measures (not Adobe (TM) DRM’d? You’d best prove you ain’t pirating!) instead, so isn’t this current solution much better?
Oh, and don’t worry, as they’ve only talked about hypothetical examples (“purposes such as”), they can leave the door open to discussing deals with advertis *cough* partners to put … uhh … consumer-relevant information on a convenient sidebar. This will obviously benefit consumers since they’ll get to learn about additional goods while enjoying their book.
…Time to file a lawsuit, methinks.
Re: Re:
Based on what? I don’t see any grounds for a successful lawsuit here. A better response is to just avoid Adobe like the plague.
Re: Re: Re:
Didn’t you read the article? They may be violating New Jersey’s reader privacy law.
Also, many libraries’ digital collections contain Adobe DRM protected works. If your library were sending your reading habits to a third party, would your solution be “avoid the public library like the plague”?
Re: Re: Re: Re:
“Didn’t you read the article?”
Missed that. My bad.
“If your library were sending your reading habits to a third party, would your solution be “avoid the public library like the plague”?”
No, that’s just silly. Why throw the baby out with the bathwater? Personally, I’d just remove the DRM and use a different reader. Or, if I couldn’t do that for some reason, I’d simply not check out those digital works.
Re: Re: Re:2 Re:
But that’s the key issue – the public libraries are only being permitted to use ADE-equipped books.
So, yeah, I think it’s time for a lawsuit.
Re: Re: Re:3 Re:
“the public libraries are only being permitted to use ADE-equipped books.”
Not true. Libraries can continue to to have actual, physical books. Those are DRM-free. As I said, my response would be to break the DRM and, failing that, to avoid checking out digital books. Admittedly, not a huge change for me since I’ve never “checked out” a digital book from the library anyway.
Re: Re: Re:4 Re:
I guess as long as it doesn’t impact you, it isn’t worth complaining about.
Unlike you, the only books I’ve checked out of the library in the past two years are ebooks.
Re: Re: Re:5 Re:
“I guess as long as it doesn’t impact you, it isn’t worth complaining about.”
Please show me where I’ve said anything remotely close to this.
Re: Re: Re:4 Game theory?
As digital distribution becomes the standard, I foresee a good deal of titles that will never be in print, or printed in such low quantities it will be hard to get a hold of in physical form.
Just because a relative few currently have the ability unshackle themselves from the current restrictions doesn’t mean the masses who lack that capacity deserve to suffer for that lack of knowledge/ability.
The attitude of “It’s ok if I support companies that utilize DRM because I know where to find the information to break the current set of locks” is ultimately self-defeating.
Re: Re: Re:5 Game theory?
“The attitude of “It’s ok if I support companies that utilize DRM because I know where to find the information to break the current set of locks” is ultimately self-defeating.”
I never said it was OK. I said it’s not a battle I choose to fight right now. I can’t fight them all at the same time, after all.
Re: Re: Re:2
I do in fact avoid the public library like the plague exactly for that reason. Ever since they started keeping records FOREVER without any possibility for the patron to erase or even see them.
No reason to worry… Adobe is just collecting business records… (that are now collectible by the NSA).
As other have pointed out, it’s time to start renaming your ebooks with file names like:
“William Shakespeare – Hamlet) ; DROP TABLE Books ; –.epub”
DRM...?
Note that the page-by-page data collected has no info related to licensing:
“msg_NavigatedToPage”: {
“Navigated To Page”: {
“atTime”:1412619383042,
“PageNumber”:8,
“TotalPages”:9}}},
Also:
{“atTime”:1412619397026,”userID”:””,”operatorURL”:””,”licenseURL”:””,”distributorID”:””,”resourceID”:””,”fulfillmentID”:””}}},
{“msg_DocumentScanned”:{“Document Scanned”:{“atTime”:1412619397026,”Title”:”Getting Started with Adobe Digital Editions 4.0″,”Creator”:”Adobe Systems Incorporated”,”Subject”:”Getting Started”,”Description”:””,”Publisher”:”Adobe Systems Incorporated”,”Contributor”:””,”Date”:”2012-06-05T07:00:00+00:00″,”Language”:”en”,”Format”:””,”Type”:””,”Identifier”:””,”Source”:””,”Relation”:””,”Coverage”:””,”Rights”:””}}},
Contains no identifying information or anything that could prove that the owner purchased the book, unless the author removed values for userID, licenseURL, etc, because those fields are blank. Not that it would matter, because it’s all sent in the clear, anyone could just spoof it.
✤ Many years ago, Adobe was voted the most easily hacked software. Not just one year but for consecutive years.
✤ According to Fox 31 news and CBS, 33 million Adobe user credentials were stolen. The hack went on to effect other places such as Facebook, leaving many security sites to recommend a changing of passwords once it was patched.
✤ Adobe’s source code was hacked into and stolen.
✤ One of the easiest ways to obtain passwords was by third party data passage without encryption, still part of the problem with Adobe software after all these years.
✤ Many security sites were recommending that removal of Adobe software was needed for your computer and on line security.
This has been going on for many years. I long ago gave up on Abode as being anything but an invitation to be hacked if it was on your computer. So all this ‘in the clear’ is not something new nor something just revealed. It is their method of operation and has been for ages. This is why data being passed in the clear is such an issue.
PUBLIC SERVICE ANNOUNCEMENT
People:
Privacy policies do not protect the consumer. They protect the company.
Re: PUBLIC SERVICE ANNOUNCEMENT
It’s always the case that contracts are written, first and foremost, to protect the interests of the contract author.
There is a legal theory that contract ambiguities should be resolved in favor of the party who did not write the contract, but this is a) risky to rely on and 2) no help if there is no ambiguity.
I’ve been looking for an alternative for seven years now, and the alternative is: let’s call a spade a spade. Give DRM a legal status to match reality: it’s a hacking tool, nothing but malware, and creating and distributing it should be subject to the exact same legal restrictions as viruses, trojans, etc.
Besides DRM, the potential for this kind of thing is one of the reasons i’ve never borrowed an ebook from my library. As soon as a third party is involved, all trust and accountability goes out the window.
DRM urgently needs to abolished in public libraries. Publishers should never have been allowed to have this much control over a public resource.
NJ Privacy laws
The NJ “Reader Privacy Act” is not law yet, as far as I can tell. I think it’s badly drafted.
http://go-to-hellman.blogspot.com/2014/09/online-bookstores-to-face-stringent.html
http://go-to-hellman.blogspot.com/2014/09/emergency-governor-christie-could-turn.html
Nonetheless, there are library records privacy laws in place in NJ that should apply.
EFF is misleading; I don’t think the California Reader Privacy Act applies to this case, though the CA library records privacy law Cal Gov Code § 6267 should make this illegal.
And this is why I’ve been avoiding Adobe like Ebola for a long long time.
Shotty software, always bad PR, inflated prices for certain countries, etc. Why haven’t they been on the Consumerist list for Corst Company in America yet? They’d be a good contender.
Years ago I was mad that Flash was being killed on mobile. Adobe took a hit with that. Now I look at Adobe and am glad they are where they are. Their DRM has always sucked, and they obviously don’t care. They seem to have the corporate mentality of Electronic Arts.
If anything, this should make people hate privacy policies, it should make people read them, and it should make people really think twice about using programs they would guess have no reason to, “phone home”.
Thank you for using our cable tv box
we’re not going to tell you that it is going to run through your house at night while you sleep and indescriminately index everything you own and then phone it back to us later.
Ars Technica is a biased, agenda driven shit-rag. Please stop using them as a source. Evidence can be found in their biased, agenda driven writing concerning the GamerGate consumer movement which they continue to insist, in wide generalizations is about misogyny. If they cannot even be bothered with understanding a somewhat complex story such as GamerGate, how can they possibly understand any other subject that has a whiff of complexity?
Privacy is just so 19th century.
That is why I prefer hard cover books.
Well I’m glad that when I use windows, which is about 1/4 of the time I boot my desktop, I’ve been using Foxit Reader. No I do not work for Foxit Corp but not only is it a super lightweight reader, it is very safe (it’s in a “safe mode” by default when you install it so that harmful pdf files are left in a sandbox.
I’ve been removing Adobe PDF Reader and installing Foxit on other’s computers since a long time too, over 9 years. I think it’s obvious that Adobe is a useless company, Premiere? I’ll take Avidemux/Handbrake even Transmaggedon instead. Virtualdub and its forks can also work with all recent codecs. You got to be a fool or forced into it by a school to buy Adobe products.
Re: Re:
Recent versions of Foxit Reader seem to be bloated and adware-infested (see e.g. AlternativeTo comments).
I’d suggest using an older version (you can get them from OldApps.com).
Personally, I’m still on v3.0 from 2008. The installer is one tenth the size of the newest version (3.7 vs 36 MB), and there are no ads or extraneous crap. Just a fast, simple, lightweight PDF reader.
Avoid tracking, avoid Adobe and other proprietary software. Use free and open-source software.
It’s amazing how ppl still use Adobe software, from time to time of its screw up, major!
I’ve been avoiding it all along, it’s an unfortunate fact that it acquired Macromedia and screwed up all its product, including Flash. But then, I only allow Flash on youtube…
mates, search for alternatives!