Adobe will update e-reader to mop up clear-text data spillage

Adobe logoAdobe is working on an update to fix the latest iteration of its e-book reader, which has a gluttonous appetite for readers’ data and the slovenly habit of reporting our reading habits back to Adobe – in plain text.

As The Digital Reader’s Nate Hoffelder first reported on Monday and Ars Technica confirmed, Adobe’s Digital Editions 4 (DE4) e-book app/PDF reader, which is used by thousands of libraries to enable patrons to borrow e-books, actively logs and reports every document that readers add to their devices’ libraries, along with what users do with the files – down to the number of pages they manage to read.

Of course, uploading data about how far a reader’s gotten is integral to synching devices to the furthest point read.

But DE4’s a security and privacy danger because the app sends logs over the internet in plain text, clearly readable by anybody who’s monitoring network traffic to see what users are reading.

As Ars’s Sean Gallagher points out, that can include ISPs, cable companies, people sharing a Wi-Fi network, or the National Security Agency (NSA).

Adobe isn’t the first company to pull the plain text blunder, that’s for sure.

Last November, it emerged that LG, for one, was guilty of doing that with Smart TV data.

A UK blogger discovered in November that his TV was sending data about his family’s viewing habits back to the South Korean manufacturer – again, in plain text.

Adobe responded on Tuesday, admitting that yes, DE4 does track users’ activities, but no, it doesn’t scrape a user’s library or flip through libraries in other readers on a given device, as Hoffelder had wondered might be happening.

This is the statement Adobe put out on the issue:

Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices - whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers. Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy.

Adobe says this is the content DE4 collects:

  • User ID: The user ID is collected to authenticate the user.
  • Device ID: The device ID is collected for digital right management (DRM) purposes since publishers typically restrict the number of devices an eBook or digital publication can be read on.
  • Certified App ID: The Certified App ID is collected as part of the DRM workflow to ensure that only certified apps can render a book, reducing DRM hacks and compromised DRM implementations.
  • Device IP: The device IP is collected to determine the broad geo-location, since publishers have different pricing models in place depending on the location of the reader purchasing a given eBook or digital publication.
  • Duration for Which the Book was Read: This information is collected to facilitate limited or metered pricing models where publishers or distributors charge readers based on the duration a book is read. For example, a reader may borrow a book for a period of 30 days. While some publishers/distributers charge for 30-days from the date of the download, others follow a metered pricing model and charge for the actual time the book is read.
  • Percentage of the Book Read: This information is collected to allow publishers to implement subscription models where they can charge based on the percentage of the book read. For example, some publishers charge only a percentage of the full price if only a certain percentage of the book is read.
  • Additionally, the following data is provided by the publisher as part of the actual license and DRM for the eBook:
    • Date of Purchase/Download
    • Distributor ID and Adobe Content Server Operator URL
    • Metadata of the Book provided by Publisher (including title, author, publisher list price, ISBN number)

While the transmission of such data might well be, in most/many cases, part of licensing and Adobe’s Digital Rights Management (DRM) efforts, transmitting them in plain text violates many library systems’ privacy policies.

In addition, unencrypted transmission of reader data, paired with the fact that Adobe’s terms of service don’t address the collection of that data, may be in violation of the law, such as the recently passed Reader Privacy Act in New Jersey – Ars reports.

Adobe said in an email that it’s working on a fix for the security hole, but it didn’t give a timeline on when we’ll see it:

In terms of the transmission of the data collected, Adobe is in the process of working on an update to address this issue. We will notify you when a date for this update has been determined.