Adobe updates its e-reader – DRM data no longer transmitted insecurely

Adobe has published an update to its cryptographically-challenged Digital Editions 4 e-reader software.

Digital Editions lets you read eBooks, but thanks to the exigencies of Digital Rights Management (DRM), it also keeps track of a fair chunk of information about your reading habits.

If an eBook makes use of DRM, for example to charge you for reading it, then Adobe collects the following information, amongst other fields:

  • User GUID. A number unique to your username.
  • Device GUID. A number unique to your device.
  • Certified App ID. A number unique to Adobe Digital Editions.
  • IP number. The IP number used by your device or network.
  • Time spent reading.
  • Percentage of eBook Read.
  • Metadata of eBook. E.g. ISBN, title, author.

We shan’t dig too deeply here into whether it really ought to be Adobe’s business how many pages you’ve turned or how fast you can read.

Some eBook publishers apparently use time-to-read and how many pages you’ve actually looked at as metrics to decide how much to charge you.

So Adobe and other DRM-capable e-reader vendors need to support those charging systems, and that’s that.

In theory you can avoid this data collection altogether by sticking to eBooks that don’t use DRM; but in practice that may be hard to do all the time.

For example, there may be books you need to consult for research purposes that are only available in DRM-protected form, meaning that from time to time, your DRM-free lifestyle may end up with dents in it.

That’s not the end of the world, provided that the DRM-related metadata about your reading progress is treated with respect for your privacy.

→ You may be thinking, “But surely it doesn’t matter what you read, and when, and who knows it?” Indeed, it shouldn’t matter, and in democratic countries with a tradition of free speech and tolerance, perhaps it doesn’t. On the other hand, if it genuinely doesn’t matter what you read, then it’s not important to keep track of your reading, is it?

Adobe didn’t seem to agree about the privacy aspects, at least in Version 4.0 of Digital Editions: when the software called home with your reading habits, it used plain old HTTP.

That made things easier for snoopers, of both the legal and the illegal sort.

Loosely speaking, HTTP traffic is an unencrypted free-for-all all the way from your computer or mobile device to the web server at the other end, and back.

The difference between HTTP and HTTPS is like the difference between open Wi-Fi and WPA-encrypted Wi-Fi.

The latter isn’t impermeable to surveillance, but enjoys some protection along the way; the former is utterly unprotected, and can effectively be sniffed and recorded by anyone who happens to be in the right place.

So, to cut a long story short, Adobe Digital Editions 4.0.1 now uses HTTPS when it reports your reading progress to Adobe’s cloud.

Adobe rather proudly describes the update as offering:

“Enhanced security for transmitting rights management and licensing validation information.”

Privacy activists will be pleased, although cynics will quibble with the use of the word “enhanced” in that sentence.

A better choice of words might have been to say that rights management and licensing validation information “is no longer transmitted insecurely.”

Nevertheless, it’s a useful and important update, and therefore recommended.