Sophos Cloud Optix
Adobe has published an update to its cryptographically-challenged Digital Editions 4 e-reader software.
Digital Editions lets you read eBooks, but thanks to the exigencies of Digital Rights Management (DRM), it also keeps track of a fair chunk of information about your reading habits.
If an eBook makes use of DRM, for example to charge you for reading it, then Adobe collects the following information, amongst other fields:
- User GUID. A number unique to your username.
- Device GUID. A number unique to your device.
- Certified App ID. A number unique to Adobe Digital Editions.
- IP number. The IP number used by your device or network.
- Time spent reading.
- Percentage of eBook Read.
- Metadata of eBook. E.g. ISBN, title, author.
We shan’t dig too deeply here into whether it really ought to be Adobe’s business how many pages you’ve turned or how fast you can read.
Some eBook publishers apparently use time-to-read and how many pages you’ve actually looked at as metrics to decide how much to charge you.
So Adobe and other DRM-capable e-reader vendors need to support those charging systems, and that’s that.
In theory you can avoid this data collection altogether by sticking to eBooks that don’t use DRM; but in practice that may be hard to do all the time.
For example, there may be books you need to consult for research purposes that are only available in DRM-protected form, meaning that from time to time, your DRM-free lifestyle may end up with dents in it.
That’s not the end of the world, provided that the DRM-related metadata about your reading progress is treated with respect for your privacy.
→ You may be thinking, “But surely it doesn’t matter what you read, and when, and who knows it?” Indeed, it shouldn’t matter, and in democratic countries with a tradition of free speech and tolerance, perhaps it doesn’t. On the other hand, if it genuinely doesn’t matter what you read, then it’s not important to keep track of your reading, is it?
Adobe didn’t seem to agree about the privacy aspects, at least in Version 4.0 of Digital Editions: when the software called home with your reading habits, it used plain old HTTP.
That made things easier for snoopers, of both the legal and the illegal sort.
Loosely speaking, HTTP traffic is an unencrypted free-for-all all the way from your computer or mobile device to the web server at the other end, and back.
The difference between HTTP and HTTPS is like the difference between open Wi-Fi and WPA-encrypted Wi-Fi.
The latter isn’t impermeable to surveillance, but enjoys some protection along the way; the former is utterly unprotected, and can effectively be sniffed and recorded by anyone who happens to be in the right place.
So, to cut a long story short, Adobe Digital Editions 4.0.1 now uses HTTPS when it reports your reading progress to Adobe’s cloud.
Adobe rather proudly describes the update as offering:
Enhanced security for transmitting rights management and licensing validation information.
Privacy activists will be pleased, although cynics will quibble with the use of the word “enhanced” in that sentence.
A better choice of words might have been to say that rights management and licensing validation information “is no longer transmitted insecurely.”
Nevertheless, it’s a useful and important update, and therefore recommended.
“if it genuinely doesn’t matter what you read, then it’s not important to keep track of your reading, is it?”
If I am reading in the privacy (I hope) of my home, do I then have to inform the ereader when I take a break if I have gone to the toilet, for a smoke, to open the door for a visitor…?
The system (companies? governments?…) want us to use the ebooks same as real books, so to pay the same price (even if no printing is done, saving there quite a lot of money), not being able to keep it if we lend it to a friend, etc.. however they want to use the new technology to do things they could not do before (if I borrow a physical book from a library the most they can know is when I took it and when I returned it, so why shouldn’t it be the same if I borrow an ebook?)
“We shan’t dig to deeply here…”
Should be “too deeply”.
Otherwise, good article (-:
Good spot! Fixed now, thanks 🙂
Because of the security scares about DE4, we’ve stayed with v3. So is it now safer to use DE4? Perhaps, but still need convincing that it is not tracking users in a way that is unwarranted and insecure. Using HTTPS helps but doesn’t stop the tracking data that many consider an intrusion.