Adobe is Spying on Users, Collecting Data on Their eBook Libraries

Adobe has just given us a graphic demonstration of how not to handle security and privacy issues.

A hacker acquaintance of mine has tipped me to a huge security and privacy violation on the part of Adobe. That anonymous acquaintance was examining Adobe's DRM for educational purposes when they noticed that Digital Editions 4, the newest version of Adobe's Epub app, seemed to be sending an awful lot of data to Adobe's servers.

My source told me, and I can confirm, that Adobe is tracking users in the app and uploading the data to their servers. (Adobe was contacted in advance of publication, but declined to respond.) Edit: Adobe responded Tuesday night.

Update Timeline

And just to be clear, I have seen this happen, and I can also tell you that Benjamin Daniel Mussler, the security researcher who found the security hole on Amazon.com, has also tested this at my request and saw it with his own eyes.

Adobe is gathering data on the ebooks that have been opened, which pages were read, and in what order. All of this data, including the title, publisher, and other metadata for the book is being sent to Adobe's server in clear text.

I am not joking; Adobe is not only logging what users are doing, they're also sending those logs to their servers in such a way that anyone running one of the servers in between can listen in and know everything.

But wait, there's more.

Adobe isn't just tracking what users are doing in DE4; this app was also scanning my computer, gathering the metadata from all of the ebooks sitting on my hard disk, and uploading that data to Adobe's servers.

In. Plain. Text.

And just to be clear, this includes not just ebooks I opened in DE4, but also ebooks I store in calibre and every Epub ebook I happen to have sitting on my hard disk.

Update: Further testing has revealed that the files being scanned were actually on my ereader, not my HD. I had not used ADE to load the files on to the ereader, and yet the app scanned them, made a list, and uploaded the list to Adobe.

And just to show that I am neither exaggerating nor on drugs, here is proof.

The first file proves that Adobe is tracking users in the app, while the second one shows that Adobe is indexing my ebook collection.

The above two files were generated using data collected by an app called Wireshark. This nifty little app can be used to log all of the information that is sent or received by your computer over a network. Mussler and I both saw that data was being sent to 192.150.16.235, one of Adobe's IP addresses. Wireshark logged all of the data sent to Adobe, and on request spat out the text files.


This is a privacy and security breach so big that I am still trying to wrap my head around the technical aspects, much less the legal aspects.

On a technical level, this kind of mistake is not new. Numerous apps have been caught sending data in clear text, and others have been caught scraping data without permission (email address books, for example). What's more, LG was caught in a very similar privacy violation last November when one of their Smart TVs was shown to be uploading metadata from a user's private files to LG's servers - and like Adobe, that data was sent in clear text.

I am sharing these details not to excuse or justify Adobe, but to show you that this was a massively boneheaded stupid mistake that Adobe would have seen coming had they had the brains of a goldfish.

As for the legal aspects, I am still unsure of just how many privacy laws have been violated. Most states have privacy laws about library books, so if this app was installed in a library or used with a library ebook then those laws may have been violated. What's more, Adobe may have also violated the data protection sections of FERPA, the Family Educational Rights and Privacy Act, and similar laws passed by states like California. (I'm going to have to let a lawyer answer that.)

And then there are the European privacy laws, some of which make US laws look lax.

Speaking of Europe, the Frankfurt Book Fair is coming up later this week. Adobe will be exhibiting at the trade show, and something tells me they will not be having a nice trip. (I for one hope that the senior management is detained for questioning.)

In any case, I would highly recommend that users avoid running Adobe's apps for the near future - ever again, for that matter. Luckily for us there are alternatives.

Rather than use Adobe DE 4, I would suggest using an app provided by Amazon, Google, Apple, or Kobo. Amazon uses the Kindle format, and each of the last three ebook platforms uses their own unique DRM and Epub (-ish) file format inside their apps. (While Google and Kobo will let you download an ebook which can be read in Adobe DE, that DRM is not used internally by either Kobo or Google.)

None of those four platforms is susceptible to Adobe's security hole.

Of course, I can't say for sure whether those platforms are more secure and private than Adobe's, but I'm sure they will be made more secure in the next few weeks.

images by arturodonateukCWCS

About Nate Hoffelder (11590 Articles)
Nate Hoffelder is the founder and editor of The Digital Reader:"I've been into reading ebooks since forever, but I only got my first ereader in July 2007. Everything quickly spiraled out of control from there. Before I started this blog in January 2010 I covered ebooks, ebook readers, and digital publishing for about 2 years as a part of MobileRead Forums. It's a great community, and being a member is a joy. But I thought I could make something out of how I covered the news for MobileRead, so I started this blog."

78 Comments on Adobe is Spying on Users, Collecting Data on Their eBook Libraries

  1. So, it only looks at epubs?
    So it targets Kobo, Google, and Nook, but not Amazon?

    Heh.

    “Kahn!!!!”

  2. Nasty thought: are they looking for “disinfected” versions of DRM’ed ebooks?

    • I’m not really a tinfoil hat guy but that thought occurred to me as well. There’s absolutely no reason for any program to sift through your computer, especially since permission wasn’t asked. I didn’t have a particularly high opinion of Adobe but this caper has lowered it quite a bit more.

      “Adobe DE 4, special SW version! Spyware from a company you (don’t) trust!”

  3. Is it only in Adobe DE 4 or can we see the same thing with earlier version of the software?

  4. That said, I guess all ebooks sellers are “spying” on their users somehow. They all collect data of what we read. But maybe it’s more “secure”.

  5. The only way to avoid is not to buy DRM infested content.

    • Except Adobe was indexing my DRM-free content as well.

      • Yes but you would not have the Adobe Digital Editions on your system if it wasn’t for their DRM.

        • That’s not true. On Mac, there are only a few good ePub readers and Adobe Digital Editions was one of them. I installed it just to proof my ePubs before uploading to B&N, Kobo, etc., not because I had to read something that had DRM on it. Now I have deleted ADE, and I guess I’ll use the iBooks app for the time being.

          • Actually, did you know iBooks on OSX (since Mavericks) can read arbitrary ePub files? I use it all the time despite never purchasing a single ePub from Apple. It’s my favorite OSX ePub reader.

          • Have you tried Calibre yet? It’s an ebook management platform that can let you read ebooks in many formats as well as convert many formats to many other formats.

            http://calibre-ebook.com/about

          • I just use iBooks for proofing now. I use Calibre sometimes to convert files, but I find it frustrating as a user with the way it stores file both inputted and outputted.

          • @wrecks I use calibre probably more than any other single program except my browser, but you still have to use Adobe if you buy DRM books. Nate’s pushing Google and Kobo, but even IF you use Kobo, you use ADE internally (perhaps not with the same “features”, but the software — RMSDK — is purchased from Adobe), and I don’t like using either of those in ways that tie me to a platform or vendor. So I download to ADE, and then sideload to my ereader.

            I’m a bit surprised that there are people here using ADE 2, still, as mine stopped working (would no longer get a valid authentication from their server) and I was forced to upgrade to ADE 3. So one day, I expect something similar will force me to move to ADE4.

            Telling people not to buy DRM books is not a solution: as long as publishers use DRM, not buying DRM books is letting them choose my reading (there aren’t many books that are legally available in both a DRM and non-DRM format). We have to campaign to force them to stop using DRM: preferably by educating authors and agents to stop agreeing to publishing contracts that insist on it.

          • I was only pushing Kobo because many readers will want ebooks that only come with DRM. I myself strip the DRM.

            “even IF you use Kobo, you use ADE internally”

            Not really, no. I have been told by a several expert Kobo users that they have 2 rendering engines, one for their own content and one for external Epubs.

          • Kobo’s kepubs use a different rendering engine, but they’re still using Adobe’s RMSDK afaik — which, to be fair, isn’t invading our privacy like ADE4, but still means you’re encumbered by DRM and Adobe’s got their hands on your data.

          • @derek

            Doesn’t kePub use kobo’s own DRM if necessary?

            (Because yeah, Kobo manages two formats and two DRM schemes)

  6. ADE 3.0 is still available on their website. I wonder if that version collects the same info.

  7. So what are we supposed to do about .acsm files from our local Libraries? It’s unreal that ADE is the *only* software available for checking books out. UG.

    • A few users further up say that ADE2 & possibly ADE3 don’t have this problem, and that you can still download these older versions from the adobe website – as long as you make sure you use the old versions, you and other students should be okay.

      I suggest letting your local libraries know, though, because librarians can be very militant about user privacy and they’ll be well placed to advise or kick up a stink.

  8. From my own experimentation, it looks like the best way to thwart this in the short-term is by editing the hosts file and directing adelogs.adobe.com to either 0.0.0.0 or 127.0.0.1. I hope we can expect Adobe to address this issue quickly. I sent them an e-mail about my own concerns a little while ago.

    • Wouldn’t that also tend to block the DRM authentication? It might render ADE4 unusable.

      • No, that’s just the logging server. The licensing server is separate, and fortunately they do communicate with that one over an encrypted connection.

        Perhaps this lovely snooping feature was designed to facilitate syncing bookmarks and notes between multiple devices, but if so Adobe never bothered to ask my permission first. Apart from debugging code inadvertently shipped with the final release, that’s the only innocuous use I can think of.

        I reinstalled ADE to read the terms, and I can’t find any place such behavior is consented to. Unfortunately I do need ADE 4 installed for the work I do, so for now blocking the connection to the logging server will have to suffice.

        • * “innocuous” in the sense of providing value to some users. Syncing isn’t something I would need or consent to. I expect a company to make clear what data they are collecting and why, and when transmitting approved data to handle it responsibly, not send it in clear text like this.

        • The way they would be logging bookmarks in this particular case (at X page turn, location Y. at Z, page turn, location A… instead of at last use, location X). Either it is incompetence* or something quite different.

          * Could be incompetence. After all, ADE is developed in India on a tiny budget and it seems they are out-sourcing in China (could) and Romania (is for sure).

  9. Congratulations for the scoop Nate.
    Looks like your soapbox got a little taller overnight 😉

  10. Maybe you made a typo of some sort. An IP address starting with 192 is an unroutable, i.e. local (on your computer) IP address. But it could be of course that the information is gathered first on your computer and then sent to Adobe.
    My guess is that it’s a debugging remnant, left by one of Adobe’s programmers.

    • I don’t think that’s true. If you look up that IP address on the web you’ll see that it belongs to Adobe. It’s clearly labeled.

    • 192.168.x.x is unroutable.

      • Correct. It’s only the 192.168.0.0/24 subnet that’s for local addresses, not the entire 192.0.0.0/36 subnet.

        • Thanks. This would explain why several of my routers offered an access page in that subnet, right?

        • Well strictly speaking 192.0.2.0/24 is also unroutable.

          If you look at Adobe’s AS (Autonomous System) they have a number of subnets – http://bgp.he.net/AS44786#_prefixes

          I did some other digging and it looks like Adobe has had this domain also resolve to 193.104.215.99 – that looks to be Adobe Europe in Ireland. I’m guessing that’s classic geographical routing to the closest IP so that European data doesn’t leave Europe.
          Interestingly I did a quick check from Japan and it looks like I have a 50% chance of going to Europe or the US.

          In both cases adelogs.adobe.com is CNAMEd to adelogs.wip4.adobe.com and that is the FQDN that can resolve to one of the two IPs.

          Someone upthread worried that blocking “adelogs.adobe.com” would block some of the DRM activation bits of ADE. As far as I can tell from a cursory scan this is unlikely to be the case. Adobe also has hosts like “activate.adobe.com” which seems more likely to be the activation server. Since there is also “update.adobe.com” and “download.adobe.com” and so on, I think adelogs really is just a logging server.

          If you do want to block all of Adobe then *.wip4.adobe.com would probably work wonders, but I suspect that really WILL break anything you have from Adobe that tries to call home, including, say, flash for update checking.

          • According to ARIN:

            “Addresses starting with “192.0.2.”, “198.51.100.”, or “203.0.113.” are reserved for use in documentation and sample configurations. They should never be used in a live network configuration. No one has permission to use these addresses on the Internet.”

            192.0.2.0/24 is reserved for documentation and examples and ARIN tells network operators that they SHOULD block those addresses in their routers, not MUST. The comment from ARIN ends with:

            “These blocks are not for local use, and the filters may be used in both local and public contexts.”

        • Your subnet mask isn’t quite right. 192.168.0.0/16 isn’t publicly routed. In other words, 192.168.anything.anything is a private address.

          192.anything except 168.anything.anything is, by convention, a public address.
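An added example, not from the post or from any commenter, that puts the thread's two practical points into code: which 192.x addresses are actually unroutable (the RFC 1918 private ranges and the RFC 5737 documentation ranges quoted above, not all of 192.0.0.0/8), and how to check whether a hosts file sinks the adelogs.adobe.com logging host the way comment 8 suggests. The sample hosts-file text and the list of captured destination addresses are constructed for the example.

```python
import ipaddress

# Standard ranges from the RFCs the thread cites; 192.150.16.235 and
# 193.104.215.99 (the two Adobe addresses quoted above) fall in none of them.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC5737 = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
SINKHOLES = ("0.0.0.0", "127.0.0.1")


def classify_address(text):
    """Label an IPv4 address the way the thread argues it should be labelled."""
    addr = ipaddress.ip_address(text)
    if addr in LOOPBACK:
        return "loopback"
    if any(addr in net for net in RFC5737):
        return "documentation (RFC 5737, never routed)"
    if any(addr in net for net in RFC1918):
        return "private (RFC 1918, not publicly routed)"
    return "public"


def flag_external_destinations(destinations):
    """From a list of destination addresses seen in a capture (e.g. Wireshark's
    'Statistics > Conversations' export), keep only those that leave the LAN."""
    return [ip for ip in destinations if classify_address(ip) == "public"]


def hosts_block_line(hostname):
    """The line comment 8 proposes adding to the hosts file."""
    return f"0.0.0.0 {hostname}"


def hosts_sinks(hosts_text, hostname):
    """True if the hosts file text maps hostname to 0.0.0.0 or 127.0.0.1.
    Comments (#...) are stripped; each line is 'address name [name ...]'."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        names = [f.lower() for f in fields[1:]]
        if hostname.lower() in names and fields[0] in SINKHOLES:
            return True
    return False


if __name__ == "__main__":
    # Constructed capture summary: two LAN peers plus the Adobe logging address.
    seen = ["192.168.0.10", "127.0.0.1", "192.150.16.235", "192.0.2.1"]
    for ip in seen:
        print(f"{ip:16} {classify_address(ip)}")
    print("external:", flag_external_destinations(seen))
    sample_hosts = "127.0.0.1 localhost\n" + hosts_block_line("adelogs.adobe.com") + "  # ADE logging\n"
    print("adelogs sunk:", hosts_sinks(sample_hosts, "adelogs.adobe.com"))
```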

  11. Another reason not to buy any books with DRM, ever (as this will bind you to Adobe’s platform). I will uninstall this software as soon as I’m home today, and good riddance.

  12. Adobe developers smell of wee.

  13. Companies are still thinking they can pull this sort of stunt and here they are getting caught out again. Even better is the ‘no comment’ from the supplier, I bet they will be coming out with the excuses shortly and they will be lame.

    Great work in getting to the bottom of this. In any case, another reason to buy a real book instead of drm ridden ebooks.

    • That’s silly. There are no good reasons to buy (and waste) paper. e-books are fine as long as they have no DRM and don’t need Adobe.

  14. Lennart-pottering // 7 October, 2014 at 5:41 am

    USE open-source/free software always.

    http://www.kde.org

  15. Thanks for this Nate.

    We have thousands of publisher books on our production workstations, many under non-disclosure agreements. Fortunately we have not yet rolled ADE4 out for testing (because it can’t handle inline images amongst other silly things).

    This is a timely warning of corporate irresponsibility. We will ensure our publisher production contacts are all made aware of this. From a production facility perspective this is somewhat intimidating. If someone wants to ADE4 test a book under non-disclosure it will have to be on an isolated workstation modified as Michael mentioned. For us that will become a production services sales feature!

    On a last note: It’s one thing that they are sending this private and privileged content back to their servers in clear-text, but really, their JSON sucks. If they are going to steal private information, couldn’t they do it with professional flair and sensible key names rather than this schoolboy code!

  16. Post subtitle: Or, Nate tells us what he’s reading.

    Interesting list, by the way. 😉

  17. That’s what you get for paying.

    The pirate versions don’t do that.

    • It’s not the books that are phoning home. It’s the ereader software, which is a free download, and it’s collecting data on all epubs, regardless of source, on a user’s system.

      • And, one suspects, in line with their comment about “for purposes such as license validation”, for checking whether books that shouldn’t be available without DRM exist on your system with the DRM stripped…

  18. Does Adobe have a privacy policy and is this covered? Who knows, maybe we all agreed to the tracking.

  19. Install it inside a virtual machine if you have to, with nothing else and no books at all.

  20. Okay, I’m done with Adobe then. Amazon is cheaper than Kobo anyway. Anyone know if Amazon does the same thing?

  21. Swâmi Petaramesh // 7 October, 2014 at 9:33 am

    Adobe is (unfortunately) not the only one…

    Let’s read the « licence » file displayed by my « Pocketbook Touch Lux 2 » reader (that also comes with AdobeViewer inside, that makes things a little funnier…)

    Now Go Read And Despair :

    1/ The licence comes in English, which probably makes it plain illegal here in France, coming with a “general public” device that my Grand’Ma can purchase.

    2/ It reads : « POCKETBOOK RESERVES THE RIGHT TO AMEND THE TERMS AND CONDITIONS OF THIS LICENSE FROM TIME TO TIME BY PLACING NEW EDITIONS HEREOF AT: http://www.pocketbook-int.com/legal/SLA. EACH NEW EDITION OF THE LICENSE AGREEMENT SHALL COME TO EFFECT AT THE DATE OF PLACEMENT AT THE MENTIONED WEB PAGE AND THIS IS THEREFORE RECOMMENDED THAT YOU PERIODICALLY VISIT THAT PAGE… »

    => Wow. They can change without notice the rights you have to use a hardware device that you have purchased and own? And you’d be supposed to go and check every other week? A clause that allows one party to unilaterally modify a contract after it has been “concluded” is most certainly illegal…

    3/ But the finest still is to come :

    « Information Received. The software will provide Pocketbook with data about your Pocketbook reading device and its interaction with the Service (such as available memory, up-time, log files, and signal strength). The Software will also provide Pocketbook with information related to the Digital Content on your Pocketbook reading device and Supported Devices and your use of it (such as last page read and content archiving). Information provided to Pocketbook, including annotations, bookmarks, notes, highlights, or similar markings you make using your Pocketbook reading device or Reading Application, may be stored on servers that are located outside the country in which you live. […] BY USING THE POCKETBOOK READING DEVICE YOU AUTOMATICALLY ACKNOWLEDGE AND AGREE THAT POCKETBOOK MAY COLLECT, STORE, PROCESS, TRANSMIT, PROVIDE AND/OR SELL ANY INFORMATION AVAILABLE ABOUT YOU AND THE READING DEVICE(S) THAT YOU ARE USING TO ANY THIRD PARTIES. THIS INFORMATION MAY BE USED BY POCKETBOOK AT ITS SOLE DISCRETION FOR ANY LAWFUL PURPOSES AND IN ANY MANNER OTHER THAN PROHIBITED BY APPLICABLE LAWS, WITHOUT LIMITATION.
    Pocketbook reading device and software preinstalled or subsequently installed on it provides Pocketbook with details of the Pockebook reading device used by you and certain actions performed by you on it such as: – Orientation of the Pocketbook reading device (portrait or landscape); – the language of Digital Content; – file size in bytes; – DRM type (Adobe, Pocketbook, none); – Digital Content opened for the first time or not; – the application that you use for reading; – time between the opening starts and finishes in milliseconds; – functions of keys; – the interface language; – the reading device model; – the identifier of the Pockebook reading device to establish whether data have been collected from one or different Pocketbook reading devices (not the serial number); – version of software installed;
    […] Your agreement to be bound by these Terms of Use is voluntary and implies your unconditional consent to all and any data processing conditions established herein; […] »

  22. What about apps like Bluefire and axisReader? I know that they are licensed to be compatible with Adobe DRM, but do they have this same problem?

  23. Well done bringing this to light, Nate.

    Perhaps this fuckup, coming as close as it does to the FBF, will make the big publishing houses reconsider their relationship with Adobe. After all, they’ve been laying on the whole “guardians of the enlightenment” shtick pretty thick recently as part of their fight against Amazon. It will be hard to reconcile that stance with complicity in a system that effectively hands oppressive governments the world over a list of people’s seditious reading habits.

  24. Amazon, Google, Apple and Kobo are listed here as safe(r).

    May I assume that B&N Nook devices are using some version of Adobe DRM?

  25. For the moment, I suggest following @ALALibrary and @oitp on Twitter. A couple of individuals to interact with if you have questions about the process are @ThatAndromeda and @mciszek.

    I’ll also try to remember to post a comment when a statement is released — but note that it may take a couple days or so; ALA is not always the fastest-moving of organizations.

  26. I am glad I have stayed with ADE 2.0, right now. And that I strip DRM. That said, I am seriously considering ditching ADE and going with Bluefire instead. Especially since they have just launched a Windows version.


