Adobe Responds to Reports of Their Spying, Offers Half Truths and Misleading Statements

adobe-logoThey may be a day late and a dollar short, but Adobe has finally responded to yesterday's news that they were using the Digital Editions 4 app to spy on users. Adobe hasn't addressed all of the evidence against them, but they did admit that they were gathering info from users. They won't admit to scraping my library, but they did admit to tracking a user's activities. Adobe claims that it was covered by the their privacy policy and by the TOS for the app:

Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers. Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy.

I don't know about you, but I don't see how sending a user's reading history in clear text over the web could possibly be in line with a privacy policy.

On a related note, I took some time today to read the TOS for Adobe Digital Edition 4, and I do not see where it gives them permission to track user behavior, much less upload said tracking data in the clear. What's more, I have also heard from a couple other techies who also read the TOS and were unable to find mentions of this program.

Update: Robert has pointed out in the comments the relevant section of Adobe's privacy policy, which you had to find on the Adobe website, and not the TOS I agreed to when I installed ADE 4.

I have asked Adobe for an explanation on this last issue, and I will update this post if they respond. Sadly, I don't expect that to occur; Adobe has not responded to my emails on this issue (I got this statement second-hand from Rich Bellis of DBW).

Update: I am in discussion with Adobe on this and other issues.

 

About Nate Hoffelder (11387 Articles)
Nate Hoffelder is the founder and editor of The Digital Reader: "I've been into reading ebooks since forever, but I only got my first ereader in July 2007. Everything quickly spiraled out of control from there. Before I started this blog in January 2010 I covered ebooks, ebook readers, and digital publishing for about 2 years as a part of MobileRead Forums. It's a great community, and being a member is a joy. But I thought I could make something out of how I covered the news for MobileRead, so I started this blog."

51 Comments on Adobe Responds to Reports of Their Spying, Offers Half Truths and Misleading Statements

  1. “…is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers.”

    Which does not apply at all to 99.9% of my epub files, which are DRM-free and are only ever opened in ADE for the purposes of testing compatibility.

    “Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library…”

    Um, nope. It tries to send statistics on my entire library after I open the app, right after I choose a book to open.

  2. My experience doesn’t confirm that it’s scanning my entire library, but rather what I think is happening is this: any book you’ve opened in ADE at any point is logged, and that log is added to and retransmitted. I did a test with a fresh install. Added 3 books to my library, and when I opened one, it sent* info on just that one book. Closed the app, launched again, and opened a different title. This time it sent info on both the open book and the previously opened one. Closed, launched again, and opened the third. That time it sent info on all three. Finally, I removed one of the books from the library, closed and relaunched, and upon opening one of the remaining titles, info was sent on all three, including the one no longer there.

    Is it possible in your case it never scanned your drive but was reporting the past history of books that were opened in ADE once upon a time?

    * Actually, by send my I mean tried to send, since I blocked the outgoing connection.

    • So when I say it tries to send my entire library, I mean anything I’ve opened in ADE previously. As far as I know it doesn’t include anything added to the library but never opened, or which is elsewhere on your drive but has never been read in ADE. I may be wrong though.

    • “Is it possible in your case it never scanned your drive but was reporting the past history of books that were opened in ADE once upon a time?”

      That’s just not possible. There are at least a dozen titles listed which I know without a doubt that I did not open in DE4. There is a handful from HC which I have not even opened on my computer. They sat in my download folder, and were copied to whatever device I was reading on.

      • That’s extra disturbing then. Standard Windows Downloads folder? I haven’t tried placing epubs in that folder specifically, but can do so to see if I can corroborate.

      • It may share the history with ADE 3 or even 2, did you ever have the books open in them? Did you browse to a folder in ADE4 that contained the books you never read in 4? It might be opening them to display info in its file open dialogue box.

        • Nope. I kept ADE around for much the same reason as a pro would; to check for compatibility. I didn’t use it much. And I certainly didn’t browse to my calibre folder with ADE.

          Furthermore, do you seen the HarperCollins books in the list in the other post? Those were never opened on my computer at all. I can also state with absolute certainty that the Baen titles listed were never opened in ADE – ever. The same goes for the ones bought from Fictionwise.

          • Timothy Wilhoit // 8 October, 2014 at 1:38 pm //

            If you’ve never opened those books in any version of ADE and you didn’t open a book located inside the Calibre folder, it’s a cinch the program was searching for any ePub it could find on your hard drive. That’s completely contrary to Adobe’s statement…The only books scanned were ones opened in ADE. Considering that they said they were attacking piracy, who the heck would open a pirated book with ADE? If their stated goal was fighting pirates, they won’t do any good unless they’re looking at the whole hard drive and I’m sure the Adobe folks are well aware of Calibre’s capabilities using special plugins. They might very well have programmed their app to look for it. That might be too conspiratorial, but who knows.

          • This would be a good technical explanation of how Adobe might have come to scan my HD, but it doesn’t justify the invasion of privacy. And I now have word from Adobe that they insist they didn’t scan my computer.

  3. Okay, I’m spinning up a VM to start over from scratch with a controlled environment. I’ll place epubs on the desktop, in Documents and in Downloads, load Calibre and stick a few in its library, then do another install of ADE4 and see what happens. My main folders are on a different drive than I had ADE on, because I have a small boot drive, so it’s possible it didn’t find my other stuff for that reason. If I can confirm it’s pulling info on books outside its own library, I’ll e-mail you a copy of the log.

      • Logs and report sent to your Gmail account. Couldn’t confirm scanning outside of its own library, but one of the logs does show it sending info on all 4 epubs in the test library, not just the one currently open as Adobe claims. Further logs show that ADE sends them info on what’s been deleted as well.

  4. I don’t see how sending user info in clear text over the web could possibly be in line with a privacy policy

    Can you please elaborate on what “user info” you think is being sent? As I noted in a recent comment on your original post, meta-data about books – titles, publisher, licensing info – isn’t really user info. The data you shared earlier doesn’t contain anything that would seem to qualify as “user info” (e.g. email addresses, real names, or other personally identifiable information).

    • That is a reasonable nit to pick. I’ll go rephrase.

      • BTW, this the relevent section from the Adobe privacy policy that you agree to (in section 14.1.2 of the DE4 Software licensing agreement). It allows Adobe to collect both personally identifiable and non-identifiable information.

        Not that this is a good thing, but it does mean Adobe is complying with terms that users have agreed to (but probably haven’t read.)

        • I stand corrected.

          But I still don’t see where sending the info in the clear is covered, nor sending info from other ebooks.

          • Which, BTW you have to find and read by yourself as no link is provided when you download the app. Even the licence in the installer, which is the only one you actually accept, doesn’t mention it.

            Now, it some countries, only the installer’s licence will be considered valid and the EULA + Privacy Policy (which have to be considered a whole as they mention one another quite often) will not, which means the way Adobe manages EULA + Privacy Policy is ILLEGAL—and they could be punished for that.

            And BTW2, if you do read the Privacy Policy and the EULA, you see the stuff is so vague that it covers anything happening here.

            In short, users agreed in countries where the governing body doesn’t give a damn about customers (that is to say visiting the site = accepting EULA/Privacy Policy), users could sue and win in countries where it is illegal.

            PS: KasThomas being a former Adobe employee, he is biased and EVIL to the bone. He will do anything to defend his former company.

      • Examination of one of the Wireshark logs shows that the userId key can have a non-blank value. Where does it this come from? I can’t say for sure, but I think it a reasonable guess that it might identify, to Adobe, the user account registered with their license server.

        If so, that would allow Adobe to directly associate book reading information with users. That may or may not have been the case with earlier versions of DE, as it is not clear to me how much information about an DRM ebook got communicated back to Adobe during a license transaction (as opposed to the publisher or distributor running Adobe Content Server).

        However, as far as anybody intercepting the information is concerned, that userId also provides a way to collocate reading activity. For that matter, the user’s IP address, while not of course a surefire way to identify a given individual, could help law enforcement or other determined attackers get close or all the way towards connecting a reading history with a person. And as Mihai points out, simply the combination of books may with effort be sufficient to identify a person.

        So no, DE isn’t passing along names or email addresses back home to Adobe — but somebody intercepting that traffic or gaining access to Adobe’s logs doesn’t necessarily need that.

    • Depends on the definition of “personally identifiable.” Given a sufficiently large sample of books (say, 50 or so out of a total of, say, 1000000 tracked by Adobe’s content server), it’s very reasonable to assume that the particular combination of books you have lying around can uniquely identify you. While this might not be illegal (however questionable it might be from a moral standpoint), *not disclosing* this to users might be very illegal indeed, at least in the EU.

  5. As I put it in my piece on TeleRead:

    The statement effectively reads like the kind of boilerplate provided to low-level peons who don’t have any actual knowledge but have to say something so people know they’re aware of the issue. (Remember how Amazon’s first response when someone self-published a pedophilia manual was to issue a statement about how “Amazon believes it is censorship not to sell certain books simply because we or others believe their message is objectionable” before finally pulling the book a few hours later when someone with authority actually looked at it? Same kind of thing.) The idea that sending information about what you’re reading in the clear is in line with any information-age privacy policy is ludicrous.

  6. The data appears consistent with what I would expect from a service that offers cross device synchronization. I would be surprised if WhisperSync/Kindle and Apple iBooks didn’t send essentially the same information back up to their respective mother ships. iBooks, at least, offers synchronization of reading position and annotations on any epub regardless of origin. You need some kind of key to identify whose bits you are synchronizing. The implication that users will escape this “spying” by using apps from Google, Amazon, Apple, Kobo, etc. is laughable.

    The alarming and inexcusable thing here is sending this over the wire sans https. Somebody clearly didn’t get the memo on that basic expectation. I would hope Google, Amazon, Apple, Kobo, etc. have this base covered, but I haven’t verified.

    The lack of transparency is deplorable, but hardly alarming.

    • “The data appears consistent with what I would expect from a service that offers cross device synchronization.”

      Yes, and that’s why I speculated in another post that Adobe could be planning this feature so readers can sync between Adobe DE4 and the new iPad app which I have been told is in the works.

      But that still doesn’t explain why Adobe transmitted all of the reading data, even for non-DRM ebooks. Those should not have been touched.

      • Do you have any Alf-ie plugins in Calibre?
        (For testing purposes, of course.)

        According to a report at the Register,
        http://www.theregister.co.uk/2014/10/08/adobe_says_it_slurps_ebook_data_in_plain_text_because_privacy_is_important/

        One of the things ADE 4 now tests for is “certified app ID”. Which implies it looks for non-certified apps. If it is looking for plug-ins and reporting back on installations with them…

        They do say in the article that “piracy” is one of the things they scan for.

          • Might it be why it scraped your calibre library?

          • Perhaps, but how would it know that I had a plugin if it hadn’t first looked for the plugins?

          • Timothy Wilhoit // 8 October, 2014 at 11:52 am //

            I’d say when the app found books that were supposed to coated with their wonderful DRM showed signs of “tampering,” then the presence of the AA plugin might be assumed. The Register article said Adobe claimed they were looking for signs of piracy…they might make the leap that an unDRMed book is a pirated book. I noticed “Calibre” was stamped all over the Baen and Fictionwise books but not on the TradPub books. Interesting…don’t know what it means.

          • @Timothy: The Calibre marker is from the epub metadata itself, and is inserted by Calibre automatically during certain operations. In this case it would just show that some publishers like Baen use it as part of their production.

            I suspect if Adobe found that marker in the metadata of an epub normally sold with DRM, and didn’t see it present in the metadata of the publisher’s original, they’d flag this as potential piracy in their system. I have little doubt, given their intense interest in protecting the monetary value of their DRM system, that this is why they’re sending data on non-DRMed epubs in the first place.

          • Did you have Calibre server running? I’m wondering if it did a scan for ODPS catalogs and found your Calibre server instance. That might be why others haven’t reproduced it.

          • I meant to say “might just show”, since it’s possible that file came from Nate’s Calibre library. I’ve found that a number of pubs do use Calibre in their workflow, so I’m never surprised when I see it there even on a brand-spanking new download.

          • @Bob: Excellent hypothesis! I did some testing of my own yesterday and couldn’t reproduce the Calibre scanning aspect. I hadn’t thought to check if it’s looking for a server instance. I’m going to try that now.

          • I didn’t have one running, but there’s a chance it was running in the background. (I don’t know how it works.)

          • I set up a new VM with Calibre’s server on and installed a fresh copy of ADE4, and didn’t detect any probing of the library.

          • Timothy Wilhoit // 8 October, 2014 at 12:42 pm //

            I wonder what happens if you open a single book located within the Calibre folder? I was curious if the program sifts through the rest of the folder once given access.

      • Well, if they’re doing cross-device last-place-you-read synchronization of all books (like Google Play Books does), they would have to send back that data about all books.

  7. Amazon and Apple already collect this kind of information, and more. Are you picking on Adobe because they didn’t warn you in Terms of Service (even though, actually, they did: section 14.1.2 of the DE4 Software licensing agreement)? Are you outraged simply because of them not using HTTPS? (Something tells me you would have written about it even if they were using HTTPS.) Why is it Amazon and Apple can do this every day but you jump all over Adobe for doing it?

    Google is sucking keywords out of every email you send on Gmail. Surely this is an even greater privacy violation?

    With its Omniture suite, Adobe collects truly massive amounts of analytics info on website customers. (Some of the largest web properties in the world run on top of Adobe Experience Manager, with its SiteCatalyst integration.) No mention of that?

    • “Amazon and Apple already collect this kind of information, and more.”

      That’s not entirely accurate. But just as importantly, I have mentioned that aspect in both of the previous posts on this story. I didn’t mention it here because I wanted to focus on Adobe’s response.

      Apple only collects this kind of info on ebooks you buy from them. Amazon only collects info on ebooks you hand to them or buy from them. And neither company scrapes your hard disk, and then uploads the information in the clear.

      Adobe, on the other hand, made a list of all of the ebooks sitting on my computer, and then transmitted all of the data in the clear. That is hugely different. Adobe then proceeded to defend their actions by claiming that it was covered by their privacy policy.

      And as for Google email, the scanning is limited to what is sent and received inside the service. That is a big difference from what I caught Adobe doing.

      And as for Omniture, I don’t like that either, so I use plugins like Ghostery to protect my provacy.

      • You’ll need to protect your job more than your privacy if you continue posting articles without verifying the”facts” you assert first.

  8. Can we confirm that those testing in a VM are using the same release of ADE4? Adobe hasn’t quietly replaced the installer since the story broke have they?

    • At least one person is using the install file I started from. He still has not duplicated my feat.

      At this point there are multiple people who are trying to duplicate my work but cannot. TBH if I didn’t have the file as proof I would have retracted by now.

  9. Did you ever plug a hardware reader in that had these books on it? Since that’s the recomended way to get a DRMed epub onto the reader. I know calibre will suck the metadata out of a reader if it’s configured that way. Maybe ADE sucked the metadata from a plugged in reader rather than from your HD? I pitched ADE 4 off my system and will not install it again to test this.

  10. Does the HD scan list match what’s in your Adobe manifest log?

  11. I will never upgrade my adobe again. I have had enough of these big company’s over stepping the bounds of privacy. Who exactly do you guys think you are? You can think you have rights to my information? FUCK YOU! YOU have ruined my buying of digital books. I will buy hard copies now. I will never use a cloud to store info. I will never buy an ipad or iphone.
    Want to buy a kindle?
    Pamela

  12. Adobe also own Omniture, which is used extensively by various organisations to send information back to the database for who knows what.

    Also Adobe own Flash, which is regarded as a security risk.

6 Trackbacks & Pingbacks

  1. Say Yes No Maybe So To Privacy | Agnostic, Maybe
  2. SIAMO GEEK - Sperimentatori, entusiasti della tecnologia | Il DRM di Adobe spia gli utenti
  3. Adobe is Spying on Users, Collecting Data on Their eBook Libraries - The Digital Reader
  4. Adobe Responds to ALA on Spying Scandal With Fictitious and Misleading Statements - The Digital Reader
  5. Adobe Updates Digital Edition, Stops Sharing User Info With the Internet - The Digital Reader
  6. Am I The Only One Who Doesn't Care About Adobe "Spying"?

Leave a comment

Your email address will not be published.


*