Adobe is Spying on Users, Collecting Data on Their eBook Libraries

Adobe is Spying on Users, Collecting Data on Their eBook Libraries Adobe Security & Privacy Adobe has just given us a graphic demonstration of how not to handle security and privacy issues.

A hacker acquaintance of mine has tipped me to a huge security and privacy violation on the part of Adobe. That anonymous acquaintance was examining Adobe's DRM for educational purposes when they noticed that Digital Editions 4, the newest version of Adobe's Epub app, seemed to be sending an awful lot of data to Adobe's servers.

My source told me, and I can confirm, that Adobe is tracking users in the app and uploading the data to their servers. (Adobe was contacted in advance of publication, but declined to respond.)  Edit: Adobe responded Tuesday night.

Update Timeline

And just to be clear, I have seen this happen, and I can also tell you that Benjamin Daniel Mussler, the security researcher who found the security hole on Amazon.com, has also tested this at my request and saw it with his own eyes.

Adobe is gathering data on the ebooks that have been opened, which pages were read, and in what order. All of this data, including the title, publisher, and other metadata for the book is being sent to Adobe's server in clear text.

I am not joking; Adobe is not only logging what users are doing, they're also sending those logs to their servers in such a way that anyone running one of the servers in between can listen in and know everything.

But wait, there's more.

Adobe isn't just tracking what users are doing in DE4; this app was also scanning my computer, gathering the metadata from all of the ebooks sitting on my hard disk, and uploading that data to Adobe's servers.

In. Plain. Text.

And just to be clear, this includes not just ebooks I opened in DE4, but also ebooks I store in calibre and every Epub ebook I happen to have sitting on my hard disk.

Update: Further testing has revealed that the files being scanned were actually on my ereader, not my HD. I had not used ADE to load the files on to the ereader, and yet the app scanned them, made a list, and uploaded the list to Adobe.

And just to show that I am neither exaggerating nor on drugs, here is proof.

The first file proves that Adobe is tracking users in the app, while the second one shows that Adobe is indexing my ebook collection.

The above two files were generated using data collected by an app called Wireshark. This nifty little app can be used to log all of the information that is sent or received by your computer over a network. Muussler and I both saw that data was being sent to 192.150.16.235, one of Adobe's IP addresses. Wireshark logged all of the data sent to Adobe, and on request spat out the text files.

Adobe is Spying on Users, Collecting Data on Their eBook Libraries Adobe Security & Privacy

This is a privacy and security breach so big that I am still trying to wrap my head around the technical aspects, much less the legal aspects.

On a technical level, this kind of mistake is not new. Numerous apps have been caught sending data in clear text, and others have been caught scraping data without permission (email address books, for example). What's more, LG was caught in a very similar privacy violation last November when one of their Smart TVs was shown to be uploading metadata from a user's private files to LG's servers - and like Adobe, that data was sent in clear text.

I am sharing these details not to excuse or justify Adobe, but to show you that this was a massively boneheaded stupid mistake that Adobe would have seen coming had they had the brains of a goldfish.

As for the legal aspects, I am still unsure of just how many privacy laws have been violated. Most states have privacy laws about library books, so if this app was installed in a library or used with a library ebook then those laws may have been violated. What's more, Adobe may have also violated the data protection sections of FERPA, the Family Educational Rights and Privacy Act, and similar laws passed by states like California. (I'm going to have to let a lawyer answer that.)

And then there are the European privacy laws, some of which make US laws look lax.

Speaking of Europe, the Frankfurt Book Fair is coming up later this week. Adobe will be exhibiting at the trade show, and something tells me they will not be having a nice trip. (I for one hope that the senior management is detained for questioning.)

In any case, I would highly recommend that users avoid running Adobe's apps for the near future - ever again, for that matter. Luckily for us, there are alternatives.

Rather than use Adobe DE 4, I would suggest using an app provided by Amazon, Google, Apple, or Kobo. Amazon uses the Kindle format, and each of the last three ebook platforms uses their own unique DRM and Epub (-ish) file format inside their apps. (While Google and Kobo will let you download an ebook which can be read in Adobe DE, that DRM is not used internally by either Kobo or Google.)

None of those 4 platforms are susceptible to Adobe's security hole.

Of course, I can't say for sure whether those platforms are more secure and private than Adobe's, but I'm sure they will be made more secure in the next few weeks.

images by arturodonateukCWCS

Nate Hoffelder

View posts by Nate Hoffelder
Nate Hoffelder is the founder and editor of The Digital Reader: He's here to chew bubble gum and fix broken websites, and he is all out of bubble gum. He has been blogging about indie authors since 2010 while learning new tech skills at the drop of a hat. He fixes author sites, and shares what he learns on The Digital Reader's blog. In his spare time, he fosters dogs for A Forever Home, a local rescue group.

274 Comments

  1. fjtorres6 October, 2014

    So, it only looks at epubs?
    So it targets Kobo, Google, and Nook, but not Amazon?

    Heh.

    “Kahn!!!!”

    Reply
    1. Nate Hoffelder6 October, 2014

      Google doesn’t download apps to your PC, so it’s out. And for all I know it might be able to scrape Kindle files as well.

      Reply
      1. JM Hatch8 October, 2014

        Reception of eBooksStore at launch was mixed. Reviewers noted that it was still glitchy, and that books lacked reviews even for those that were centuries old.[6] Also others remarked that Google touted the EBookStore as “open”, but that it was still using Adobe’s Adept eBooks Digital rights management.[7]

        https://en.wikipedia.org/wiki/Google_eBooks

        Reply
        1. Nate Hoffelder8 October, 2014

          This is one of those complicated technical points which are difficult to explain.

          For one thing, Google doesn’t have a Play Books app for Windows, so you read the ebooks in a web browser. Each ebook is sent in chunks, and is encrypted in Google’s own DRM.

          For the record, Google doesn’t use Adobe DRM internally. They will sell you an ebook and let you download an Epub file, but if you read that ebook in a Play Books app you won’t be reading an Epub file; it will be something different:
          http://the-digital-reader.com/2014/01/31/google-play-books-doesnt-support-epub-crazy-possibilities/

          And so any ebook read inside a Google Play Books app is safe from Adobe’s snooping.

          Weird, isn’t it?

          Reply
  2. fjtorres6 October, 2014

    Nasty thought: are they looking for “disinfected” versions of DRM’ed ebooks?

    Reply
    1. Timothy Wilhoit6 October, 2014

      I’m not really a tinfoil hat guy but that thought occurred to me as well. There’s absolutely no reason for any program to sift through your computer, especially since permission wasn’t asked. I didn’t have a particularly high opinion of Adobe but this caper has lowered it quite a bit more.

      “Adobe DE 4, special SW version! Spyware from a company you (don’t) trust!”

      Reply
  3. Claude6 October, 2014

    Is it only in Adobe DE 4 or can we see the same thing with earlier version of the software?

    Reply
    1. Nate Hoffelder6 October, 2014

      I don’t know, but now that I know what to look for I plan to check earlier versions of the app.

      Reply
    2. Greyhawk7 October, 2014

      DE 3 does not do this, we tested DE 3 extensively for exactly that before deploying.

      Reply
      1. Nate Hoffelder7 October, 2014

        I didn’t find this leak in ADE3 either.

        I’m not surprised to learn that you tested the app; I am more surprised that Adobe didn’t expect that someone would run security tests on the app and find this issue.

        Reply
  4. Claude6 October, 2014

    That said, I guess all ebooks sellers are “spying” on their users somehow. They all collect data of what we read. But maybe it’s more “secure”.

    Reply
    1. Brian7 October, 2014

      They collect data on books bought from them to some extent or another. Books aren’t bought from Adobe (they aren’t a seller), plus Adobe is collecting info on books not even associated with their app.

      Wonder what they ALA will think. They’re pretty big on eBook reader privacy IIRC and most library systems use ADE as a download method.

      Reply
      1. Glinda Harrison7 October, 2014

        I was wondering the same thing about the libraries.

        Reply
        1. Galen Charlton7 October, 2014

          This blew up on library Twitter this morning, and several folks who I know are involved in leadership positions at ALA are now getting the wheels turning. I would expect some sort of statement, at the very least, relatively soon.

          Reply
          1. Nate Hoffelder7 October, 2014

            Who should I contact to get a copy of that statement?

            Reply
      2. Galen Charlton7 October, 2014

        This blew up on library Twitter this morning, and several folks who I know are involved in leadership positions at ALA are now getting the wheels turning. I would expect some sort of statement, at the very least, relatively soon.

        Reply
      3. Andromeda Yelton7 October, 2014

        I am a member of the board of LITA, the technology division of ALA, and brought this issue to the board this morning. It is also being discussed by ALA Council right now. I suspect there are numerous other groups within ALA that will have an opinion, and that we’ll be wanting to speak with a coordinated voice.

        Thank you for bringing this to everyone’s attention. Stay tuned 🙂

        Reply
        1. Nate Hoffelder7 October, 2014

          Thank you for the heads up.

          On an unrelated note, I just posted an article about 3M Cloud Library’s new hardware program. Can you read the post and tell me if my concerns are well founded? Thanks!
          http://the-digital-reader.com/2014/10/07/3m-cloud-library-launches-new-hardware-lending-program-nook-glowlight/

          Reply
          1. Andromeda Yelton7 October, 2014

            I am not an expert in the cases here (I mean, I followed them from a distance, but IANAL), but I would have the same concerns as you, and I would want to consult someone who IS an expert if I were in a decision-making role for a program like this.

            Reply
  5. Feda6 October, 2014

    The only way to avoid is not to buy DRM infested content.

    Reply
    1. Nate Hoffelder6 October, 2014

      Except Adobe was indexing my DRM-free content as well.

      Reply
      1. Feda7 October, 2014

        Yes but you would not have the Adobe Digital Editions on your system if it wasn’t for their DRM.

        Reply
        1. S. J. Pajonas7 October, 2014

          That’s not true. On Mac, there are only a few good ePub readers and Adobe Digital Editions was one of them. I installed it just to proof my ePubs before uploading to B&N, Kobo, etc., not because I had to read something that had DRM on it. Now I have deleted ADE, and I guess I’ll use the iBooks app for the time being.

          Reply
          1. Jonathan Badger7 October, 2014

            Actually, did you know iBooks on OSX (since Mavericks) can read arbitrary ePub files? I use it all the time despite never purchasing a single ePub from Apple. It’s my favorite OSX ePub reader.

            Reply
          2. Wrecks8 October, 2014

            Have you tried Calibre yet? It’s an ebook management platform that can let you read ebooks in many formats as well as convert many formats to many other formats.

            http://calibre-ebook.com/about

            Reply
          3. S. J. Pajonas8 October, 2014

            I just use iBooks for proofing now. I use Calibre sometimes to convert files, but I find it frustrating as a user with the way it stores file both inputted and outputted.

            Reply
          4. derek8 October, 2014

            @wrecks I use calibre probably more than any other single program except my browser, but you still have to use Adobe if you buy DRM books. Nate’s pushing Google and Kobo, but even IF you use Kobo, you use ADE internally (perhaps not with the same “features”, but the software — RMSDK — is purchased from Adobe), and I don’t like using either of those in ways that tie me to a platform or vendor. So I download to ADE, and then sideload to my ereader.

            I’m a bit surprised that there are people here using ADE 2, still, as mine stopped working (would no longer get a valid authentication from their server) and I was forced to upgrade to ADE 3. So one day, I expect something similar will force me to move to ADE4.

            Telling people not to buy DRM books is not a solution: as long as publishers use DRM, not buying DRM books is letting them choose my reading (there aren’t many books that are legally available in both a DRM and non-DRM format). We have to campaign to force them to stop using DRM: preferably by educating authors and agents to stop agreeing to publishing contracts that insist on it.

            Reply
            1. Nate Hoffelder8 October, 2014

              I was only pushing Kobo because many readers will want ebooks that only come with DRM. I myself strip the DRM.

              “even IF you use Kobo, you use ADE internally”

              Not really, no. I have been told by a several expert Kobo users that they have 2 rendering engines, one for their own content and one for external Epubs.

          5. derek8 October, 2014

            Kobo’s kepubs use a different rendering engine, but they’re still using Adobe’s RMSDK afaik — which, to be fair, isn’t invading our privacy like ADE4, but still means you’re encumbered by DRM and Adobe’s got their hands on your data.

            Reply
          6. bangbango9 October, 2014

            @derek

            Doesn’t kePub use kobo’s own DRM if necessary?

            (Because yeah, Kobo manages two formats and two DRM schemes)

            Reply
  6. Mike J6 October, 2014

    ADE 3.0 is still available on their website. I wonder if that version collects the same info.

    Reply
    1. Nate Hoffelder6 October, 2014

      I can tell you that ADE2 does not.

      Reply
      1. Claude6 October, 2014

        Lucky, I still have version 2.

        Reply
    2. Nate Hoffelder6 October, 2014

      ADE3 sends similar minimal amounts of data.

      Reply
    3. Rob Siders7 October, 2014

      2.0 is still available to download from Adobe.

      http://www.adobe.com/support/digitaleditions/downloads.html

      Reply
  7. cakezula7 October, 2014

    So what are we supposed to do about .acsm files from our local Libraries? It’s unreal that ADE is the *only* software available for checking books out. UG.

    Reply
    1. ZiGraves7 October, 2014

      A few users further up say that ADE2 & possibly ADE3 don’t have this problem, and that you can still download these older versions from the adobe website – as long as you make sure you use the old versions, you and other students should be okay.

      I suggest letting your local libraries know, though, because librarians can be very militant about user privacy and they’ll be well placed to advise or kick up a stink.

      Reply
  8. Michael7 October, 2014

    From my own experimentation, it looks like the best way to thwart this in the short-term is by editing the hosts file and directing adelogs.adobe.com to either 0.0.0.0 or 127.0.0.1. I hope we can expect Adobe to address this issue quickly. I sent them an e-mail about my own concerns a little while ago.

    Reply
    1. Nate Hoffelder7 October, 2014

      Wouldn’t that also tend to block the DRM authentication? It might render ADE4 unusable.

      Reply
      1. Michael7 October, 2014

        No, that’s just the logging server. The licensing server is separate, and fortunately they do communicate with that one over an encrypted connection.

        Perhaps this lovely snooping feature was designed to facilitate syncing bookmarks and notes between multiple devices, but if so Adobe never bothered to ask my permission first. Apart from debugging code inadvertently shipped with the final release, that’s the only innocuous use I can think of.

        I reinstalled ADE to read the terms, and I can’t find any place such behavior is consented to. Unfortunately I do need ADE 4 installed for the work I do, so for now blocking the connection to the logging server will have to suffice.

        Reply
        1. Michael7 October, 2014

          * “innocuous” in the sense of providing value to some users. Syncing isn’t something I would need or consent to. I expect a company to make clear what data they are collecting and why, and when transmitting approved data to handle it responsibly, not send it in clear text like this.

          Reply
        2. bangbango9 October, 2014

          The way they would be logging bookmarks in this particular case (at X page turn, location Y. at Z, page turn, location A… instead of at last use, location X). Either it is incompetence* or something quite different.

          * Could be incompetence. After all, ADE is developed in India on a tiny budget and it seems they are out-sourcing in China (could) and Romania (is for sure).

          Reply
  9. Name Required7 October, 2014

    Congratulations for the scoop Nate.
    Looks like your soapbox got a little taller overnight 😉

    Reply
  10. […] gemieden haben. Das wird in Zukunft aber wohl nicht mehr so einfach möglich sein, wenn man einem Bericht von The Digital Reader glauben schenken […]

    Reply
  11. redsun7 October, 2014

    May be you made a typo of some sort. An IP-adress starting with 192 is an unroutable, i.e. local(on your computer) ip-adress. But it could be of course that the information is gathered first on your computer and then sent to Adobe.
    My guess is that it’s a debugging remnant, left by one of Adobe’s programmers.

    Reply
    1. Nate Hoffelder7 October, 2014

      I don’t think that’s true. If you look up that IP address on thw web you’ll see that it belongs to Adobe. It’s clearly labeled.

      Reply
    2. Bob W7 October, 2014

      192.168.x.x is unroutable.

      Reply
      1. Steve7 October, 2014

        Correct. It’s only the 192.168.0.0/24 subnet that’s for local addresses, not the entire 192.0.0.0/36 subnet.

        Reply
        1. Nate Hoffelder7 October, 2014

          Thanks. This would explain why several of my routers offered an access page in that subnet, right?

          Reply
        2. FrancisT7 October, 2014

          Well strictly speaking 192.0.2.0/24 is also unroutable.

          If you look at Adobe’s AS (Autonomous System) they have a number of subnets – http://bgp.he.net/AS44786#_prefixes

          I did some other digging and it looks like Adobe has had this domain also resolve to 193.104.215.99 – that looks to be Adobe Europe in Ireland. I’m guessing that’s classic geographical routing to the closest IP so that European data doesn’t leave Europe
          Interestingly I did a quick check from Japan and it looks like I have a 50% chance of going to Europe or the US.

          In both cases adelogs.adobe.com is CNAMEd to adelogs.wip4.adobe.com and that is the FQDN that can resolv e to one of the two IPs.

          Someone upthread worried that blocking “adelogs.adobe.com” would block some of the DRM activation bits of ADE. As far as I can tell from a cursory scan this is unlikely to be the case. Adobe also has hosts like “activate.adobe.com” which seems more likely to be the activation server. Since there is also “update.adobe.com” and “download.adobe.com” and so I I think adelogs really is just a logging server.

          If you do want to block all of Adobe then *.wip4.adobe.com would probably work wonders, but I suspect that really WILL break anything you have from Adobe that tries to call home, including, say, flash for update checking.

          Reply
          1. js7 October, 2014

            According to ARIN:

            “Addresses starting with “192.0.2.”, “198.51.100.”, or “203.0.113.” are reserved for use in documentation and sample configurations. They should never be used in a live network configuration. No one has permission to use these addresses on the Internet.”

            192.0.2.0/24 is reserved for documentation and examples and ARIN tells network operators that they SHOULD block those addresses in their routers, not MUST. The comment from ARIN ends with:

            “These blocks are not for local use, and the filters may be used in both local and public contexts.”

            Reply
        3. paul delys7 October, 2014

          Your subnet mask isn’t quite right. 192.168.0.0/16 isn’t publicly routed. In other words, 192.168.anything.anything is a private address.

          192.anything except 168.anything.anything is, by convention, a public address.

          Reply
  12. Miron Schmidt7 October, 2014

    Another reason not to buy any books with DRM, ever (as this will bind you to Adobe’s platform). I will uninstall this software as soon as I’m home today, and good riddance.

    Reply
  13. Joe Blo7 October, 2014

    Adobe developers smell of wee.

    Reply
  14. Simon Wang7 October, 2014

    Companies are still thinking they can pull this sort of stunt and here they are getting caught out again. Even better is the ‘no comment’ from the supplier, I bet they will be coming out with the excuses shortly and they will be lame.

    Great work in getting to the bottom of this. In any case, another reason to buy a real book instead of drm ridden ebooks.

    Reply
    1. derek7 October, 2014

      That’s silly. There are no good reasons to buy (and waste) paper. e-books are fine as long as they have no DRM and don’t need Adobe.

      Reply
  15. Lennart-pottering7 October, 2014

    USE opensource/free softwares always.

    http://www.kde.org

    Reply
  16. Richard7 October, 2014

    Thanks for this Nate.

    We have thousands of publisher books on our production workstations, many under non-disclosure agreements. Fortunately we have not yet rolled ADE4 out for testing (because it can’t handle inline images amongst other silly things).

    This is a timely warning of corporate irresponsibility. We will ensure our publisher production contacts are all made aware of this. From a production facility perspective this is somewhat intimidating. If someone wants to ADE4 test a book under non-disclosure it will have to be on an isolated workstation modified as Michael mentioned. For us that will become a production services sales feature!

    On a last note: It’s one thing that they are sending this private and privileged content back to their servers in clear-text, but really, their JSON sucks. If they are going to steal private information, couldn’t they do it with professional flair and sensible key names rather than this schoolboy code!

    Reply
  17. Rob Siders7 October, 2014

    Post subtitle: Or, Nate tells us what he’s reading.

    Interesting list, by the way. 😉

    Reply
    1. Nate Hoffelder7 October, 2014

      Well, no, I told you what I am buying. (And maybe I should have scrubbed that list, LOL.)

      Reply
  18. Brutal Honesty7 October, 2014

    That’s what you get for paying.

    The pirate versions don’t do that.

    Reply
    1. Rob Siders7 October, 2014

      It’s not the books that are phoning home. It’s the ereader software, which is a free download, and it’s collecting data on all epubs, regardless of source, on a user’s system.

      Reply
      1. derek7 October, 2014

        And, one suspects, in line with their comment about “for purposes such as license validation”, for checking whether books that shouldn’t be available without DRM exist on your system with the DRM stripped…

        Reply
  19. […] gemacht wurde die Datensammelwut am gestrigen Dienstag von The Digital Reader. Demnach überträgt Version 4 von Adobe Digital Editions folgende Informationen vom […]

    Reply
  20. DaveZ7 October, 2014

    Does Adobe have a privacy policy and is this covered? Who knows, maybe we all agreed to the tracking.

    Reply
    1. Nate Hoffelder7 October, 2014

      I’ve heard from someone who actually read it that this isn’t covered.

      Reply
    2. Andromeda Yelton8 October, 2014

      Adobe has a privacy policy, as well as the ADE EULA, and has issued a statement on them: http://www.infodocket.com/2014/10/07/new-and-old-serious-reader-privacy-concerns-both-inside-and-outside-the-library/

      I’ve glanced at both and…hell if I know if I agreed to it, honestly. This information isn’t all specifically referenced. You could make a case it’s covered anyway. That case would go against some people’s moral intuitions. I really have no idea.

      Reply
  21. Name Required7 October, 2014

    Install it inside a virtual machine if you have to, with nothing else and no books at all.

    Reply
  22. Andrew7 October, 2014

    Okay, I’m done with Adobe then. Amazon is cheaper than Kobo anyway. Anyone know if Amazon does the same thing?

    Reply
    1. Nate Hoffelder7 October, 2014

      With the ebooks they sell you, yes, but they kinda have to do that so they can sync your reading position across your account. And so far as I know the data is at least obscured (I will be checking).

      Reply
      1. TheSFReader7 October, 2014

        And it’s the retailer that gets the data, not a third party as is the case with Adobe DRM encumbered ebooks.

        Adobe is a third party, I wonder how much of the data it shares whith the e-booksellers…

        Reply
    2. Name Required7 October, 2014

      Check their user agreement for Kindle.
      You might be very surprised what rights they reserve ;-).

      Reply
    3. Swâmi Petaramesh7 October, 2014

      About Amazon Kindle, you might want to check http://www.defectivebydesign.org/amazon

      Reply
  23. […] Security Praxis, hat heute jemand gepostet, dass die neue Version von Adobe Digital Editions im großen Stil nachhause telefoniert. Das wird zwar gerne mit “wen überrascht’s?” kommentiert, aber das Ausmaß mit […]

    Reply
  24. Swâmi Petaramesh7 October, 2014

    Adobe is (unfortunately) not the only one…

    Let’s read the « licence » file displayed by my « Pocketbook Touch Lux 2 » reader (that also comes with AdobeViewer inside, that makes things a little funnier…)

    Now Go Read And Despair :

    1/ The licence comes in english, which probably makes it plain illegal here in France, coming with a “general public” device that my Grand’Ma can purchase.

    2/ It reads : « POCKETBOOK RESERVES THE RIGHT TO AMEND THE TERMS AND CONDITIONS OF THIS LICENSE FROM TIME TO TIME BY PLACING NEW EDITIONS HEREOF AT: http://www.pocketbook-int.com/legal/SLA. EACH NEW EDITION OF THE LICENSE AGREEMENT SHALL COME TO EFFECT AT THE DATE OF PLACEMENT AT THE MENTIONED WEB PAGE AND THIS IS THEREFORE RECOMMENDED THAT YOU PERIODICALLY VISIT THAT PAGE… »

    => Wow. They can change without notice the rights you have to use an hardware device that you have puchased and own ? And you’d be supposed to go and check every other week ? A clause that allows one part to unilaterally modify a contract after it has been “concluded” is most certainly illegal…

    3/ But the finest still is to come :

    « Information Received. The software will provide Pocketbook with data about your Pocketbook reading device and its interaction with the Service (such as available memory, up-time, log files, and signal strength). The Software will also provide Pocketbook with information related to the Digital Content on your Pocketbook reading device and Supported Devices and your use of it (such as last page read and content archiving). Information provided to Pocketbook, including annotations, bookmarks, notes, highlights, or similar markings you make using your Pocketbook reading device or Reading Application, may be stored on servers that are located outside the country in which you live. […] BY USING THE POCKETBOOK READING DEVICE YOU AUTOMATICALLY ACKNOWLEDGE AND AGREE THAT POCKETBOOK MAY COLLECT, STORE, PROCESS, TRANSMIT, PROVIDE AND/OR SELL ANY INFORMATION AVAILABLE ABOUT YOU AND THE READING DEVICE(S) THAT YOU ARE USING TO ANY THIRD PARTIES. THIS INFORMATION MAY BE USED BY POCKETBOOK AT ITS SOLE DISCRETION FOR ANY LAWFUL PURPOSES AND IN ANY MANNER OTHER THAN PROHIBITED BY APPLICABLE LAWS, WITHOUT LIMITATION.
    Pocketbook reading device and software preinstalled or subsequently installed on it provides Pocketbook with details of the Pockebook reading device used by you and certain actions performed by you on it such as: – Orientation of the Pocketbook reading device (portrait or landscape); – the language of Digital Content; – file size in bytes; – DRM type (Adobe, Pocketbook, none); – Digital Content opened for the first time or not; – the application that you use for reading; – time between the opening starts and finishes in milliseconds; – functions of keys; – the interface language; – the reading device model; – the identifier of the Pockebook reading device to establish whether data have been collected from one or different Pocketbook reading devices (not the serial number); – version of software installed;
    […] Your agreement to be bound by these Terms of Use is voluntary and implies your unconditional consent to all and any data processing conditions estyablished herein; […] »

    Reply
  25. df7 October, 2014

    What about apps like Bluefire and axisReader? I know that they are licensed to be compatible with Adobe DRM, but do they have this same problem?

    Reply
    1. Nate Hoffelder7 October, 2014

      I have assurances from one developer that his app does not. I can’t name him here, though; I don’t want his name to get mixed in by mistake.

      Reply
  26. Ben Hollingum7 October, 2014

    Well done bringing this to light, Nate.

    Perhaps this fuckup, coming as close as it does to the FBF, will make the big publishing houses reconsider their relationship with Adobe. After all, they’ve been laying on the whole “guardians of the enlightenment” shtick pretty thick recently as part of their fight against Amazon. It will be hard to reconcile that stance with complicity in a system that effectively hands oppressive governments the world over a list of people’s seditious reading habits.

    Reply
  27. rocketride7 October, 2014

    Amazon, Google, Apple and Kobo are listed here as safe(r).

    May I assume that B&N Nook devices are using some version of Adobe DRM?

    Reply
  28. Galen Charlton7 October, 2014

    For the moment, I suggest following @ALALibrary and @oitp on Twitter. A couple individuals to interact with if you have quesitons about the process are @ThatAndromeda and @mciszek.

    I’ll also try to remember to post a comment when a statement is released — but note that it may take a couple days or so; ALA is not always the fastest-moving of organizations.

    Reply
  29. Mikaela7 October, 2014

    I am glad I have stayed with ADE 2.0, right now. And that I strip DRM. That said, I am seriously considering ditching ADE and going with Bluefire instead. Especially since they have just launched a Windows version.

    Reply
  30. […] Adobe is Spying on Users, Collecting Data on Their eBook Libraries […]

    Reply
  31. […] pe care le adun? orice companie de software din domeniu. Din cele spuse de Nate Hoffelder de la The Digital Reader, DRM-ul (modulul de verificare al Digital Rights Management) Adobe din ultima versiune Epub, […]

    Reply
  32. […] has been some 16 hours since I first broke the news that Adobe was spying on anyone who installed and ran Digital Editions 4, Adobe’s latest and greatest ebook app, […]

    Reply
  33. Adobe colecteaz? o mul?ime de informa?ii din software-ul pentru eBook-uri | 1iT.ro – Stiri IT, noutati si tehnologie7 October, 2014

    […] pe care le adun? orice companie de software din domeniu. Din cele spuse de Nate Hoffelder de la The Digital Reader, DRM-ul (modulul de verificare al Digital Rights Management) Adobe din ultima versiune Epub, […]

    Reply
  34. Paul7 October, 2014

    Thanks for this! I’d love to see a couple screen captures in Wireshark to know what I’m looking for as I scan my own system!

    Reply
  35. […] files comes a boneheaded revelation about Adobe’s Digital Editions 4, their epub app. Nate Hoffelder over on The Digital Reader blogged about verifying this privacy breach. The software is scraping info about the ebooks a customer reads, how they read it, in addition to […]

    Reply
  36. Name (required)7 October, 2014

    Nate, you have just been featured on BoingBoing.net
    http://boingboing.net/2014/10/07/adobe-ebook-drm-secretly-build.html

    Reply
    1. Nate Hoffelder7 October, 2014

      Also, 4Chan.

      Reply
  37. […] Adobe is doing some pretty despicable stuff – logging EVERY book (whether or not you are using Adobe Digital Editions) and sending it back to a server. (Here’s the guy who first discovered it). […]

    Reply
  38. […] 1. Adobe is Spying on Users, Collecting Data on Their eBook Libraries (via The Digital Reader) […]

    Reply
  39. […] 1. Adobe is Spying on Users, Collecting Data on Their eBook Libraries (via The Digital Reader) […]

    Reply
  40. Nicolas7 October, 2014

    Let’s send fake data to this ip! A lot of it!

    Reply
    1. Nate Hoffelder7 October, 2014

      Indeed. Someone on Slashdot suggested encoding death and bomb threats into the data sent to Adobe.

      Reply
      1. Nicolas7 October, 2014

        Haha
        I wouldn’t go that far
        But fake data about random and imaginary books that would ruin any big data analysis

        Reply
        1. Nate Hoffelder7 October, 2014

          I wouldn’t either, but it did make me laugh.

          Reply
  41. […] ontdekte een bron van The Digital Reader, dat het verzamelen van data met eigen onderzoek heeft […]

    Reply
  42. […] breach was first reported by Nate Hoffelder at the Digital Reader on Monday night. Following a tip from a hacker, he used the network tracking app Wireshark and […]

    Reply
  43. mathew7 October, 2014

    Unfortunately, Google uses Adobe Digital Editions DRM. I’ve downloaded books from Google Play and ended up with acsm files.

    Google also sell DRM-free books, but it’s not easy to browse for just those or even determine which books have DRM, so I end up buying from Amazon.

    Reply
    1. Nate Hoffelder7 October, 2014

      Yes, but Google does not use Adobe DRM internally. They use something else:
      http://the-digital-reader.com/2014/01/31/google-play-books-doesnt-support-epub-crazy-possibilities/

      That is why I mentioned them.

      Reply
    2. derek7 October, 2014

      Same with Kobo: you don’t know whether a book you buy is DRM’d until you’ve bought it.

      Reply
      1. Liz7 October, 2014

        On Kobo, if you save a preview to your library, you can see what type of file it is. It’s usually listed as EPUB (DRM-free) or Adobe DRM EPUB.

        Reply
        1. derek8 October, 2014

          Ah! Good suggestion, though one shouldn’t have to go to so much trouble…

          Reply
          1. Liz8 October, 2014

            Yep. It should be listed as part of the product info on the book page. If only…

            Reply
          2. TheSFReader10 October, 2014

            When I asked them about it at the Paris Book Fair, their answer was roughly “We don’t want to give people reason to fear ebooks due to technical details such as DRM. Anyway, every publisher uses DRM, so…”… 🙁

            Reply
  44. […] The new version of Adobe’s popular reader software has significant privacy and security concerns: http://the-digital-reader.com/2014/10/06/adobe-spying-users-collecting-data-ebook-libraries/ […]

    Reply
  45. […] primera noticia ha saltado en The Digital Reader y Ars Technica lo ha confirmado: Digital Editions envía los libros que has abierto, qué páginas […]

    Reply
  46. […] – Adobe is Spying on Users, Collecting Data on Their eBook Libraries – The Digital Reader Nate Hoffelder […]

    Reply
  47. […] Adobe Digital Editions 4 monitors your eBook reading habits, sends unencrypted, plain text data to A… If you’ve downloaded an EPUB from a public library in the United States recently, you’ve probably used Adobe Digital Editions. [The Digital Reader] […]

    Reply
  48. […] the title of this article is enough to get this librarian’s blood a-boiling: “Adobe is Spying on Users, Collecting […]

    Reply
  49. Robert7 October, 2014

    The first file proves that Adobe is tracking users in the app, while the second one shows that Adobe is indexing my ebook collection.

    I’ve pretty-printed the ADE-4 data collector> and the data from adobe files you provide for easier reading.

    This data doesn’t look like “user tracking” to me. It looks more like diagnostic data to be used in understanding bugs and crashes. I.e. Adobe isn’t monitoring their users so much as they’re monitoring the behavior of their own application. I know this is arguing semantics – and I’m not saying this data isn’t sensitive – but statements like “Adobe is tracking their users!” may be unfairly representing what’s actually taking place. Odds are this stuff is going into a “bug tracking database” rather than a “user tracking database”. Semantics, I know. :-/

    The file scanning behavior is interesting, but also debatable. It doesn’t seem that unreasonable for an e-book reader to index a users hard-drive looking for books. I would say it mostly depends on where on your hard-drive it’s looking for those books. There’s no file paths listed in the data you provide though, so I won’t comment further here.

    As for sending this data in clear text… technically there’s no personally identifiable information in the files you’ve provided. No email addresses or user IDs, nor credit card information or street addresses – it’s simply generic data about user actions (e.g. “navigated to page”) and meta-data about books (title, creator, subject, publisher). Is this sensitive information? Perhaps, but it’s certainly not on the level of bank account credentials or anything like that. Again, debatable.

    Reply
    1. Galen Charlton7 October, 2014

      This data doesn’t look like “user tracking” to me. It looks more like diagnostic data to be used in understanding bugs and crashes. I.e. Adobe isn’t monitoring their users so much as they’re monitoring the behavior of their own application. I know this is arguing semantics – and I’m not saying this data isn’t sensitive – but statements like “Adobe is tracking their users!” may be unfairly representing what’s actually taking place. Odds are this stuff is going into a “bug tracking database” rather than a “user tracking database”. Semantics, I know. :-/

      Who is to say how the odds fall? And even if your scenario is correct and Adobe’s intention was simply to gather data for bug reporting purposes, that at best establishes an upper bound on the magnitude of Adobe’s misbehavior here.

      The data is being gathered and sent to Adobe’s servers without explicit consent on the part of the user — not even the public release notes and the license agreement for the software do not seem to give any hint that DE 4.0 is doing this. That’s bad enough: if you don’t need data on user behavior for your software to work, you shouldn’t be collecting it in the first place. And if you do need it — there is no excuse to ever transmit it to the clear.

      True, reading data is not bank data — but there are plenty of governments that ban books, censor books, or otherwise have an interest in what their citizens are reading — including, at times, the US. Protecting the freedom to read what one wants — which necessarily includes protecting privacy — is a core professional value of librarians, which is why librarians are among the groups that are rather concerned by this news.

      Reply
      1. Robert7 October, 2014

        if you don’t need data on user behavior for your software to work, you shouldn’t be collecting it in the first place

        And there’s the rub. There are certain categories of problems where it’s extremely helpful to have a log of what [application] activity happened prior to a bug or crash occurring. And often (especially in the case of crashes) there’s no way to gather that data retroactively – meaning the only way to get this data for users that experience such problems is to gather it for all users.

        but there are plenty of governments…

        Non-sequitur. Adobe is not the Government.

        protecting privacy — a core professional value of librarians

        From the Adobe Privacy Policy page that the Digital Editions 4.0 Software License Agreement links to (in Sec 14.1.2, “Internet Connectivity and Privacy”), we have the following (This is what you are agreeing to when you install DE4, btw – emphasis mine) …

        Adobe websites and applications
        We collect information about how you use our websites and applications, including when you use a desktop product feature that takes you online (such as a photo syncing feature). We may collect information that your browser or device typically sends to our servers whenever you visit an Adobe website, or when an Adobe desktop product feature takes you online. For example, your browser or device may tell us your IP address (which may tell us generally where you are located) and the type of browser and device you used. When you visit an Adobe website, your browser may also tell us information such as the page that led you to our website and, if applicable, the search terms you typed into a search engine that led you to our website. Adobe may collect information about how you use our websites and applications by using cookies and similar technologies, and our servers may collect similar information when you are logged in to the website or application. Depending on the website or application, this information may be anonymous (for example, see the Adobe Product Improvement Program) or it may be associated with you (for example, see the Creative Cloud FAQ).

        This is what you agree to when you use or install any Adobe product. Even if Adobe is gathering personal information (which hasn’t been established yet), they’re still acting within the bounds of their privacy policy.

        Reply
        1. derek8 October, 2014

          It’s not a non-sequitur to suggest that governments might care what we’re reading. Knowing that Adobe has that information, the Department of Homeland Security may very well ask for it (well, demand it…). Except that, since it’s transmitted in the clear, the NSA already has it.

          When they start scanning books outside your ADE library, they are going well beyond the terms of their EULA. And it’s moot anyway if collecting the information they do is illegal where you live: and I’d venture to say that for a private company to collect that much is illegal in most countries.

          Reply
        2. Ben8 October, 2014

          “And often (especially in the case of crashes) there’s no way to gather that data retroactively – meaning the only way to get this data for users that experience such problems is to gather it for all users.”

          This statement is technically incorrect. Any programmer capable of logging to the network is also able to writing that same log to memory. Plenty of applications will write the last ten to hundred actions to an in-memory journal. If the application triggers a crash handler then resulting crash dump will still contain the journal. Not only does the crash handler get the actions “retroactively” but only sends it if the application crashes instead of continually. A well written crash handler also gets consent from the user while making them aware of what information will be transmitted and why.

          What is even more damning is that ADE4 includes cryptography functions as part of it’s DRM. It should have been trivial to encrypt the logging. Instead it is announcing to the entire network what is being read. That means if the device is associated with a public wifi such as at a public library or Starbucks, then anyone that cares to listen is notified of what you are using ADE4 to read. Even if the public wifi itself uses encryption such as WPA, anyone else has the password to join the wifi still gets access to the ADE4 log packets. This is not acceptable even if being able to debug the application and “improve” the customer experience is the goal.

          Reply
          1. derek8 October, 2014

            Of course, if they’d encrypted the data they were stealing from us, we wouldn’t know what they were stealing!

            Reply
  50. […] article blackandwhitefield submitted from The Digital Reader.com. A hacker recently noticed that Adobe’s e-publishing software seemed to be sending a large amount of data to Adobe’s ser…. Apparently Adobe’s Digital Editions 4 is gathering data on which ebooks that have been […]

    Reply
  51. […] new version of Adobe’s popular reader software has significant privacy and security concerns:http://the-digital-reader.com/2014/10/06/adobe-spying-users-collecting-data-ebook-libraries/ > > Older versions apparently are fine, so maybe hold off on updates until these issues are […]

    Reply
  52. […] confirms some details of recent reports by The Digital Reader and Ars Technica that Adobe Digital Editions 4, the latest version of the widely used ebook […]

    Reply
  53. […] They may be a day late and a dollar short, but Adobe has finally responded to yesterday’s news that they were using the Digital Editions 4 app to spy on users. […]

    Reply
  54. […] Adobe is Spying on Users, Collecting Data on Their eBook Libraries – If you’re using the most recent version of Adobe Digital Editions – ADE4 – you should read this post about how it’s collecting your data. […]

    Reply
  55. […] Adobe was flagged by the Digital Reader for tracking and uploading data related to various books opened in DE, such as how long a book has […]

    Reply
  56. […] investigation by Nate Hoffelder of The Digital Reader blog showed that ADE 4 was collecting telemetry on which […]

    Reply
  57. […] Adobe was flagged by the Digital Reader for tracking and uploading data related to various books opened in DE, such as how long a book has […]

    Reply
  58. Adobe in Massive eBook Readers' Privacy & Security Breach - tbreak.ae8 October, 2014

    […] 4, the company’s latest version of the widely popular ebook platform. Nate Hoffeolder, of The Digital Reader has first posted details about the breach, saying he was tipped to Adobe’s violation by an […]

    Reply
  59. […] Technica e The Digital Reader hanno scoperto che l’ultima versione di Adobe Digital Editions tiene traccia di ogni tipo di […]

    Reply
  60. […] Quelle: http://the-digital-reader.com/2014/10/06/adobe-spying-users-collecting-data-ebook-libraries/#.VDTmdL… […]

    Reply
  61. […] Pettarin, che si mescola a feedback sull’operato di IDPF, agli update di Adobe (che spesso assomigliano a degli spyware più che veri update), al lavoro di W3C sulle pubblicazioni digitali (tenuto sempre […]

    Reply
  62. […] A brief history of the Adobe book spying story   Nate Hoffelder at The Digital Reader reported Monday, “Adobe is gathering data on the ebooks that have been opened, which pages were read, and in what order. All of this data, including the title, publisher, and other metadata for the book is being sent to Adobe’s server in clear text…   “Adobe isn’t just tracking what users are doing in DE4; this app was also scanning my computer, gathering the metadata from all of the ebooks sitting on my hard disk, and uploading that data to Adobe’s servers.”   Adobe responded, “All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers… User privacy is very important to Adobe…”   Hoffelder commented, “I don’t know about you, but I don’t see how sending a user’s reading history in clear text over the web could possibly be in line with a privacy policy.”   “Update: [from Digital Book World] Adobe acknowledges that transmitting unencrypted data could pose a security risk: “In terms of the transmission of the data collected, Adobe is in the process of working on an update to address this issue.” Adobe says further that more information on when that update will be in place and of what it will consist is forthcoming.”   And Adobe used to be such a nice company. The Digital Reader: http://the-digital-reader.com/2014/10/06/adobe-spying-users-collecting-data-ebook-libraries/ […]

    Reply
  63. […] problème, mis en avant par The Digital Reader (et relayé par Aldus), repose sur le composant ADE4 (Adobe Digital Edition 4). Il s’agit du […]

    Reply
  64. KindleUser8 October, 2014

    Amazon’s Kindle does the same thing.

    Reply
    1. Nate Hoffelder8 October, 2014

      What, transmit the user’s reading data in the clear? Upload details about every ebook opened, including ones which aren’t in Amazon’s system?

      That is a no to both counts.

      Reply
  65. […] am Montag publizierte Bericht von The Digital Reader schlug hohe Wellen. Neben weltweit Hunderten Tech-Medien griffen auch […]

    Reply
  66. […] Digital Reader and its editor Nate Hoffelder has made the accusation, claiming he was tipped by a ‘hacker’ associate and has confirmed its authenticity after testing. […]

    Reply
  67. […] Adobe is Spying on Users, Collecting Data on Their eBook Libraries The Digital Reader (Olivier L) […]

    Reply
  68. […] Hoffelder told us yesterday that Adobe is collecting data about the ebooks you read through the Digital Editions 4, which was confirmed by several other […]

    Reply
  69. […] reports surfaced this week that Adobe Digital Editions 4, the latest version of the popular ebook platform, […]

    Reply
  70. […] ein Profil des Lesers. Es werden weit mehr Daten übertragen, als für Adobe notwendig sind. Wie The Digital Reader schreibt, werden aber nicht nur eBooks aus Adobe Digital Editions von Adobe gescannt und […]

    Reply
  71. Adobe’s e-book reader sends your logs to Adobe in plain text8 October, 2014

    […] the logging of e-reader activity with the use of a packet capture tool. The exposure of data was first discovered by Nate Hoffelder of The Digital Reader, who reported the issue to Adobe but received no […]

    Reply
  72. Sarah8 October, 2014

    Is this only with Adobe Digital Editions for the desktop? Are readers using the Bluefire Reader app or reading ePub ebooks in a browser affected?

    Reply
    1. Nate Hoffelder8 October, 2014

      It’s just Adobe. Other apps like FBReader and Bluefire, don’t have this issue.

      Reply
  73. […] user data and eBook metadata and send them to Adobe’s servers unencrypted, according an investigation by The Digital […]

    Reply
  74. Sigh8 October, 2014

    “I for one hope that the senior management is detained for questioning”

    Talk about losing the plot. What kind of psychotic, statist are you??? Get a grip.

    Reply
    1. Nate Hoffelder8 October, 2014

      One who knows how to tell when something is a joke.

      Reply
      1. derek8 October, 2014

        I could tell it was a joke, too, but surely if Adobe is violating privacy laws (and, imo, they are), somebody should be taken in for questioning? How is that “psychotic” and “statist”?

        Reply
        1. Nate Hoffelder8 October, 2014

          I have no idea.

          Reply
  75. EBooks: Adobe-App spioniert angeblich Leser aus » Computer Wissen Information8 October, 2014

    […] unverschlüsselt an Adobe. Das ungewöhnliche Verhalten der Anwendung hat die Seite “The Digital Reader” […]

    Reply
  76. […] – by Jim L. Yesterday, Nate Hoffelder, the editor of The Digital Reader blog reported that the newest version of the Adobe Digital Editions software (ADE 4) appears to be transm…. […]

    Reply
  77. […] came to light on Monday that the latest version of Adobe Digital Editions is sending metadata on ebooks that are […]

    Reply
  78. […] The Digital Reader, which appears to have been first in breaking the story […]

    Reply
  79. […] likes looking at your library  (Adobe is tracking users in the app and uploading the data to their […]

    Reply
  80. Kyle8 October, 2014

    The OverDrive app for libraries recently dropped the Adobe ID sign-up process (thank god). Now you set up an OverDrive account the first time you open the app. But does anyone know if OverDrive is still connected with Adobe or if they are collecting metadata themselves?

    Reply
    1. Nate Hoffelder8 October, 2014

      And to think, librarians objected to the move. I wonder how many changed their minds after this story broke?

      Reply
      1. M-Jo Baker8 October, 2014

        Unfortunately some libraries, including mine (Seattle Public Library) are still locked into Adobe Epub editions of all of their ebooks and audiobooks (with a few exceptions). So even though OverDrive has dropped this requirement it may not help?

        Reply
        1. Nate Hoffelder8 October, 2014

          The earlier versions of Adobe DE don’t spy on you:
          http://the-digital-reader.com/2014/10/07/adobe-digital-editions-3-probably-safe-adobes-spying-experts-say/

          Version 3 is still downloadable from Adobe.

          Reply
        2. Kyle8 October, 2014

          Our library (Cottonwood Public Library in Arizona) is the same. I’m curious to know still what OverDrive’s relationship with Adobe is. Does this breach mean that library users using the OverDrive app are having their metadata collected as well?

          Reply
  81. […] die übermittelten Informationen per Wireshark und fand darin enorm viele Details und Metadaten. Liza Daly stellte sogar fest, dass auch importierte EPUB-eBooks ohne DRM-Schutz in der Nutzung analysiert und […]

    Reply
  82. […] TheDigitalReader nous alerte sur la politique suivie par Adobe avec sa version ADE4. Il serait enfin temps que les éditeurs européens agissent enfin solidairement pour clarifier les conditions dans lesquelles Adobe utilise les données de millions de lecteurs à travers toute l’Europe. C’est aussi à la Commission Européenne de se pencher sur ce problème, tant l’échelle est importante aujourd’hui avec le développement de la lecture numérique dans tous les pays. […]

    Reply
  83. Cherez8 October, 2014

    Come on people, this is nothing new. All the big companies that make money off of meta data are doing this. What’s even scarier is that some companies that are supposed to be providing security to users are also skimming data without the users knowing it.

    Do a Google search on “RSA Security backdoor” or just visit this link:

    http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331

    Let’s just hope that these companies that are monetizing our usage habits don’t get in bed with the security companies that are supposed to be protecting us! Just imagine the room for trouble if that happens.

    Reply
    1. derek8 October, 2014

      That’s not true. “all the big companies” certainly track my usage of their websites. They don’t all track my usage of software I’ve installed on my computer without telling me, and the few that do don’t call home in clear-text. And nobody is, legally, scanning my drive to see what other files I have that they may be interested in.

      Reply
  84. […] in the wake of the news that Adobe was tracking users’ activities and then uploading the data to their servers without encryption, many ebook users, including […]

    Reply
  85. Bill Smith8 October, 2014

    There is no reason to do business with Adobe — there are plenty of free ebook readers that do not spy on you: Calibre, FBReader, the Epub reader extension/web app for Firefox, IE and Safari.

    Stick to DRM-free books that you can direct download to your computer — Smashwords, Weightless, RobotTradingCompany, RebellionStore, DriveThruFiction, BookViewCafe, and many other small vendors.

    The selection on these sites is large and of very high quality…with none of the hassles.

    Reply
    1. derek8 October, 2014

      The selection of those does NOT generally include anything new by established authors. I’m sorry, but I’m not going to stick to reading books that were published a century ago, or self-published recently by unknowns (though I read a LOT of those), just to make a point.

      Reply
      1. Nate Hoffelder8 October, 2014

        Considering that Tor Books went DRM-free, and Baen Books has always been DRM-free, that is not at all true.

        Reply
        1. derek8 October, 2014

          Of course it’s “at all true.” That’s two publishers in a niche market. I’m sure there are others, but still the vast majority of books I want to read are only legally available with DRM — and I’m even primarily interested in SF. If you read bestsellers, tough luck.

          Reply
  86. […] Nate Hoffelder at the Digital Reader broke the story […]

    Reply
  87. […] al dunque. Hoffelder avrebbe scoperto che il software “Digital Editions e-book and PDF reader” registra tut… e spedisce le relative informazioni ad Adobe, casa produttrice dell’applicazione. Una volta […]

    Reply
  88. Adobe legge dentro a chi legge | Lucatarik Ict Tech Blog and News9 October, 2014

    […] dei lettori di ebook sono certe funzioni integrate nel software Adobe Digital Editions 4. Lo ha dimostrato per primo Nate Hoffelder di The Digital Reader, lo ha confermato un'analisi indipendente di […]

    Reply
  89. […] das Blog The Digital Reader am Montag berichtete, gibt es datenschutzrechtliche Bedenken bei der Nutzung der Software Adobe […]

    Reply
  90. […] dei lettori di ebook sono certe funzioni integrate nel software Adobe Digital Editions 4. Lo ha dimostrato per primo Nate Hoffelder di The Digital Reader, lo ha confermato un'analisi indipendente di Ars […]

    Reply
  91. […] collecting and sending data back to Adobe on the e-book usage without any encoding of that data. Nate Hoffelder of The Digital Reader first reported on the issue, followed quickly by Ars Technica. Adobe has subsequently confirmed the […]

    Reply
  92. […] werd ontdekt door Nate Hoffelder van The Digital Reader. Ondertussen werkt Adobe aan een update om hetg euvel op te […]

    Reply
  93. […] The Digital Reader's Nate Hoffelder first reported on Monday and Ars Technica confirmed, Adobe's Digital Editions 4 (DE4) e-book app/PDF reader, which […]

    Reply
  94. Timothy Wilhoit9 October, 2014

    “Further testing has revealed that the files being scanned were actually on my ereader, not my HD. I had not used ADE to load the files on to the ereader, and yet the app scanned them, made a list, and uploaded the list to Adobe.”

    What?? Was this an ereader that was previously authorized to ADE or did the program automatically recognize it before it started hoovering data? I’m no computer whiz but that doesn’t sound like a bug. It also doesn’t jive with Adobe’s statement that the program doesn’t phone home with book information unless the book was actually opened by ADE. So did the program get curious, do a Max Headroom thing and say to itself, “Ooh, a cable? I wonder where it leads?”

    Reply
    1. Nate Hoffelder9 October, 2014

      It was not previously authorized to ADE, no. It just happened to be plugged in when I ran one of the test on ADE4.

      I’m going to do a post, but at the moment I am working with the EFF to document this and understand it better.

      Reply
  95. […] The Digital Reader’s Nate Hoffelder first reported on Monday and Ars Technica confirmed, Adobe’s Digital Editions 4 (DE4) e-book app/PDF reader, […]

    Reply
  96. […] than you’d want to or expect. Earlier this week, a writer from the eBook community published an article on his blog claiming that the eBook and PDF reading software is logging every single document its […]

    Reply
  97. […] has been working with the author of the original report, The Digital Reader’s Nate Hoffelder and others to do more in-depth research about what is or is not going […]

    Reply
  98. […] Two independent reports claim that Adobe’s e-book software, “Digital Editions,” logs every document readers add to their local “library,” tracks what happens with those files, and then sends those logs back to the mother-ship, over the Internet, in the clear. In other words, Adobe is not only tracking your reading habits, it’s making it really, really easy for others to do so as well. […]

    Reply
  99. […] October 6, Nate Hoffelder wrote a post on The Digital Reader: “Adobe is Spying on Users, Collecting Data on Their eBook Libraries.” (He has updated the post over the past couple days.) Why is this privacy-violating spying […]

    Reply
  100. […] /in plain text/, back to an Adobe IP address. This blatant lack of security was first displayed at The Digital Reader by its author, Nate Hoffelder, and was later confirmed at Ars Technica by its own author, Sean […]

    Reply
  101. Adobe Spyware Reveals (Again) the Price of DRM: Your Privacy and Security | Mountain Finch Post9 October, 2014

    […] publishing world may finally be facing its “rootkit scandal.” Two independent reports claim that Adobe’s e-book software, “Digital Editions,” logs every document readers add to […]

    Reply
  102. […] “Adobe is Spying on Users, Collecting Data on Their E-book Libraries.” This was the title of an article by Nate Hoffelder at The Digital Reader on October 6, and though there have been updates since then, the privacy breach has not been resolved just yet. […]

    Reply
  103. […] bloggers and journalists, including Nate Hoffelder, who broke the story at The-Digital-Reader.com, described Adobe’s activities as spying. However, to put the matter in perspective, many […]

    Reply
  104. […] Adobe is Spying on Users, Collecting Data on Their eBook Libraries […]

    Reply
  105. […] that it plans to soon patch a privacy hole in its Digital Edition 4 e-reader software. Researcher Nate Hoffelder disclosed earlier this week that data from the e-reader on a user’s reading habits are sent […]

    Reply
  106. […] Tuesday morning, OverDrive became aware of the story regarding Adobe collecting user information via the use of their desktop reading software, Adobe […]

    Reply
  107. […] According to The Digital Reader, the producer in question is Adobe. […]

    Reply
  108. […] From The Digital Reader, HERE. […]

    Reply
  109. Adobe ADE 4 schendt mogelijk privacy wetgeving | Swink webservicesSwink webservices10 October, 2014

    […] 6 oktober plaatste blogger Nate Hoffelder een bericht over de hoeveelheid gegevens die ADE4 naar servers van Adobe stuurt. De (technologie nieuws-)site Ars Technica heeft dit geverifieerd, en laat duidelijk zien wat voor […]

    Reply
  110. […] Adobe is Spying on their Users, Collecting Data on Their eBook Libraries (the original story from Nate Hoffelder at The Digital Reader) […]

    Reply
  111. HLS Weekly Round Up | hls10 October, 2014

    […] This isn’t […]

    Reply
  112. […] this week, news emerged that Adobe tracks the unencrypted reading history of those accessing ebooks using the Adobe […]

    Reply
  113. The Control Culture10 October, 2014

    […] 10/10/2014 – eBook user? Adobe monitors your reading behaviour […]

    Reply
  114. […] Adobe is Spying on Users, Collecting Data on Their eBook Libraries | The Digital Reader (October 6): “Adobe is gathering data on the ebooks that have been opened, which pages were read, and in what order. All of this data, including the title, publisher, and other metadata for the book is being sent to Adobe’s server in clear text.” […]

    Reply
  115. […] Neoliberalism rewards hypocrisy, so why should we be surprised to find that same tendency towards irresponsible behaviour on the Net.  After all the authorities (NSA, BND, DGSE, GCHQ) and the biggest Internet corporations like Google and Facebook are leading as a negative example. Also Adobe is now spying on its users by collecting data on their eBook libraries. […]

    Reply
  116. […] primera noticia ha saltado en The Digital Reader y Ars Technica lo ha confirmado: Digital Editions envía los libros que has abierto, qué páginas […]

    Reply
  117. […] which data add to users local library, which pages were read, and in what order. Hoffelder also claimed that the application also scanned the files on his ereader, made a list, and uploaded the list to […]

    Reply
  118. […] 4 (ADE4), the latest update for the popular ereading software, your days of gloating are over: ADE4 collects data not just on the book you are currently reading, but on all books in the digital library on your […]

    Reply
  119. […] onderzoek wees uit dat Adobe’s e-reader software heel wat informatie verzamelt zonder je medeweten. De […]

    Reply
  120. Adobe Digital Edition 4 te espía sin tu consentimiento | BlogCZ12 October, 2014

    […] y sin advertirlo en los términos de uso, por supuesto. Debemos agradecerle el descubrimiento a un hacker que estudiaba el sistema DRM de Adobe con fines educativos, descubriendo que la última versión del software envía una gran […]

    Reply
  121. […] Hoffelder on The Digital Reader blog has broken a story about how Adobe is Spying on Users, Collecting Data on Their eBook Libraries. He and Arts Technica report that the Adobe’s Digital Editions 4 send data home about what […]

    Reply
  122. […] En tout début de semaine, un rédacteur faisant partie de la communauté de eBook a publié un article sur son blog où il a déclaré qu’eBook et le logiciel de lecture en PDF se connectaient sur […]

    Reply
  123. […] mentioned, there are (at least) three sides to the problem discovered by security researcher Benjamin Daniel Mussler with the way the current version (4) of Adobe Digital Editions (ADE) manages the ebook experience […]

    Reply
  124. […] in plain text, using unencrypted channels, so just about anyone could access that information. Nate Hoffelder of The Digital Reader made the discovery on October 6, 2014, but the violation is believed to have started with the […]

    Reply
  125. […] Adobe is Spying on Users, Collecting Data on Their eBook Libraries (The Digital Reader) […]

    Reply
  126. […] The American Library Association reported yesterday that Adobe has responded to the ALA’s concerns about the recent revaluations of Adobe spying on users. […]

    Reply
  127. […] has been much concern regarding the recent reports of Adobe Digital Editions (ADE) collecting and sending unencrypted user data back to Adobe for […]

    Reply
  128. […] various sources reported that the latest version of the program, Digital Editions 4, is guilty of heinous violations of user privacy. Digital Editions 4 sends to Abode servers extensive unencrypted information about what every […]

    Reply
  129. […] has recently come to our attention that the software used to access some of the Library’s ebook collections, Adobe Digital […]

    Reply
  130. […] Nate Hoffelder van weblog The Digital Reader ontdekte dat de beheersoftware voor e-books verschillende persoonlijke gegevens verzamelt en naar […]

    Reply
  131. Medienerziehung in der FamilieMeinungsaustausch 2.0 | blogparade | ampersand16 October, 2014

    […] & Zweife am Beispiel Datensicherheit: Sie kennen dich! Sie haben dich! Sie steuern dich! Adobe is Spying on Users,Collecting Data on Their eBook Libraries Was macht ihr mit meinen […]

    Reply
  132. TopicsOnTech | Adobe’s e-book reader sends your reading logs back to Adobe—in plain text [Updated]16 October, 2014

    […] the logging of e-reader activity with the use of a packet capture tool. The exposure of data was first discovered by Nate Hoffelder of The Digital Reader, who reported the issue to Adobe but received no […]

    Reply
  133. […] week, several library- and tech-world sites reported that Adobe Digital Editions Reader, version 4 (ADE4), was doing two […]

    Reply
  134. […] of the 21st century finds technology may render those ambitions obsolete. As The Digital Reader reported, the latest version of Adobe Digital Editions (ADE) for library collections is able to collect and […]

    Reply
  135. […] Information: Adobe is Spying on Users, Collecting Data on Their eBook Libraries “Adobe is gathering data on the ebooks that have been opened, which pages were read, and in what […]

    Reply
  136. […] NaNoWriMo approaching, I shared a disturbing article about surveillance — “Adobe is Spying on Users, Collecting Data on Their eBook Libraries” on one of the NaNoWriMo boards I visit. This got me an acknowledgement that yes, we are being […]

    Reply
  137. Adobe Digital Editions 4.0 too lax with reader data - Maple Books18 October, 2014

    […] a scandal around Adobe recently. Ten days ago, Nate Hoffelder of The Digital Reader revealed that Adobe is collecting user data from its application Adobe Digital Editions. To be precise, a hacker friend of Nate Hoffelder realized that the new version of Adobe’s […]

    Reply
  138. Ce que le livre numérique va changer au secteur du livre en France | cultures numériques18 October, 2014

    […] sollicité…) des éditeurs, constructeurs de tablettes, et autres opérateurs de réseaux ? La rumeur selon laquelle Adobe analyserait nos usages illustre bien cette inquiétude que partagent les libraires et leurs […]

    Reply
  139. Adobe’un E-kitap okuyucu uygulamas? kullan?c? bilgilerini toplay?p firman?n sunucular?na gönderiyor - SECURITY INFORM TR20 October, 2014

    […] ekledi?i kitaplar?n bilgisini toplay?p Adobe’un sunucular?na gönderdi?i ortaya ç?kt?.  Daha da kötüsü, uygulaman?n kullan?c?n?n e-kitap okuyucusunda bulunan dosyalar? taray?p […]

    Reply
  140. […] a new thread of privacy discussions going on surrounding a recent uncovering of user activity data being collected by Adobe Digital Editions soft…. This software is used by most ebook platforms that libraries provide to their patrons. (TU has it […]

    Reply
  141. Christopher Slager21 October, 2014

    Whoever wrote this piece is officially my favorite journalist. You provided timely an effective updates. You explained to us where you received your information, you provided data and links to further reading. You cited previous work. You corrected yourself when you may have been seen as wrong. The only problem is when I went to see what other work you did on this website you’ve been 404’ed. Please have them reinstate your articles so I can read the rest.

    Reply
    1. Nate Hoffelder21 October, 2014

      The links work for me, darnit.

      Reply
  142. […] Nate Hoffelder at The Digital Reader discovered that Adobe Digital editions is keeping an ongoing record of any items that have checked […]

    Reply
  143. […] However, an issue has come up in the meantime that is more timely and urgent, so I’m putting off the “noisy vs. important” column until next time. This month I want to address the issue of patron privacy in the context of the recent revelations about privacy incursions in the latest version of Adobe Digital Editions (ADE)—specifically, the fact that version 4 of the e-reader software gathers highly specific data about individual users’ reading behavior and transmits it, unencrypted and with all identifying information included as well as other data culled from the user’s machine, back to Adobe. (A very useful running summary of the issue and details about how the situation is quickly evolving can be found at the Digital Reader blog.) […]

    Reply
  144. […] bad news is that we don’t know for sure whether Adobe is still spying on users, because (and here’s the okay news) they say that they are now encrypting the data uploaded […]

    Reply
  145. […] Digital Reader blog reported on Oct. 6 that Adobe’s Digital Editions 4 software, used for downloading and reading e-books, […]

    Reply
  146. […] couple weeks ago I read an article about how Adobe is spying on its users with Digital Editions 4. Am I the only one who isn’t outraged by this? I actually couldn’t care […]

    Reply
  147. […] gesammelt und an Adobe übermittelt. Die Sache wurde kurz vor der Frankfurter Buchmesse von The-Digital-Reader entdeckt und hat sich in der Technikszene schnell verbreitet. Besonders in der Post-Edward-Snowden Ära war […]

    Reply
  148. […] publishing world may finally be facing its “rootkit scandal.” Two independentreports claim that Adobe’s e-book software, “Digital Editions,” logs every document readers add to […]

    Reply
  149. Adobe’s e-book reader sends your reading logs back to Adobe—in plain text [Updated] - Yahusu Technology28 October, 2014

    […] the logging of e-reader activity with the use of a packet capture tool. The exposure of data was first discovered by Nate Hoffelder of The Digital Reader, who reported the issue to Adobe but received no […]

    Reply
  150. […] Adobe is Spying on Users, Collecting Data on Their eBook Libraries […]

    Reply
  151. […] Details. Confirmation. […]

    Reply
  152. […] to address the cleartext data transmission. [NBCNews] [Ars Technica] [The Register] [The Register] [The Digital Reader] A tip from a hacker prompted a journalist to use a network tracking app to discover Adobe Digital […]

    Reply
  153. Rodger31 October, 2014

    I’ve known for years that Adobe is up to no good. I remember the Flash cookies that you couldn’t remove in a decent way.

    I removed Flash a couple of years so I don’t know how it’s managed now but for a very long time if you wanted to disable all Flash cookies… wel that wasn’t possible! You could only disable Flash cookies per website (opt-out). But how do you know which websites you will be visiting tomorrow or next week or next year? Well you don’t so by default cookies are created and then you need to disable them per website. And how do you disable them per website? Well by visiting the online Adobe configurator website of course that’s hosted on one of their domains that configures files on YOUR local computer.

    Reply
  154. […] were also able to reproduce the results of the experiment run by The Digital Reader. To perform these tests we again used Wireshark. We plugged a Sony Reader PRS-600 into a computer […]

    Reply
  155. […] weighed in for the second time on the Adobe spying scandal, offering a belated confirmation of both my initial report as well as a confirmation that Adobe has updated Digital Editions and stopped the […]

    Reply
  156. Adobe reportedly spying on its users: Data transfer occurs un-encrypted ! - Securethelock12 November, 2014

    […] Earlier this month when this news was out, Nate Hoffelder wrote on his blog, The Digital Reader: […]

    Reply
  157. Blog do Editor12 November, 2014

    […] qual livro] também podem ser expostos. Os riscos de tais posturas ficaram claras com o escândalo Adobe Digital Editions – onde padrões de leitura específicos de usuários eram enviados de volta […]

    Reply
  158. Hondana | From Frankfurt to Recife: Books in 202019 November, 2014

    […] data (who read what book) can also be exposed. The risks of such approaches were clear with the Adobe Digital Editions scandal — where user-specific reading patterns were sent back in unencrypted text to a centralized […]

    Reply
  159. Hondana | De Frankfurt a Recife: Livros em 202019 November, 2014

    […] (quem lê qual livro) também podem ser expostos. Os riscos de tais posturas ficaram claras com o escândalo Adobe Digital Editions — onde padrões de leitura específicos de usuários eram enviados de volta em texto sem […]

    Reply
  160. […] stronger but narrower. It wouldn’t apply in situations like the recent Adobe Digital Editions privacy breach, but it should be more effective at stopping “unnecessary government intrusion”. I […]

    Reply
  161. […] in the clear (unencrypted). You can read more about this (with links to even more articles) at the Digital Reader. Adobe, of course, is not the only company gathering reader data. Amazon, says Scholarly Kitchen, […]

    Reply
  162. […] was criticized in early October after it was discovered Digital Editions collected metadata about e-books on a device, even if the e-books did not have […]

    Reply
  163. […] wurde bekannt, dass die neue Version von Adobe DE und Reader SDK nicht nur in ungeahntem Umfang Leser- und Nutzungsdaten sammelt (was für sich genommen nicht besonders verwunderlich wäre), sondern diese auch noch […]

    Reply
  164. […] slow and clunky. It works, but this wouldn't be my preferred app (even if I hadn't caught Adobe spying on users several months […]

    Reply
  165. […] ekledi?i kitaplar?n bilgisini toplay?p Adobe’un sunucular?na gönderdi?i ortaya ç?kt?.  Daha da kötüsü, uygulaman?n kullan?c?n?n e-kitap okuyucusunda bulunan dosyalar? taray?p […]

    Reply
  166. […] October of last year, news broke on The Digital Reader that Adobe Digital Editions was taking a significant amount of user data and sending it back to their servers. Adobe Digital Editions (ADE) is a program that allows readers […]

    Reply
  167. […] can download the app from Adobe. Given that previous versions came bundled with free spyware, I am choosing to […]

    Reply
  168. […] October of last year, news broke on The Digital Reader that Adobe Digital Editions was taking a significant amount of user data and sending it back to their servers. Adobe Digital Editions (ADE) is a program that allows readers […]

    Reply
  169. […] in plain text, using unencrypted channels, so just about anyone could access that information. Nate Hoffelder of The Digital Reader made the discovery on October 6, 2014, but the violation is believed to have started with the […]

    Reply
  170. […] Adobe is Spying on Users, Collecting Data on Their eBook Libraries […]

    Reply
  171. […] have become normalized into the common practices of building software. Take, for example, a recent discovery that Adobe’s Digital Editions 4 was scanning users’ ereaders and sending info…. Similarly, most digital lending services build the costs of Digital Rights Management into their […]

    Reply
  172. […] list all ebook readers and how much data they have been found to keep on you.  Here is a link on Adobe collecting data on users.  Again, the point of all of this is that the US government has “decided” that data […]

    Reply
  173. Trick Of The Light Rob Thurman Epub | Fix How To2 July, 2015

    […] Adobe is Spying on Users, Collecting Data on Their eBook … – They collect data on books bought from them to some extent or another. Books aren’t bought from Adobe (they aren’t a seller), plus Adobe is collecting info on … […]

    Reply
  174. jacqui13 July, 2015

    And… I have just had a bizarre conversation with an adobe rep when I called to get a adobe digital publishing quote for developing an ebook we needed to create. They would only give me a price for their service if I gave them the clients name. He said because they might be dealing direct with the client. Firstly where is our data protection if we don’t want to give them the name at this stage we shouldn’t have to its our client not theirs and secondly it leaves you with the feeling that their aim is to leave out the middleman ie the design/web agency and deal direct with the end customer!

    Reply
  175. […] the modern Web, and provide personalized services to library users. The October 2014 revelations disclosing what Adobe’s Digital Editions collects about users and their reading habits brought this gap into center […]

    Reply
  176. […] the modern Web, and provide personalized services to library users. The October 2014 revelations disclosing what Adobe’s Digital Editions collects about users and their reading habits brought this gap into center […]

    Reply
  177. E-book: e se davvero Adobe spiasse i lettori di libri digitali? - Open Tag Team24 September, 2015

    […] al dunque. Hoffelder avrebbe scoperto che il software “Digital Editions e-book and PDF reader” regi… e spedisce le relative informazioni ad Adobe, casa produttrice dell’applicazione. Una volta […]

    Reply
  178. […] of their books are sold, but how many pages readers actually peruse. Adobe got into trouble for spying on readers in 2014, though the company now collects less […]

    Reply
  179. […] of their books are sold, but how many pages readers actually peruse. Adobe got into trouble for spying on readers in 2014, though the company now collects less […]

    Reply
  180. […] Thema gemacht hat die Angelegenheit das E-Book-Blog The Digital Reader. Die neueste Version der Adobe-Software protokolliert demnach beispielsweise, welche E-Books im […]

    Reply
  181. […] of their books are sold, but how many pages readers actually peruse. Adobe got into trouble for spying on readers in 2014, though the company now collects less […]

    Reply
  182. just what makes me tick | Medienerziehung in der Familie Meinungsaustausch 2.0 | blogparade25 April, 2016

    […] & Zweife am Beispiel Datensicherheit: Sie kennen dich! Sie haben dich! Sie steuern dich! Adobe is Spying on Users,Collecting Data on Their eBook Libraries Was macht ihr mit meinen […]

    Reply
  183. […] week, several library- and tech-world sites reported that Adobe Digital Editions Reader, version 4 (ADE4), was doing two […]

    Reply
  184. […] publishing world may finally be facing its “rootkit scandal.” Two independent reports claim that Adobe’s e-book software, “Digital Editions,” logs every document readers add to […]

    Reply
  185. […] Hoffelder, Nate. “Adobe is Spying on Users, Collecting Data on Their eBook Libraries.” The Digit… […]

    Reply
  186. […] Adobe Digital Editions 4 dials home with your data… in plain text – There are some boneheaded security and privacy violations being committed by the latest version of Adobe’s ereader software. […]

    Reply
  187. […] Adobe is Spying on Users, Collecting Data on Their eBook Libraries | The Digital Reader […]

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to top