A hacker acquaintance of mine has tipped me to a huge security and privacy violation on the part of Adobe. That anonymous acquaintance was examining Adobe’s DRM for educational purposes when they noticed that Digital Editions 4, the newest version of Adobe’s Epub app, seemed to be sending an awful lot of data to Adobe’s servers.
My source told me, and I can confirm, that Adobe is tracking users in the app and uploading the data to their servers. (Adobe was contacted in advance of publication, but declined to respond.) Edit: Adobe responded Tuesday night.
- Ars Technica independently confirms many details.
- A second confirmation comes in from Liza Daly of Safari Books.
- Tests show that earlier versions of Adobe DE don’t spy on users.
- Adobe responds.
- Bluefire comments on the story.
- Adobe responds to the ALA (and what I’ve learned since this story broke)
- Digital Editions 4.0.1 is released, and does not spy on users.
- The EFF confirms all of my initial report.
And just to be clear, I have seen this happen, and I can also tell you that Benjamin Daniel Mussler, the security researcher who found the security hole on Amazon.com, has also tested this at my request and saw it with his own eyes.
Adobe is gathering data on the ebooks that have been opened, which pages were read, and in what order. All of this data, including the title, publisher, and other metadata for the book, is being sent to Adobe’s server in clear text.
I am not joking; Adobe is not only logging what users are doing, they’re also sending those logs to their servers in such a way that anyone running one of the servers in between can listen in and know everything.
But wait, there’s more.
Adobe isn’t just tracking what users are doing in DE4; this app was also scanning my computer, gathering the metadata from all of the ebooks sitting on my hard disk, and uploading that data to Adobe’s servers.
In. Plain. Text.
And just to be clear, this includes not just ebooks I opened in DE4, but also ebooks I store in calibre and every Epub ebook I happen to have sitting on my hard disk.
Update: Further testing has revealed that the files being scanned were actually on my ereader, not my HD. I had not used ADE to load the files onto the ereader, and yet the app scanned them, made a list, and uploaded the list to Adobe.
And just to show that I am neither exaggerating nor on drugs, here is proof.
The first file proves that Adobe is tracking users in the app, while the second one shows that Adobe is indexing my ebook collection.
The above two files were generated using data collected by an app called Wireshark. This nifty little app can be used to log all of the information that is sent or received by your computer over a network. Mussler and I both saw that data was being sent to 18.104.22.168, one of Adobe’s IP addresses. Wireshark logged all of the data sent to Adobe, and on request spat out the text files.
This is a privacy and security breach so big that I am still trying to wrap my head around the technical aspects, much less the legal aspects.
On a technical level, this kind of mistake is not new. Numerous apps have been caught sending data in clear text, and others have been caught scraping data without permission (email address books, for example). What’s more, LG was caught in a very similar privacy violation last November when one of their Smart TVs was shown to be uploading metadata from a user’s private files to LG’s servers – and like Adobe, that data was sent in clear text.
I am sharing these details not to excuse or justify Adobe, but to show you that this was a massively boneheaded stupid mistake that Adobe would have seen coming had they had the brains of a goldfish.
As for the legal aspects, I am still unsure of just how many privacy laws have been violated. Most states have privacy laws about library books, so if this app was installed in a library or used with a library ebook then those laws may have been violated. What’s more, Adobe may have also violated the data protection sections of FERPA, the Family Educational Rights and Privacy Act, and similar laws passed by states like California. (I’m going to have to let a lawyer answer that.)
And then there are the European privacy laws, some of which make US laws look lax.
Speaking of Europe, the Frankfurt Book Fair is coming up later this week. Adobe will be exhibiting at the trade show, and something tells me they will not be having a nice trip. (I for one hope that the senior management is detained for questioning.)
In any case, I would highly recommend that users avoid running Adobe’s apps for the near future – ever again, for that matter. Luckily for us, there are alternatives.
Rather than use Adobe DE 4, I would suggest using an app provided by Amazon, Google, Apple, or Kobo. Amazon uses the Kindle format, and each of the last three ebook platforms uses their own unique DRM and Epub (-ish) file format inside their apps. (While Google and Kobo will let you download an ebook which can be read in Adobe DE, that DRM is not used internally by either Kobo or Google.)
None of those 4 platforms are susceptible to Adobe’s security hole.
Of course, I can’t say for sure whether those platforms are more secure and private than Adobe’s, but I’m sure they will be made more secure in the next few weeks.