Adobe Responds to Reports of Their Spying, Offers Half Truths and Misleading Statements

They may be a day late and a dollar short, but Adobe has finally responded to yesterday's news that they were using the Digital Editions 4 app to spy on users.

Adobe hasn't addressed all of the evidence against them, but they did admit that they were gathering info from users. They won't admit to scraping my library, but they did admit to tracking a user's activities. Adobe claims that it was covered by their privacy policy and by the TOS for the app:

Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers. Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy.

I don't know about you, but I don't see how sending a user's reading history in clear text over the web could possibly be in line with a privacy policy.

On a related note, I took some time today to read the TOS for Adobe Digital Editions 4, and I do not see where it gives them permission to track user behavior, much less upload said tracking data in the clear. What's more, I have also heard from a couple other techies who also read the TOS and were unable to find mentions of this program.

Update: Robert has pointed out in the comments the relevant section of Adobe's privacy policy, which you had to find on the Adobe website, and not the TOS I agreed to when I installed ADE 4.

I have asked Adobe for an explanation on this last issue, and I will update this post if they respond. Sadly, I don't expect that to occur; Adobe has not responded to my emails on this issue (I got this statement second-hand from Rich Bellis of DBW).

Update: I am in discussion with Adobe on this and other issues.

 

Nate Hoffelder


57 Comments

  1. Michael, 7 October, 2014

    “…is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers.”

    Which does not apply at all to 99.9% of my epub files, which are DRM-free and are only ever opened in ADE for the purposes of testing compatibility.

    “Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library…”

    Um, nope. It tries to send statistics on my entire library after I open the app, right after I choose a book to open.

    1. Nate Hoffelder, 7 October, 2014

      So you can confirm that they scanned your entire library?

      No one has been able to confirm that detail so far. Can you post a file, please?

      It would really help the story.

  2. Michael, 7 October, 2014

    My experience doesn’t confirm that it’s scanning my entire library, but rather what I think is happening is this: any book you’ve opened in ADE at any point is logged, and that log is added to and retransmitted. I did a test with a fresh install. Added 3 books to my library, and when I opened one, it sent* info on just that one book. Closed the app, launched again, and opened a different title. This time it sent info on both the open book and the previously opened one. Closed, launched again, and opened the third. That time it sent info on all three. Finally, I removed one of the books from the library, closed and relaunched, and upon opening one of the remaining titles, info was sent on all three, including the one no longer there.

    Is it possible in your case it never scanned your drive but was reporting the past history of books that were opened in ADE once upon a time?

    * Actually, by sent I mean tried to send, since I blocked the outgoing connection.

    1. Michael, 7 October, 2014

      So when I say it tries to send my entire library, I mean anything I’ve opened in ADE previously. As far as I know it doesn’t include anything added to the library but never opened, or which is elsewhere on your drive but has never been read in ADE. I may be wrong though.

    2. Nate Hoffelder, 7 October, 2014

      “Is it possible in your case it never scanned your drive but was reporting the past history of books that were opened in ADE once upon a time?”

      That’s just not possible. There are at least a dozen titles listed which I know without a doubt that I did not open in DE4. There is a handful from HC which I have not even opened on my computer. They sat in my download folder, and were copied to whatever device I was reading on.

      1. Michael, 7 October, 2014

        That’s extra disturbing then. Standard Windows Downloads folder? I haven’t tried placing epubs in that folder specifically, but can do so to see if I can corroborate.

        1. Nate Hoffelder, 7 October, 2014

          Yep. But then there were also the ebooks in the calibre library, which was also in a standard location.

      2. Mike Ellids, 8 October, 2014

        It may share the history with ADE 3 or even 2, did you ever have the books open in them? Did you browse to a folder in ADE4 that contained the books you never read in 4? It might be opening them to display info in its file open dialogue box.

        1. Nate Hoffelder, 8 October, 2014

          Nope. I kept ADE around for much the same reason as a pro would; to check for compatibility. I didn’t use it much. And I certainly didn’t browse to my calibre folder with ADE.

          Furthermore, do you see the HarperCollins books in the list in the other post? Those were never opened on my computer at all. I can also state with absolute certainty that the Baen titles listed were never opened in ADE – ever. The same goes for the ones bought from Fictionwise.

          1. Timothy Wilhoit, 8 October, 2014

            If you’ve never opened those books in any version of ADE and you didn’t open a book located inside the Calibre folder, it’s a cinch the program was searching for any ePub it could find on your hard drive. That’s completely contrary to Adobe’s statement…The only books scanned were ones opened in ADE. Considering that they said they were attacking piracy, who the heck would open a pirated book with ADE? If their stated goal was fighting pirates, they won’t do any good unless they’re looking at the whole hard drive and I’m sure the Adobe folks are well aware of Calibre’s capabilities using special plugins. They might very well have programmed their app to look for it. That might be too conspiratorial, but who knows.

            1. Nate Hoffelder, 8 October, 2014

              This would be a good technical explanation of how Adobe might have come to scan my HD, but it doesn’t justify the invasion of privacy. And I now have word from Adobe that they insist they didn’t scan my computer.

  3. Michael, 7 October, 2014

    Okay, I’m spinning up a VM to start over from scratch with a controlled environment. I’ll place epubs on the desktop, in Documents and in Downloads, load Calibre and stick a few in its library, then do another install of ADE4 and see what happens. My main folders are on a different drive than I had ADE on, because I have a small boot drive, so it’s possible it didn’t find my other stuff for that reason. If I can confirm it’s pulling info on books outside its own library, I’ll e-mail you a copy of the log.

    1. Nate Hoffelder, 7 October, 2014

      Thanks.

      1. Michael, 7 October, 2014

        Logs and report sent to your Gmail account. Couldn’t confirm scanning outside of its own library, but one of the logs does show it sending info on all 4 epubs in the test library, not just the one currently open as Adobe claims. Further logs show that ADE sends them info on what’s been deleted as well.

  4. Robert, 7 October, 2014

    I don’t see how sending user info in clear text over the web could possibly be in line with a privacy policy

    Can you please elaborate on what “user info” you think is being sent? As I noted in a recent comment on your original post, meta-data about books – titles, publisher, licensing info – isn’t really user info. The data you shared earlier doesn’t contain anything that would seem to qualify as “user info” (e.g. email addresses, real names, or other personally identifiable information).

    1. Nate Hoffelder, 7 October, 2014

      That is a reasonable nit to pick. I’ll go rephrase.

      1. Robert, 7 October, 2014

        BTW, this is the relevant section from the Adobe privacy policy that you agree to (in section 14.1.2 of the DE4 Software licensing agreement). It allows Adobe to collect both personally identifiable and non-identifiable information.

        Not that this is a good thing, but it does mean Adobe is complying with terms that users have agreed to (but probably haven’t read.)

        1. Nate Hoffelder, 7 October, 2014

          I stand corrected.

          But I still don’t see where sending the info in the clear is covered, nor sending info from other ebooks.

          1. Nickbango, 8 October, 2014

            Which, BTW you have to find and read by yourself as no link is provided when you download the app. Even the licence in the installer, which is the only one you actually accept, doesn’t mention it.

            Now, in some countries, only the installer’s licence will be considered valid and the EULA + Privacy Policy (which have to be considered a whole as they mention one another quite often) will not, which means the way Adobe manages EULA + Privacy Policy is ILLEGAL—and they could be punished for that.

            And BTW2, if you do read the Privacy Policy and the EULA, you see the stuff is so vague that it covers anything happening here.

            In short, users agreed in countries where the governing body doesn’t give a damn about customers (that is to say visiting the site = accepting EULA/Privacy Policy), users could sue and win in countries where it is illegal.

            PS: KasThomas being a former Adobe employee, he is biased and EVIL to the bone. He will do anything to defend his former company.

      2. Galen Charlton, 7 October, 2014

        Examination of one of the Wireshark logs shows that the userId key can have a non-blank value. Where does this come from? I can’t say for sure, but I think it a reasonable guess that it might identify, to Adobe, the user account registered with their license server.

        If so, that would allow Adobe to directly associate book reading information with users. That may or may not have been the case with earlier versions of DE, as it is not clear to me how much information about a DRM ebook got communicated back to Adobe during a license transaction (as opposed to the publisher or distributor running Adobe Content Server).

        However, as far as anybody intercepting the information is concerned, that userId also provides a way to collocate reading activity. For that matter, the user’s IP address, while not of course a surefire way to identify a given individual, could help law enforcement or other determined attackers get close or all the way towards connecting a reading history with a person. And as Mihai points out, simply the combination of books may with effort be sufficient to identify a person.

        So no, DE isn’t passing along names or email addresses back home to Adobe — but somebody intercepting that traffic or gaining access to Adobe’s logs doesn’t necessarily need that.

    2. Mihai, 7 October, 2014

      Depends on the definition of “personally identifiable.” Given a sufficiently large sample of books (say, 50 or so out of a total of, say, 1000000 tracked by Adobe’s content server), it’s very reasonable to assume that the particular combination of books you have lying around can uniquely identify you. While this might not be illegal (however questionable it might be from a moral standpoint), *not disclosing* this to users might be very illegal indeed, at least in the EU.

      Reply
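
Galen Charlton's and Mihai's comments above describe one risk from two sides: a stable identifier lets an observer collate cleartext records, and the collated set of titles narrows down who the reader is. The Python below is an added example, not code from the post, its commenters or Adobe; only the `userId` key comes from the thread, while the `src_ip` and `title` field names, the records and the reader libraries are constructed for illustration.

```python
"""Added illustration: linking cleartext reading records and measuring how
quickly a set of titles narrows the pool of possible readers."""
from collections import defaultdict

# Constructed sample of records as an on-path observer might log them.
# Only the "userId" key is named in the thread; "src_ip" and "title" are
# hypothetical field names, and every value below is made up.
CAPTURED = [
    {"userId": "u-1f3a", "src_ip": "198.51.100.7", "title": "Popular Thriller"},
    {"userId": "u-1f3a", "src_ip": "203.0.113.9", "title": "Space Opera Vol. 3"},
    {"userId": "", "src_ip": "198.51.100.7", "title": "Regional Poetry Anthology"},
    {"userId": "u-77c2", "src_ip": "192.0.2.44", "title": "Popular Thriller"},
    {"userId": "u-1f3a", "src_ip": "203.0.113.9", "title": "Beekeeping in Cold Climates"},
]

# Constructed population: which reader holds which titles.
LIBRARIES = {
    "reader_a": {"Popular Thriller", "Space Opera Vol. 3",
                 "Beekeeping in Cold Climates", "Regional Poetry Anthology"},
    "reader_b": {"Popular Thriller", "Space Opera Vol. 3"},
    "reader_c": {"Popular Thriller", "Weeknight Cookbook"},
    "reader_d": {"Popular Thriller"},
    "reader_e": {"Space Opera Vol. 3", "Beekeeping in Cold Climates"},
}


def collate(records, key):
    """Group titles by the value of `key`, preserving first-seen order.

    Records whose key is blank are skipped: they cannot be linked this way.
    """
    groups = defaultdict(list)
    for rec in records:
        value = rec.get(key)
        if value and rec["title"] not in groups[value]:
            groups[value].append(rec["title"])
    return dict(groups)


def anonymity_set(observed, libraries):
    """Readers whose library contains every observed title."""
    wanted = set(observed)
    return sorted(name for name, lib in libraries.items() if wanted <= lib)


def shrinkage(titles, libraries):
    """Size of the anonymity set after each additional observed title."""
    return [len(anonymity_set(titles[:i], libraries))
            for i in range(1, len(titles) + 1)]


if __name__ == "__main__":
    by_user = collate(CAPTURED, "userId")
    by_ip = collate(CAPTURED, "src_ip")
    for user, titles in by_user.items():
        print(user, titles, "candidates per title:", shrinkage(titles, LIBRARIES))
    # The same reader appears under two source addresses, so grouping by IP
    # alone splits the history that the shared userId keeps together.
    print(by_ip)
```

In this constructed data the three titles linked by one `userId` leave a single candidate reader, while the two titles seen from one source address still leave two.
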
  5. Chris Meadows, 7 October, 2014

    As I put it in my piece on TeleRead:

    The statement effectively reads like the kind of boilerplate provided to low-level peons who don’t have any actual knowledge but have to say something so people know they’re aware of the issue. (Remember how Amazon’s first response when someone self-published a pedophilia manual was to issue a statement about how “Amazon believes it is censorship not to sell certain books simply because we or others believe their message is objectionable” before finally pulling the book a few hours later when someone with authority actually looked at it? Same kind of thing.) The idea that sending information about what you’re reading in the clear is in line with any information-age privacy policy is ludicrous.

  6. […] as one with Adobe’s statement about their data collection that I will (unfairly) sum up as “It’s totally in line with our privacy policy to take that data to make sure that you aren’t stea…” It’s like checking for identity theft by screaming out the person’s social security number […]

  7. JRF, 8 October, 2014

    The data appears consistent with what I would expect from a service that offers cross device synchronization. I would be surprised if WhisperSync/Kindle and Apple iBooks didn’t send essentially the same information back up to their respective mother ships. iBooks, at least, offers synchronization of reading position and annotations on any epub regardless of origin. You need some kind of key to identify whose bits you are synchronizing. The implication that users will escape this “spying” by using apps from Google, Amazon, Apple, Kobo, etc. is laughable.

    The alarming and inexcusable thing here is sending this over the wire sans https. Somebody clearly didn’t get the memo on that basic expectation. I would hope Google, Amazon, Apple, Kobo, etc. have this base covered, but I haven’t verified.

    The lack of transparency is deplorable, but hardly alarming.

    1. Nate Hoffelder, 8 October, 2014

      “The data appears consistent with what I would expect from a service that offers cross device synchronization.”

      Yes, and that’s why I speculated in another post that Adobe could be planning this feature so readers can sync between Adobe DE4 and the new iPad app which I have been told is in the works.

      But that still doesn’t explain why Adobe transmitted all of the reading data, even for non-DRM ebooks. Those should not have been touched.

      1. fjtorres, 8 October, 2014

        Do you have any Alf-ie plugins in Calibre?
        (For testing purposes, of course.)

        According to a report at the Register,
        http://www.theregister.co.uk/2014/10/08/adobe_says_it_slurps_ebook_data_in_plain_text_because_privacy_is_important/

        One of the things ADE 4 now tests for is “certified app ID”. Which implies it looks for non-certified apps. If it is looking for plug-ins and reporting back on installations with them…

        They do say in the article that “piracy” is one of the things they scan for.

        1. Nate Hoffelder, 8 October, 2014

          Yes, bunches.

          1. fjtorres, 8 October, 2014

            Might it be why it scraped your calibre library?

            1. Nate Hoffelder, 8 October, 2014

              Perhaps, but how would it know that I had a plugin if it hadn’t first looked for the plugins?

          2. Timothy Wilhoit, 8 October, 2014

            I’d say when the app found books that were supposed to be coated with their wonderful DRM showed signs of “tampering,” then the presence of the AA plugin might be assumed. The Register article said Adobe claimed they were looking for signs of piracy…they might make the leap that an unDRMed book is a pirated book. I noticed “Calibre” was stamped all over the Baen and Fictionwise books but not on the TradPub books. Interesting…don’t know what it means.

          3. Michael, 8 October, 2014

            @Timothy: The Calibre marker is from the epub metadata itself, and is inserted by Calibre automatically during certain operations. In this case it would just show that some publishers like Baen use it as part of their production.

            I suspect if Adobe found that marker in the metadata of an epub normally sold with DRM, and didn’t see it present in the metadata of the publisher’s original, they’d flag this as potential piracy in their system. I have little doubt, given their intense interest in protecting the monetary value of their DRM system, that this is why they’re sending data on non-DRMed epubs in the first place.

          4. Bob W, 8 October, 2014

            Did you have Calibre server running? I’m wondering if it did a scan for OPDS catalogs and found your Calibre server instance. That might be why others haven’t reproduced it.

          5. Michael, 8 October, 2014

            I meant to say “might just show”, since it’s possible that file came from Nate’s Calibre library. I’ve found that a number of pubs do use Calibre in their workflow, so I’m never surprised when I see it there even on a brand-spanking new download.

          6. Michael, 8 October, 2014

            @Bob: Excellent hypothesis! I did some testing of my own yesterday and couldn’t reproduce the Calibre scanning aspect. I hadn’t thought to check if it’s looking for a server instance. I’m going to try that now.

            1. Nate Hoffelder, 8 October, 2014

              I didn’t have one running, but there’s a chance it was running in the background. (I don’t know how it works.)

          7. Michael, 8 October, 2014

            I set up a new VM with Calibre’s server on and installed a fresh copy of ADE4, and didn’t detect any probing of the library.

          8. Timothy Wilhoit, 8 October, 2014

            I wonder what happens if you open a single book located within the Calibre folder? I was curious if the program sifts through the rest of the folder once given access.

      2. Chris Meadows, 8 October, 2014

        Well, if they’re doing cross-device last-place-you-read synchronization of all books (like Google Play Books does), they would have to send back that data about all books.

        1. Nate Hoffelder, 8 October, 2014

          Except they don’t have a sync feature yet because they don’t have any apps to sync to.

  8. […] in effect responded without responding, because it said that the data is collected solely to verify […]

  9. […] My source told me, and I can confirm, that Adobe is tracking users in the app and uploading the data to their servers. (Adobe was contacted in advance of publication, but declined to respond.)  Edit: Adobe responded Tuesday night. […]

  10. Kas Thomas, 8 October, 2014

    Amazon and Apple already collect this kind of information, and more. Are you picking on Adobe because they didn’t warn you in Terms of Service (even though, actually, they did: section 14.1.2 of the DE4 Software licensing agreement)? Are you outraged simply because of them not using HTTPS? (Something tells me you would have written about it even if they were using HTTPS.) Why is it Amazon and Apple can do this every day but you jump all over Adobe for doing it?

    Google is sucking keywords out of every email you send on Gmail. Surely this is an even greater privacy violation?

    With its Omniture suite, Adobe collects truly massive amounts of analytics info on website customers. (Some of the largest web properties in the world run on top of Adobe Experience Manager, with its SiteCatalyst integration.) No mention of that?

    1. Nate Hoffelder, 8 October, 2014

      “Amazon and Apple already collect this kind of information, and more.”

      That’s not entirely accurate. But just as importantly, I have mentioned that aspect in both of the previous posts on this story. I didn’t mention it here because I wanted to focus on Adobe’s response.

      Apple only collects this kind of info on ebooks you buy from them. Amazon only collects info on ebooks you hand to them or buy from them. And neither company scrapes your hard disk, and then uploads the information in the clear.

      Adobe, on the other hand, made a list of all of the ebooks sitting on my computer, and then transmitted all of the data in the clear. That is hugely different. Adobe then proceeded to defend their actions by claiming that it was covered by their privacy policy.

      And as for Google email, the scanning is limited to what is sent and received inside the service. That is a big difference from what I caught Adobe doing.

      And as for Omniture, I don’t like that either, so I use plugins like Ghostery to protect my privacy.

      1. dog, 8 October, 2014

        You’ll need to protect your job more than your privacy if you continue posting articles without verifying the “facts” you assert first.

  11. Mike Ellis, 8 October, 2014

    Can we confirm that those testing in a VM are using the same release of ADE4? Adobe hasn’t quietly replaced the installer since the story broke have they?

    1. Nate Hoffelder, 8 October, 2014

      At least one person is using the install file I started from. He still has not duplicated my feat.

      At this point there are multiple people who are trying to duplicate my work but cannot. TBH if I didn’t have the file as proof I would have retracted by now.

  12. Greg Weeks, 8 October, 2014

    Did you ever plug a hardware reader in that had these books on it? Since that’s the recommended way to get a DRMed epub onto the reader. I know calibre will suck the metadata out of a reader if it’s configured that way. Maybe ADE sucked the metadata from a plugged in reader rather than from your HD? I pitched ADE 4 off my system and will not install it again to test this.

    1. Nate Hoffelder, 8 October, 2014

      I can say this for at least some of the ebooks in the log:

      I’ve plugged in tablets and ereaders and transferred the DRM-free ebooks over USB using standard file management steps (the same as with any thumb drive). ADE was never involved in any step of the process. Nor was it running when I copied the ebooks.

      1. Mike Ellis, 8 October, 2014

        Did you have a reader with this content on it plugged in while ADE4 was running? Regardless of whether you used ADE to do anything with them?

        1. Nate Hoffelder, 8 October, 2014

          No.

          1. Mike Ellis, 8 October, 2014

            Sorry for the 20 questions, trying to find a way to duplicate your results.

  13. Fbone, 8 October, 2014

    Does the HD scan list match what’s in your Adobe manifest log?

  14. Pamela, 10 October, 2014

    I will never upgrade my adobe again. I have had enough of these big companies overstepping the bounds of privacy. Who exactly do you guys think you are? You can think you have rights to my information? FUCK YOU! YOU have ruined my buying of digital books. I will buy hard copies now. I will never use a cloud to store info. I will never buy an ipad or iphone.
    Want to buy a kindle?
    Pamela

  15. Aimee, 12 October, 2014

    Adobe also own Omniture, which is used extensively by various organisations to send information back to the database for who knows what.

    Also Adobe own Flash, which is regarded as a security risk.

  16. […] continued use of misleading statements as out and out deceptive. Their claim that they only tracked a user’s current reading info has been proven to be false, and yet they stick to […]

  17. […] the shit hit the fan. Following criticism from the EFF and from librarians, leading to a partial admission from Adobe that they had been collecting data “in accordance with their privacy policies” (which […]

  18. […] Adobe is collecting data from users of Adobe Digital Editions 4, the ePub application. Adobe logs data like: which ebooks have been opened, which pages were read, and supposedly even scanning other books on peoples’ hard drives. Adobe later denied that they scanned other eBooks in the library not being read. […]
