Adobe Responds to Reports of Their Spying, Offers Half Truths and Misleading Statements
They may be a day late and a dollar short, but Adobe has finally responded to yesterday’s news that they were using the Digital Editions 4 app to spy on users.
On a related note, I took some time today to read the TOS for Adobe Digital Edition 4, and I do not see where it gives them permission to track user behavior, much less upload said tracking data in the clear. What’s more, I have also heard from a couple other techies who also read the TOS and were unable to find mentions of this program.
I have asked Adobe for an explanation on this last issue, and I will update this post if they respond.
Sadly, I don’t expect that to occur; Adobe has not responded to my emails on this issue (I got this statement second-hand from Rich Bellis of DBW).
Update: I am in discussion with Adobe on this and other issues.
Michael October 7, 2014 um 6:26 pm
"…is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers."
Which does not apply at all to 99.9% of my epub files, which are DRM-free and are only ever opened in ADE for the purposes of testing compatibility.
"Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library…"
Um, nope. It tries to send statistics on my entire library after I open the app, right after I choose a book to open.
Nate Hoffelder October 7, 2014 um 6:44 pm
So you can confirm that they scanned your entire library?
No one has been able to confirm that detail so far. Can you post a file, please?
It would really help the story.
Michael October 7, 2014 um 6:53 pm
My experience doesn’t confirm that it’s scanning my entire library, but rather what I think is happening is this: any book you’ve opened in ADE at any point is logged, and that log is added to and retransmitted. I did a test with a fresh install. Added 3 books to my library, and when I opened one, it sent* info on just that one book. Closed the app, launched again, and opened a different title. This time it sent info on both the open book and the previously opened one. Closed, launched again, and opened the third. That time it sent info on all three. Finally, I removed one of the books from the library, closed and relaunched, and upon opening one of the remaining titles, info was sent on all three, including the one no longer there.
Is it possible in your case it never scanned your drive but was reporting the past history of books that were opened in ADE once upon a time?
* Actually, by send my I mean tried to send, since I blocked the outgoing connection.
Michael October 7, 2014 um 6:54 pm
So when I say it tries to send my entire library, I mean anything I’ve opened in ADE previously. As far as I know it doesn’t include anything added to the library but never opened, or which is elsewhere on your drive but has never been read in ADE. I may be wrong though.
Nate Hoffelder October 7, 2014 um 6:56 pm
"Is it possible in your case it never scanned your drive but was reporting the past history of books that were opened in ADE once upon a time?"
That’s just not possible. There are at least a dozen titles listed which I know without a doubt that I did not open in DE4. There is a handful from HC which I have not even opened on my computer. They sat in my download folder, and were copied to whatever device I was reading on.
Michael October 7, 2014 um 6:57 pm
That’s extra disturbing then. Standard Windows Downloads folder? I haven’t tried placing epubs in that folder specifically, but can do so to see if I can corroborate.
Nate Hoffelder October 7, 2014 um 7:05 pm
Yep. But then there were also the ebooks in the calibre library, which was also in a standard location.
Mike Ellids October 8, 2014 um 12:43 pm
It may share the history with ADE 3 or even 2, did you ever have the books open in them? Did you browse to a folder in ADE4 that contained the books you never read in 4? It might be opening them to display info in its file open dialogue box.
Nate Hoffelder October 8, 2014 um 1:16 pm
Nope. I kept ADE around for much the same reason as a pro would; to check for compatibility. I didn’t use it much. And I certainly didn’t browse to my calibre folder with ADE.
Furthermore, do you seen the HarperCollins books in the list in the other post? Those were never opened on my computer at all. I can also state with absolute certainty that the Baen titles listed were never opened in ADE – ever. The same goes for the ones bought from Fictionwise.
Timothy Wilhoit October 8, 2014 um 1:38 pm
If you’ve never opened those books in any version of ADE and you didn’t open a book located inside the Calibre folder, it’s a cinch the program was searching for any ePub it could find on your hard drive. That’s completely contrary to Adobe’s statement…The only books scanned were ones opened in ADE. Considering that they said they were attacking piracy, who the heck would open a pirated book with ADE? If their stated goal was fighting pirates, they won’t do any good unless they’re looking at the whole hard drive and I’m sure the Adobe folks are well aware of Calibre’s capabilities using special plugins. They might very well have programmed their app to look for it. That might be too conspiratorial, but who knows.
Nate Hoffelder October 8, 2014 um 1:52 pm
This would be a good technical explanation of how Adobe might have come to scan my HD, but it doesn’t justify the invasion of privacy. And I now have word from Adobe that they insist they didn’t scan my computer.
Michael October 7, 2014 um 7:09 pm
Okay, I’m spinning up a VM to start over from scratch with a controlled environment. I’ll place epubs on the desktop, in Documents and in Downloads, load Calibre and stick a few in its library, then do another install of ADE4 and see what happens. My main folders are on a different drive than I had ADE on, because I have a small boot drive, so it’s possible it didn’t find my other stuff for that reason. If I can confirm it’s pulling info on books outside its own library, I’ll e-mail you a copy of the log.
Nate Hoffelder October 7, 2014 um 7:20 pm
Michael October 7, 2014 um 9:02 pm
Logs and report sent to your Gmail account. Couldn’t confirm scanning outside of its own library, but one of the logs does show it sending info on all 4 epubs in the test library, not just the one currently open as Adobe claims. Further logs show that ADE sends them info on what’s been deleted as well.
Robert October 7, 2014 um 7:21 pm
Can you please elaborate on what "user info" you think is being sent? As I noted in a recent comment on your original post, meta-data about books – titles, publisher, licensing info – isn’t really user info. The data you shared earlier doesn’t contain anything that would seem to qualify as "user info" (e.g. email addresses, real names, or other personally identifiable information).
Nate Hoffelder October 7, 2014 um 7:22 pm
That is a reasonable nit to pick. I’ll go rephrase.
Robert October 7, 2014 um 8:33 pm
Not that this is a good thing, but it does mean Adobe is complying with terms that users have agreed to (but probably haven’t read.)
Nate Hoffelder October 7, 2014 um 8:56 pm
I stand corrected.
But I still don’t see where sending the info in the clear is covered, nor sending info from other ebooks.
Nickbango October 8, 2014 um 11:27 am
Which, BTW you have to find and read by yourself as no link is provided when you download the app. Even the licence in the installer, which is the only one you actually accept, doesn’t mention it.
PS: KasThomas being a former Adobe employee, he is biased and EVIL to the bone. He will do anything to defend his former company.
Galen Charlton October 7, 2014 um 10:54 pm
Examination of one of the Wireshark logs shows that the userId key can have a non-blank value. Where does it this come from? I can’t say for sure, but I think it a reasonable guess that it might identify, to Adobe, the user account registered with their license server.
If so, that would allow Adobe to directly associate book reading information with users. That may or may not have been the case with earlier versions of DE, as it is not clear to me how much information about an DRM ebook got communicated back to Adobe during a license transaction (as opposed to the publisher or distributor running Adobe Content Server).
However, as far as anybody intercepting the information is concerned, that userId also provides a way to collocate reading activity. For that matter, the user’s IP address, while not of course a surefire way to identify a given individual, could help law enforcement or other determined attackers get close or all the way towards connecting a reading history with a person. And as Mihai points out, simply the combination of books may with effort be sufficient to identify a person.
So no, DE isn’t passing along names or email addresses back home to Adobe — but somebody intercepting that traffic or gaining access to Adobe’s logs doesn’t necessarily need that.
Mihai October 7, 2014 um 8:34 pm
Depends on the definition of "personally identifiable." Given a sufficiently large sample of books (say, 50 or so out of a total of, say, 1000000 tracked by Adobe’s content server), it’s very reasonable to assume that the particular combination of books you have lying around can uniquely identify you. While this might not be illegal (however questionable it might be from a moral standpoint), *not disclosing* this to users might be very illegal indeed, at least in the EU.
Chris Meadows October 7, 2014 um 8:56 pm
As I put it in my piece on TeleRead:
Say Yes No Maybe So To Privacy | Agnostic, Maybe October 7, 2014 um 8:57 pm
JRF October 8, 2014 um 12:24 am
The data appears consistent with what I would expect from a service that offers cross device synchronization. I would be surprised if WhisperSync/Kindle and Apple iBooks didn’t send essentially the same information back up to their respective mother ships. iBooks, at least, offers synchronization of reading position and annotations on any epub regardless of origin. You need some kind of key to identify whose bits you are synchronizing. The implication that users will escape this "spying" by using apps from Google, Amazon, Apple, Kobo, etc. is laughable.
The alarming and inexcusable thing here is sending this over the wire sans https. Somebody clearly didn’t get the memo on that basic expectation. I would hope Google, Amazon, Apple, Kobo, etc. have this base covered, but I haven’t verified.
The lack of transparency is deplorable, but hardly alarming.
Nate Hoffelder October 8, 2014 um 7:44 am
"The data appears consistent with what I would expect from a service that offers cross device synchronization."
Yes, and that’s why I speculated in another post that Adobe could be planning this feature so readers can sync between Adobe DE4 and the new iPad app which I have been told is in the works.
But that still doesn’t explain why Adobe transmitted all of the reading data, even for non-DRM ebooks. Those should not have been touched.
fjtorres October 8, 2014 um 8:38 am
Do you have any Alf-ie plugins in Calibre?
(For testing purposes, of course.)
According to a report at the Register,
One of the things ADE 4 now tests for is "certified app ID". Which implies it looks for non-certified apps. If it is looking for plug-ins and reporting back on installations with them…
They do say in the article that "piracy" is one of the things they scan for.
Nate Hoffelder October 8, 2014 um 9:59 am
fjtorres October 8, 2014 um 11:07 am
Might it be why it scraped your calibre library?
Nate Hoffelder October 8, 2014 um 11:09 am
Perhaps, but how would it know that I had a plugin if it hadn’t first looked for the plugins?
Timothy Wilhoit October 8, 2014 um 11:52 am
I’d say when the app found books that were supposed to coated with their wonderful DRM showed signs of "tampering," then the presence of the AA plugin might be assumed. The Register article said Adobe claimed they were looking for signs of piracy…they might make the leap that an unDRMed book is a pirated book. I noticed "Calibre" was stamped all over the Baen and Fictionwise books but not on the TradPub books. Interesting…don’t know what it means.
Michael October 8, 2014 um 12:04 pm
@Timothy: The Calibre marker is from the epub metadata itself, and is inserted by Calibre automatically during certain operations. In this case it would just show that some publishers like Baen use it as part of their production.
I suspect if Adobe found that marker in the metadata of an epub normally sold with DRM, and didn’t see it present in the metadata of the publisher’s original, they’d flag this as potential piracy in their system. I have little doubt, given their intense interest in protecting the monetary value of their DRM system, that this is why they’re sending data on non-DRMed epubs in the first place.
Bob W October 8, 2014 um 12:05 pm
Did you have Calibre server running? I’m wondering if it did a scan for ODPS catalogs and found your Calibre server instance. That might be why others haven’t reproduced it.
Michael October 8, 2014 um 12:06 pm
I meant to say "might just show", since it’s possible that file came from Nate’s Calibre library. I’ve found that a number of pubs do use Calibre in their workflow, so I’m never surprised when I see it there even on a brand-spanking new download.
Michael October 8, 2014 um 12:12 pm
@Bob: Excellent hypothesis! I did some testing of my own yesterday and couldn’t reproduce the Calibre scanning aspect. I hadn’t thought to check if it’s looking for a server instance. I’m going to try that now.
Nate Hoffelder October 8, 2014 um 12:24 pm
I didn’t have one running, but there’s a chance it was running in the background. (I don’t know how it works.)
Michael October 8, 2014 um 12:36 pm
I set up a new VM with Calibre’s server on and installed a fresh copy of ADE4, and didn’t detect any probing of the library.
Timothy Wilhoit October 8, 2014 um 12:42 pm
I wonder what happens if you open a single book located within the Calibre folder? I was curious if the program sifts through the rest of the folder once given access.
Chris Meadows October 8, 2014 um 9:01 am
Well, if they’re doing cross-device last-place-you-read synchronization of all books (like Google Play Books does), they would have to send back that data about all books.
Nate Hoffelder October 8, 2014 um 9:49 am
Except they don’t have a sync feature yet because they don’t have any apps to sync to.
SIAMO GEEK – Sperimentatori, entusiasti della tecnologia | Il DRM di Adobe spia gli utenti October 8, 2014 um 2:14 am
[…] ha risposto di fatto senza rispondere perché ha detto che i dati vengono raccolti solamente per verificare […]
Adobe is Spying on Users, Collecting Data on Their eBook Libraries – The Digital Reader October 8, 2014 um 8:22 am
[…] My source told me, and I can confirm, that Adobe is tracking users in the app and uploading the data to their servers. (Adobe was contacted in advance of publication, but declined to respond.) Edit: Adobe responded Tuesday night. […]
Kas Thomas October 8, 2014 um 9:18 am
Amazon and Apple already collect this kind of information, and more. Are you picking on Adobe because they didn’t warn you in Terms of Service (even though, actually, they did: section 14.1.2 of the DE4 Software licensing agreement)? Are you outraged simply because of them not using HTTPS? (Something tells me you would have written about it even if they were using HTTPS.) Why is it Amazon and Apple can do this every day but you jump all over Adobe for doing it?
Google is sucking keywords out of every email you send on Gmail. Surely this is an even greater privacy violation?
With its Omniture suite, Adobe collects truly massive amounts of analytics info on website customers. (Some of the largest web properties in the world run on top of Adobe Experience Manager, with its SiteCatalyst integration.) No mention of that?
Nate Hoffelder October 8, 2014 um 9:47 am
"Amazon and Apple already collect this kind of information, and more."
That’s not entirely accurate. But just as importantly, I have mentioned that aspect in both of the previous posts on this story. I didn’t mention it here because I wanted to focus on Adobe’s response.
Apple only collects this kind of info on ebooks you buy from them. Amazon only collects info on ebooks you hand to them or buy from them. And neither company scrapes your hard disk, and then uploads the information in the clear.
And as for Google email, the scanning is limited to what is sent and received inside the service. That is a big difference from what I caught Adobe doing.
And as for Omniture, I don’t like that either, so I use plugins like Ghostery to protect my provacy.
dog October 8, 2014 um 2:13 pm
You’ll need to protect your job more than your privacy if you continue posting articles without verifying the"facts" you assert first.
Mike Ellis October 8, 2014 um 4:03 pm
Can we confirm that those testing in a VM are using the same release of ADE4? Adobe hasn’t quietly replaced the installer since the story broke have they?
Nate Hoffelder October 8, 2014 um 4:07 pm
At least one person is using the install file I started from. He still has not duplicated my feat.
At this point there are multiple people who are trying to duplicate my work but cannot. TBH if I didn’t have the file as proof I would have retracted by now.
Greg Weeks October 8, 2014 um 4:42 pm
Did you ever plug a hardware reader in that had these books on it? Since that’s the recomended way to get a DRMed epub onto the reader. I know calibre will suck the metadata out of a reader if it’s configured that way. Maybe ADE sucked the metadata from a plugged in reader rather than from your HD? I pitched ADE 4 off my system and will not install it again to test this.
Nate Hoffelder October 8, 2014 um 4:55 pm
I can say this for at least some of the ebooks in the log:
I’ve plugged in tablets and ereaders and transferred the DRM-free ebooks over USB using standard file management steps (the same as with any thumb drive). ADE was never involved in any step of the process. Nor was it running when I copied the ebooks.
Mike Ellis October 8, 2014 um 4:59 pm
Did you have a reader with this content on it plugged in while ADE4 was running? Regardless of whether you used ADE to do anything with them?
Nate Hoffelder October 8, 2014 um 5:06 pm
Mike Ellis October 8, 2014 um 5:18 pm
Sorry for the 20 questions, trying to find a way to duplicate your results.
Fbone October 8, 2014 um 5:15 pm
Does the HD scan list match what’s in your Adobe manifest log?
Pamela October 10, 2014 um 11:13 am
I will never upgrade my adobe again. I have had enough of these big company’s over stepping the bounds of privacy. Who exactly do you guys think you are? You can think you have rights to my information? FUCK YOU! YOU have ruined my buying of digital books. I will buy hard copies now. I will never use a cloud to store info. I will never buy an ipad or iphone.
Want to buy a kindle?
Aimee October 12, 2014 um 6:07 am
Adobe also own Omniture, which is used extensively by various organisations to send information back to the database for who knows what.
Also Adobe own Flash, which is regarded as a security risk.
Adobe Responds to ALA on Spying Scandal With Fictitious and Misleading Statements – The Digital Reader October 14, 2014 um 2:14 pm
[…] continued use of misleading statements as out and out deceptive. Their claim that they only tracked a user’s current reading info has been proven to be false, and yet they stick to […]
Adobe Updates Digital Edition, Stops Sharing User Info With the Internet – The Digital Reader October 23, 2014 um 5:23 pm
[…] the shit hit the fan. Following criticism from the EFF and from librarians, leading to a partial admission from Adobe that they had been collecting data “in accordance with their privacy policies” (which […]
Am I The Only One Who Doesn't Care About Adobe "Spying"? January 1, 2015 um 7:27 pm
[…] Adobe is collecting data from users of Adobe Digital Editions 4, the ePub application. Adobe logs data like: which ebooks have been opened, which pages were read, and supposedly even scanning other books on peoples’ hard drives. Adobe later denied that they scanned other eBooks in the library not being read. […]