Bad news for anyone who reads e-books or e-documents (including those borrowed from public libraries) with the Adobe Digital Editions e-reader: not only does the software allow Adobe to spy on your reading habits and preferences, it sends this data over the Internet in unencrypted plaintext — which means it's ridiculously easy for almost anybody else to spy on your reading habits, too.
On Oct. 6, Hoffelder informed his readers (bold print lifted from the original) that:
A hacker acquaintance of mine has tipped me to a huge security and privacy violation on the part of Adobe. … Adobe is gathering data on the ebooks that have been opened, which pages were read, and in what order. All of this data, including the title, publisher, and other metadata for the book is being sent to Adobe’s server in clear text.
I am not joking; Adobe is not only logging what users are doing, they’re also sending those logs to their servers in such a way that anyone running one of the servers in between can listen in and know everything,
But wait, there’s more.
Adobe isn’t just tracking what users are doing in DE4; this app was also scanning my computer, gathering the metadata from all of the ebooks sitting on my hard disk, and uploading that data to Adobe’s servers.
In. Plain. Text.
No need to take Hoffelder's word for it; he also linked to two files which – for anyone who knows how to read computer code – clearly show that Adobe is tracking users and indexing Hoffelder's ebook collection.
Ars Technica offered similar evidence the next day, in its independent confirmation of Hoffelder's discovery, and explained that “Digital Editions (DE) has been used by many public libraries as a recommended application for patrons wanting to borrow electronic books … because it can enforce digital rights management rules on how long a book may be read for.”
In other words, Adobe is actually using Digital Rights Management (DRM) to spy on its users (and make it easy for non-Adobe people to spy on them, too), all in the name of copyright protection.
In Hoffelder's original report about the spyware, he said that Adobe had not responded to requests for comment. The next day he published a new post announcing that Adobe did respond – with “half-truths and misleading statements.” Here is Adobe's actual statement:
Eyes glaze over
The answer is 706 words long and difficult to read without your eyes glazing over, but here are some possibly relevant quotes from it:
Adobe collects information that identifies you. This may include your name, company name, email address, or payment information. We may also sometimes collect other information that does not identify you, such as your job title or industry. …. We collect information about how you use our websites and applications, including when you use a desktop product feature that takes you online …. Adobe may collect information about how you use our websites and applications by using cookies and similar technologies ….
None of those 706 words specifically say anything about e-books or e-readers, though information about how “you use our … applications” might, technically, cover such details as collecting specific data about which exact book you read via Digital Editions, which pages you read and when and for how long — but certainly nothing about your full e-book library or any non-Adobe files on your computer.
At 6:43 p.m. (Eastern time) on Oct. 7, Ars Technica posted an update to say:
An Adobe spokesperson now says the company is working on an update. "In terms of the transmission of the data collected, Adobe is in the process of working on an update to address this issue," the spokesperson said in an e-mail to Ars Technica. "We will notify you when a date for this update has been determined."
If you translate Adobe's words from Corporate-speak into English, that means: “We're appalled that anyone discovered what we're doing. We will notify you as soon as we determine a face-saving way to extract ourselves from this embarrassing situation.”