Bad news for anyone who reads e-books or e-documents (including those borrowed from public libraries) with the Adobe Digital Editions e-reader: not only does the software allow Adobe to spy on your reading habits and preferences, it sends this data over the Internet in unencrypted plaintext — which means it's ridiculously easy for almost anybody else to spy on your reading habits, too.

Nate Hoffelder of The Digital Reader first discovered this on Monday (and Ars Technica independently confirmed Hoffelder's claims the next day).

On Oct. 6, Hoffelder informed his readers (bold print lifted from the original) that:

A hacker acquaintance of mine has tipped me to a huge security and privacy violation on the part of Adobe. … Adobe is gathering data on the ebooks that have been opened, which pages were read, and in what order. All of this data, including the title, publisher, and other metadata for the book is being sent to Adobe’s server in clear text.

I am not joking; Adobe is not only logging what users are doing, they’re also sending those logs to their servers in such a way that anyone running one of the servers in between can listen in and know everything.

But wait, there’s more.

Adobe isn’t just tracking what users are doing in DE4; this app was also scanning my computer, gathering the metadata from all of the ebooks sitting on my hard disk, and uploading that data to Adobe’s servers.

In. Plain. Text.

Similar evidence

No need to take Hoffelder's word for it; he also linked to two files which – for anyone who knows how to read computer code – clearly show that Adobe is tracking users and indexing Hoffelder's ebook collection.

Ars Technica offered similar evidence the next day, in its independent confirmation of Hoffelder's discovery, and explained that “Digital Editions (DE) has been used by many public libraries as a recommended application for patrons wanting to borrow electronic books … because it can enforce digital rights management rules on how long a book may be read for.”

In other words, Adobe is actually using Digital Rights Management (DRM) to spy on its users (and make it easy for non-Adobe people to spy on them, too), all in the name of copyright protection.

In Hoffelder's original report about the spyware, he said that Adobe had not responded to requests for comment. The next day he published a new post announcing that Adobe did respond – with “half-truths and misleading statements.” Here is Adobe's actual statement:

Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers. Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy.

As Hoffelder noted: “I don’t see how sending a user’s reading history in clear text over the web could possibly be in line with a privacy policy.”

Eyes glaze over

Adobe's online Privacy Policy does offer an answer to the question “What information does Adobe collect about me?”

The answer is 706 words long and difficult to read without your eyes glazing over, but here are some possibly relevant quotes from it:

Adobe collects information that identifies you. This may include your name, company name, email address, or payment information. We may also sometimes collect other information that does not identify you, such as your job title or industry. …. We collect information about how you use our websites and applications, including when you use a desktop product feature that takes you online …. Adobe may collect information about how you use our websites and applications by using cookies and similar technologies ….

None of those 706 words specifically say anything about e-books or e-readers. Information about how “you use our … applications” might, technically, cover such details as which exact book you read via Digital Editions, which pages you read, and when and for how long, but the policy certainly says nothing about your full e-book library or any non-Adobe files on your computer.

Other questions Adobe answers on its Privacy Policy page include “How does Adobe use the information it collects about me?” and “Does Adobe share my personal information?” Again, neither answer says anything about collecting a user's reading history, or sending any information in plaintext.

At 6:43 p.m. (Eastern time) on Oct. 7, Ars Technica posted an update to say:

An Adobe spokesperson now says the company is working on an update. "In terms of the transmission of the data collected, Adobe is in the process of working on an update to address this issue," the spokesperson said in an e-mail to Ars Technica. "We will notify you when a date for this update has been determined."

If you translate Adobe's words from Corporate-speak into English, that means: “We're appalled that anyone discovered what we're doing. We will notify you as soon as we determine a face-saving way to extract ourselves from this embarrassing situation.”

