Tuesday, October 07, 2014

DIGITAL READERS: BEWARE! Adobe Digital Editions 4 Spies On Users (And They're Not the Only Ones) - Includes "Who's Reading Whom? (Be afraid. Be very afraid.)", a short horror story

Think I'm being melodramatic with the title "Digital Readers: Beware! Adobe Digital Editions 4 Spies On Users (And They're Not the Only Ones)"? Well:
  1. I made you look! And,
  2. Sadly, it's no joke.
As fjtorres posted today in Mobileread: Adobe DE 4 spies on users: 
Over at the Digital Reader Blog Nate reports:

My source told me, and I can confirm, that Adobe is tracking users in the app and uploading the data to their servers. (Adobe was contacted in advance of publication, but declined to respond.)

And just to be clear, I have seen this happen, and I can also tell you that Benjamin Daniel Mussler, the security researcher who found the security hole on Amazon.com, has also tested this at my request and saw it with his own eyes.

Adobe is gathering data on the ebooks that have been opened, which pages were read, and in what order. All of this data, including the title, publisher, and other metadata for the book is being sent to Adobe’s server in clear text.

I am not joking; Adobe is not only logging what users are doing, they’re also sending those logs to their servers in such a way that anyone running one of the servers in between can listen in and know everything,

But wait, there’s more.

Adobe isn’t just tracking what users are doing in DE4; this app was also scanning my computer, gathering the metadata from all of the ebooks sitting on my hard disk, and uploading that data to Adobe’s servers.

In. Plain. Text.
More at the source:
http://the-digital-reader.com/2014/1...comment-660086 ###
The responses to fjtorres' above-mentioned Mobileread post ("Adobe DE 4 spies on users"), to Nate Hoffelder's article that prompted it (The Digital Reader: Adobe is Spying on Users, Collecting Data on Their eBook Libraries), and to other articles on the subject are further illuminating. Some even scary. Because ADE's not the only software to behave this way. And this kind of thing's been going on a long time.
Moreover, ADE and Adobe Digital IDs are used by OverDrive, which in turn partners with libraries, schools, and the SYNC YA Literature Into Your Earphones Program that lends and distributes digital content to a target audience aged 13 and up.

Think of the children!

I did.

And that's why, I found the combination of Nate's post, fjtorres' response (including his/her last three words in boldface - see above), and the additional information responders shared in the ensuing threads horrifying. Unbidden, my brain immediately riffed up the vignette posted below, in purple-colored typeface.

"Who's Reading Whom? (Be afraid.  Be very afraid.)"
A short horror story 

CHILD: Mommy, Mommmmy! I can't sleep. My books are spying on me.

MOTHER: There, there, Dear. You're just having a bad dream. Books can't spy on you.

CHILD: But...

MOTHER: Sssh, my sweet.

CHILD: But, Mother, this has been happening with ebooks since at least 2011 and 2012, and some hackers did it even earlier with Kindle books they'd corrupted. Not to mention 2010, when everybody learned Amazon was remotely uploading information about notes and highlights users made on their Kindles. And...and how 'bout those schools that use electronic versions of textbooks to spy on students as they read them? 


CHILD: And it's not just ebooks! Way back in the olden days, at the turn of the century and again about 10 years ago, other guys whom everyone trusted got caught doing things like that with music

     It's never going to stop! Microsoft Kinect counts the number of people in the room to make sure not too many are using it.  And Netflix's use of viewer's data is applauded as a key success factor.  Remember, only 11 months ago, when an LG Smart TV was caught violating a user's private files by uploading data from his USB-connected device to LG's servers? And last December, when Google removed the privacy feature that lets users prevent apps they install from from the Play Store from collecting sensitive data, like phone book information and the user's location? [Sniffle.]

MOTHER [stifling a grin]: Have you been reading "The Library Policeman"?

CHILD: Well, yes. But, Stephen King's story is just pretend. (Isn't it?) 

     Like Nineteen Eighty-Four. (Pauses, frowning.) 

     But this is different; it's really happening! I read about it on the Internet, so it must be true.

MOTHER: [Chuckles outright and looks relieved.] Sweetie, even if books could spy on you, why would they? Books are our friends! That's why Daddy and I, all your teachers, and the librarians, and your grandparents, aunts, and uncles give you books to read all the time. 

     [Crosses to the bookshelf by the bed, and ticks off on her fingers.] Let's see: you've got hardcopy books, paperback books, textbooks, comic books, picture books, ebooks, audiobooks, See 'N Say books, puzzle books, Read to Me books, coloring books, reference books, graphic novels, periodicals... [Drones on, a la "Bubba" Blue's riffs about shrimp in Forrest Gump. Then catches herself.] 

     Sorry, got carried away. Your dad and I read books all the time, too. I even keep books and an ereader next to my bed, and sometimes I fall asleep with them on my pillow. 

     I find that very comforting. You should, too.

CHILD: Mommy. I'm not talking about physical books. Though those are creepy, too.  Do you REALLY place them in your bed? [Grimaces melodramatically.] Bleh!

    But I'm talking about digital books. First, it was just the snoopy suppliers of ereader devices and apps (you know, like Amazon, Apple, CourseSmart, Google, Kobo, NOOK, Sony).  But that creepy spying's spreading like cancer: now, the Adobe Digital Editions 4 software used for digital books is listening in. It pokes around our devices, recording activities and gathering data - much of it not even related to the ebooks we use ADE to authorize. And most of the ereader apps and software I can think of have to be registered with ADE. So Adobe knows everything...and they phone it home.

MOTHER: You mean, like ET? [Hugs and kisses kid. More chuckles.]

CHILD: [Crying.] Yes! But in a bad way. 

     And on top of that, Adobe beams up user's logs to their servers in unencrypted, clear text, allowing anyone in between who can monitor network traffic to intercept that information, too! Mommy, copies of my report cards are saved on my devices. And other secret stuff, like my diary. [Sobs.]

MOTHER: No, Pumpkin. Those bad things you're worried about can never happen. That's one reason why we never download torrent files or pirated content (besides the fact that that would be stealing). And we maintain top-notch, always up-to-date security measures on all our devices.

CHILD: But Mum, I'm not talking about malware. I'm talking about the software we voluntarily download from the so-called "good guys"! The ones who authorize the software we need to borrow digital books from the library and from school... 

     [Sniffles, wipes face with pajama sleeve] 

      ...like maybe, BiblioCommons. But definitely, CourseSmart and Adobe.

MOTHER: [Smiles sympathetically.] Oh, honey. Now, I get what you're talking about. You're so clever! But they're just updating your books. And syncing across devices to enhance your reading experience. Not to worry; those are good things. Lots of apps do that. Adobe and the other developers, and the book publishers, and the ereader suppliers are just looking out for us. As they always do. 

     [Thinks: "Whew! For a minute, there, I thought I'd have to give my kid a tinfoil hat!"]

CHILD: [Recoils, thinking guiltily: "What a maroon! What an ignoranomous!"]

MOTHER: [Opens arms wide.] C'mere Snookums. Let's get a nice cup of hot cocoa with marshmallows and milk. Then, maybe we'll sleep better.

CHILD: [Resignedly gives Mum a hug, then walks with her hand-in-hand into the kitchen, still hoping to convince her.]

[Sitting side-by-side on stools, at the kitchen counter.]

MOTHER: Isn't this nice? So listen, Sweetheart: with so many books in your room, and on your computer and mobile devices, you should never be afraid. The reality is: you're never, ever alone, Honey. Everywhere you go, Dick and Jane, and Spot the Dog, and all the Dr. Seuss characters, the Peanuts gang, Archie's gang, the superheros, and all the Mother Goose characters... [Starts droning again.]

CHILD: [Rolls eyes.]

MOTHER: ...are with you, always. Day and night. Everywhere you go. Every move you make. Every breath you take. Every bond you make. Every step you take. They'll be watching you. [Drones...Cue music.]

CHILD: [Screams.]


Only it's not.

The end, that is.

With Adobe, it's just the beginning. We've only just begun delving into what's already beginning to smell, IMHO, like a steaming, putrid revival of what might be the type of behavior that led to the curtain's being pulled on other trusted providers of seemingly good things digital.

Moreover, as the kid in the story said, this behavior's been happening for years in digital publishing. And it's accelerating.

Nor is that behavior confined to the ebooks industry. If you can stomach the gory details, then read the content linked within the short story, linked immediately above, and linked below.

Unfortunately, as Orwellian and nightmarish as this unraveling ADE 4-gate seems in its own right, it's no bad dream we can wake up from, drink a nice cup of cocoa, and then just shake off.


From my perspective as an avid reader (and ereader); as an academic-practitioner who teaches such courses as business strategy, ethics, and managing innovation & technology; and a non-lawyer who worked in telecom for 10 years - including Regulatory Affairs, I think ADE 4's alleged behavior seems like a real-life, 2014 mirror of the music industry's RealNetworks privacy breach of the late 1990's and Sony digital rootkit debacle of 2005.

Despite the furor this discovery about ADE 4 has raised - first at The Digital Reader, and then elsewhere - I'm sure Adobe won't back down quietly. But (thankfully), neither will such formidable protectors of users' privacy and other rights as:

So we'd better buckle up, gentle readers. And - given Adobe's admissions about ADE 4 and the lack of clarity about ADE 3 - various people who seem to know what they're doing suggest downloading library books directly into OverDrive, reading other ebooks via apps other than ADE, and downgrading to ADE 2, if you must use ADE at all.

Here's the first public response I've seen so far, from Adobe:
We've asked Adobe for an explanation of what exactly is going on and the firm has said that it's looking into the matter. With a lot of staff currently attending the AdobeMAX conference in Los Angeles this may take some time. ®

Updated to add

Adobe says it simply has to log every page you turn to tackle piracy.
Here's the article the link above points to:

Here are some others' reactions: