At least two sources have independently confirmed that Adobe Digital Editions, the company’s e-reader, actively scans personal data from users’ local book libraries and sends that data, /in plain text/, back to an Adobe IP address. This blatant lack of security was first reported at The Digital Reader by its author, Nate Hoffelder, and was later confirmed at Ars Technica by Sean Gallagher.

In a blog post dated Oct. 6, Hoffelder began his review by stating that a “hacker acquaintance” of his had tipped him to a possible security hole in the Adobe software. While that opening may sound suspect, Hoffelder later confirmed on his own that Adobe is scanning users’ digital libraries and transmitting that information back to at least one Adobe IP address, 192.150.16.235. Using Wireshark, a publicly available network capture tool that can log all traffic going to and coming from a user’s computer, he identified the IP address, observed the tracking that took place while he actively used the app, and saw that Adobe was indexing his ebook collection.

In his own investigation at Ars Technica, Gallagher reports that Digital Editions is widely used at public libraries to help them check out ebooks while also protecting the digital rights management rules of those books. He says he used his own packet capture tool to determine that Adobe sends data back to its own server, with the hostname “adelogs.adobe.com”, as an unencrypted file across an unencrypted connection. It is the definition of unsafe, and that is largely the point of this overarching story.
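For readers who want to check their own network for the behaviour both writers observed, here is an added example; it is not code from Hoffelder, Gallagher or Adobe. It scans flow records exported from a packet capture for readable, non-TLS traffic to the IP address and hostname named above. The tab-separated record layout, the helper names and the sample records are assumptions constructed for illustration.

```python
# Added example: flag readable (unencrypted) traffic to the endpoints the article names.
# Assumed input: tab-separated flow records exported from a capture tool, with columns
#   time, src_ip, dst_ip, dst_port, app_proto, host, payload_hex   (constructed format)
from collections import defaultdict

WATCH_IPS = {"192.150.16.235"}       # IP address reported by Hoffelder
WATCH_HOSTS = {"adelogs.adobe.com"}  # hostname reported by Gallagher


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def find_cleartext_reports(lines, min_ratio=0.9):
    """Map each client IP to its readable, non-TLS flows towards a watched endpoint."""
    hits = defaultdict(list)
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 7:
            continue  # malformed record: skip rather than guess
        time, src, dst, _port, proto, host, payload_hex = fields
        host = host.lower().rstrip(".")
        if dst not in WATCH_IPS and host not in WATCH_HOSTS:
            continue
        if proto.lower() == "tls":
            continue  # encrypted in transit, not the behaviour described
        try:
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            continue
        if printable_ratio(payload) >= min_ratio:
            hits[src].append((time, host or dst, f"readable payload over {proto}"))
    return dict(hits)


def record(*fields):
    return "\t".join(fields)

# Constructed sample records; the request path and body are placeholders, not real traffic.
BODY = b"POST /placeholder HTTP/1.1\r\nHost: adelogs.adobe.com\r\n\r\ntitle=Constructed+Example"
SAMPLE = [
    record("t1", "10.0.0.5", "192.150.16.235", "80", "http", "adelogs.adobe.com", BODY.hex()),
    record("t2", "10.0.0.6", "192.150.16.235", "443", "tls", "adelogs.adobe.com", "1603010200"),
    record("t3", "10.0.0.7", "203.0.113.9", "80", "http", "example.org", BODY.hex()),
    record("t4", "10.0.0.5", "192.150.16.235", "80", "http", "", BODY.hex()),
]
```

Only the two cleartext flows from 10.0.0.5 are reported; the TLS flow and the flow to an unrelated host are ignored.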

It will surely embarrass some people when they find out that data about their reading habits is ending up in Adobe’s hands; for others, this will constitute a major breach of privacy. For everyone, however, there is an element of security and risk involved. To be very clear, Adobe is scanning the titles and descriptions of the books users read; it is also scanning the pages that people read, when they read them, and for how long they read them. Even though Gallagher notes that this behavior may be used to enforce DRM rights for ebooks, Hoffelder takes the stance that there are possible privacy laws being broken with such data scanning and transmission.

Gallagher reviewed Adobe’s terms of use for Digital Editions to find any reference to the program’s intent to log information. He found nothing of the sort and also did not find out how long Adobe stored such data. He does report that it is still unclear at this point exactly how Adobe stores the data once it has it. Still, the method of transmission — in the clear — makes this information available to /anyone/ snooping on the unsecured connection. At the least, Gallagher asserts that Digital Editions could be violating the privacy guidelines of library users; at the most, Hoffelder mentions violations of the Family Educational Rights and Privacy Act.

Image courtesy of Hustvedt via Wikimedia Commons.