Adobe Updates Digital Editions Following Privacy Controversy

In response to accusations that it’s spying on users of the e-book reader application Adobe Digital Editions, Adobe Systems has released a new version of the software that addresses some of the reported issues.

Earlier this month, reports surfaced about Adobe collecting information from Digital Editions 4.0 users, including the books they read and the ones stored in their library. Researchers also noticed that all the data was sent back to Adobe’s servers without being encrypted.

“Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers,” Adobe said at the time.

“Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy,” the company explained.

At the time, Adobe promised to address the issue of information transmission in clear text. On Thursday, the company released Digital Editions 4.0.1, in which the data collected from users is transmitted securely over HTTPS.

“It is important to point out that while it is correct that prior to the update, certain usage data was transmitted in clear text, Adobe did not transmit or store the actual user ID or device ID in clear text. Even prior to the update, both the user ID and device ID were obfuscated by assigning unique values (“GUIDs”), which were collected and stored in place of the user ID and device ID,” Adobe told SecurityWeek.

This security vulnerability has been assigned the CVE identifier CVE-2014-8068. According to a security advisory published by the company on Thursday, Digital Editions 4.0.1 “adds support for secure transmission of rights management and licensing validation information.” Adobe says the issue affects Adobe Digital Editions version 4.0.98786 and earlier for Windows and Mac.

Adobe maintains its position that the data collected by the e-book reader software has been in line with the end user license agreement and the company’s privacy policy. However, the company wants to be more explicit about its practices, so it has added a dedicated page to the Adobe Privacy Policy that details the collection and use of data.

Nate Hoffelder of The Digital Reader, the one who first broke the story, and others have confirmed that data is now sent over SSL. Galen Charlton of Meta Interchange has tested Digital Editions 4.0.1 and confirmed that no information is sent to Adobe on e-books that don’t have digital rights management (DRM) associated with them.

On the other hand, many experts and users say that some questions about Adobe’s data collection practices remain unanswered.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
