SecurityWeek

Privacy

Adobe Accused of Spying on Users’ eBook Libraries

Adobe Digital Editions has been found to collect various pieces of information related to the e-books read by its users, a practice which raises some security and privacy concerns.

Adobe Digital Editions is an e-book reader software developed by Adobe Systems. It allows users to acquire, manage and read digital publications and the application is recommended by numerous public libraries for borrowing e-books.

Nate Hoffelder of The Digital Reader reported on Monday that the latest version of the program, Digital Editions 4, was tracking users and uploading information to Adobe servers without encrypting it. Hoffelder said Adobe is collecting data on the books that users add to their library, including the pages that were read, title, publisher, and other metadata. This was independently confirmed by Ars Technica on Tuesday, and by Benjamin Daniel Mussler, a researcher who recently identified a persistent XSS vulnerability in Amazon’s Kindle library.

Moreover, Hoffelder says Digital Editions collects data not only from the books read with the app, but also from other e-books found on the user’s computer. This issue hasn’t been confirmed by others.

The Electronic Frontier Foundation (EFF) is unhappy with Adobe’s practices, and even went as far as calling the application a piece of “spyware.”

Contacted by SecurityWeek, Adobe admitted collecting some information, but denied snooping around in users’ libraries, or on their computers.

“Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers,” Adobe said in an emailed statement.

“Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy.”

The company admits that uploading the data to its servers in the clear is an issue, but says it’s working on addressing it.

Adobe says each piece of information it collects serves a specific purpose. For example, user IDs are collected to authenticate users, while the device ID is needed for digital rights management (DRM) purposes. The metadata of the book provided by the publisher (title, author, price, and ISBN number) is part of the actual license and DRM.

The company has provided details on other data collected by Digital Editions:

- Certified App ID: The Certified App ID is collected as part of the DRM workflow to ensure that only certified apps can render a book, reducing DRM hacks and compromised DRM implementations.

- Device IP: The device IP is collected to determine the broad geo-location, since publishers have different pricing models in place depending on the location of the reader purchasing a given eBook or digital publication.

- Duration for Which the Book was Read: This information is collected to facilitate limited or metered pricing models where publishers or distributors charge readers based on the duration a book is read. For example, a reader may borrow a book for a period of 30 days. While some publishers/distributors charge for 30 days from the date of the download, others follow a metered pricing model and charge for the actual time the book is read.

- Percentage of the Book Read: This information is collected to allow publishers to implement subscription models where they can charge based on the percentage of the book read. For example, some publishers charge only a percentage of the full price if only a certain percentage of the book is read.

 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
