Adobe Digital Editions has been found to collect various pieces of information related to the e-books read by its users, a practice which raises some security and privacy concerns.
Adobe Digital Editions is an e-book reader software developed by Adobe Systems. It allows users to acquire, manage and read digital publications and the application is recommended by numerous public libraries for borrowing e-books.
Nate Hoffelder of The Digital Reader reported on Monday that the latest version of the program, Digital Editions 4, was tracking users and uploading information to Adobe servers without encrypting it. Hoffelder said Adobe is collecting data on the books that users add to their library, including the pages that were read, title, publisher, and other metadata. This has been independently confirmed by Ars Technica on Tuesday, and by Benjamin Daniel Mussler, a researcher who recently identified a persistent XSS vulnerability in Amazon’s Kindle library.
Moreover, Hoffelder says Digital Editions collects data not only from the books read with the app, but also from other e-books found on the user’s computer. This issue hasn’t been confirmed by others.
The Electronic Frontier Foundation (EFF) is unhappy with Adobe’s practices, and even went as far as calling the application a piece of “spyware.”
Contacted by SecurityWeek, Adobe admitted collecting some information, but denied snooping around in users’ libraries, or on their computers.
“Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers,” Adobe said in an emailed statement.
“Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy.”
The company admits that uploading the data to its servers in clear is an issue, but says it’s working on addressing it.
Adobe says each piece of information it collects serves a specific purpose. For example, user IDs are collected to authenticate users, while the device ID is needed for digital right management (DRM) purposes. The metadata of the book provided by the publisher (title, author, price, and ISBN number) is part of the actual license and DRM.
The company has provided details on other data collected by Digital Editions:
-Certified App ID: The Certified App ID is collected as part of the DRM workflow to ensure that only certified apps can render a book, reducing DRM hacks and compromised DRM implementations.
-Device IP: The device IP is collected to determine the broad geo-location, since publishers have different pricing models in place depending on the location of the reader purchasing a given eBook or digital publication.
-Duration for Which the Book was Read: This information is collected to facilitate limited or metered pricing models where publishers or distributors charge readers based on the duration a book is read. For example, a reader may borrow a book for a period of 30 days. While some publishers/distributers charge for 30-days from the date of the download, others follow a metered pricing model and charge for the actual time the book is read.
-Percentage of the Book Read: This information is collected to allow publishers to implement subscription models where they can charge based on the percentage of the book read. For example, some publishers charge only a percentage of the full price if only a certain percentage of the book is read.