In response to accusations that it’s spying on users of the e-book reader application Adobe Digital Editions, Adobe Systems has released a new version of the software that addresses some of the reported issues.
Earlier this month, reports surfaced about Adobe collecting information from Digital Editions 4.0 users, including the books they read and the ones stored in their library. Researchers also noticed that all the data was sent back to Adobe’s servers without being encrypted.
“Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers,” Adobe said at the time.
“Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy,” the company explained.
At the time, Adobe promised to address the issue of information transmission in clear text. On Thursday, the company released Digital Editions 4.0.1, in which the data collected from users is transmitted securely over HTTPS.
“It is important to point out that while it is correct that prior to the update, certain usage data was transmitted in clear text, Adobe did not transmit or store the actual user ID or device ID in clear text. Even prior to the update, both the user ID and device ID were obfuscated by assigning unique values (“GUIDs”), which were collected and stored in place of the user ID and device ID,” Adobe told SecurityWeek.
This security vulnerability has been assigned the CVE identifier CVE-2014-8068. According to a security advisory published by the company on Thursday, Digital Editions 4.0.1 “adds support for secure transmission of rights management and licensing validation information.” Adobe says the issue affects Adobe Digital Editions version 4.0.98786 and earlier for Windows and Mac.
Adobe maintains its position that the data collected by the e-book reader software has been in line with the end user license agreement and the company’s privacy policy. However, the company wants to be more explicit about its practices so it has added a dedicated page to the Adobe Privacy Policy where it details the collection and use of data.
Nate Hoffelder of The Digital Reader, the one who first broke the story, and others have confirmed that data is now sent over SSL. Galen Charlton of Meta Interchange has tested Digital Editions 4.0.1 and confirmed that no information is sent to Adobe on e-books that don’t have digital rights management (DRM) associated with them.
On the other hand, many experts and users say there still are some questions related to Adobe’s data collection practices that remain unanswered.