Adobe’s Latest E-Book Misstep: This Time, It’s Not the DRM

A few days ago, it emerged that the latest version of Adobe’s e-book reading software for PCs and Macs, Adobe Digital Editions 4 (ADE4), collects data about users’ reading activities and sends them to Adobe’s servers in unencrypted cleartext, so that anyone can intercept and use the data, even without NSA-grade snooping tools.

The story was broken by Nate Hoffelder at The Digital Reader on Monday.  The Internet being the Internet, the techblogosphere was soon full of stories about it, mostly half-baked analysis, knee-jerk opinions, jumped-to conclusions, and just plain misinformation.  Even the usually thorough and reliable Ars Technica, the first to publish serious technical analysis, didn’t quite get it right.  At this time of writing, the best summary of it comes from the respected library technologist Eric Hellman.

More actual facts about this sorry case will emerge in the coming days, no doubt, leading to a fully clear picture of what Adobe is doing and why.  My purpose here and now is to address the various accusations that this latest e-book gaffe by Adobe has to do with its DRM.  These include a gun-jumping post by the Electronic Frontier Foundation (EFF) that has inadvertently dragged Sony DADC, the division of Sony that is currently marketing a DRM solution for e-books, into the mess undeservedly.

Let’s start with the basics: ADE4 does collect information about users’ reading activities and transmit it in the clear.  This is just plain unacceptable; no matter what Adobe’s terms and conditions might say, it’s a breach of privacy and trust, and (as I’ll discuss later) it seems like a strange fit to Adobe’s role in the e-book ecosystem.  Whether it’s naivete, sloppiness, or both, it’s redolent of Adobe’s missteps in its release of the latest version of its e-book DRM at the beginning of this year.

But is ADE4’s data reporting part of the DRM, as various people have suggested?  No.

The reporting on this story to date has missed one small but important fact, which I suspected and then confirmed with a well-placed source yesterday: ADE4 reports data on all EPUB format files, whether or not they are DRM-encrypted.  The DRM client (Adobe RMSDK) is completely separate from the reporting scheme.  By analogy, this would be like Apple collecting data on users’ music and movie playing habits from their iTunes software, even though Apple’s music files are DRM-free (though movies are not).

Some savvier writers have pointed out that even though DRM may not be directly involved, this is what happens when users are forced to use media rendering software that’s part of a DRM-based ecosystem.  This is a fair point, but in this particular case it’s not really true.  (It would be more true in the case of Amazon, which forces people to use its e-reading devices and apps, and unquestionably collects data on users’ reading behaviors – although it encrypts the information.)

Unlike the Kindle ecosystem, users aren’t forced to use ADE4; it’s one of several e-reader software packages available that reads EPUB files that are encrypted with Adobe’s Content Server DRM.  None of the major e-book retailers use or require it, at least not in the United States.  Instead, it is most often used to read e-books that are borrowed from public libraries using e-lending platforms such as OverDrive; and in fact such libraries recommend and link to Digital Editions on their websites.

But other e-reader apps, such as the increasingly popular BlueFire Reader for Android, iOS, and Windows, will work just as well in reading e-books encrypted with Adobe’s DRM, as well as DRM-free EPUB files.  BlueFire (who can blame them?) sees the opportunity here and points out that it does not do this type of data collection.  Users of library e-lending systems can use BlueFire or other apps instead of ADE4.  Earlier versions of ADE also don’t collect and report reading data.

A larger question is why Adobe collects this data in the first place.  The usual reason for collecting users’ reading (or listening or viewing) data is for analytics purposes, to help content owners determine what’s popular and hone their marketing strategies.  Yet not only is Adobe not an e-book retailer, but e-book retailers that use its DRM (such as Barnes & Noble) don’t use Digital Editions as their client software.

One possible explanation is that Adobe is expecting to market ADE4 as part of its new DRM ecosystem that’s oriented towards the academic and educational publishing markets, and that it expects the data to be attractive to publishers in those market segments (as opposed to the trade books typically found in public libraries).  Eric Hellman suggests another plausible explanation: that it collects data not for analytics purposes but to support a device-syncing feature that all of the major e-book retailers already offer — so that users can automatically get their e-books on all of their devices and have each device sync to the last page that the user read in each book.

Regardless of the reason, it seems unsettling when a platform software vendor, as opposed to an actual retailer, collects this type of information.  Here’s another analogy: various video websites use Microsoft’s Silverlight web application environment.  Silverlight contains a version of Microsoft’s PlayReady DRM.  Users don’t see the Microsoft brand; instead they see brands like Netflix that use the technology.  Users might expect Netflix to collect information about their viewing habits (provided that Netflix treated the information appropriately), but they would be concerned to hear (in a vacuum) that Microsoft does it; and in fact Microsoft probably does contribute to the collection of viewing information for Netflix and other Silverlight users.

In any case, Adobe can fix the situation easily enough by encrypting the data (e.g., via SSL), providing a user option in Digital Editions to turn off the data collection, and offering better explanations as to why it collects the data in the first place (at least better than the ambiguous, anodyne, PR/legal department-buffed one shown here).  Until then, platform providers like OverDrive can link to other reader apps, like BlueFire, instead of to Adobe Digital Editions.

Finally, as for Sony DADC: the EFF’s web page on this situation contains a link, as a “related case,” to material on a previous technical fiasco involving Sony BMG Music, one of the major recording companies in the mid-2000s.  At that time, Sony BMG released some albums on CDs that had been outfitted with a form of DRM.  When a user put the disc in a CD drive on a PC, an “autorun” executable installed a DRM client onto the PC, part of which was a “rootkit” that enabled viruses.  After a firestorm of negative publicity that the EFF spearheaded, Sony BMG abandoned the technology.  (In one of its more savvy gambits, the EFF used momentum from that episode to cause other major labels to drop their CD DRMs as well; the technology was dead in the water by 2008.)  In this case, unlike with Adobe, the problem was most definitely in the DRM.

Apparently some people think that because this incident involved “Sony,” Sony DADC — which is currently marketing an e-book DRM solution based on the Marlin DRM technology — was involved.  Not true; the DRM that installed the rootkit came from a British company called First4Internet (F4I).  Not only did Sony DADC have nothing to do with this (as I have confirmed), but Sony DADC actually advised Sony Music against using the F4I technology.

18 comments

  1. Good post.

    While it’s true that the privacy problem doesn’t implicate DRM, it does implicate proprietary ecosystems. The only realistic alternative to ADE4 on OSX is ADE2, and Bluefire only recently launched a Windows version of their excellent reader application.

    Eric

  2. (Gluejar = Eric Hellman)

    Thanks Eric,

    I had thought that you could use Nook or Kobo apps for Mac to read any ACS-encrypted EPUB, perhaps with a little futzing around with license files. Not true?

  3. Stephen Toop · ·

    From the Ars Technica article: http://arstechnica.com/security/2014/10/adobes-e-book-reader-sends-your-reading-logs-back-to-adobe-in-plain-text/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29
    (sorry, bit.ly wouldn’t shorten it for some reason)

    An Adobe spokesperson provided the following statement:

    “Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them.

    All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers.

    Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy.”

    That middle sentence sounds like DRM too me.

  4. That’s right, but it refers to Digital Editions as a whole. Digital Editions contains a DRM mechanism, and yes, the DRM collects information from the user — for “such purposes as license validation” etc. The DRM does not collect information about the user’s reading behavior. That’s why I call the statement ambiguous. Incidentally, that same statement is what led the EFF to think the same thing. But it doesn’t say that the DRM reports users’ reading actions. A different mechanism — within ADE, but not the DRM — does that reporting. That’s proven by the fact that it reports on DRM-free e-books as well.

  5. Greg Weeks · ·

    I don’t know anyone who actually uses ADE to read books on Windows. You use it to download them and transfer to your hardware based EPUB eInk reader. (Nook, Sony, Etc.) And NO, there isn’t another application that will do this. Bluefire works fine if you are on a tablet and want to read, or want to just read on Windows.

  6. Purple Lady · ·

    ADE is needed to transfer books bought at Kobo to an older Sony ereader or any other Reader that is not a Kobo. If there’s a different way to do that I’d sure like to know. It’s not just for library books.

  7. There does seem to be a good bit of evidence that quite a few people read ebooks on the desktop. The BISG has released reports that show this clearly, and there is mention of this here: http://www.publishersweekly.com/binary-data/ARTICLE_ATTACHMENT/file/000/000/522-1.pdf on page 7 where it quotes a BPA report that 45% of respondents read ebooks on the desktop. Granted that is from 2011, but I’ve seen multiple similar report with similar numbers. Also, my own anecdotal experiences with end users bear this out.

    Regarding transferring ACS encrypted files to tethered eInk devices, it is true that Bluefire Reader for Windows does not (yet) support this. We see a trend away from manually moving files to tethered devices and towards direct downloads to mobile devices via wifi and wireless. Thus we focused our energies in other areas such as providing consumer focused features such as night mode, reading settings customizations, page location sync across devices, etc.

    I would assume that Adobe will address this security issue quickly, and so it is not clear to me yet that developing an alternative for tethered devices is a good place for us to invest. I’d rather bring unique value to the market.

    I know that Sony’s desktop app does. Their Windows app is found here: http://esupport.sony.com/US/p/swu-download.pl?mdl=PRST1&upd_id=9910&os_group_id=5 and Mac version here: http://esupport.sony.com/US/p/swu-download.pl?mdl=PRST1&upd_id=9911&os_group_id=3

    Kobo’s instructions on that are here: http://www.kobo.com/help/en-US/article/2671/syncing-your-books-to-your-sony-ereaderhttp://www.kobo.com/help/en-US/article/2671/syncing-your-books-to-your-sony-ereader

    I beleive Overdrive’s desktop app does so as well.http://help.overdrive.com/customer/portal/articles/1481073-how-to-install-overdrive-s-desktop-app-for-mac-

    ADE3 does not transmit reading data can be used for this as well and is found here: http://www.adobe.com/support/digitaleditions/downloads.html
    -Micah

  8. Greg Weeks · ·

    I suspect it’s not worth your while to develop the capabilities. The main market for ADE seems to be customers of small ebook stores and library patrons. Most of the library patrons have switched to kindle anyway.

    I’ve read books on the desktop. Not in ADE though. If it’s in epub I see no point in doing so. PDFs mostly and some in a browser. I still don’t know of anyone that uses ADE as a reader. I know many people that read ebooks. Most are using their phone now. If you’re getting Bluefire customer support info that shows people reading epubs on their destop I’ll believe you. I suspect is a very small number though.

    Overdrive’s app does NOT transfer ebooks. It will do audio books and video. Can either of Sony or Kobo’s desktop tools download library books? I don’t know as I don’t use either of them. The nook tools cannot.

    I’m actually using ADE2. How long Adobe will let that version continue to work is unknown.

  9. Greg,
    You might be surprised at the volume of ACS content that people are reading. It is much larger in Europe than in the US in indie retail, but still large in NA. 100’s of thousands if not millions of ebooks each month are licensed to readers using ACS.

    Interesting to hear that Overdrive apps don’t transfer ebooks. Are you sure? Their documentation indicated to me that they do, but then I’m not a user for obvious reasons. Nor am I a (current) user of the other apps. My comments were based on a quick scan of their documentation. That said, I do know for sure that Sony’s app was used to transfer files to Sony Readers, I’ve done that myself in the past. Though I’d not used it for library ebooks.

    It may well be that ADE2 or 3 is still the best, and possibly only option for transferring library ebooks to tethered devices. Sorry I could not be more helpful. I tend to use Bluefire Reader for some strange reason.

  10. Actually Bill, your update is not 100% accurate [so I deleted the update. -BR]. So I’m going to take a minute here to clear up this topic as it is poorly understood by many folks in the industry. Sorry in advance for the long comment. I know you personally know most if not all of this stuff, but many don’t.

    .ACSM files are actually a very small text file. In fact, if you change the file extension to .txt you can read it any text reader app. It contains a bit of XML marked up text that tells the reading app what it needs to know to download the actual ACS managed EPUB or PDF file.

    Any app that supports Adobe DRM can read a .acsm file and directly download an ebook from *any* source that distributes ACS rights managed files. That includes Bluefire Reader apps, and many other third party apps for mobile and desktop. Library loaned ebooks included.

    In fact, people all over the world download ACS managed ebooks from their local public library, directly into Bluefire Reader apps on mobile and desktop (as well as to other apps such as Aldiko, TXTR, Mantano, etc)

    Now, in the case of Overdrive libraries, because Overdrive has their own apps, they craft the URL to the .acsm files on mobile devices to specifically launch their own apps to handle the download. That is an intentional choice by Overdrive rather than a technical “limitation” of the platform. I would assume they do that in order to try to make the operation as easy for end users as possible – rather than a specific intent to limit user choice.

    E-ink devices are somewhat of a special case. Because, many of them don’t have wireless networking capabilities at all, and thus ebooks need to be loaded onto them via a cable connected to a PC.

    while it is possible for a device manufacturer to enable ACS managed files to be transferred to the device simply using the operating system’s file system tools (e.g. copy and paste an epub file onto the tethered device’s storage,) most of the time it is assumed that a program like ADE will be used to facilitate that transfer to make it as easy as possible for the user. Easier because such apps can show the title and cover of the books you want to transfer, where the file system just shows file name, which is not near as helpful. What is being transferred is simply an ePUB or PDF file. The .acsm was only used to facilitate the download of that file to the device in the first place (the term “fulfill” is usually used in the case of the download of a DRM’d ebook).

    So you could, for example, fulfill an ebook to Bluefire Reader for windows, and then open ADE on the same computer, and open that same epub or PDF file, and then transfer it to a tethered e-ink device. Or, you might well be able to simply copy that file that was downloaded by Bluefire Reader, right onto the drive of the device, and it would work (assuming the device manufacturer supported such “side-loading” workflows). What we’ve not implemented in Bluefire Reader, is an interface for actually displaying the content of a tethered e-ink device, and for using the Bluefire UI to transfer files (what I was referring to in a previous comment)

    On somewhat of a side note: in order for reading apps to display the cover and title of ebooks, they “open” the book in the background, when it is imported into the user’s app library, just in order to retrieve that title and cover data. I’m guessing that is actually what Nate was seeing in his post about data collection where he thought it scanned his hard drive for files. Where (again I’m just guessing) it was actually a case where a tethered device was attached, and so the app opened those files in the “background” in order to display the meta data in the UI of the app that is used for transferring files.

    One other thing worth mentioning here: ebook files that are ACS managed can be transferred from one device to another (side loading) but library loans are kind of a special case. The app you are putting the files “on to” needs to know how to check to verify that the loan is still valid (e.g. has not been returned already) in order for that to work correctly. We added that feature in Bluefire Reader a long time ago (not for commercial reasons, but because we are big fans of libraries).

    I don’t know of any other apps that do that (support side-loaded library ebooks). Perhaps it is not important to them (e.g. not a money making feature) or because they simply don’t know how (it took us quite a bit or R&D to figure that out). I’m just mentioning this as Bluefire is kind of a special case in terms of supporting that particular workflow, but again, not really a limitation of the platform, just something you have to work to support.

    Maybe that is too much info, but figured a little demystification was in order.
    -Micah

  11. […] Adobe’s Latest E-Book Misstep: This Time, It’s Not the DRM (Copyright and Technology)More actual facts about this sorry case will emerge in the coming days, no doubt, leading to a fully clear picture of what Adobe is doing and why. My purpose here and now is to address the various accusations that this latest e-book gaffe by Adobe has to do with its DRM. *** […]

  12. Jordan Forward · ·

    I’m trying to write a report on this ADE4 debacle, and I could use a helping hand from anyone here. does anybody think privacy concerns will ever threaten or impact the future of Ebooks in any way?

    It’s a tenuous link to try and make, but is there a chance that these kinds of concerns, if exacerbated by more mainstream issues concerning certain formats or types of e-readers, could put consumers off, or impact the ebook (as a way of reading) in any way?

    Any suggestions on this would be greatly appreciated.

    Many thanks,

    Jordan.

  13. Jordan,

    Thank you for coming to this blog with an interesting intellectual inquiry. Yet
    please caveat the following by noting that I am not, not, not a privacy expert.

    First it would help if you got a little more specific about what you mean by “exacerbated by more mainstream issues concerning certain formats or types of e-readers.” If you are talking about whether Amazon or B&N or Apple collect data about users’ reading habits, the answer is absolutely yes, no question about it. However, there is a general feeling among the biggest tech companies that they all suffer when it becomes clear that they are letting personal data be snooped on by the likes of the NSA. The consumer mistrust scares them to death. While I personally smell a faint whiff of hypocrisy about this, I will admit that there’s a huge difference between using your personal info for better ad targeting and using it as an excuse to throw you in jail or kill you. That’s what legitimately scares everyone.

    Having said that, I am not sure I see a link to e-book formats, which nowadays are all essentially glorified HTML. No privacy implications that I’m aware of, whether or not the files have DRM.

    The other data point I will add is that there is a seminal paper in the legal field that may touch on points you’re interested in called “A Right to Read Anonymously,” by the eminent Georgetown copyright scholar Julie Cohen. It’s available here.

  14. AudioNomics · ·

    The “reason” for them sending reader habits is the same as every tech company (though they messed up the implementation, as you said) that gives “free” services.
    SillyCon Valley is nothing more than a corporate spy operation with the general public as the prey. Add in the NSA tag-along to boot, and information collections are complete and thorough.
    “Privacy” ??? What’s that?

  15. I’d say it’s more accurate to say that tech companies use information from users, whether it’s data about their behavior or the content they supply (e.g. posts on social networks), as “input goods” that they don’t have to pay for — as opposed to professional content, which they do have to pay for.

    The hypocrisy comes in when big tech companies start portraying themselves as the great saviors of the public from NSA spying. This posturing — although it may well result in better insulation from actual NSA spying — helps Big Tech draw consumer attention away from their own “spying” activities. A few months ago, Google’s General Counsel David Drummond tried this “don’t look here, look over there” tactic during an NPR interview with NPR’s Audie Cornish – who was having none of it. You could hear the sounds of Drummond squirming over the radio. http://www.npr.org/templates/story/story.php?storyId=249784795

  16. Galen Charlton · ·

    On somewhat of a side note: in order for reading apps to display the cover and title of ebooks, they “open” the book in the background, when it is imported into the user’s app library, just in order to retrieve that title and cover data. I’m guessing that is actually what Nate was seeing in his post about data collection where he thought it scanned his hard drive for files. Where (again I’m just guessing) it was actually a case where a tethered device was attached, and so the app opened those files in the “background” in order to display the meta data in the UI of the app that is used for transferring files.

    I worked a bit with Nate last week to track that down. He came to suspect that ADE had in fact been retrieving and transmitting book metadata from an an attached ereader, and I was able to confirm that was in fact the case.

    This gist contains an example of what ADE 4.0 was sending when an old Sony Reader was attached.

    That ADE was opening epubs from the ereader is not inherently objectionable — as folks here have pointed out, one of the things that ADE does is handling transferring ebooks to and from ereaders. The problem, of course, is that version 4.0 proceeding to transmit the data in the clear.

    Here’s a scenario that exemplifies the problem with this: imagine a user who had been using an early-generation Nook for a while, then found out in September that he could borrow ebooks from the library. If he followed instructions to use ADE 4.0 to open an ACSM file downloaded from OverDrive and transfer the fulfilled ebook to his Nook, ADE would have potentially transmitted the titles of his entire Nook library to Adobe in the clear.

  17. Jordan Xavier Forward · ·

    Thanks for your reply Bill, the paper on privacy was especially helpful.

    I suppose what I should have been asking originally was whether or not concerns over consumer privacy would impact the ebook as a reading platform, and how so?

    I’d be incredibly grateful if you’d point me in the direction of any links or leads that you think might help.

    Thanks so much for your time,

    Jordan

  18. The short answer is, not that I know of. Privacy concerns related to the web in general have always overshadowed privacy concerns about e-books.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: