A few days ago, it emerged that the latest version of Adobe’s e-book reading software for PCs and Macs, Adobe Digital Editions 4 (ADE4), collects data about users’ reading activities and sends them to Adobe’s servers in unencrypted cleartext, so that anyone can intercept and use the data, even without NSA-grade snooping tools.
The story was broken by Nate Hoffelder at The Digital Reader on Monday. The Internet being the Internet, the techblogosphere was soon full of stories about it, mostly half-baked analysis, knee-jerk opinions, jumped-to conclusions, and just plain misinformation. Even the usually thorough and reliable Ars Technica, the first to publish serious technical analysis, didn’t quite get it right. At this time of writing, the best summary of it comes from the respected library technologist Eric Hellman.
More actual facts about this sorry case will emerge in the coming days, no doubt, leading to a fully clear picture of what Adobe is doing and why. My purpose here and now is to address the various accusations that this latest e-book gaffe by Adobe has to do with its DRM. These include a gun-jumping post by the Electronic Frontier Foundation (EFF) that has inadvertently dragged Sony DADC, the division of Sony that is currently marketing a DRM solution for e-books, into the mess undeservedly.
Let’s start with the basics: ADE4 does collect information about users’ reading activities and transmit it in the clear. This is just plain unacceptable; no matter what Adobe’s terms and conditions might say, it’s a breach of privacy and trust, and (as I’ll discuss later) it seems like a strange fit to Adobe’s role in the e-book ecosystem. Whether it’s naivete, sloppiness, or both, it’s redolent of Adobe’s missteps in its release of the latest version of its e-book DRM at the beginning of this year.
But is ADE4’s data reporting part of the DRM, as various people have suggested? No.
The reporting on this story to date has missed one small but important fact, which I suspected and then confirmed with a well-placed source yesterday: ADE4 reports data on all EPUB format files, whether or not they are DRM-encrypted. The DRM client (Adobe RMSDK) is completely separate from the reporting scheme. By analogy, this would be like Apple collecting data on users’ music and movie playing habits from their iTunes software, even though Apple’s music files are DRM-free (though movies are not).
Some savvier writers have pointed out that even though DRM may not be directly involved, this is what happens when users are forced to use media rendering software that’s part of a DRM-based ecosystem. This is a fair point, but in this particular case it’s not really true. (It would be more true in the case of Amazon, which forces people to use its e-reading devices and apps, and unquestionably collects data on users’ reading behaviors – although it encrypts the information.)
Unlike the Kindle ecosystem, users aren’t forced to use ADE4; it’s one of several e-reader software packages available that reads EPUB files that are encrypted with Adobe’s Content Server DRM. None of the major e-book retailers use or require it, at least not in the United States. Instead, it is most often used to read e-books that are borrowed from public libraries using e-lending platforms such as OverDrive; and in fact such libraries recommend and link to Digital Editions on their websites.
But other e-reader apps, such as the increasingly popular BlueFire Reader for Android, iOS, and Windows, will work just as well in reading e-books encrypted with Adobe’s DRM, as well as DRM-free EPUB files. BlueFire (who can blame them?) sees the opportunity here and points out that it does not do this type of data collection. Users of library e-lending systems can use BlueFire or other apps instead of ADE4. Earlier versions of ADE also don’t collect and report reading data.
A larger question is why Adobe collects this data in the first place. The usual reason for collecting users’ reading (or listening or viewing) data is for analytics purposes, to help content owners determine what’s popular and hone their marketing strategies. Yet not only is Adobe not an e-book retailer, but e-book retailers that use its DRM (such as Barnes & Noble) don’t use Digital Editions as their client software.
One possible explanation is that Adobe is expecting to market ADE4 as part of its new DRM ecosystem that’s oriented towards the academic and educational publishing markets, and that it expects the data to be attractive to publishers in those market segments (as opposed to the trade books typically found in public libraries). Eric Hellman suggests another plausible explanation: that it collects data not for analytics purposes but to support a device-syncing feature that all of the major e-book retailers already offer — so that users can automatically get their e-books on all of their devices and have each device sync to the last page that the user read in each book.
Regardless of the reason, it seems unsettling when a platform software vendor, as opposed to an actual retailer, collects this type of information. Here’s another analogy: various video websites use Microsoft’s Silverlight web application environment. Silverlight contains a version of Microsoft’s PlayReady DRM. Users don’t see the Microsoft brand; instead they see brands like Netflix that use the technology. Users might expect Netflix to collect information about their viewing habits (provided that Netflix treated the information appropriately), but they would be concerned to hear (in a vacuum) that Microsoft does it; and in fact Microsoft probably does contribute to the collection of viewing information for Netflix and other Silverlight users.
In any case, Adobe can fix the situation easily enough by encrypting the data (e.g., via SSL), providing a user option in Digital Editions to turn off the data collection, and offering better explanations as to why it collects the data in the first place (at least better than the ambiguous, anodyne, PR/legal department-buffed one shown here). Until then, platform providers like OverDrive can link to other reader apps, like BlueFire, instead of to Adobe Digital Editions.
Finally, as for Sony DADC: the EFF’s web page on this situation contains a link, as a “related case,” to material on a previous technical fiasco involving Sony BMG Music, one of the major recording companies in the mid-2000s. At that time, Sony BMG released some albums on CDs that had been outfitted with a form of DRM. When a user put the disc in a CD drive on a PC, an “autorun” executable installed a DRM client onto the PC, part of which was a “rootkit” that enabled viruses. After a firestorm of negative publicity that the EFF spearheaded, Sony BMG abandoned the technology. (In one of its more savvy gambits, the EFF used momentum from that episode to cause other major labels to drop their CD DRMs as well; the technology was dead in the water by 2008.) In this case, unlike with Adobe, the problem was most definitely in the DRM.
Apparently some people think that because this incident involved “Sony,” Sony DADC — which is currently marketing an e-book DRM solution based on the Marlin DRM technology — was involved. Not true; the DRM that installed the rootkit came from a British company called First4Internet (F4I). Not only did Sony DADC have nothing to do with this (as I have confirmed), but Sony DADC actually advised Sony Music against using the F4I technology.