Wednesday, October 08, 2014

ADOBE Says Read The Small Print

Details about the extent of the Adobe security snoop into individuals’ reading habits and its harvesting of data are becoming clearer, and the arrogance adopted by them over what is personal data would appear to many to raise the question as to whether they are fit to manage many services’ digital content.

Their explanation of what they monitor conveys no remorse and, some would say, carries the usual ‘read the small print’ caveat. Even more interestingly, it appears to blame publishers and others for asking for those controls, even though many appear to be naïve to the fact that the controls are not only enforced locally but that the information about them is sent back to Adobe to harvest.

The information has been confirmed by a number of sources to be unencrypted and therefore potentially open to many parties to read or intercept, which in this day and age beggars belief and is clearly lacking any responsibility or care. Their privacy statement can be found at Adobe Privacy Policy and, interestingly, under ‘Is my Personal Information Secure?’ states:

‘We understand that the security of your personal information is important. We provide reasonable administrative, technical, and physical security controls to protect your personal information. However, despite our efforts, no security controls are 100% effective and Adobe cannot ensure or warrant the security of your personal information’.  

We all understand that many services such as Kindle, Overdrive, etc. synchronise our reading so that we can continue where we left off. We respect that there is a wealth of information that goes with that. But these transfers are secured and not open and remain within their walled gardens. Anything that resides in Adobe’s Digital Editions 4 library appears fair game to Adobe snooping and data harvesting, even documents and non-DRM ebooks!

Adobe may now find itself under pressure from large library services and others to explain their approach and, given their ACS4/5 history, the solid umbilical cord to ADE and their apparent approach to ‘act first think later’, some may now be prompted to look at alternative options. However, that in itself is not an easy route. It is also clear that this is not an old data harvesting feature but only applicable to ADE4 and probably tied to the ACS5 features they are desperate to get adopted by all.

It is sobering to think that they know and send via an open stream:

· Unique User ID which aligns to registration
· Device ID to restrict number of devices re DRM
· Certified App ID to ensure only certified apps (licensed sales and rentals)
· Device IP to determine geo-block
· Duration of reading to meter reading against certain licences
· Percentage of the Book Read to enable publishers to align to subscription models and determine if the book has been ‘read’
· Date of Purchase/Download
· Distributor ID and Adobe Content Server Operator URL
· Metadata provided by Publisher (title, author, publisher list price, ISBN number etc.)

It is also reasonable to ask why the new controls aren’t performed at a local level by ADE4 and why the data has to go back to the mothership at all. Surely if the publisher states x, y and z rules these can be enforced locally and the only validation required is at the outset to stamp the file as genuine? Perhaps that’s too simple and perhaps Adobe feel that would loosen their tight control and not give them that rich seam of data that they could………


Anonymous said...

Except this Privacy Policy/EULA is not presented (as obvious links for example) when you download this app; the licence you ACCEPT in the installer doesn't contain those two, which means it is illegal in a large number of countries.

Inkling said...

I suspect this will prove a typical tech-media feeding frenzy. Keep in mind:

1. I once talked to someone at Adobe about what I hated about its reader. He agreed but pointed out that the reader was free. The development costs were paid for by publishers, obsessed with features such as DRM. They were the ones who had to be pleased.

2. I'm not sure there's all that much difference between what Adobe is doing and what both Apple and Amazon do with their ebook readers. All track what we're reading remotely. They have to do that to synch between devices. And while I can bypass Apple servers to read a document with iBooks, by far the easiest way to get an ebook onto my Kindle or into a Kindle app is through Amazon's servers. And Amazon makes it very easy to store that document on their servers.

In the end, I suspect this will prove to be like bending and the new iPhones, a tempest in a teapot. A little user good sense can easily correct any potential problems.