Wednesday, October 08, 2014

ADOBE Says Read The Small Print

Details about the extent of the Adobe security snoop into individual’s reading habits and harvesting of data is becoming clearer and the arrogance adopted by them over what is personal data would appear to many to raise the question as to whether they are fit to manage many services digital content.

There explanation of what they monitor conveys no remiss and some would say carries the usual ‘read the small print’ caveat and even more interestingly appears to blame publishers and others for asking for those controls even though many appear to be na├»ve to the fact that the controls are not only enforced locally but that the information about them is sent back to Adobe to harvest.

The information has been confirmed by a number of sources to be unencrypted and therefore open to potentially many parties to read or intercept which in this day and age beggars belief and is clearly any responsibility or care. Their privacy statement can be found at Adobe Privacy Policy  and interestingly under ‘Is my Personal Information Secure?’ states:

‘We understand that the security of your personal information is important. We provide reasonable administrative, technical, and physical security controls to protect your personal information. However, despite our efforts, no security controls are 100% effective and Adobe cannot ensure or warrant the security of your personal information’.  

We all understand that many services such as Kindle, Overdrive, etc synchronise our reading such to assist our being able to continue to start where we left off. We respect that there is a wealth of information that goes with that. But these transfers are secured and not open and remain within their walled gardens. Anything that resides in Adobe’s Digital Editions 4 library appears fair game to Adobe snooping and data harvesting, even documents and non DRM ebooks!

Adobe may now find itself under pressure from large library services and others to explain their approach and given their ACS4/5 history, the solid umbilical cord to ADE and their apparent approach to ‘act first think later’, some may now be prompted to look at alternative options. However that in itself is not an easy route. It is also clear that this is not an old data harvesting feature but only applicable to ADE4 and probably tied to the ACS5 features they are desperate to get adopted by all.
It is sobering to think that they know and send via an open stream;  
·         Unique User ID which aligns to registration
·         Device ID to restrict number of devices re DRM
·         Certified App ID to ensure only certified apps (licenced sales and rentals)
·         Device IP to determine geo-block
·         Duration of reading to meter reading against certain licences
·         Percentage of the Book Read to enable publishers to align to subscription models and determine if the book has been ‘read’
·         Date of Purchase/Download
·         Distributor ID and Adobe Content Server Operator URL
·         Metadata provided by Publisher (title, author, publisher list price, ISBN number etc)

It is also reasonable to ask why the new controls aren’t performed at a local level by ADE4 and why the data has to go back to the mothership at all. Surely if the publisher states x, y and z rules these can be enforced locally and the only validation required is at the offset to stamp the file as genuine? Perhaps that’s too simple and perhaps Abobe feel that would loosen their tight control and not give them that rich seam of data that they could………

Tuesday, October 07, 2014

Are Adobe Secretly Watching You Read Via DRM?

The question of privacy on the internet has once again raised its head with the posting by Digital Reader on Adobe’s ACS DRM system and what is claimed to be excessive data gathering of personal information from consumer’s elibraries.

We can’t comment on whether the facts as presented are true or false, but we are able to say that if true, they are a significant shift from where Adobe started from and seriously question the role of DRM and whether consumer privacy rights have been breeched.

Abobe DRM history goes back many years. ACS3 was widely used by retailers but effectively broken and open. The start of the latest ebook revolution was initiated with the introduction of the eInk readers and when Sony entered the fray they wanted a DRM system which would effectively give them a march on the rest. Adobe also wanted to regain control of a space they had clearly lost. Overdrive had also built a ACS4 beta that they were using to control their market. We remember Adobe’s introduction of ACS4 and their lack of market awareness and often rigid mind-set and coupled with Sony’s desire to rule the world, we had many often fraught conversations with the two of them but the rest of the market wasn’t ready and so they won the initial battle. Years later it’s a different story and many have either migrated to their own DRM. Amazon and Apple never did join and Kobo and Nook grew alternative offers and Overdrive stuck with their own variant.

Adobe then went into what can best described as the Dark Ages where they still championed interoperability, but where leaderless and gave up trying to manage micropayments and gave this up to a small handful of agents who managed the retail facing activity and collected the money. They then came up with ACS5 or a tighter model which was part born out of the fact that ACS4 could easily be broken by anyone who asked the right questions on the Internet and part by the fact that they were clearly being squeezed out by the big channels. Unfortunately ACS5 has some basic issues which forced Adobe to retract their initially statements and backtrack on their timelines to force full migration to the new platform.

So today we have the news that Abode appear to be data gathering consumer usage information at title level and also at library level. What was read when, what wasn’t read, and probably much more? Is this right or wrong?

Well Adobe provide a DRM locking service aimed at validating ownership and stamping this such that they can ensure rights are managed with respect to devices, etc. Why on earth do they want to gather data on usage other than to sell back to publishers, retailers and libraries. Did they offer and opt in, or opt out to consumers is a mute question and we would suggest that they had to in order to snoop.

They apparently doing this not through the standard interface with hosting sites but through a mole application in Digital Editions that they plant into the consumer library or device. We would like to see the snooper application flagged as unauthorised by the security systems and users being given at least the choice of allowing it in. Whether the Adobe service will work without the mole is an interesting question.

We have to accept that Amazon, Apple, Nook, Kobo and Overdrive all can gather information on their consumers and their walled gardens allow this, but they are walled gardens. Adobe promotes itself as open and interoperable and importantly does not have consumer customer relationships to build in the same way. Again it begs the question what do they intend to do with this information and is it being resold and if so to whom?

However, all this a new news and we await more information about Abode’s intent and what is behind the intrusion into consumer’s private libraries and reading habits.

Personally, if the facts bear up to what has been reported, then Adobe has single handily done more harm to DRM than all the articles every written about it. Consumers if made aware of it will probably shun and question the violation of their privacy.

Finally, we hope that the wider media picks this story up and fully investigates it and if collaborated exposes it to the consumer.  

6th Oct 2014