Adobe’s Newest Security Hole: Telling The World What You Do With Your Library Books


It’s pretty great that in the modern age, you can borrow digital books from libraries, to read at home on the computer or e-reader of your choice. It’s a lot less great that the piece of software most library books use is apparently spying and collecting data on every word you read.

The issue is with Adobe Digital Editions (DE) software, as Ars Technica reports. That’s what many public libraries use to lend e-books, because it allows libraries to meet the required DRM terms for each book (how many patrons can borrow each e-book, and how long they can access it for).

Ars confirmed what one researcher found: Adobe is collecting data not just on which books have been opened, but on what pages are read, and in which order. They are then sending all of that information, along with the book’s metadata (title, publisher, etc.), to their servers in plain text.

The original researcher also found that Adobe wasn’t just phoning home to tattle on what he did with their Digital Editions. It was scanning his entire computer, gathering metadata from every e-book on his machine, and telling Adobe about them, too. Even the ones that he stored or accessed in other, non-Adobe applications.

This is a huge invasion of privacy by Adobe, and there are two main reasons it’s an issue.

One is that in most states, you do actually have a level of legally protected privacy when it comes to your local library. Nobody puts sensors on your paper library books to figure out how far you get in each one, or which chapters you read or skip.

Although law enforcement can subpoena your records, libraries and librarians tend to take patron confidentiality very seriously. Adobe basically broadcasting borrowers’ behavior to the world for anyone to see is a major violation of the spirit, and sometimes the letter, of those rules.

And that brings us to their second epic fail: the plaintext transmission. Literally anyone who can grab a packet out of the air can see easily what it is you’ve been reading and how far you’ve gotten reading it. And that would include agencies like the NSA or companies like your ISP.

This is far from the first time a company has made this particular gaffe, the researcher writes, pointing to a similar security issue LG had with their smart TVs last year. “I am sharing these details not to excuse or justify Adobe,” he adds, “but to show you that this was a massively boneheaded stupid mistake that Adobe would have seen coming had they had the brains of a goldfish.”

The issue, at least, seems to be confined specifically to Adobe. The researcher did not find the same security flaw in e-reader apps or tools from Amazon, Google, Apple, or Kobo, and suggests that anyone reading e-books try for now to use one of those tools instead.

Adobe is Spying on Users, Collecting Data on Their eBook Libraries [The Digital Reader, via Ars Technica]
