Adobe has been under heavy criticism since a report from Nate Hoffelder at the Digital Reader revealed that the latest version of Adobe Digital Editions (ADE) is collecting and transmitting unencrypted user data back to Adobe. This week, in a message to concerned officials at the American Library Association, Adobe defended its system, and, according to ALA, suggested an update was coming by October 20.
Adobe officials claim their data collection is used only for proper “license validation, and to facilitate the implementation of different licensing models by publishers and distributors.” But a chorus of concerned individuals and organizations has expressed alarm over Adobe’s actions—including librarians, as the ADE e-book reader application is used by “thousands of libraries and many tens of thousands of e-book readers around the globe.”
“It’s complicated,” explains PW contributing editor Peter Brantley, noting that the latest version of ADE apparently sends information “in the clear” (that is, without encryption) back to Adobe, including reader account information, device ID, and pages read (at least of the books in the ADE library, and possibly other books on the user's device, though Adobe denies this). “It's not great that ADE, without any notice, is sending this kind of data back to Adobe, where it is not obvious what is happening with it. Maybe nothing,” Brantley told PW. Regardless, he adds, the collection and transmission of such unencrypted data “abrogates assumptions of reader privacy and creates a hackable dataset.”
In a blog post, the Library and Information Technology Association (LITA), a division of the ALA, decried what they called “confirmed reader data breaches” and expressed a number of concerns beyond the “data transmission” issue.
“ALA also is concerned about the possible over-collection and unnecessary retention of sensitive user data. Are all of the data elements collected necessary for product functionality? Is such sensitive user data deleted soon after the need for operational purposes is fulfilled?”
ALA president Courtney Young said ALA will continue “investigating possible violations of applicable federal or state laws on commerce/trade and privacy, as well as establishing best practices to protect reader privacy and secure the best possible licensing terms for libraries and the general public.”
ALA is hardly alone in its criticism of Adobe. The Electronic Frontier Foundation’s Corynne McSherry suggested that “the publishing world may finally be facing its ‘rootkit scandal,’” in a blistering post. “And it’s all being done in the name of copyright enforcement.”
In 2005, the music industry faced a major revolt when a computer security researcher revealed that a major label’s anti-piracy software was based on a “rootkit,” a damaging system often used by hackers in conjunction with spyware and malware. “The rootkit scandal put several nails in the coffin of DRM and music,” EFF notes, calling the Adobe discovery a potential silver lining. “If enough readers, librarians, publishers and authors speak up, perhaps this latest scandal will do the same for DRM and books.”
Thus far, getting access to e-books for libraries has been the main concern for ALA. But with the alleged Adobe breach, the new focus may finally be on how libraries are getting those e-books.
Gary Price, the librarian behind the popular InfoDocket, told PW that the Adobe problems should help make e-book privacy “and library privacy in general” a top priority across the entire ALA organization going forward, and that other library organizations also need to be involved.
“We know that the public trusts librarians, and ALA is in a strong position to help make libraries places to provide information and instruction about many digital privacy issues, and tools,” Price told PW. “It's yet another opportunity for the library community to be relevant, useful, and important during a time when digital privacy and security are on the mind of many.”