A couple hours ago, I saw reports from Library Journal and The Digital Reader that Adobe has released version 4.0.1 of Adobe Digital Editions. This was something I had been waiting for, given the revelation that ADE 4.0 had been sending ebook reading data in the clear.
ADE 4.0.1 comes with a special addendum to Adobe’s privacy statement that makes the following assertions:
- It enumerates the types of information that it is collecting.
- It states that information is sent via HTTPS, which means that it is encrypted.
- It states that no information is sent to Adobe on ebooks that do not have DRM applied to them.
- It may collect and send information about ebooks that do have DRM.
It’s good to test such claims, so I upgraded to ADE 4.0.1 on my Windows 7 machine and my OS X laptop.
First, I did a quick check of strings in the ADE program itself — and found that it contained an instance of “https://adelogs.adobe.com/” rather than “http://adelogs.adobe.com/”. That was a good indication that ADE 4.0.1 was in fact going to use HTTPS to send ebook reading data to that server.
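The strings check described above can be scripted. This is an added example, not the tooling used in this post; the two byte strings are constructed samples rather than data taken from ADE, and `verdicts` is a hypothetical helper name. It goes a little beyond a plain `strings` run by also matching UTF-16LE text, which Windows binaries commonly use.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

_CH = rb"[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]"
# URLs stored as plain ASCII bytes.
URL_ASCII = re.compile(rb"https?://" + _CH + rb"+")
# URLs stored as UTF-16LE: every ASCII byte is followed by a NUL byte.
URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + _CH + rb"\x00)+")

def embedded_urls(blob):
    """Return every http/https URL found in the raw bytes of a binary."""
    urls = {m.group().decode("ascii") for m in URL_ASCII.finditer(blob)}
    urls |= {m.group().decode("utf-16-le") for m in URL_UTF16.finditer(blob)}
    return urls

def verdicts(blob, watched_hosts):
    """Classify each watched host as 'absent', 'cleartext' or 'https-only'."""
    schemes = defaultdict(set)
    for url in embedded_urls(blob):
        try:
            parts = urlsplit(url)
            host = parts.hostname
        except ValueError:  # e.g. an unbalanced "[" in a truncated match
            continue
        if host:
            schemes[host.lower()].add(parts.scheme)
    result = {}
    for host in watched_hosts:
        seen = schemes.get(host.lower(), set())
        if not seen:
            result[host] = "absent"
        else:
            # Any http:// reference counts, even if https:// is also present.
            result[host] = "cleartext" if "http" in seen else "https-only"
    return result

# Constructed byte strings standing in for two builds of a program (not real ADE data).
OLD_BUILD = b"\x00\x01log\x00http://adelogs.adobe.com/\x00\xff\xfe"
NEW_BUILD = (b"\x00\x01log\x00https://adelogs.adobe.com/\x00"
             + "https://updates.example.test/check".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for name, blob in (("old", OLD_BUILD), ("new", NEW_BUILD)):
        print(name, verdicts(blob, ["adelogs.adobe.com"]))
```

A URL that is assembled at runtime or stored obfuscated will not show up in a scan like this, so the result is only an indication and the packet capture is still the real test.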
Next, I fired up Wireshark and started ADE. Each time it started, it contacted a server called adeactivate.adobe.com, presumably to verify that the DRM authorization was in good shape. I then opened and flipped through several ebooks that were already present in the ADE library, including one DRM ebook I had checked out from my local library.
So far, it didn’t send anything to adelogs.adobe.com. I then checked out another DRM ebook from the library (in this case, Seattle Public Library and its OverDrive subscription) and flipped through it. As it happens, it still didn’t send anything to Adobe’s logging server.
Finally, I used ADE to fulfill a DRM ePub download from Kobo. This time, after flipping through the book, it did send data to the logging server. I can confirm that it was sent using HTTPS, meaning that the contents of the message were encrypted.
To sum up, ADE 4.0.1’s behavior is consistent with Adobe’s claims – the data is no longer sent in the clear and a message was sent to the logging server only when I opened a new commercial DRM ePub. However, without decrypting the contents of that message, I cannot verify that it only contained information about that ebook from Kobo.
But even then… why should Adobe be logging that information about the Kobo book? I’m not aware that Kobo is doing anything fancy that requires knowledge of how many pages I read from a book I purchased from them but did not open in the Kobo native app. Have they actually asked Adobe to collect that information for them?
Another open question: why did opening the library ebook in ADE not trigger a message to the logging server? Is it because the fulfillmentType specified in the .acsm file was “loan” rather than “buy”? More clarity on exactly when ADE sends reading progress to its logging server would be good.
Finally, if we take the privacy statement at its word, ADE is not implementing a page synchronization feature as some, including myself, have speculated – at least not yet. Instead, Adobe is gathering this data to “share anonymous aggregated information with eBook providers to enable billing under the applicable pricing model”. However, another sentence in the statement is… interesting:
> While some publishers and distributors may charge libraries and resellers for 30 days from the date of the download, others may follow a metered pricing model and charge them for the actual time you read the eBook.
In other words, if any libraries are using an ebook lending service that does have such a metered pricing model, and if ADE is sending reading progress information to an Adobe server for such ebooks, that seems like a violation of reader privacy. Even though the data is now encrypted, if an Adobe ID is used to authorize ADE, Adobe itself has personally identifying information about the library patron and what they’re reading.
Adobe appears to have closed a hole – but there are still important questions left open. Librarians need to continue pushing on this.