# Verifying our tools; a role for ALA?

Galen Charlton, 8 October 2014 (updated 10 October 2014). Original post: https://galencharlton.com/blog/2014/10/verifying-our-tools-a-role-for-ala/

It [came to light](http://the-digital-reader.com/2014/10/06/adobe-spying-users-collecting-data-ebook-libraries/) on Monday that the latest version of Adobe Digital Editions is sending metadata on ebooks that are read through the application to an Adobe server — **in clear text**.

I've personally verified the claim that this is happening, as have lots of other people. I particularly like Andromeda Yelton's [screencast](http://screencast.com/t/7AOQS2dsG6T), as it shows some of the steps that others can take to see this for themselves.

In particular, it looks like any ebook that has been opened in Digital Editions or added to a "library" there gets reported on. The original report by Nate Hoffelder at The Digital Reader also said that ebooks that were *not* known to Digital Editions were being reported~~, though I and others haven't seen that — but at the moment, since nobody is saying that they've decompiled the program and analyzed exactly when Digital Editions sends its reports, it's possible that Nate simply fell into a rare execution path~~. ***UPDATE 10 October 2014:*** *Yesterday I was able to [confirm](https://gist.github.com/gmcharlt/50707d56ebcb3162e195) that if an ereader device is attached to a PC and is recognized by ADE, metadata from the books on that device can also be sent in the clear.*

This move by Adobe, whether or not they're permanently storing the ebook reading history, and whether or not they think they have good intentions, is bad for a number of reasons:

- By sending the information in the clear, anybody can intercept it and choose to act on somebody's choice of reading material. This applies to governments, corporations, and unenlightened but technically adept parents. And as far as state actors are concerned, it actually doesn't matter that Digital Editions isn't sending information like name and email addresses in the clear; the user's IP address and the unique ID assigned by Digital Editions will often be sufficient for somebody to, with effort, link a reading history to an individual.
- The release notes from Adobe gave no hint that Digital Editions was going to start doing this. While Amazon's Kindle platform also keeps track of reading history, at least Amazon has been relatively forthright about it.
- The privacy policy and license agreement similarly did not **explicitly** mention this. There has been some discussion to the effect that if one looks at those documents closely enough, there is an implied suggestion that Adobe can capture and log anything one chooses to do with their software. But even if that's the case – and I'm not sure that this argument would fly in countries with stronger data privacy protection than the U.S. – sending this information in the clear is completely inconsistent with modern security practices.
- Digital Editions is part of the toolchain that a number of library ebook lending platforms use.

The last point is key. Everybody should be concerned about an app that spouts reading history in the clear, but librarians in particular have a professional responsibility to protect our users' reading history.

What does it mean in the here and now? Some specific immediate steps I suggest for libraries are to:

- Publicize the problem to their patrons.
- Officially warn their patrons against using Digital Editions 4.0, and point to workarounds like pointing "adelogs.adobe.com" to "127.0.0.1" in hosts files.
- If they must use Digital Editions to borrow ebooks, recommend the use of earlier versions, which do not appear to be spying on users.

However, there are things that also need to be done in the long term.

Accepting DRM has been a terrible dilemma for libraries – enabling and supporting, no matter how passively, tools for limiting access to information flies against our professional values. On the other hand, without some degree of acquiescence to it, libraries would be even more limited in their ability to offer current books to their patrons.

But as the Electronic Frontier Foundation [points out](https://www.eff.org/deeplinks/2014/10/adobe-spyware-reveals-again-price-drm-your-privacy-and-security), DRM as practiced today is fundamentally inimical to privacy. If, following Andromeda Yelton's [post this morning](http://andromedayelton.com/blog/2014/10/08/ebooks-choices-and-the-missing-soul-of-librarianship/), we value our professional soul, something has to give.

In other words, we have to have a serious discussion about whether we can responsibly support any level of DRM in the ebooks that we offer to our patrons.

But there's a more immediate step that we can take. This whole thing came to light because a "hacker acquaintance" of Nate's decided to see what Digital Editions is sending home. And a key point? Once the testing started, it probably didn't take that hacker more than half an hour to see what was going on, and it may well have taken only five minutes.

While the library profession probably doesn't count very many professional security researchers among its ranks, this sort of testing is not black magic. Lots of systems librarians, sysadmins, and developers working for libraries already know how to use tcpdump and Wireshark and the like.

So what do we need to do? We need to stop blindly trusting our tools. We need to be suspicious, in other words, and put anything that we would recommend to our patrons to the test to verify that it is not leaking patron information.

This is where organizations like ALA can play an important role. Some things that ALA could do include:

- Establishing a clearinghouse for reports of security and privacy violations in library software.
- Distributing information on ways to perform security audits.
- *Doing* testing of library software in house and hiring security researchers as needed.
- Providing institutional and legal support for these efforts.

That last point is key, and is why I'm calling on ALA in particular. There have been plenty of cases where software vendors have sued, or threatened to sue, folks who have pointed out security flaws. Rather than permitting that sort of chilling effect to be tolerated in the realm of library software, ALA can provide cover for individuals and libraries engaged in the testing that is necessary to protect our users.