Adobe Digital Editions caught calling home with user logs

Home and mobile users might be more familiar with Adobe's Acrobat software for reading PDFs, but those who live on ebooks, particular in the EPUB format, also live in another program called Adobe Digital Editions or ADE. Popular (relatively) and widespread, this program has just been discovered to have one frightening flaw. Apparently, ADE transmits the app's activity logs to Adobe's servers, presumably for copyright protection purposes, but also seemingly includes unnecessary user data. Worse, it transmits them in a manner that can be easily read by unauthorized snooping third parties.

To be fair, the intention of such a process is benign or innocent, depending on whether what you think the "R" stands for in "DRM". There are dozens of EPUB readers out there, some even open source, but libraries, schools, and some other public reading places use Adobe Digital Editions precisely because of those three big letters. Unlike those EPUB readers that either ignore or even strip out DRM, ADE is actually used to enforce those. And it is able to do so by communicating with Adobe's servers. According to Adobe, ADE's information collection and transmission is necessary to implement those licensing models required by publishers or libraries. As such, it harvests information such as the user's Adobe ID, IP address, reading duration, and even reading percentage for "metered" pricing.

Sounds innocent enough except for the fact that ADE actually gathers more than that and definitely more than necessary. In addition to those pieces of information, ADE records and transmits every EPUB that was ever opened in the app and even the exact sequence of pages read. While some might be able to justify that behavior for DRM-protected content, ADE even does the same logging for those that aren't encumbered by such policies, making data collection superfluous. To add insult to injury, those logs that are transmitted every time the app is opened is sent in plain text over an unencrypted HTTP connection, open for anyone with the right tools and the right knowledge to see.

While ADE's end user license agreement (EULA) does stipulate to certain automatic Internet communication, the extent of this user logging isn't exactly covered by it. Adobe also doesn't have a clear indication of how long collected data remains on their servers. The risks to user privacy, which libraries are ethically bound to protect, further complicate the situation. Adobe has formally acknowledged the issue and promises to release an update to the software that will address these issues. But considering the extent of the problem and how long it might have existed without anyone noticing it, users and libraries definitely deserve a more reassuring explanation.

VIA: Ars Technica