Software also sends metadata from ebooks on hard disk

Oct 7, 2014 20:53 GMT  ·  By
Wireshark traffic capture showing the ebook data uploaded in plain text by Adobe Digital Editions

The latest release of the ebook reading software Adobe Digital Editions has been discovered to track user progress through an opened document and then upload that data to an Adobe server unencrypted.

The information monitored by the application includes the pages that were read by the user, the order in which they were navigated and the time of the action, the names of the ebooks that have been opened, publisher details, and whatever metadata is available (genre, publishing rights, total number of pages, description of the document).

This behavior has not been reported in the case of PDF files.

Privacy-invading behavior spotted by multiple users

Digital Editions from Adobe is an application specifically aimed at readers who need a simple way to download and buy digital content that can be accessed online and offline. It also offers the possibility to transfer copy-protected ebooks from one computer to another or to a different reading device.

The logging activity of the software is carried out in real time, and it has been reported by Nate Hoffelder of The Digital Reader blog. Apart from seeing for himself the data being sent to an Adobe server called adelogs, he received confirmation on the matter from security researcher Benjamin Daniel Mussler and from Liza Daly of Safari Books.

Furthermore, other independent sources conducted the experiment and reached the same conclusion. Andromeda Yelton, a librarian with coding skills, also analyzed the spying behavior of Digital Editions and made a video with the traffic captured via Wireshark.

Readers' privacy is the main concern

What is worse, Digital Editions does not limit itself to tracking navigation through an opened document; it also scans the hard disk for other stored books and shares the info with Adobe.

“This is a privacy and security breach so big that I am still trying to wrap my head around the technical aspects, much less the legal aspects,” Hoffelder wrote in a blog post.

Adobe Digital Editions integrates the necessary features that allow tracking the amount of time a book has been read, and because of this, it is used in libraries across the world, allowing them to lend digital content to customers.

By enforcing digital rights management (DRM) rules, it can block access to content if the loan period has expired.

However, the software tracks every move in the document indiscriminately, and in many cases, the items are self-published or are not under any DRM restrictions.

On top of this, sending all the details in plain text is dangerous not necessarily because Adobe has the means to profile its users' reading habits, but because other individuals could capture the traffic and learn personal information about the targeted reader, with the possibility of using it against them.