Adobe spies on readers: 'EVERY page you turn, EVERY book you own' leaked back to base Adobe's Digital Editions 4 ebook reader software collects detailed information about the reading habits of its users – and sends it back to the company in a format that's easy for others to slurp. An investigation by Nate Hoffelder of The Digital Reader blog showed that ADE 4 was collecting telemetry on which pages of ebooks …
Outrageous
But, of course, they'll get away with it.
I am not entirely sure a EULA/T&C is capable of overriding what amounts to illegal access of a computer (come to think of it, the convoluted way you have to dig for the T&Cs with Adobe products may very well fall foul of UK contract law so it's possible that their "agreements" are null and void to start with).
It is none of their business what else you have on your computer, so it's quite possible that this is actually a criminal activity.
It's a good thing for Adobe that the police is no longer really interested in doing, well, police work - this could have been rather entertaining to watch after a complaint. The ICO doesn't really have the right powers for this.
"We will not access, view, or listen to any of your content, except as reasonably necessary to perform the Services. Actions reasonably necessary to perform the Services may include (but are not limited to) (a) responding to support requests; (b) detecting, preventing, or otherwise addressing fraud, security, unlawful, or technical issues; and (c) enforcing these terms."
Yours faithfully,
Mr Groucho Marks.
I predict Adobe will say something like:
"This was test code that was only used during testing blah blah blah, none of the transmitted information was stored on our servers blah blah blah blah, the code is not used and no data is collected blah blah, our users are all a bunch of blah. Now shut up and go away."
What everybody misses with things like this is that you could fake it when given that assignment. Or else completely fill up their database with garbage. Anytime your data is sent back to someone in plain text, you should get in on the act, too. Give them more data than they had planned on receiving, not less. What would happen if everybody claimed to be reading the great classics of literature?
Not a bad idea, but go one better and get more bang for your buck. Add literature such as "The Communist Manifesto", "Mein Kampf", the Quran, the Bible, assorted writings by Mao, Trotsky, and maybe the ISIS crew. Then NSA, etc. will get involved. After a couple of weeks, go to children's books. They'll spend months looking for the connection and trying to figure out what you're up to.
I know about zip bombs and xml bombs, anyone know anything about json bombs?
I don't know offhand of an easy way to create a JSON "bomb" of that sort - i.e., an amplification attack. Compression-format bombs are obvious (create a data stream that decompresses maximally), and XML bombs are based on reference compression using entities. JSON is a simple flattened data format; it doesn't incorporate references to its own contents.
I suppose you could do something with Unicode transformation formats, if you know that the recipient will transcode into UTF-8. Then you could pick UTF-16 as the source format and send JSON strings containing characters that transcode into more than two bytes. It's a pretty weak attack.
That said, if you know what the recipient is going to do with the JSON data, opportunities abound for misuse. Considerable care has to be taken in the parsing and handling of JSON data. The format tempts coders into simply eval'ing it (often as a "temporary" approach that becomes lingering technical debt), which means remote code execution; even when people try to parse it properly, they may not be sufficiently vigilant.
There are likely better amplification attacks. If you have a website, fill it with hidden img or iframe elements that have http://adelogs.adobe.com as their source attribute value. Then whenever someone visits your page, their browser will pummel Adobe's server. Hidden links would make spiders do the same. Add scripting for even more attacks. And so on. Of course you shouldn't do this, as it would be unethical and might be illegal in some jurisdictions.
@JustKos
Actually, you know, that's almost worth a script + cron to randomly generate garbage with chucklesome data in it. especially moving from the last page to the first page backwards in timestamps, also.
Anon, just in case I do it and shove it onto pastebin this weekend...
That was exactly my first thought, if they want data well by all means send them data until their little spy server keels over and there is absolutely nothing they can do about it. Sure they might say they experienced a DDOS attack but how can they prove you and a billion of your closest friends aren't flipping through every page of every book ever written as fast as you possibly can, simultaneously of course? It kind of gives new meaning to the term 'book club'.
Actually, you don't need e-books or Adobe.
Sent in clear, you say? To an address quoted in the article?
Ten lines of 'C' embedded in a tight loop will send them data like they never saw before, at the maximum rate that ADSL is capable of. I, personally, would recommend sending binary files, in the hope that they have carelessly-written analysis software, reading all this data.
Maybe that's just the romantic in me...
As much as I keep that book in high regard, recent developments caused it being referred to so bloody often that it pretty much lost all its meaning by now. It's not the book's fault, but its "punch" has been diluted worse than the proverbial "wolf!" outcry (except of course we really DO have that many "wolves" around, sadly).
Are Adobe competent enough to be able to monetise all the lovely data they're picking up?
I wouldn't mind all that, if the software wasn't the most unutterable piece of shit I've ever had the misfortune to deal with. Actually that's unfair, I'm sure I've dealt with worse, maybe.
You can't change the text size on their reader. Amazing! I was setting it up for an aquaintance's wife who has macular degeneration. Sadly she's also got arthritis, so a tablet's not really suitable either. And they'd already got a laptop before I could persuade them to get something else. But they wanted library service books, so have to use Digital Editions.
Except you can't read in fucking digital editions becauase your only option is 12 pt type. I don't think it did voice either, but anyway that's no good - as artificially read text is a real aquired taste.
So next option was to use some competent reading software on said laptop. But no. You can authorise the copyright so you can read on other devices, but not on the PC itself. Horrible pile of crap. Maybe it's improved since. I'd have just broken the encryption, it's apparently easy enough, but that wasn't a process an IT illiterate couple in their late 70s were going to be capable of.
Worth complaining to the data commissioner about?
Nah, the ICO doesn't have the right powers for this, too soft. As far as I can tell, they are accessing parts of your computer entirely without your permission. What else you read is none of their business and they're not law enforcement either so this is as far as I can tell a straight up criminal offence of a worse nature than the Sony rootkit.
They need to be properly prosecuted for this. Otherwise, if they are allowed to do it you cannot convict a hacker either.
The UK one does not and the politicos will ensure that it never will (even if this means alignment to common goals with Belarus with regards to human rights).
However, I would not be so sure about the German, Austrian and/or Scandinavian equivalents of an ICO... Hmm... Those may be worth writing a letter to (if you can manage the apropriate teutonic or viking speak).
One thing software companies should realize by now is that anything they release is going to have the debugger run over it, have its network data transmission scrutinized, etc. by someone, and the results will be blogged about. I'm assuming this is just some developer testing feature that got left on...software companies wouldn't send this kind of data in cleartext.
One would think that if a software company wanted to collect analytics in a way that violated the terms and conditions, it would at least be encrypted and set to be dribbled out at random intervals or embedded in the DRM requests to make detection more difficult.
"I'm assuming this is just some developer testing feature that got left on"
I'm not assuming that, I'm assuming that it was done on purpose and they didn't think they'd get found out.
I'm more willing to accept the plain text bit was a mistake, but not the phoning home.
I'm assuming this is just some developer testing feature that got left on
Sure, with two servers, connected to the internet that receive user data of a million readers. These just happened to be set up by accident and no-one noticed...
(Where is the irony icon?)
Do either of those avoid the requirement to initially open an Adobe DRMed ebook bought from Kobo in the Adobe reader on first reading? It is a constant irritation that I have to do that prior to stripping the DRM via the Apprentice Alf plugin for Calibre and turning the file into an epub. I'd much rather have nothing to do with Adobe at all.
This post has been deleted by its author
and another: 193.104.215.0/24
$ host adelogs.adobe.com
adelogs.adobe.com is an alias for adelogs.wip4.adobe.com.
adelogs.wip4.adobe.com has address 193.104.215.99
$ whois 193.104.215.99
inetnum: 193.104.215.0 - 193.104.215.255
netname: ADOBE-NET
descr: Adobe Systems Software Ireland Ltd.
country: IE
> It's also a possible breach of the software's terms and conditions, which state:
Dear Adobe,
Thank-you for confirming that you do not consider the terms and conditions distributed with your software to be binding on yourselves. I, for my part, do not consider them to be binding on myself. Having reached agreement on this happy state, I intend to use your software without further payment and to disseminate it as I see fit.
Yours etc.
Paging coders..
I'm thinking a way to counter overly aggressive analytics would be to give them data. Adobe seems to like violating privacy wholesale, so wouldn't it be possible to spoof their numerous tools and generate streams of content for their analytics engines? Rather than trying to block it, feed it garbage. It's also perhaps slightly ironic when the video of ADE4 in action comes up with this-
"Viewing this content requires Adobe Flash Player. You can download Adobe Flash Player from http://get.adobe.com/flashplayer/."
It shouldn't require Flash, but it perhaps suits Adobes marketing department for it to do so.
For some reason that put the image of a man in a pinstriped suit in my head...
"Nice place you've got 'ere. Fancy buffers an' all - be a shame if anything nasty happened to 'em... I mean you wouldn't want 'em to start overflowing now would you...?"
Adding to block list on firewall
adelogs.adobe.com
and
192.150.16.235
I actually don't use this product, nor Adobe PDF reader.
I Use Ghostview & Foxit for PDF. Calibre and Mobi for eBooks. Also Kindle DXG with 3G turned off except when I'm panicking and need free 3G Wikipedia Access.
Since Adobe appear not to believe in privacy, who knows the names and office phone numbers of Adobe's top execs?
For UK-based companies, the directors names are available (for free) at places like opencompany.co.uk. Unfortunately there doesn't seem to be an Adobe subsidiary registered in the UK; adobe.com/uk/ says copyright Adobe Software Systems Ireland Ltd, and the Adobe info at the Irish equivalent of Companies House can be found via
https://search.cro.ie/ [company number 344992; posted a full URL here initially but it seems to have been session-specific?]
There's a 2Euro50 fee unless anyone knows of an Irish equivalent to opencompany.
If anyone were to post the relevant details here, we'd soon see who believes in privacy.
I'm not a lawyer but the terms and conditions paragraph provides plenty of wriggle room.
"We will not access, view, or listen to any of your content, except as reasonably necessary to perform the Services."
Crucial word here is 'except'; until it's challenged in a court, this gives them free reign to do what they will. It's the same rationale unregulated 3 letter state security agencies and the UK police using RIPA use to do things that others feel invades on their privacy i.e. if we didn't do this then blah blah....terrorists...blah blah...paedophiles....blah blah you'll all be murdered in your beds....blah blah blah...
"Crucial word here is 'except'"
Sorry to disagree, but I think the crucial words are 'reasonably necessary'. Most of the data the program is sending home is not by any means "reasonably necessary to perform the Services". I hope someone -hopefully the EU- throws the book at them.
"I'm not a lawyer but the terms and conditions paragraph provides plenty of wriggle room."
I seriously doubt that.
You could argue that the page turning is for reader use profiling, and you could argue that recording books read is for device use profiling. But this part - "but was also scanning the host computer for all ebooks and sending back information on those as well" - if substantiated, kicks it straight into deliberate unlawful activity.
And no, it doesn't matter what you put in the terms and conditions, those do not override the law. For example, I could provide you with some of my software which carries a term written in tiny print down at the end where nobody bothers to read giving myself rights over your daughter (if you have one). That is simply neither enforceable nor moral if she is adult, and if she is a child...let's not even go there. Just because it is written doesn't automatically mean they have the right.
This software should not be allowed through one's firewall as there is no logical reason why an ebook reader program would need to access the internet.
I'm caught between my usual level of contempt for Adobe* and a lack of sympathy for anyone who still hasn't gotten around to reading Mr Radnum's list (#1 on the list is 'default permit').
* Is there anyone here who sees the number of vulnerabilities found in Flash on a regular basis and thinks that installing more Adobe software is a good idea?
How Adobe knew to contact me with helpful suggestions like "You might consider "Waikiki One-piece Wonders", the long-awaited sequel to "Busty Brazilian Bikini Babes" and "Topless in Tonga".
Really, does Adobe NEED to know what I am reading? I know that Adobe is a global software giant that wants their intellectual property rights protected, but do copyright holders in general just plain have Adobe by the short and curlies to the point that it spies on its customers? And why transmit this data unencrypted? Given what we learned post-Snowden, how much do you want to bet that it is open knowledge among global sigint agencies that you can exploit what Adobe is doing to get an idea of what people are reading?
And of course right behind the sigint agencies are the hackers and internet scammers skimming this information and devising some social engineering attack. "Wow! You like romance novels too!! You know what, I have this great interview where novelist X really opens up about her experience writing her "Patricia the Passionate" series and how she chose to set it during the Napoleonic Wars! Here, I'll email it to you. Just click on the attachment when you get the mail!"
It's bad enough that Adobe is doing this, but to do this with such shoddy security in this day and age is just unforgivably crap corporate behavior.
So they are planning to offer "pay per minute" and "pay per page" charging schemes to the publishers, betting the future revenue of their company on it working, and haven't considered that the data could be blocked or falsified?
Time to sell your Adobe shares, perhaps?
What I think the most likely explanation for this is not (just) that Adobe is spying. Most likely this is part of a portability feature which allows you to start reading on one device and continue on another.
Of course, being Adobe, they likely implemented half the feature, with plans to never finish it.
EDIT: Never mind. They implemented to be evil (DRM).
From another person on another site that pointed out that we actually agree to it.
------------------------------------------------------------------------------------------------------------------------------
BTW, this the relevent section (http://www.adobe.com/privacy/policy.html#info-collect) from the Adobe privacy policy that you agree to (in section 14.1.2 of the DE4 Software licensing agreement). It allows Adobe to collect both personally identifiable and non-identifiable information.
Not that this is a good thing, but it does mean Adobe is complying with terms that users have agreed to (but probably haven’t read.)
------------------------------------------------------------------------------------------------------------------------------
My concern: What happens when these files have difficulty transferring and the whole computer starts to lag while waiting for the files to transfer or for your computer or device to connect. These companies transferring files in the background is nothing new and have the potential to make your device hang. So why are these things done in the dark, in the background where you cannot see it. Why don't they tell you when they are being sent and even let you say WHEN they are sent. I think there should be laws that say the user should control when any data transfers may be done.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
