Adobe spies on readers: 'EVERY page you turn, EVERY book you own' leaked back to base

Adobe's Digital Editions 4 ebook reader software collects detailed information about the reading habits of its users – and sends it back to the company in a format that's easy for others to slurp. An investigation by Nate Hoffelder of The Digital Reader blog showed that ADE 4 was collecting telemetry on which pages of ebooks …

  1. Anonymous Coward
    Anonymous Coward

    Outrageous

    But, of course, they'll get away with it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Outrageous

      Outrageous

      But, of course, they'll get away with it.

      I am not entirely sure a EULA/T&C is capable of overriding what amounts to illegal access of a computer (come to think of it, the convoluted way you have to dig for the T&Cs with Adobe products may very well fall foul of UK contract law so it's possible that their "agreements" are null and void to start with).

      It is none of their business what else you have on your computer, so it's quite possible that this is actually a criminal activity.

      It's a good thing for Adobe that the police are no longer really interested in doing, well, police work - this could have been rather entertaining to watch after a complaint. The ICO doesn't really have the right powers for this.

    2. Vociferous

      Re: Outrageous

      Of course they will. They're a company. The law is there to protect state and companies against citizens, not the other way around.

    3. Gray
      Devil

      Re: Outrageous

      It's an American mega-corporation ... But, of course, they'll get away with it.

  2. Anonymous Coward
    Anonymous Coward

    A Night At The Opera

    "We will not access, view, or listen to any of your content, except as reasonably necessary to perform the Services. Actions reasonably necessary to perform the Services may include (but are not limited to) (a) responding to support requests; (b) detecting, preventing, or otherwise addressing fraud, security, unlawful, or technical issues; and (c) enforcing these terms."

    Yours faithfully,

    Mr Groucho Marks.

    1. BillG
      Boffin

      Re: A Night At The Opera

      I predict Adobe will say something like:

      "This was test code that was only used during testing blah blah blah, none of the transmitted information was stored on our servers blah blah blah blah, the code is not used and no data is collected blah blah, our users are all a bunch of blah. Now shut up and go away."

    2. Elmer Phud

      Re: A Night At The Opera

      There ain't no sanity clause

  3. Brian Miller

    No, really, I read it and I have proof...

    What everybody misses with things like this is that you could fake it when given that assignment. Or else completely fill up their database with garbage. Anytime your data is sent back to someone in plain text, you should get in on the act, too. Give them more data than they had planned on receiving, not less. What would happen if everybody claimed to be reading the great classics of literature?

    1. Mark 85 Silver badge

      Re: No, really, I read it and I have proof...

      Not a bad idea, but go one better and get more bang for your buck. Add literature such as "The Communist Manifesto", "Mein Kampf", the Quran, the Bible, assorted writings by Mao, Trotsky, and maybe the ISIS crew. Then NSA, etc. will get involved. After a couple of weeks, go to children's books. They'll spend months looking for the connection and trying to figure out what you're up to.

      1. ZSn

        Re: No, really, I read it and I have proof...

        However, by that time they may have banged you up in Guantanamo Bay/labelled you a child molester or both.

        How about sending them the EICAR test virus. It doesn't do any damage but may make their scanners have a fit?

        1. Alan J. Wylie

          Re: No, really, I read it and I have proof...

          I know about zip bombs and xml bombs, anyone know anything about json bombs?

          1. Michael Wojcik Silver badge

            Re: No, really, I read it and I have proof...

            I know about zip bombs and xml bombs, anyone know anything about json bombs?

            I don't know offhand of an easy way to create a JSON "bomb" of that sort - i.e., an amplification attack. Compression-format bombs are obvious (create a data stream that decompresses maximally), and XML bombs are based on reference compression using entities. JSON is a simple flattened data format; it doesn't incorporate references to its own contents.

            I suppose you could do something with Unicode transformation formats, if you know that the recipient will transcode into UTF-8. Then you could pick UTF-16 as the source format and send JSON strings containing characters that transcode into more than two bytes. It's a pretty weak attack.

            That said, if you know what the recipient is going to do with the JSON data, opportunities abound for misuse. Considerable care has to be taken in the parsing and handling of JSON data. The format tempts coders into simply eval'ing it (often as a "temporary" approach that becomes lingering technical debt), which means remote code execution; even when people try to parse it properly, they may not be sufficiently vigilant.

            There are likely better amplification attacks. If you have a website, fill it with hidden img or iframe elements that have http://adelogs.adobe.com as their source attribute value. Then whenever someone visits your page, their browser will pummel Adobe's server. Hidden links would make spiders do the same. Add scripting for even more attacks. And so on. Of course you shouldn't do this, as it would be unethical and might be illegal in some jurisdictions.

      2. Allan George Dyer Silver badge
        Devil

        Re: No, really, I read it and I have proof...

        @Mark 85, good idea, but you don't mind if I use your user ID in the data, do you? Especially when it's page 87 of "Paedophilia and Bomb Making for Dummies".

        1. Mark 85 Silver badge
          Black Helicopters

          Re: No, really, I read it and I have proof...

          Too late. The NSA hacks have your post and on this.....

      3. Anonymous Coward
        Anonymous Coward

        Re: No, really, I read it and I have proof...

        well, from that selection it's plain what you're up to

        p.s. did you mention the ISIS, formerly known as...?

    2. Anonymous Coward
      Thumb Up

      Re: No, really, I read it and I have proof...

      Great idea, but I'm minded to keep it simple and just send back :

      " FUCK OFF YOU CHEEKY FUCKERS"

      1. Anonymous Coward
        Anonymous Coward

        Re: No, really, I read it and I have proof...

        Editing your hosts file might be more effective. I believe 127.0.0.1 is a good address for this stuff.
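The hosts-file approach mentioned here, as an added example that is not from the thread: a small POSIX shell function that sinks a hostname to 127.0.0.1 without duplicating entries, demonstrated on a constructed temporary hosts file rather than /etc/hosts.

```shell
#!/bin/sh
# Added example (not from the thread): idempotently add a loopback entry for a
# telemetry hostname to a hosts file, so the reader's beacon resolves to
# 127.0.0.1 and never leaves the machine. The demo below writes to a temp copy;
# for real use point it at /etc/hosts (as root), e.g. after adelogs.adobe.com.

blackhole_host() {
    # $1 = hosts file path, $2 = hostname to sink
    file="$1"
    name="$2"
    # Already present on a non-comment line? Then do nothing (idempotent).
    if grep -Ev '^[[:space:]]*#' "$file" | grep -Eq "[[:space:]]$name([[:space:]]|\$)"; then
        return 0
    fi
    printf '127.0.0.1\t%s\t# ADE4 telemetry sink\n' "$name" >> "$file"
}

# Count how many active (non-comment) lines sink the given hostname to loopback.
count_entries() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -Ec "^127\.0\.0\.1[[:space:]]+$2([[:space:]]|\$)"
}

# Demo on a constructed hosts file (never touches /etc/hosts)
demo_file="$(mktemp)"
printf '127.0.0.1\tlocalhost\n' > "$demo_file"
blackhole_host "$demo_file" adelogs.adobe.com
blackhole_host "$demo_file" adelogs.adobe.com   # second call must not add a duplicate
cat "$demo_file"
rm -f "$demo_file"
```

Block at the router as well (as a later comment does) if the machine has other DNS resolvers configured, since a hosts entry only covers lookups that go through the local resolver.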

        1. P. Lee Silver badge

          Re: No, really, I read it and I have proof...

          Free proprietary software. If you're not paying for it, guess what the product is!

          > Editing your hosts file might be more effective.

          "Meh"

          /me goes back to reading in okular.

      2. Anonymous Coward
        Anonymous Coward

        Re: No, really, I read it and I have proof...

        @JustKos

        Actually, you know, that's almost worth a script + cron to randomly generate garbage with chucklesome data in it, especially moving from the last page to the first page backwards in timestamps, also.

        Anon, just in case I do it and shove it onto pastebin this weekend...

    3. Eddy Ito

      Re: No, really, I read it and I have proof...

      That was exactly my first thought, if they want data well by all means send them data until their little spy server keels over and there is absolutely nothing they can do about it. Sure they might say they experienced a DDOS attack but how can they prove you and a billion of your closest friends aren't flipping through every page of every book ever written as fast as you possibly can, simultaneously of course? It kind of gives new meaning to the term 'book club'.

      1. MarkSitkowski

        Re: No, really, I read it and I have proof...

        Actually, you don't need e-books or Adobe.

        Sent in clear, you say? To an address quoted in the article?

        Ten lines of 'C' embedded in a tight loop will send them data like they never saw before, at the maximum rate that ADSL is capable of. I, personally, would recommend sending binary files, in the hope that they have carelessly-written analysis software, reading all this data.

        Maybe that's just the romantic in me...

    4. tempemeaty

      Re: No, really, I read it and I have proof...

      I got one to send them, "Orwell 1984"

      1. DropBear

        Re: No, really, I read it and I have proof...

        As much as I keep that book in high regard, recent developments caused it being referred to so bloody often that it pretty much lost all its meaning by now. It's not the book's fault, but its "punch" has been diluted worse than the proverbial "wolf!" outcry (except of course we really DO have that many "wolves" around, sadly).

  4. channel extended
    Joke

    Copyright enforcement?

    Obviously, collecting all of this data is to help enforce copyright. If I have done nothing wrong I have nothing to hide?

    The fact that this data will likely be sold to advertisers, for a profit, is just GOOD business.

    1. I ain't Spartacus Gold badge
      FAIL

      Re: Copyright enforcement?

      Are Adobe competent enough to be able to monetise all the lovely data they're picking up?

      I wouldn't mind all that, if the software wasn't the most unutterable piece of shit I've ever had the misfortune to deal with. Actually that's unfair, I'm sure I've dealt with worse, maybe.

      You can't change the text size on their reader. Amazing! I was setting it up for an acquaintance's wife who has macular degeneration. Sadly she's also got arthritis, so a tablet's not really suitable either. And they'd already got a laptop before I could persuade them to get something else. But they wanted library service books, so have to use Digital Editions.

      Except you can't read in fucking Digital Editions because your only option is 12 pt type. I don't think it did voice either, but anyway that's no good - artificially read text is a real acquired taste.

      So next option was to use some competent reading software on said laptop. But no. You can authorise the copyright so you can read on other devices, but not on the PC itself. Horrible pile of crap. Maybe it's improved since. I'd have just broken the encryption, it's apparently easy enough, but that wasn't a process an IT illiterate couple in their late 70s were going to be capable of.

  5. James 51

    I thought this kind of spyware was supposed to be the argument against pirated software. Adobe keep making the pirates' arguments for them. Hope the EU smack them around. Worth complaining to the data commissioner about?

    1. Anonymous Coward
      Anonymous Coward

      Worth complaining to the data commissioner about?

      In your dreams, sir. The ICO is a civil service bureaucrat rather than a policeman for a specific reason. And the penalties are limited to legit-SME frighteners for the same reason.

    2. Anonymous Coward
      Anonymous Coward

      Worth complaining to the data commissioner about?

      Nah, the ICO doesn't have the right powers for this, too soft. As far as I can tell, they are accessing parts of your computer entirely without your permission. What else you read is none of their business and they're not law enforcement either so this is as far as I can tell a straight up criminal offence of a worse nature than the Sony rootkit.

      They need to be properly prosecuted for this. Otherwise, if they are allowed to do it you cannot convict a hacker either.

      1. Voland's right hand Silver badge

        The UK ICO does not

        The UK one does not and the politicos will ensure that it never will (even if this means alignment to common goals with Belarus with regards to human rights).

        However, I would not be so sure about the German, Austrian and/or Scandinavian equivalents of an ICO... Hmm... Those may be worth writing a letter to (if you can manage the appropriate teutonic or viking speak).

  6. John McCallum

    Adobe and eBooks

    Ahh, but Adobe did sell eBooks. It was run for them by Overland or some such biz; bought a couple of them myself. They only turned off the servers about a year or so ago.

  7. Erik4872

    Surprised this still happens

    One thing software companies should realize by now is that anything they release is going to have the debugger run over it, have its network data transmission scrutinized, etc. by someone, and the results will be blogged about. I'm assuming this is just some developer testing feature that got left on...software companies wouldn't send this kind of data in cleartext.

    One would think that if a software company wanted to collect analytics in a way that violated the terms and conditions, it would at least be encrypted and set to be dribbled out at random intervals or embedded in the DRM requests to make detection more difficult.

    1. Keef

      Re: Surprised this still happens

      "I'm assuming this is just some developer testing feature that got left on"

      I'm not assuming that, I'm assuming that it was done on purpose and they didn't think they'd get found out.

      I'm more willing to accept the plain text bit was a mistake, but not the phoning home.

    2. Chairo

      Re: Surprised this still happens

      I'm assuming this is just some developer testing feature that got left on

      Sure, with two servers, connected to the internet that receive user data of a million readers. These just happened to be set up by accident and no-one noticed...

      (Where is the irony icon?)

    3. nijam

      Re: Surprised this still happens

      ... and I'm assuming that (a) they're too stupid to write good software; (b) too stupid to understand they're breaking the law; and (c) too stupid to hide (a) and (b).

      Actually, (a) is an observation, not an assumption.

  8. phil dude
    FAIL

    okular...ghostview...

    A few opensource ways of avoiding Adobe.

    Okular is very nice. Ghostview is much older, but maybe more familiar.

    P.

    1. Intractable Potsherd Silver badge

      Re: okular...ghostview...

      Do either of those avoid the requirement to initially open an Adobe DRMed ebook bought from Kobo in the Adobe reader on first reading? It is a constant irritation that I have to do that prior to stripping the DRM via the Apprentice Alf plugin for Calibre and turning the file into an epub. I'd much rather have nothing to do with Adobe at all.

  9. choleric

    Really?

    At one and the same time I roll my eyes utterly unsurprised...

    And yet I also simply cannot believe that a major internet company can still commit such a faux pas.

    1. Triggerfish

      Re: Really?

      It's only a faux pas to us when they are caught, whereas it's seemingly the norm for companies these days to do this sort of crap.

      1. Anonymous Coward
        Anonymous Coward

        Re: Really?

        It's a faux pas because they sent it in the clear. If it were encrypted, who'd find out what they're sending? And even if somebody did, they'd say: "Look, we did encrypt it to protect your privacy, okey?!"

  10. This post has been deleted by its author

  11. BongoJoe

    192.150.16.235

    One for the firewall, methinks.

    1. Infernoz Bronze badge
      Big Brother

      Re: 192.150.16.235

      Just added to my fibre router CSM >> URL Content Filter (URL blacklist) as adelogs.adobe.com; that way they can't sneak past by changing the IP address or by using a load balancer.

      All the worst URLs get blocked at my router, so that all my devices are protected.

      1. BongoJoe

        Re: 192.150.16.235

        Thanks for that; that's gone into the ever enlarging HOSTS file.

    2. Alan J. Wylie

      Re: 192.150.16.235

      and another: 193.104.215.0/24

      $ host adelogs.adobe.com

      adelogs.adobe.com is an alias for adelogs.wip4.adobe.com.

      adelogs.wip4.adobe.com has address 193.104.215.99

      $ whois 193.104.215.99

      inetnum: 193.104.215.0 - 193.104.215.255

      netname: ADOBE-NET

      descr: Adobe Systems Software Ireland Ltd.

      country: IE
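A defender-side use of the indicators posted in this thread (adelogs.adobe.com and its alias adelogs.wip4.adobe.com, 192.150.16.235, and the 193.104.215.0/24 range from the whois output): an added example, not code from the thread or from Adobe, that scans outbound proxy log lines for the telemetry beacon and reports which internal clients are talking to it. The five-field log format and the sample lines are constructed for the example.

```python
"""Added example (not from the thread): flag outbound requests to the ADE4
telemetry endpoint in proxy logs, matching on both hostname and destination
address so a beacon sent straight to the IP is caught as well."""
import ipaddress
from urllib.parse import urlsplit

# Indicators quoted in the thread.
TELEMETRY_HOSTS = {"adelogs.adobe.com", "adelogs.wip4.adobe.com"}
TELEMETRY_NETS = [
    ipaddress.ip_network("192.150.16.235/32"),
    ipaddress.ip_network("193.104.215.0/24"),
]

# Constructed log lines: "<epoch> <client_ip> <method> <url> <dest_ip>"
SAMPLE_LOG = """\
1412600001 10.0.0.12 GET http://www.example.org/index.html 93.184.216.34
1412600002 10.0.0.12 POST http://adelogs.adobe.com/datacollector/ping?id=com.adobe.rmsdk.dev.demac 193.104.215.99
1412600003 10.0.0.15 GET http://update.example.net/manifest.xml 192.150.16.235
1412600004 10.0.0.15 GET http://www.example.org/about.html 93.184.216.34
1412600005 10.0.0.20 POST http://ADELOGS.ADOBE.COM/datacollector/ping 192.0.2.7
"""


def parse_line(line):
    """Split one log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, dest = parts
    # urlsplit().hostname is already lower-cased, so case tricks do not evade the match
    host = urlsplit(url).hostname or ""
    return {"ts": ts, "client": client, "method": method,
            "host": host, "dest": dest, "url": url}


def match_reasons(event):
    """Return the list of indicator matches for one parsed event (empty if clean)."""
    reasons = []
    if event["host"] in TELEMETRY_HOSTS:
        reasons.append("host:" + event["host"])
    try:
        dest = ipaddress.ip_address(event["dest"])
    except ValueError:
        return reasons          # unparsable destination: keep any hostname hit
    for net in TELEMETRY_NETS:
        if dest in net:
            reasons.append("net:" + str(net))
    return reasons


def scan_log(text):
    """Walk the log and return one hit record per line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reasons = match_reasons(event)
        if reasons:
            hits.append({"ts": event["ts"], "client": event["client"],
                         "host": event["host"], "dest": event["dest"],
                         "reasons": reasons})
    return hits


def clients_contacting_telemetry(text):
    """Sorted list of internal clients that reached the beacon at least once."""
    return sorted({hit["client"] for hit in scan_log(text)})


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], "->", hit["host"] or hit["dest"], hit["reasons"])
    print("clients to investigate:", clients_contacting_telemetry(SAMPLE_LOG))
```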

  12. 2+2=5 Silver badge

    Software terms and conditions

    > It's also a possible breach of the software's terms and conditions, which state:

    Dear Adobe,

    Thank-you for confirming that you do not consider the terms and conditions distributed with your software to be binding on yourselves. I, for my part, do not consider them to be binding on myself. Having reached agreement on this happy state, I intend to use your software without further payment and to disseminate it as I see fit.

    Yours etc.

  13. yoganmahew

    Never mind all that privacy stuff, do all these companies think we are made of bandwidth?!

  14. Mark Allen
    WTF?

    Copyright

    What about the copyright on the eBooks themselves? Surely this is Adobe stealing copies of the books and transmitting a copy to their own server without the permission of the original author?

  15. Vociferous

    Plaintext over http?

    So one could easily open a connection and pump over a couple of gigs of junk?

    Haha I wonder if their buffers overflow easily.

    1. Dan 55 Silver badge

      Re: Plaintext over http?

      Of course they do, that's why Flash and Reader get updates every two weeks.

      1. P. Lee Silver badge

        Re: Plaintext over http?

        > Of course they do, that's why Flash and Reader get updates every two weeks.

        My pet theory is that the updates are there to keep the product at the front of people's minds. That makes them important in enterprise thinking and mindshare.

        1. Anonymous Coward
          Anonymous Coward

          Re: Plaintext over http?

          Paging coders..

          I'm thinking a way to counter overly aggressive analytics would be to give them data. Adobe seems to like violating privacy wholesale, so wouldn't it be possible to spoof their numerous tools and generate streams of content for their analytics engines? Rather than trying to block it, feed it garbage. It's also perhaps slightly ironic when the video of ADE4 in action comes up with this-

          "Viewing this content requires Adobe Flash Player. You can download Adobe Flash Player from http://get.adobe.com/flashplayer/."

          It shouldn't require Flash, but it perhaps suits Adobe's marketing department for it to do so.

    2. GregC

      Re: I wonder if their buffers overflow easily

      For some reason that put the image of a man in a pinstriped suit in my head...

      "Nice place you've got 'ere. Fancy buffers an' all - be a shame if anything nasty happened to 'em... I mean you wouldn't want 'em to start overflowing now would you...?"

  16. Mage Silver badge
    Flame

    192.150.16.235

    Adding to block list on firewall

    adelogs.adobe.com

    and

    192.150.16.235

    I actually don't use this product, nor Adobe PDF reader.

    I Use Ghostview & Foxit for PDF. Calibre and Mobi for eBooks. Also Kindle DXG with 3G turned off except when I'm panicking and need free 3G Wikipedia Access.

  17. gerdesj Silver badge

    It's still there

    $ curl -X POST http://adelogs.adobe.com/datacollector/ping?id=com.adobe.rmsdk.dev.demac

    UP

    Where the hell are the script kiddies when you need them?

    1. Anonymous Coward
      Coffee/keyboard

      Re: It's still there

      POST? why not GET? or go read XKCD, I'm sure their collector is hardened against Bobby Tables.

  18. Anonymous Coward
    Anonymous Coward

    Privacy. Who needs it anyway.

    Since Adobe appear not to believe in privacy, who knows the names and office phone numbers of Adobe's top execs?

    For UK-based companies, the directors names are available (for free) at places like opencompany.co.uk. Unfortunately there doesn't seem to be an Adobe subsidiary registered in the UK; adobe.com/uk/ says copyright Adobe Software Systems Ireland Ltd, and the Adobe info at the Irish equivalent of Companies House can be found via

    https://search.cro.ie/ [company number 344992; posted a full URL here initially but it seems to have been session-specific?]

    There's a 2Euro50 fee unless anyone knows of an Irish equivalent to opencompany.

    If anyone were to post the relevant details here, we'd soon see who believes in privacy.

  19. davemcwish

    Legal Blackhole

    I'm not a lawyer but the terms and conditions paragraph provides plenty of wriggle room.

    "We will not access, view, or listen to any of your content, except as reasonably necessary to perform the Services."

    Crucial word here is 'except'; until it's challenged in a court, this gives them free rein to do what they will. It's the same rationale unregulated 3 letter state security agencies and the UK police using RIPA use to do things that others feel invades on their privacy i.e. if we didn't do this then blah blah....terrorists...blah blah...paedophiles....blah blah you'll all be murdered in your beds....blah blah blah...

    1. Anonymous Coward
      Thumb Down

      Re: Legal Blackhole

      What you just said is that it will break if 1) you're not online or 2) you block their IP at your firewall.

      Right? Then it can't be reasonably necessary, can it?

    2. Mephistro Silver badge

      Re: Legal Blackhole (@ davemcwish)

      "Crucial word here is 'except'"

      Sorry to disagree, but I think the crucial words are 'reasonably necessary'. Most of the data the program is sending home is not by any means "reasonably necessary to perform the Services". I hope someone -hopefully the EU- throws the book at them.

    3. heyrick Silver badge
      FAIL

      Re: Legal Blackhole

      "I'm not a lawyer but the terms and conditions paragraph provides plenty of wriggle room."

      I seriously doubt that.

      You could argue that the page turning is for reader use profiling, and you could argue that recording books read is for device use profiling. But this part - "but was also scanning the host computer for all ebooks and sending back information on those as well" - if substantiated, kicks it straight into deliberate unlawful activity.

      And no, it doesn't matter what you put in the terms and conditions, those do not override the law. For example, I could provide you with some of my software which carries a term written in tiny print down at the end where nobody bothers to read giving myself rights over your daughter (if you have one). That is simply neither enforceable nor moral if she is adult, and if she is a child...let's not even go there. Just because it is written doesn't automatically mean they have the right.

  20. silent_count

    Default deny!

    This software should not be allowed through one's firewall as there is no logical reason why an ebook reader program would need to access the internet.

    I'm caught between my usual level of contempt for Adobe* and a lack of sympathy for anyone who still hasn't gotten around to reading Mr Ranum's list (#1 on the list is 'default permit').

    * Is there anyone here who sees the number of vulnerabilities found in Flash on a regular basis and thinks that installing more Adobe software is a good idea?

    1. davemcwish

      Re: Default deny!

      Yup, that's why you need a firewall tool. Mine's called Little Snitch.

  21. Kev99

    One more reason to not keep your internet connection / wifi on all the time. Und, ve vill find you no matter vhat you try.

  22. harmjschoonhoven
    Flame

    http://[:naughty:]*adobe.com

    I counted 137 links to adobe.com in the vanilla Adobe Reader9 for intellinux, but no links to adelogs.adobe.com or 192.150.16.235 ...... (killed it).

  23. John Brown (no body) Silver badge
    Big Brother

    They'll use the Google defense

    An Adobe spokesman said that the phone home data slurping was simply a test project carried out by one of the developers on his "20% project time" and it accidentally got left in the final production code.

    1. Anonymous Coward
      Anonymous Coward

      Re: They'll use the Google defense

      Just because you didn't intend to break the law, doesn't excuse you from the crime

  24. Marketing Hack Silver badge
    Flame

    Here I was wondering....

    How Adobe knew to contact me with helpful suggestions like "You might consider 'Waikiki One-piece Wonders', the long-awaited sequel to 'Busty Brazilian Bikini Babes' and 'Topless in Tonga'."

    Really, does Adobe NEED to know what I am reading? I know that Adobe is a global software giant that wants their intellectual property rights protected, but do copyright holders in general just plain have Adobe by the short and curlies to the point that it spies on its customers? And why transmit this data unencrypted? Given what we learned post-Snowden, how much do you want to bet that it is open knowledge among global sigint agencies that you can exploit what Adobe is doing to get an idea of what people are reading?

    And of course right behind the sigint agencies are the hackers and internet scammers skimming this information and devising some social engineering attack. "Wow! You like romance novels too!! You know what, I have this great interview where novelist X really opens up about her experience writing her "Patricia the Passionate" series and how she chose to set it during the Napoleonic Wars! Here, I'll email it to you. Just click on the attachment when you get the mail!"

    It's bad enough that Adobe is doing this, but to do this with such shoddy security in this day and age is just unforgivably crap corporate behavior.

  25. DerekCurrie
    Devil

    Adobe, I know you don't like people saying this, but...

    ...These days you're not just bumbling and incompetent. You're plain old EVIL and your software is DANGEROUS. Your company seriously requires an executive staff enema. I'm not being funny.

  26. Allan George Dyer Silver badge
    Facepalm

    This is the foundation of their future business model?

    So they are planning to offer "pay per minute" and "pay per page" charging schemes to the publishers, betting the future revenue of their company on it working, and haven't considered that the data could be blocked or falsified?

    Time to sell your Adobe shares, perhaps?

  27. R42

    This is a feature!

    I think the most likely explanation for this is not (just) that Adobe is spying. Most likely this is part of a portability feature which allows you to start reading on one device and continue on another.

    Of course, being Adobe, they likely implemented half the feature, with plans to never finish it.

    EDIT: Never mind. They implemented it to be evil (DRM).

  28. Stretch

    Someone just ddos it

  29. Anonymous Coward
    Anonymous Coward

    From another person on another site that pointed out that we actually agree to it.

    ------------------------------------------------------------------------------------------------------------------------------

    BTW, this is the relevant section (http://www.adobe.com/privacy/policy.html#info-collect) from the Adobe privacy policy that you agree to (in section 14.1.2 of the DE4 Software licensing agreement). It allows Adobe to collect both personally identifiable and non-identifiable information.

    Not that this is a good thing, but it does mean Adobe is complying with terms that users have agreed to (but probably haven’t read.)

    ------------------------------------------------------------------------------------------------------------------------------

    1. Vociferous

      EULAs are not contracts.

      They can put requirements to sacrifice your firstborn in there (and they do), that doesn't make it trump the law.

      Or enforceable.

  30. Anonymous Coward
    Anonymous Coward

    Look who else Adobe owns....

    www.omniture.com

    So 'tracking' business as usual.

  31. Potemkine Silver badge
    Childcatcher

    It's to protect children of course

    Or any other BS...

  32. Wraiththe
    Stop

    User should have control when files are sent.

    My concern: What happens when these files have difficulty transferring and the whole computer starts to lag while waiting for the files to transfer or for your computer or device to connect? These companies transferring files in the background is nothing new and has the potential to make your device hang. So why are these things done in the dark, in the background where you cannot see it? Why don't they tell you when they are being sent and even let you say WHEN they are sent? I think there should be laws that say the user should control when any data transfers may be done.


Biting the hand that feeds IT © 1998–2020