Adobe’s e-book reader sends your reading logs back to Adobe—in plain text
Adobe’s Digital Editions e-book and PDF reader—an application used by thousands of libraries to give patrons access to electronic lending libraries—actively logs and reports every document readers add to their local “library” along with what users do with those files. Even worse, the logs are transmitted over the Internet in the clear, allowing anyone who can monitor network traffic (such as the National Security Agency, Internet service providers and cable companies, or others sharing a public Wi-Fi network) to follow along over readers’ shoulders.
Ars has independently verified the logging of e-reader activity with the use of a packet capture tool. The exposure of data was first discovered by Nate Hoffelder of The Digital Reader, who reported the issue to Adobe but received no reply. Ars has also reached out to Adobe for comment with no response.
Digital Editions (DE) has been used by many public libraries as a recommended application for patrons wanting to borrow electronic books, because it can enforce digital rights management rules on how long a book may be read. But DE also reports back data on e-books that have been purchased or self-published. Those logs are transmitted over an unencrypted HTTP connection back to a server at Adobe—a server with the Domain Name System hostname “adelogs.adobe.com”—as an unencrypted XML file.
The behavior is part of Adobe’s way of managing access to e-books borrowed from a library or “lent” by other users through online bookstores supporting the EPUB book format, such as Barnes & Noble. If you’ve “activated” Digital Editions with an Adobe ID, it uses that information to determine whether a book has been “locked” on another device using the same ID to read it or if the loan has expired. If the reader isn’t activated, it uses an anonymous unique ID code generated for each DE installation.
Below is the data transmitted by Digital Editions when we opened an EPUB file of Yotam Ottolenghi’s cookbook, Jerusalem:
DE reported back each EPUB document opened and the navigation within the document, recording each page number viewed in a stream of activity data back to an application called “datacollector.” The XML data is logged locally by the application, and then transmitted each time the application is opened—likely as part of Adobe’s DRM enforcement within DE. No data was transmitted for PDF documents opened.
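As an added example (not code from Ars, The Digital Reader, or Adobe), the following Python shows how someone reviewing reassembled flows from a packet capture could separate TLS traffic from cleartext HTTP and flag requests whose Host header is adelogs.adobe.com. The sample flows, client addresses, request path, and XML content are constructed placeholders, not the actual data DE sends.

```python
WATCHED_HOST = "adelogs.adobe.com"  # hostname named in the article

def classify_payload(payload: bytes) -> dict:
    """Classify the first client-to-server bytes of one reassembled TCP flow."""
    result = {"transport": "unknown", "host": None, "xml_body": False, "flag": False}
    # TLS records begin with content type 0x16 (handshake) and major version 0x03.
    if payload[:2] == b"\x16\x03":
        result["transport"] = "tls"
        return result
    head, sep, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if not sep or len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        return result  # neither TLS nor a parseable HTTP request
    result["transport"] = "http"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    # Drop an optional ":port" suffix and compare case-insensitively.
    host = headers.get(b"host", b"").decode("ascii", "replace").lower()
    result["host"] = host.split(":")[0]
    # Cheap check only: captured bodies are untrusted, so no XML parser is run on them.
    result["xml_body"] = body.lstrip().startswith(b"<")
    result["flag"] = result["host"] == WATCHED_HOST
    return result

def audit_flows(flows):
    """Return (client, finding) pairs for cleartext requests to the watched host."""
    hits = []
    for client, payload in flows:
        finding = classify_payload(payload)
        if finding["flag"]:
            hits.append((client, finding))
    return hits

# Constructed sample flows: path, header values and XML element names are placeholders.
SAMPLE_FLOWS = [
    ("192.0.2.10", b"POST /placeholder HTTP/1.1\r\nHost: adelogs.adobe.com\r\n"
                   b"Content-Type: text/xml\r\n\r\n<placeholder>page 12</placeholder>"),
    ("192.0.2.11", b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a"),  # start of a TLS ClientHello
    ("192.0.2.12", b"GET / HTTP/1.1\r\nHost: example.org:80\r\n\r\n"),
]

if __name__ == "__main__":
    for client, finding in audit_flows(SAMPLE_FLOWS):
        print(client, finding)
```

A flow is flagged only when it parses as a plaintext HTTP request, so the same hostname reached over TLS would be reported as `tls` and not flagged.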
Ars has contacted the American Library Association for comment as well as Adobe, and we will update this story as more information becomes available.