Sending information about user activity is never a good idea

Oct 24, 2014 12:23 GMT
Wireshark should provide totally different traffic capture from Digital Editions now

Adobe announced that starting Thursday, October 23, all the information gathered from the users of ebook reading software Digital Editions is encrypted when sent to its servers.

The application collects the data in order to comply with the DRM (digital rights management) policies that protect copyright holders against piracy.

“Adobe uses the information collected about the eBook you have opened in Adobe Digital Editions software to ensure it is being viewed in accordance with the type of DRM license that accompanies that eBook. The type of license is determined by the eBook provider,” the company says.

Company explains the purpose of the information it collects

At the beginning of the month, it was discovered that the program would collect details about books it opened and would deliver them to one of its servers called adelogs.adobe.com.

Nate Hoffelder of The Digital Reader blog said that evidence was found that Digital Editions 4 also scanned the storage unit in search of other books and shared the data with Adobe.

However, this was only the tip of the iceberg, because an analysis of the traffic to the Adelog server revealed that the information was uploaded in an insecure manner, allowing a third party to intercept and access it in plain text.

In an official announcement, Adobe disclosed the type of information it hauls from the users of Digital Editions, also explaining what it is used for.

Apart from unique values required for the purpose of authentication and identification of the user and the device, the company also retrieves the IP address at the time of purchasing an ebook, duration of reading the text, amount of the ebook that has been read, as well as details included by the providers of the ebook.

Regarding the reading duration, “this information may be collected to facilitate limited or metered pricing models entered into between eBook providers, such as publishers and distributors,” the Adobe announcement says.

The company explains that under some models, publishers can charge libraries for lending an ebook to an individual either from the time of the borrowing or from the time the reader actually picks up the book and reads it.

HTTPS is now used for transmission of data

One highly important aspect announced by Adobe, though, is that information taken from the user is now delivered to its machines through a secure connection. This eliminates the aforementioned risk of the traffic being intercepted and the information being accessed by a third party.

Adobe informs that none of the data collected is personally identifiable and that it may share some of it with ebook providers.