The issue was exposed by Nate Hoffelder, author of the Digital Reader blog, who said on Monday that an anonymous hacker acquaintance had tipped him off to “a huge security and privacy violation” by Adobe.
The newest version of the company's e-reader app, Digital Editions 4 (DE 4), collects and transmits in plain text details of every e-book users read via the app, whether bought or borrowed, including their personal and device credentials, the book title and author, and other metadata such as the duration each book was read and percentage read.
Hoffelder complained: “Adobe has just given us a graphic demonstration of how not to handle security and privacy issues.
“Adobe is gathering data on the e-books that have been opened, which pages were read, and in what order. All of this data, including the title, publisher and other metadata for the book is being sent to Adobe's server in clear text, in such a way that anyone running one of the servers in between can listen in and know everything.”
Reflecting the current high levels of sensitivity over personal privacy, Hoffelder also alleged the app was indexing his entire e-book collection, in “a privacy and security breach so big that I am still trying to wrap my head around the technical aspects, much less the legal aspects” – but Adobe has denied this.
While admitting it collects a range of user credentials and book and metadata, Adobe said in a statement to SCMagazineUK.com: “All information collected from the user is solely for purposes such as licence validation and to facilitate the implementation of different licensing models by publishers. This information is solely collected for the e-book currently being read by the user and not for any other e-book in the user's library or read/available in any other reader.”
But the Electronic Frontier Foundation (EFF) privacy organisation quickly weighed in in support of Hoffelder, saying it was “disturbing that Digital Editions logs every document readers add to their local ‘library’, tracks what happens with those files, and then sends those logs back to the mother-ship, over the internet, in the clear.
“In other words, Adobe is not only tracking your reading habits, it's making it really, really easy for others to do so as well.”
Digital Editions is reportedly used by thousands of libraries to enable people to borrow e-books - and the EFF says “sending information in plain text undermines decades of efforts by libraries and bookstores to protect the privacy of their patrons and customers”.
Hoffelder recommends that instead of Adobe DE 4, people could use the e-reader apps provided by Amazon, Google, Apple or Kobo.
He added: “None of those four platforms are susceptible to Adobe's security hole. Of course, I can't say for sure whether those platforms are more secure and private than Adobe's, but I'm sure they will be made more secure in the next few weeks.”
Commenting on the furore, UK cyber security expert Richard Cassidy, senior solutions architect at Alert Logic, criticised Adobe for transmitting data in clear text and said that users should be able to opt out of sharing any personal data.
He told SC by email: “At the least users must be given the ability to opt out of any data capture from their personal devices, with greater control on what elements of their personal data can be shared (if even agreed to be shared at all) with external organisations.
“Organisations need to be aware of their responsibilities, not just from a data protection perspective but also from a security one too. Clear-text transfer of data of consumers' product usage activities could be used maliciously. For instance, if attackers had access to such information, they'd be able to craft more effective phishing or email-based malware propagation campaigns and also have enough data to make social engineering attempts more successful.
“The risk to users of allowing clear-text personal data transfer is extremely high and is a threat vector that organisations need to prevent in their security responsibility to customers.”
But Cassidy said the crux of the row is that “we simply don't have an effective global regulation in force at present, to help users better understand their rights in a global online data-driven market.
“The move by the EU Parliament in March is a much-needed step in the right direction and organisations will be watching closely how this affects their operations when handling users' personal data within the EU.”
Adobe has confirmed to SC that it is working on an app update to address the issue of transmitting data in clear text. “We will notify you when a date for this update has been determined,” the company said.