This post has been updated with new information.
Adobe confirms some details of recent reports by The Digital Reader and Ars Technica that Adobe Digital Editions 4, the latest version of the widely used ebook platform, is gathering extensive data on its users’ ebook reading habits.
According to Nate Hoffelder at The Digital Reader, “Adobe is gathering data on the ebooks that have been opened, which pages were read, and in what order.”
Reached for comment, Adobe confirms that those data gathering practices are indeed in place. “Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them,” Adobe said in a statement this afternoon. The statement continues:
Update: Hoffelder reported that Adobe Digital Editions appeared to be gathering information on his entire ebook library, not just the titles viewed through Adobe Digital Editions. In a follow-up communication with Adobe, which included the file Hoffelder posted to support this suspicion, the company reiterated its earlier statement that “information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader.”
According to the latest reports, that data appears to be delivering to Adobe’s servers as clear text, raising concerns that third parties could easily gain access to it.
Update: Adobe acknowledges that transmitting unencrypted data could pose a security risk: “In terms of the transmission of the data collected, Adobe is in the process of working on an update to address this issue.” Adobe says further that more information on when that update will be in place and of what it will consist is forthcoming.
In its statement this afternoon, Adobe enumerates the data it gathers through Adobe Digital Editions:
- User ID: The user ID is collected to authenticate the user.
- Device ID: The device ID is collected for digital right management (DRM) purposes since publishers typically restrict the number of devices an eBook or digital publication can be read on.
- Certified App ID: The Certified App ID is collected as part of the DRM workflow to ensure that only certified apps can render a book, reducing DRM hacks and compromised DRM implementations.
- Device IP: The device IP is collected to determine the broad geo-location, since publishers have different pricing models in place depending on the location of the reader purchasing a given eBook or digital publication.
- Duration for Which the Book was Read: This information is collected to facilitate limited or metered pricing models where publishers or distributors charge readers based on the duration a book is read. For example, a reader may borrow a book for a period of 30 days. While some publishers/distributers charge for 30-days from the date of the download, others follow a metered pricing model and charge for the actual time the book is read.
- Percentage of the Book Read: This information is collected to allow publishers to implement subscription models where they can charge based on the percentage of the book read. For example, some publishers charge only a percentage of the full price if only a certain percentage of the book is read.
- Additionally, the following data is provided by the publisher as part of the actual license and DRM for the eBook:
- Date of Purchase/Download
- Distributor ID and Adobe Content Server Operator URL
- Metadata of the Book provided by Publisher (including title, author, publisher list price, ISBN number)
Adobe has been contacted for clarification and additional information, including whether Adobe Digital Editions 4, which was launched on September 8, is the only version of the platform that’s subject to the data gathering program Adobe outlined today. Earlier versions so far appear to be unaffected. We will update this post as more information becomes available.