A very disturbing discovery has been made. The software used by the St. Mary’s library, University System of Maryland and Affiliated Institutions (USMAI) libraries, and countless other academic and public libraries to lend ebooks is knowingly violating users’ privacy.
As documented in Ars Technica, Adobe Digital Editions tracks and compiles data on which ebooks users download and read, and exactly what each user does with those books. Worse yet, Adobe is sending that information to its servers in plain text over unencrypted channels, so just about anyone able to observe the network traffic could read it. Nate Hoffelder of The Digital Reader made the discovery on October 6, 2014, but the violation is believed to have started with the release of Adobe Digital Editions 4.0 in early September.
How it works
Many libraries use Adobe Digital Editions as a PDF reader for ebook lending, where it enforces the digital rights management (DRM) on all borrowed ebooks. This software is essentially what “returns” a borrowed ebook when the loan expires by removing it from a borrower’s computer. Most ebook publishers require DRM as part of the licensing or sales agreement to ensure intellectual property rights are not violated by end users.
Our reaction
Librarians are furious. As you may recall from when Edward Snowden leaked the NSA’s secrets, librarians value their patrons’ privacy and take every possible precaution to ensure privacy is maintained. The American Library Association (ALA) has issued this statement and the Library and Information Technology Association (LITA) has published this blog post in reaction to the news. Quoted from the ALA statement:
In response to ALA’s request for information, Adobe reports they “expect an update to be available no later than the week of October 20” in terms of transmission of reader data.
Here at St. Mary’s, we will be keeping a close eye on the situation.
Update 10/29/2014:
Adobe made a software update available on Friday, October 24th, which includes an encryption mechanism so that all user data gathered and sent to Adobe’s servers is no longer transmitted in plain text. ADE users can download the update (and read Adobe’s privacy statement) here. The American Library Association issued a statement on October 27, 2014, and Nate Hoffelder of The Digital Reader published an update on the privacy breach on October 23rd.