Seattle Public Library. Photo via Flickr user PsychaSec.

An Adobe data breach with its newest digital reading software has the Seattle Public Library concerned.

The Digital Reader first reported on Adobe’s data collection practices on Monday evening, showing how the company is tracking unencrypted reading history of those accessing e-books using the desktop version of Adobe Digital Editions 4 — including what books were open and what pages were read.

In a statement, Adobe told Digital Reader that it does track user activity for “license validation and to facilitate the implementation of different licensing models by publishers.”

Jim Loter, director of information technology at The Seattle Public Library, penned a blog post today noting his “concern and alarm” with Adobe’s practices since the SPL’s primary eBook distributor, OverDrive, uses Adobe’s Digital Rights Management software.

“The Seattle Public Library values our patrons’ right to privacy, and we have expressed concern and alarm to OverDrive, and asked them to advocate on our behalf,” Loter wrote. “We will be contacting Adobe directly to demand that they address this violation of user privacy immediately.”

Loter’s privacy concerns are not a surprise, especially given how closely libraries pay attention to privacy rights. In addition, as the Digital Reader points out, many states have privacy laws about library books that may have been violated by Adobe Digital Editions 4.

Loter advises that those renting eBooks from the SPL should either not use Adobe Digital Editions 4 to manage their eBook libraries or use Adobe Digital Editions 3.

“Again, if you have ever used ADE just to create an Adobe ID for use with OverDrive but otherwise you use OverDrive (or other eReader) to actually read the eBooks, you should not be affected,” he wrote.

An Adobe spokesperson told Ars Technica that it is now working on an update to its software to address the data transmission issue.

Loter also wrote a letter to OverDrive CEO Steve Potash, which you can read below:

To: Steve Potash, President and CEO, OverDrive, Inc.

From: Jim Loter, Director of Information Technology, The Seattle Public Library

Dear Steve,

I know you’ve been hearing a lot in the last few days from libraries about the Adobe Digital Editions data privacy issue that has emerged. The Seattle Public Library would like to voice our concerns as well.

Since OverDrive has always been a strong advocate for libraries and has shown understanding and sensitivity to our commitment to protecting patron privacy, I know that you’re aware of how concerning these reports are to us.

We understand Adobe’s stated challenge to manage and enforce DRM according to multiple business models and publisher requirements, and that the data that’s being collected is intended to support those efforts. We understand that DRM is a fact of eBook life at the moment (though we wish it weren’t so). We are not putting forward a facile argument that Adobe shouldn’t collect any use data at all. Our primary issues are with the seemingly inept and certainly opaque ways these procedures have been implemented by Adobe. Those issues can be summarized in three points that we hope you can help us move forward and use to engage in a dialog with Adobe.

  • The data in question is transmitted in plain text. It has been pointed out in other forums that this practice may violate some state laws. It certainly violates best practices, especially in libraries where our policies expressly prohibit this kind of practice. This seems to be the easiest fix to implement, and Adobe has indicated they will do so. However, simply encrypting the transmission is not sufficient to address our concerns.
  • The fact that this data is reportedly being captured and transmitted does not appear to be explicated in the application’s terms of service. Library users need to understand what information, specifically, is being collected about them and their activities so that they can make informed choices about their reading behaviors. Libraries have always been explicit about how we manage borrower information and we urge Adobe to be more transparent as well.
  • It has not been made clear by Adobe how the data is being handled, protected, and managed, or if the data contains personally-identifiable information (PII). If the intent is truly to enforce DRM and prevent eBooks from being read on unauthorized devices or to meter time and page views (which may be required under some lending models) then there seems to be no need for Adobe to capture PII or to retain the data for longer than a book lending term. We and our patrons would rest easier about this matter if we could be explicitly assured that PII is not being collected and that the data in question is not stored longer than it needs to be to support Adobe’s DRM requirements.

Libraries are in a tough spot because we do not directly contract with Adobe and are not in a position to negotiate or easily have a dialog directly with them about this issue. We feel that OverDrive is in a better position to serve as our advocate on this matter, in addition to our professional associations, and we urge you to help us carry our concerns forward.

Thank you,

Jim Loter

The Seattle Public Library

Director of Information Technology
