The publishing world may finally be facing its “rootkit scandal.” Two independent reports claim that Adobe’s e-book software, “Digital Editions,” logs every document readers add to their local “library,” tracks what happens with those files, and then sends those logs back to the mother-ship, over the Internet, in the clear. In other words, Adobe is not only tracking your reading habits, it’s making it really, really easy for others to do so as well.
And it’s all being done in the name of copyright enforcement. After all, the great “promise” of Digital Editions is that it can help publishers “securely distribute” and manage access to books. Libraries, for example, encourage their patrons to use the software, because it helps them comply with the restrictions publishers impose on electronic lending.
How big is the problem? Not completely clear, but it could be pretty big. First, it appears Adobe is tracking more than many readers may realize, including information about self-published and purchased books. If the independent reports are correct, Adobe may be scanning your entire electronic library. Borrowing a copy of Moby Dick from your public library shouldn’t be a license to scan your cookbook collection.
Adobe claims that these reports are not quite accurate. According to Adobe, the software only collects information about the book you are currently reading, not your entire library. It also collects information about where you are reading that book, how long you've been reading it, and how much you've read. Still disturbing, if you ask us.
Second, sending this information in plain text undermines decades of efforts by libraries and bookstores to protect the privacy of their patrons and customers. (Adobe does not deny transmitting the information unencrypted.) Indeed, in 2011 EFF and a coalition of companies and public interest groups helped pass the Reader Privacy Act, which requires the government and civil litigants to demonstrate a compelling interest in obtaining reader records and show that the information contained in those records cannot be obtained by less intrusive means. But if readers are using Adobe's software, it’s all too easy for folks to bypass those restrictions.
Third and most depressing: this flaw may have been unintentional, but we probably should have seen it coming. As our friend Cory Doctorow has been explaining for years, DRM for books is dangerous for readers, authors and publishers alike. Whether or not Adobe actually intended to create this particular vulnerability, if your computer is collecting information about you, and then transmitting it in ways you can't control, chances are you've got a security problem.
But there may be a silver lining to all of this. Several years ago, music fans were shocked and dismayed to discover that copy-protection software on music from Sony artists was actually allowing Sony to monitor the fans’ listening habits, sending information home to Sony, and creating a massive security vulnerability. Sound familiar? That discovery led to a public relations meltdown for Sony, not to mention numerous lawsuits. When the dust had cleared, Sony’s DRM cost it millions in fees and settlements, and, of course, did nothing to inhibit infringement. For Sony, and many others in the music industry, the price of DRM finally became too high, and it has since been largely abandoned.
So we’re going to try to be optimistic. The rootkit scandal put several nails in the coffin of DRM and music. If enough readers, librarians, publishers and authors speak up, perhaps this latest scandal will do the same for DRM and books. In the meantime, we'll be taking a hard look at our e-reader privacy chart.