Threat level: goldenrod. We’re okay – see summary at bottom.

[To avoid confusion, note that there are two separate pieces of Adobe software discussed here, with very similar names. Adobe Digital Editions (ADE) is a library of tools to enforce digital rights management; for library e-books, this usually means encrypting it so that it can only be opened until its loan period expires. Adobe Digital Editions Reader, version 4 (ADE4) is one reader program that works with the ADE rights management. Reader programs other than ADE4 can use ADE to open encrypted books.]

Last week, several library- and tech-world sites reported that Adobe Digital Editions Reader, version 4 (ADE4), was doing two bad things:

First, it records data that we would consider private, but which (at least arguably) verifies you aren’t a pirate: your ADE4 license (who you are) and the license for your copy of the book. In addition, it logs your IP address (where you are); metadata for the book you’re reading, the time and date you start and stop reading; and the specific page you’re on and when you go to that page.

ADE4 has also been shown to record metadata for e-books on your system that are not encrypted with ADE rights management. In some situations, ADE4 also scans e-book readers or tablets attached to your computer to see what books are downloaded there. All of this information gets transmitted back to Adobe.

Second, the data is transmitted to Adobe unencrypted. This makes it visible to anyone with access to network log files, or anyone snooping on an unencrypted wireless network (not the WFU wireless, but for example a no-password network in a coffee shop).

There are a lot of ethical and possibly legal issues here, but the situation at ZSR is this. EBL downloads are encrypted with ADE to enforce checkout periods. That would be a problem, except:

  1. We instruct students to read EBL books in their web browser. In EBL’s world, this is not a “download” and so they do not use any ADE rights management.
  2. We believe that users who download ADE-encrypted e-books primarily do so to read on tablets or e-reader devices. We point them to the Bluefire reader, which uses ADE, but does not report reader behavior to Adobe like ADE4.
  3. WFU does not include ADE4 in the standard software load.
  4. Other e-book sources we provide do not seem to use ADE or and digital rights management (yay!), mostly because they offer no way to download a complete book for offline reading (boo!)
  5. E-Books purchased through Amazon, Google Play, or other sources do not have ADE rights management (drop a comment if you know any that do), but often have other digital rights management tying them to a specific reader program.

As of October 16, Adobe is promising an upgrade within the next week or so that will encrypt the data ADE4 sends back to them. However, they insist that the data they’re logging is reasonable and covered by their end-user license agreement.

Some further reading:

TL;DR Summary: The ADE4 e-book reader program violates library patron privacy. Downloaded EBL e-books use Adobe’s digital rights management and could be read in ADE4. However, we believe other available options give ZSR patrons access to this content without the threat specific to using ADE4. Our users are at low risk from this threat, but should be aware of it.