On October 7, Nate Hoffelder, the editor of The Digital Reader blog reported that the newest version of the Adobe Digital Editions software (ADE 4) appears to be transmitting unencrypted data about eBooks back to Adobe's servers.

ADE is used to manage readers’ eBook collections, including eBooks borrowed from public libraries, and can be used to read eBooks on desktop and portable computers. A friend of Hoffelder’s discovered that ADE version 4 gathers and transmits data in plain text about eBooks that have been opened, which pages were read, and in what order. Hoffelder’s article includes samples of data captures and screenshots that seem to bear this out.

According to another source, this issue appears to only affect users who use ADE version 4 on a desktop or laptop computer for reading and managing eBooks ePub or PDF formats. Users of library vendors’ apps on portable devices do not seem to be affected. The Amazon Kindle suite (apps, readers, etc.) is not affected because Amazon uses proprietary DRM rather than Adobe software to manage eBooks.

Adobe confirmed that it is gathering eBook readers’ data and has issued a statement: “All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers. Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy.”

The American Library Association and its Library and Information Technology Association division have released a detailed statement exploring Adobe Digital Edition 4’s transmission of data and protesting Adobe’s current data collection practice, as well as noting the issues with related data collection practices among many other library vendors. ALA President Courtney Young has stated “ALA, and we hope the user and vendor community, will continue these inquiries and conversations—and not just for Adobe Digital Editions—to help ensure that only data necessary for user functionality are collected, are properly protected, are deleted as soon as possible, and licensing terms are as clear and transparent as possible.” In response, Adobe has indicated they “expect an update to be available no later than the week of October 20.”

ReadersFirst supports ALA’s position and makes the following specific requests of our members (indeed, all libraries) and vendors of library eBooks to protect the privacy of library eBook readers.

• As libraries, register your concerns with your vendors, asking them to advocate for library users; for vendors, support the requests of libraries to ensure the privacy of their users.
• Educate library staff about this breach of privacy so that they may inform and instruct concerned readers.
• Simply encrypting the data from plain text in ADE 4, but doing nothing else, is not enough; advise library customers to avoid ADE 4 until it is fixed to a standard acceptable to libraries, collecting only data absolutely essential to ensure the smooth operation of eBooks and ensuring that data related to individual users is never kept beyond the time users have their eBooks. If users recently updated their version of ADE to version 4, recommend that they download and install ADE version 3 to continue reading eBooks until these issues are resolved.

Library eBook vendors, and not just Adobe, should learn from this issue to develop library user accounts that require no personal information (including emails), relying only upon library barcodes for identification and authentication, and should require no other data from users beyond that which guarantees functionality. Should vendors wish to offer enhanced services dependent upon greater data collection, they should clearly indicate to library users what information will be collected and how it will be used, and allow users to opt out of any points not essential for authentication and fair use of library eContent. Data on circulated items should not be associated with individuals beyond the period during which the library user has the eContent. We recognize that library readers contracting with vendors agree to certain conditions, but their privacy should be respected and the use of their data disclosed.

ReadersFirst exists primarily to promote a smooth and trouble-free library eContent experience, but we join the rest of the library community in our shared concern about an unnecessary invasion of privacy that could have a chilling effect on the use of library ebook content.

For ReadersFirst Working Group,
Jim Loter, Seattle Public Library
Christina de Castell, Vancouver Public Library
Michael Blackwell, Columbus Metropolitan Library