A story broke yesterday involving eBooks, libraries, and the privacy of user data. Reporter Nate Hoffelder exposed some serious privacy violations on the part of Adobe, specifically within their Digital Editions 4 product.

Adobe Digital Editions, which most eBook platforms in libraries use (including OverDrive, 3M Cloud Library, Axis 360, and Enki), has been secretly spying on users. No one hacked anything–this is the company itself collecting this data on the sly. Adobe is gathering data on the eBooks that have been opened, which pages were read, and in what order–including consumer-subscription eBooks and eBooks borrowed through a library. Equally disturbing, Adobe is also tracking user activity outside of Digital Editions—gathering metadata from non-Adobe eBooks on the user’s hard disk. All of this data is being kept and transmitted in clear text (plain text that is easily intercepted and duplicated by intermediaries, such as library eBook vendors).

The collection of such data is quite possibly a violation of the California Reader Privacy Act as well as the California Student Online Personal Information Protection Act. Working in California as a Library Director means I have to address this with my community.

As a library customer, I have contacted our eBook vendors and asked for information or comment. So far, nothing.

While not surprised that a big company that can make money off of user data is collecting that user data, I am outraged on behalf of my library users–whose data we strive to keep secure and safe. By offering eBooks platforms with Adobe Digital Rights Management software, we have been unknowingly violating our very own privacy policies.

I am hopeful that the American Library Association, state libraries, and other organizations will publicly decry this gross violation of user privacy.

“Adobe Spies on eBook Readers, including Library Users”

  1. Eric Hellman Says:

    Sarah,

    I’ve recently studied California’s Reader Privacy Act, because New Jersey may enact a law which borrows much of the California law’s language. (see http://go-to-hellman.blogspot.com/2014/09/emergency-governor-christie-could-turn.html ). I do not believe that California’s Reader Privacy Act would apply in this situation, because there is no government agency or legal process seeking discovery of the data that is being leaked (unless of course Adobe has been served in a legal process which we don’t know about.) Unfortunately the language in the act is dense, but that’s how this non-lawyer reads it.

    Eric

  2. Sarah Says:

    Eric – The two lawyers I’ve talked to so far on this think it may apply. It depends heavily on what they were collecting and how they were transmitting and storing it, and who had access to the data. I guess we’ll find out soon.

  3. Adobe Privacy & Security Hole - The Creative Librarian Says:

    […] Librarian in Black: Adobe Spies on eBook Readers, including Library Users […]

  4. Eric Hellman Says:

    The relevant California law that should be applied to Adobe is “Cal Gov Code § 6267”. I have no idea how it might be enforced, or what penalties might apply.

    § 6267.  Registration and circulation records of library supported by public funds

       All registration and circulation records of any library which is in whole or in part supported by public funds shall remain confidential and shall not be disclosed to any person, local agency, or state agency except as follows:

       (a) By a person acting within the scope of his or her duties within the administration of the library.

       (b) By a person authorized, in writing, by the individual to whom the records pertain, to inspect the records.

       (c) By order of the appropriate superior court.

       As used in this section, the term “registration records” includes any information which a library requires a patron to provide in order to become eligible to borrow books and other materials, and the term “circulation records” includes any information which identifies the patrons borrowing particular books and other material.

       This section shall not apply to statistical reports of registration and circulation nor to records of fines collected by the library.

  5. Brig C. McCoy Says:

    Hi…

    For what it’s worth, we use B&T’s Axis360 which allows downloading ebooks for use with Adobe Digital Editions or BLIO.

    I spent a few minutes with BLIO and Wireshark yesterday and didn’t see any data travelling between my desktop and BLIO that wasn’t encrypted… no idea what data is being passed, but at least it’s encrypted. 🙂

    …brig

    Brig C. McCoy
    Network Services Manager
    Kansas City, Kansas Public Library
    625 Minnesota Ave
    Kansas City, Kansas 64114
    913-279-2349, Phone
    816-885-2700, Cell
    http://www.kckpl.org

  6. Deborah Stone Says:

    California Gov. Code § 6267 was amended two years ago to extend the duty to protect the confidentiality of library users’ records to private actors who are maintaining or storing managing user records on behalf of the public library:

    “All patron use records of any library which is in whole or in part supported by public funds shall remain confidential and shall not be disclosed by a public agency, or **private actor that maintains or stores patron use records on behalf of a public agency**, to any person, local agency, or state agency except as follows …..”

    The applicability of § 6267 may depend on ADE’s legal relationship to libraries. But §6267 would not relieve ADE of its obligations under the California Reader Privacy Act, if that provision applies to ADE as a “book service” covered by the law.

    Note that both the library confidentiality act and the reader privacy act address *disclosure of user data to third parties* and under what circumstances disclosure is allowed or can be compelled. Use and retention of data not disclosed to third parties may be another issue.

    Note that Missouri is another state that has tried to address this issue by amending its library confidentiality statute; the text of the newly amended law is online here: http://house.mo.gov/billtracking/bills141/billpdf/truly/HB1085T.PDF

  7. (Failing to) Protect Patron Privacy | Jenny Arch Says:

    […] 10/14/14 The Waltham Public Library (MA) posted an excellent, clear Q&A about the implications for patrons, “Privacy Concerns About E-book Borrowing.” The Librarian in Black (a.k.a. Sarah Houghton, Director of the San Rafael Public Library in California), also wrote a piece: “Adobe Spies on eBook Readers, including Library Users.” […]

  8. Jeremy Hutchinson Says:

    This is a great post. Thanks for bringing it to my attention.

    My library uses Overdrive for E-Books and I did not find anything about the collection of information within the user agreement. Have you heard of any legal action by information privacy advocates like the ACLU? Could a more extensive user agreement be used to circumvent the privacy laws in California?

  9. Sarah Says:

    Jeremy – I am not aware of any legal action by the ACLU or any other organization against Adobe, OverDrive, or other eBook purveyors. Could a EULA circumvent the privacy laws in California? Absolutely. Would it be illegal to do so? Only the courts can say.

  10. David Dodd Says:

    Hello–I am looking into this on behalf of my library, and find many posts stating that there will be fixes, updates, progress, etc. Have there been any? (Fixes, updates, progress, etc.?)
    Thanks,
    –David

  11. Sarah Says:

    The only update is that after the American Library Association and others slammed Adobe for the transmission of unencrypted plain text, they began transmitting the data in an encrypted format. However, Adobe is still collecting the same data and has not said anything about changing the data they collect. So far, the ALA has been silent on this lack of movement on data collection.

  12. Andromeda Says:

    There’s been some continuing chatter in LITA’s new Patron Privacy Interest Group about the Adobe issue, and there are people in that group with both the technical skills and the network (in and out of ALA) to have an impact – I don’t think a specific plan has coalesced, but I encourage anyone who’s interested in this question to get involved with the IG. (Subscribing to their mailing list at http://lists.ala.org/sympa/info/patronprivacy is the best way to get in touch.)

  13. Sarah Says:

    Thanks Andromeda!
