The Electronic Frontier Foundation dropped a bomb on the library world yesterday when they published their findings on an investigation into how Adobe Digital Editions works. Let’s not mince words here; let’s bring this out in the open so we can all look at it.
Any product in your library’s digital collection that used Adobe Digital Editions (ADE) for digital rights management and control has been keeping track of what your patrons are reading and transmitting it back to Adobe. It has been doing this in the clear, over unencrypted connections, and thus Adobe has made it really easy for someone else to track what your library patrons are reading. Until very recently, this included the highly popular OverDrive digital library collection used by library systems all over the country. Other services such as Freading and OneClickDigital still rely on ADE for DRM authentication of library patrons. Right now, that information is being tracked by Adobe.
And libraries, all over the country, helped them do it. Yes, folks, I mean us.
I looked and searched and came up empty when I tried to find something, anything, on a library calling for an independent audit of the ADE security model and methodology. Like many high level “security management” systems, it’s a black box. You can’t see inside it because, you know, proprietary code and none-of-your-damn-business. Except it was our business. We’re supposed to protect our patrons’ privacy and secure their ability to read what they want from the prying eyes of governments, corporations, and institutions.
We failed. We handed that information right over to Adobe and whoever else was smart enough to tap that line of communication. Since it was an unencrypted line of communication, anyone positioned on the path, such as whoever runs the Wi-Fi network a patron reads on or the network provider in between, could read it without much effort.
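A library does not have to take a vendor’s word on this; it can check. Run the reader app on a test network, capture its traffic, and look for requests that carry reading-progress or account fields without TLS. The script below is an added example, not code from the EFF report, from Adobe, or from the original post: it runs that check over a handful of constructed request samples. The field names, hostnames and request bodies are assumptions made for illustration and do not reproduce ADE’s real protocol. It also records what a passive observer still learns when a request is encrypted: the content is opaque, but the destination host is not.

```python
"""
Audit captured HTTP requests for reading-history fields sent without TLS.

Added example. SAMPLE_REQUESTS, SENSITIVE_KEYS and the hostnames are
constructed for illustration; they are not Adobe Digital Editions' real
wire format or endpoints.
"""
import json
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Field names a passive observer would value. Assumed names, not a real client's.
SENSITIVE_KEYS = {
    "title", "isbn", "book_id", "page", "position", "percent",
    "user_id", "device_id", "duration",
}


@dataclass
class Request:
    """One captured request, as exported from a packet capture or proxy."""
    method: str
    url: str
    body: str = ""


def _fields_from_body(body):
    """Decode a JSON or form-encoded body into a flat {key: str} dict."""
    body = body.strip()
    if not body:
        return {}
    try:
        data = json.loads(body)
        return {k: str(v) for k, v in data.items()} if isinstance(data, dict) else {}
    except ValueError:
        # Not JSON; fall back to application/x-www-form-urlencoded.
        return {k: vs[0] for k, vs in parse_qs(body).items()}


def sensitive_fields(req):
    """Sensitive key/value pairs readable on the wire, or {} if the request
    used TLS (the URL path, query and body are then opaque to an observer)."""
    parts = urlsplit(req.url)
    if parts.scheme == "https":
        return {}
    found = {k: vs[0] for k, vs in parse_qs(parts.query).items()}
    found.update(_fields_from_body(req.body))
    return {k: v for k, v in found.items() if k in SENSITIVE_KEYS}


def observer_view(req):
    """What a passive observer on the path learns from one request.
    Even with TLS the destination host is visible (via DNS and SNI)."""
    return {"host": urlsplit(req.url).hostname, "fields": sensitive_fields(req)}


def audit(requests):
    """Return (url, fields) for every plaintext request leaking sensitive fields."""
    findings = []
    for req in requests:
        fields = sensitive_fields(req)
        if fields:
            findings.append((req.url, fields))
    return findings


# Constructed samples, not captured from any real product.
SAMPLE_REQUESTS = [
    Request("POST", "http://telemetry.example.test/progress",
            '{"book_id": "book-0001", "title": "Constructed Title", '
            '"page": 143, "device_id": "dev-1"}'),
    Request("GET", "http://telemetry.example.test/ping?device_id=dev-1&percent=42"),
    Request("POST", "https://telemetry.example.test/progress",
            '{"book_id": "book-0001", "page": 144}'),
    Request("GET", "http://cdn.example.test/cover.jpg"),
]

if __name__ == "__main__":
    for url, fields in audit(SAMPLE_REQUESTS):
        print(f"PLAINTEXT LEAK {url}: {fields}")
    for req in SAMPLE_REQUESTS:
        print(observer_view(req))
```

The first two samples are flagged because the book identifier, page, device identifier and progress percentage travel in a plaintext URL or body; the third carries the same data over HTTPS and yields nothing but the hostname; the fourth is plaintext but carries nothing sensitive. Running this against a real capture replaces the samples with the app’s actual requests and turns a vendor’s privacy claim into something a library can verify.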
Adobe’s position is basically that this is no big deal: ADE is “only” collecting which book you’re reading, how long you’ve been reading it, and how far along you are.
Put that into a non-digital scenario. It’s the equivalent of having a librarian follow someone around after they check out a book. That librarian watches the patron, notes what they’re reading right now and where, and how they’re getting along in it. Then that librarian makes a loud, public, cell phone call back to the branch and reports that information so everyone at the Starbucks can hear it.
You think that’s absurd? It’s no different than what Adobe Digital Editions is doing now. They just don’t have to leave the head office to do it.
OverDrive recently removed ADE from their app, so you now authenticate directly with OverDrive rather than Adobe. Thing is, we still know next to nothing about how that authentication process works, whether it’s secure, or what they’re tracking. Which is why I’m calling upon OverDrive to disclose their authentication method and allow an independent audit of its code to test for security and privacy. OverDrive caters specifically to libraries; this shouldn’t be a big deal for them.
I seriously doubt they’re going to do it. I may be wrong, but I’m often right.
I’m also calling out any other library service using ADE to push for transparency and privacy in ADE’s methods. After all, Freading and OneClickDigital and others are ADE’s customers. They are paying for that software and authentication; they have the right to know what they’re buying. Since we’re buying services from them, we have the right to know too.
I may be wrong, but I’m often right.
Finally, I know this won’t go anywhere, but I’m calling out the library community on this whole thing. We’re paying for this stuff, and none of it’s cheap. We need to demand transparency and security in everything that touches our patrons’ accounts and reading histories. If we can’t get that, then we can vote with our money, because I have a feeling that if a few major libraries start abandoning services that aren’t as above board on patron privacy as we are, then changes will get made somewhere.