New and Old: Serious Reader Privacy Concerns Both Inside and Outside the Library

UPDATE 3 October 13 (1:00pm) ALA and LITA have both posted statements and updates on the Adobe report.

Worth Noting: Some library catalogs transmit search strings, entries users are reviewing, etc. over the Internet and via wi-fi in an unencrypted manner.
UPDATE 2 October 7 (8:00 pm) Adobe just provided us with the portion of the End User License Agreement (EULA) that appears when you install the software that they say is most relevant to today’s story. Full text below.

UPDATE October 7 (5:30 pm) At the bottom of this post you’ll find the full text of a statement released by Adobe about the Digital Editions story.
—
In the past 16 hours or so Nate Hoffelder at The Digital Reader broke a story about Adobe spying on users who read ebooks using Adobe’s Digital Editions (4th ed.) e-book and PDF reader.
If accurate (Nate and ars technica have yet to hear from Adobe) is bad, awful, and beyond. We encourage you to read all of the details in the three articles linked at the bottom of this post.
But first, I would also like to share a few comments on a related matter.

Library Users and Ebook Reader Privacy: Hardly a New Issue

While today’s reports are 100% major and serious issues it’s important to realize that, ebook privacy,  privacy in the digital/Internet age, and how it libraries are not new issues.
Here’s one of many examples.
Four years ago on infoDOCKET we posted about privacy concerns with the OverDrive/Amazon relationship. We have talked about this issue many times since then both here on the blog, during public presentations, and one-on-one with library leaders and NOTHING has changed.
My question is why hasn’t this solvable concern be corrected? As you’ll read below the solution (barring any possible legal issues) is about awareness, disclosure, and education.
The issue I am raising once again today is that when a library user heads to their library web site to borrow an ebook from OverDrive (marketed and funded by the library) and then places the book on their Kindle device, Amazon has a permanent record of the library record, knows if the book is returned early, and other metrics Amazon collects.
Amazon also stores all of the notes a user makes in the book.
All of this data remains on the Amazon/Kindle server after the book is returned UNLESS the user manually removes it in the same way ebooks purchased by Amazon do.
My point has always been NOT to end the service (not even close) but to clearly and effectively disclose the relationship to users, note what data Amazon is collecting, and explain how to remove the data (if a users wants to do it) off Amazon’s servers. Let me add that we need to do this for all current and future situations involving situations like this.
This infoDOCKET post from June 2013 has more thoughts and examples on this issue and includes a link to others posts on the this issue.
See: “Adding Transparency to the Ebook Transaction” (June 25, 2013)

Summing Up

1. The dedication and vigilance to user privacy that the public (both library users and non-users) appreciate from libraries is not the same in the digital world (for many reasons) and we need to do more.
2. What does this and other library privacy issues arising from digital access mean for what’s discussed in the the ALA Ethics statement? If the U.S. library community doesn’t find them to be of concern perhaps it’s time to change the statement?

We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.

3. The library community must be as transparent as we want others to be
4. The OverDrive/Amazon issue is just one of many concerns regarding library user privacy in the age of the Internet, many providers, wi-fi, etc. I’ll share more going forward. On that note,  Eric Hellman pointed out a privacy issue he’s working on a couple of weeks ago on his blog.
5. Internet age privacy a very important issue and libraries and librarians (in all types of libraries) should play a role in informing and educating the public about these issues. The fit is ideal. People trust libraries and librarians.

Final Thought

Btw, whether or not Amazon’s new Kindle Unlimited ebook subscription service will be a success is TBD but as we pointed out a few months ago Amazon has benefited by knowing a LOT (4 years of data at this point) about what library users like to read and how they read ebooks. Where did this data come from? From our users who borrow books using OverDrive. Ironic.

The Digital Reader / ars technica Reports Re: Adobe Digital Editions 4.

1. Adobe is Spying on Users, Collecting Data on Their eBook Libraries (via The Digital Reader)
2. Adobe Digital Editions 3 Probably Safe From Adobe’s Spying, Experts Say
3. Adobe’s e-book reader sends your reading logs back to Adobe—in plain text (via ars technica)

Full Text of Adobe’s Statement Re: Privacy and Digital Editions 4

Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers. Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader.
User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy.
For more background:
For example, Adobe Digital Editions collects the following information:
•       User ID: The user ID is collected to authenticate the user.
•       Device ID: The device ID is collected for digital right management (DRM) purposes since publishers typically restrict the number of devices an eBook or digital publication can be read on.
•       Certified App ID: The Certified App ID is collected as part of the DRM workflow to ensure that only certified apps can render a book, reducing DRM hacks and compromised DRM implementations.
•       Device IP: The device IP is collected to determine the broad geo-location, since publishers have different pricing models in place depending on the location of the reader purchasing a given eBook or digital publication.
•       Duration for Which the Book was Read: This information is collected to facilitate limited or metered pricing models where publishers or distributors charge readers based on the duration a book is read. For example, a reader may borrow a book for a period of 30 days. While some publishers/distributers charge for 30-days from the date of the download, others follow a metered pricing model and charge for the actual time the book is read.
•       Percentage of the Book Read: This information is collected to allow publishers to implement subscription models where they can charge based on the percentage of the book read. For example, some publishers charge only a percentage of the full price if only a certain percentage of the book is read.
•       Additionally, the following data is provided by the publisher as part of the actual license and DRM for the eBook:
o       Date of Purchase/Download
o       Distributor ID and Adobe Content Server Operator URL
o       Metadata of the Book provided by Publisher (including title, author, publisher list price, ISBN number)

Links: Digital Editions Web Site and White Paper
See Also: The Complete Adobe Privacy Policy
We were unable to find any additional privacy info specifically for Digital Editions 4.
See Also: Adobe Opt-Out Page
The page lists ways to opt-out of a Adobe data collection for a couple of products/services. However, from what we’ve been able to determine it’s not possible to opt-out of sharing Digital Editions 4 data.  The page to opt-out is here (need to logged-in to Adobe account).

Relevant Portion of End User License Agreement According to Adobe

14. Internet Connectivity and Privacy.
14.1 Automatic Connections to the Internet. The Software may cause Customer’s Computer, without notice, to automatically connect to the Internet and to communicate with an Adobe website or Adobe domain for purposes such as license validation and providing Customer with additional information, features, or functionality. Unless otherwise specified in Sections 14.2 through 14.7, the following provisions apply to all automatic Internet connections by the Software:
14.1.1 Whenever the Software makes an Internet connection and communicates with an Adobe website, whether automatically or due to explicit user request, the Privacy Policy shall apply. Adobe Privacy Policy allows tracking of website visits and it addresses in detail the topic of tracking and use of cookies, web beacons, and similar devices.
14.1.2 Whenever the Software connects to Adobe over the Internet, certain Customer information is collected and transmitted by the Software to Adobe pursuant to the Adobe Online Privacy Policy available at http://www.adobe.com/go/privacy (“Privacy Policy”)

Filed under: Associations and Organizations, Companies (Publishers/Vendors), Data Files, Journal Articles, Libraries, Management and Leadership, New Issue, News, Patrons and Users, Publishing, Reports