Adobe responds to ALA on egregious data breach; some action expected by week of Oct. 20

For Immediate Release
Mon, 10/13/2014


Larra Clark
Director, Program on Networks, Program on America's Libraries for the 21st Century
ALA Office for Information Technology Policy
(800) 941-8478, ext. 8213

CHICAGO — The American Library Association (ALA) decries confirmed reader data breaches by Adobe and calls for immediate corrective action to encrypt and protect reader information. The plain text transmission of reader data over the Internet that was first reported Oct. 7 presumably stretches back as far as the release of Adobe Digital Editions (ADE) 4.0 in early September. The ADE e-book reader application is used by thousands of libraries and many tens of thousands of e-book readers around the globe.

“People expect and deserve that their reading activities remain private, and libraries closely guard the confidentiality of library users’ records,” said ALA President Courtney Young. "The unencrypted online transmission of library reader data is not only egregious, it sidesteps state laws around the country that protect the privacy of library reading records. Further, this affects more than library users; it is a gross privacy violation for ALL users of Adobe Digital Editions 4.”

A recent blog post from the Library and Information Technology Association (LITA), a division of the ALA, outlines many of the technical, legal and ethical concerns within the library community.

In response to ALA’s request for information, Adobe reports they “expect an update to be available no later than the week of October 20” in terms of transmission of reader data. Adobe also stated in their communication to ALA:

“Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them. All information collected from the user is collected for purposes such as license validation and to facilitate the implementation of different licensing models by publishers and distributors. Additionally, Adobe Digital Editions is designed to collect this information solely for eBooks opened in Adobe Digital Editions or stored in the Adobe Digital Editions library directory, and not for any other eBook on the user’s computer. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy.”

Beyond the data transmission issue, ALA also is concerned about the possible over-collection and unnecessary retention of sensitive user data. Are all of the data elements collected necessary for product functionality? Is such sensitive user data deleted soon after the need for operational purposes is fulfilled? These issues and guidance are outlined in ALA's policy statements and tools created by the ALA Office for Intellectual Freedom such as the Privacy Toolkit and the Choose Privacy Week website.

“ALA, and we hope the user and vendor community, will continue these inquiries and conversations—and not just for Adobe Digital Editions—to help ensure that only data necessary for user functionality are collected, are properly protected, are deleted as soon as possible, and licensing terms are as clear and transparent as possible,” Young added. “With leadership from the Digital Content Working Group (DCWG) and the Intellectual Freedom Committee, ALA will continue investigating possible violations of applicable federal or state laws on commerce/trade and privacy, as well as establishing best practices to protect reader privacy and secure the best possible licensing terms for libraries and the general public.”