O Privacy, Where Art Thou?

A violation of privacy

A very disturbing discovery has been made. The software used by the St. Mary’s library, University System of Maryland and Affiliated Institutions (USMAI) libraries, and countless other academic and public libraries to lend ebooks is knowingly violating users’ privacy.

As documented in Ars Technica, Adobe Digital Editions tracks and compiles data on which ebooks users download and read, and exactly what each user does with those books. Worse yet, Adobe is sending that information to its servers in plain text, using unencrypted channels, so just about anyone could access that information. Nate Hoffelder of The Digital Reader made the discovery on October 6, 2014, but the violation is believed to have started with the release of Adobe Digital Editions 4.0 in early September.


How it works

Adobe Digital Editions is used by many libraries as a PDF reader for ebook lending to control the digital rights management (DRM) on all borrowed ebooks. This software is essentially what “returns” a borrowed ebook when the loan expires by removing it from a borrower’s computer. Most ebook publishers require a DRM as part of the licensing or sales agreement to ensure intellectual property rights are not violated by end users.


Our reaction

Librarians are furious. As you may recall from when Edward Snowden leaked the NSA’s secrets, librarians value their patrons’ privacy and take every possible precaution to ensure privacy is maintained.  The American Library Association (ALA) has issued this statement and the Library and Information Technology Association (LITA) has published this blog post in reaction to the news. Quoted from the ALA statement:

In response to ALA’s request for information, Adobe reports they “expect an update to be available no later than the week of October 20” in terms of transmission of reader data.

Here at St. Mary’s, we will be keeping a close eye on the situation.


Update 10/29/2014:

Adobe made available a software update on Friday, October 24th which includes an encryption mechanism so all user data gathered by and sent to Adobe’s servers is no longer transmitted in plain text.  ADE users can download the update (and read Adobe’s privacy statement) here. The American Library Association issued a statement on October 27, 2014 and Nate Hoffelder of The Digital Reader published an update on the privacy breach on October 23rd.


Too Awesome Not to Share

As Celia mentioned in her last post, librarians have a long tradition of upholding library users’ privacy. It’s in our professional Code of Ethics!

We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.

Code of Ethics of the American Library Association (last amended Jan. 2008)

We’re quite good at making sure that library users’ records and web browsing sessions are kept private (or not kept at all), and have a great history of standing up to legislation we see as infringing on users’ right to privacy (see the NYTimes article in which we receive the now infamous radical militant librarians label, then see us put it on a t-shirt). In general, people love us for this, but people also love social media, online shopping recommendations, and seeing what their best friends just bought on Etsy. There’s a weird conflict between the kind of privacy people say they want and the kind of privacy infringement they’re willing to put up with in order to have a personalized online experience. Libraries have largely stayed out of it, but recently I came across this really cool initiative that seems to have a good balance of user privacy and personalized recommendations.


sometimes things are awesome

This project is the brainchild of the Harvard Library Innovation Lab and is being implemented at not only Harvard but a select group of public and academic libraries in the U.S. The concept is simple: Think something is awesome? Return it to a special “awesome box” or flag it with an “awesome bookmark” and library staff will scan it and have it magically appear on that library’s Awesome Page. What you read remains private, but you now have a better sense of what your fellow-library-goers are reading, watching, and listening to throughout the year.

Plus who doesn’t need a little awesome in their day?

What are your thoughts on the Awesome Box? Would something like it fly at St. Mary’s?