September 22, 2017

Adobe’s Lax Security Raises Concerns About Student Privacy


Privacy around what students read, along with other personal data, may be at risk due to software giant Adobe’s transmission of the data without encryption.

“Adobe is collecting patron data and collecting it in a fairly open way,” says Sara Kelly Johns, president of the New York Library Association. “But they have to protect the rights of students’ privacy. Bottom line, it’s a little bit too easy for the data to be shared.”

Student rights are protected under the Family Educational Rights and Privacy Act (FERPA), which protects the confidentiality of student records. Written in 1974, long before the Internet became today’s digital superhighway, FERPA still maintains an expectation of and a right to privacy for K–12 students.

Like many ebook platforms, Adobe Digital Editions—used by public libraries as well as schools—tracks what users are reading, their personal information, and even where they last finished reading in a book. This way, a user can stop reading on one device and pick up where they left off with a story on another device. In Adobe’s case, however, IP addresses, user IDs, and other details were unencrypted during transmission to Adobe’s servers. That is a particular problem for student readers and, potentially, for Adobe.

School and public libraries understand reader privacy, and information about library usage by students is protected, notes Johns, an instructor at Mansfield (PA) University in the School Library and Information Technologies program. But Adobe has allegedly been collecting readers’ details in plain text without encrypting the data, making it very easy for the information to be captured and read by other parties.

“With [Adobe] sending the information in plain text to their own storage, the potential of it being hacked is much higher than [for] library circulation records,” says Johns. “They claim it’s in their licensing agreement to collect data, that some functionality for the reader would be lost if they didn’t collect that data. But the objection is the way they collect it.”

The American Library Association (ALA) has reacted with terse language after confirmation of Adobe’s “reader data breaches,” according to ALA’s release.

“People expect and deserve that their reading activities remain private, and libraries closely guard the confidentiality of library users’ records,” says ALA President Courtney Young in a statement. “The unencrypted online transmission of library reader data is not only egregious, it sidesteps state laws around the country that protect the privacy of library reading records. Further, this affects more than library users; it is a gross privacy violation for ALL users of Adobe Digital Editions 4.”

With the integration of private companies and our public education system, Capitol Hill has been paying attention. Just this year, Senators Edward J. Markey (D-Mass) and Orrin Hatch (R-UT) introduced a bill, the Protecting Students Privacy Act of 2014, adding safeguards to educational records held by private companies. Several outfits, from Microsoft to Follett, have decided to self-police, signing the Pledge to Safeguard Student Privacy, introduced in October by the Future of Privacy Forum and the Software & Information Industry Association, and scheduled to take effect on January 1, 2015.

For its part, Adobe has stated that it needs to change its procedure around data collection. The company responded to ALA, saying it expects to offer “an update to be available no later than the week of October 20.”

But privacy issues are nothing new in the library world—and affect students and adults alike. Gary Price, a librarian and co-founder and editor of Library Journal’s INFOdocket.com, says that when users borrow an ebook through OverDrive and transfer it onto their Kindle, Amazon then has access to that user’s borrowing records and the notes they’ve made annotating their reading—in perpetuity. He believes most users don’t have any idea how much of their personal information is available.

“Libraries owe it to the end user to explain what is going on,” says Price. “Adobe has the right to do this because of what you press ‘okay’ to [at sign up]. It’s what [librarians] should be doing ethically and what can they do legally. That’s the social issue.”

About Lauren Barack

School Library Journal contributing editor Lauren Barack writes about the connection between media and education, business, and technology. A recipient of the Loeb Award for online journalism, she can be found at www.laurenbarack.com.