Update: Adobe Replies To Privacy Spy Concerns


Update December 29 – Please check out the initial Adobe spying post as well. 

Yesterday we wrote about Adobe (Nasdaq: ADBE) and their potential spying on CS3 customers. The questions were based on screenshots showing a domain "2o7.net", which is owned by tracking firm Omniture. The screenshot (posted below again) shows what appears to be an internal IP address, which it is not. Why would Adobe try to hide the tracking with a fake IP address?

John Nack, Adobe Photoshop product manager, has provided a reply to the privacy concerns. He mentions that Adobe is closed this week, so his reply is the best he could find out while everyone else is away. We appreciate the effort, John. Thank you.

John notes that there are three places that Adobe CS3 reports data to Omniture:

  • The welcome screens in some Adobe apps include a Flash SWF file that loads current news, special offers, etc.  These requests hit Adobe.com servers and are logged, like regular browser-based traffic, by Omniture.
  • Adobe Bridge embeds both the Opera browser and the Flash Player, both of which can be used to load Adobe-hosted content.  These requests are also logged.
  • Adobe apps can call various online resources (online help, user forums, etc.), and those requests are logged.

He concludes with, "Tracking user habits can be a good thing that benefits customers by helping software creators notice trends & improve their tools.  When Adobe has pursued this kind of thing, it’s always been on a strictly opt-in basis."

So John, let me throw it back over to you – you note that I can opt out of the tracking. Where in the installation process is the opt-out screen? Can you post a screenshot of the opt-out screen on installation? And why does Adobe try to hide the tracking by using a fake IP address? Don’t say because that’s how Omniture said to set it up. Thanks!
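
A hostname whose leading labels read like a private IP address, as with the name under 2o7.net discussed above, can be flagged mechanically in DNS or proxy logs. The following is an added example, not code from this post or from Adobe or Omniture; the log format, the sample lines, the digit-lookalike heuristic and the hostname `192.168.1.2o7.net` are constructed for illustration.

```python
import ipaddress

# Letters that read as digits at a glance (a heuristic chosen for this example).
LOOKALIKES = str.maketrans("oOlI", "0011")

# Constructed sample: "timestamp client queried-name" (hypothetical log format).
SAMPLE_LOG = [
    "2007-12-28T10:02:11 10.1.4.23 www.adobe.com",
    "2007-12-28T10:02:12 10.1.4.23 192.168.1.2o7.net",
    "2007-12-28T10:02:15 10.1.4.23 23.4.1.10.in-addr.arpa",
    "2007-12-28T10:02:19 10.1.4.40 8.8.4.4.example.com",
    "2007-12-28T10:02:20 10.1.4.40 cdn1.example.org",
]


def imitated_ip(hostname):
    """Return the IPv4 address a DNS name visually imitates, or None."""
    host = hostname.rstrip(".")
    labels = host.split(".")
    # A real IPv4 literal has exactly four labels; a lookalike needs the
    # four "octets" plus at least one more label to be a resolvable name.
    if len(labels) < 5:
        return None
    # Reverse-lookup names are legitimately numeric; do not flag them.
    if host.lower().endswith(".in-addr.arpa"):
        return None
    octets = []
    for label in labels[:4]:
        # Require a real digit so words such as "lol" are not read as "101".
        if not any(c in "0123456789" for c in label):
            return None
        octet = label.translate(LOOKALIKES)
        if not (octet.isascii() and octet.isdigit() and int(octet) <= 255):
            return None
        octets.append(str(int(octet)))
    return ipaddress.ip_address(".".join(octets))


def scan(log_lines):
    """Return (client, name, imitated address, is_private) per flagged query."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than abort the scan
        _, client, qname = fields
        ip = imitated_ip(qname)
        if ip is not None:
            # A private-range imitation is the more misleading case: it
            # reads as local traffic in a firewall prompt or log.
            findings.append((client, qname, str(ip), ip.is_private))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```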

27 COMMENTS
  1. Dave R. says:

    There is an opt-out for the 2o7.net cookie tracking on the Omniture website:
    http://www.omniture.com/privacy/2o7

  2. Anonymous says:

    Note that Adobe products that have a serial number also write to the Master Boot Record (MBR) of the hard drive during installation.

    One user asked Adobe about this and an Adobe manager said “Licensing is the only piece of software that writes something to the MBR and you will all agree that we can’t do away with that.”

    Another Adobe employee said “I found out from the licensing team and they confirmed that Adobe licensing code writes to master boot record.” and (as part of a thread) “…Adobe’s licensing technology being used by any other Adobe product. I don’t know the exact answer to your question but if you are ok with Adobe’s other product[s] then [product name] should be fine too.”

    I use a separate stand-alone workstation just for Adobe software and disconnect it from the network/Internet because of these types of security risks from Adobe (and a few others such as Microsoft).

    Some Adobe product installation routines REQUIRE Internet access or the installation will fail. Some of those programs DEFAULT to establishing an Internet connection upon launch and even after the user sets preferences not to access the Internet, the program STILL tries to access the Internet upon startup.

  3. Anonymous says:

    I have tried several times to go to the omniture opt out website (http://www.omniture.com/privacy/2o7) but when I click on their link to opt out it is a dead link. It never opens at all..

  4. Pétur says:

    Anonymous on December 29 2007 9:49pm

    I agree with you.

    We must refuse to buy closed source programs; for those of you who MUST continue to use closed source applications, I advise you to check if the laws in your country prohibit you from STEALING the program.

    Many countries outside the USA, including my home Iceland, have no laws against software license theft as long as you’re not profiting from it (you’re not selling fake/generated/stolen serials/licenses).

  5. Anonymous says:

    Software without opt-out is like to require you to learn martial arts just to walk outside your home. Not that we would mind fucking you up, but still.

  6. Anonymous says:

    It’s not just Adobe doing these sneaky tricks. Earlier this year a new version of WordPress came out that does the same thing. They said it was to notify you of updates, yet it sent all kinds of information about your server. Best part is they didn’t want to tell end users that this was occurring. It seems everyone wants to spy on the users nowadays.

  7. Lee Moku says:

    Is not my usage data copyrighted by me, the author, of said usage data?? Does it not reside on my computer? Was it not created by my use of my computer?

    If I own the copyright on the usage data, Adobe is doing nothing more than stealing this data and illegally sending it to third parties (and likely themselves as well).

    Furthermore, as there is no ‘consideration’ in the EULA that the customer receives, the EULA is not a legal contract that would allow any sort of data theft by Adobe. In a legal contract, the customer would receive reasonable and fair consideration for specified use of any personal data. As we know, this is not the case.

    Instead we have Adobe harvesting copyrighted data and sending it out the door without informing the customer nor obtaining the customer’s *written* consent.

    Needless to say, data theft is a very serious crime.

    And it is obvious that Adobe has no interest in doing what is legal, much less acting in the best interests of their customers.

    Maybe the EFF/USGOVT needs to step in here and prosecute Adobe to get them to stop stealing from their customers?

  8. Anonymous says:

    What copyrighted data are they collecting? You don’t own the copyright on how often you open Adobe Photoshop. In fact, that data is not copyrightable. Most data itself is not copyrightable, as copyright is about the fixing of creative expression.

  9. Anonymous says:

    Apple users – download and install Little Snitch (google it). It will prevent any software from calling home. The first time it tries you just say never allow it and then forget it. Adobe says this is needed to help improve the user experience and then says it just logs the time and what software it was – how does that help improve my user experience? They must be recording a lot more information, otherwise it would not be providing anything useful.

  10. John Dowdell says:

    I’m not sure whether this comment will be approved for posting, but there still is more info here:
    http://weblogs.macromedia.com/jd/archives/2007/12/republishing_co.cfm

    John Nack’s blogpost includes a link to a screencapture of the Welcome screen, with its “Don’t ask again” checkbox to turn off resource checks to adobe.com. (Adobe.com does use Omniture to track site requests, just as you use Google Analytics to track this weblog.)

    jd/adobe

  11. centernetworks says:

    Thanks John – that screencapture is just to turn off the welcome screen – does that equal the opt-out? Shouldn’t there be a privacy option upon installation?

  12. centernetworks says:

    oh no – which one was it that she ate? the purple one looked pretty mean compared to the others lol :)

    thanks for the update!

  13. I can always send back the schwag you sent me – BTW: My daughter bit the head off of one of the foam desk people :(

    John Nack recently posted an update on the Adobe blog, realizing he never addressed people’s primary concern – wtf is up with the crazy domain? Check it out.

    To summarize: I don’t know, I don’t know anything about IPs and proxies and stuff (although they really don’t pertain in this situation [sic]). I’ll look into it a bit more.

  14. Dave R. says:

    Opt-out on the Omniture website:
    http://www.omniture.com/privacy/2o7

  15. I have no problem with Adobe phoning home – a lot of apps do it. The biggest issue for me: why Adobe is trying to hide the fact.

    I can’t wait for their response which we can all guarantee will be BS. It’s apparent the feeble attempt at cloaking this is intentional – best thing they can do is fess up to it.

  16. centernetworks says:

    Ok – I will bet you some schwag that Adobe won’t officially say anything about the fake ip address :)

  17. Richard says:

    I find it somewhat disturbing, Michael, that you have no problem with software phoning home. Now it might be completely innocuous – perhaps something as simple as polling for an update (a quick HTTP request of a file which is then checked, if you will); but in the end, at the very least your IP address and typically thus location + time are then logged by some server… and for no particularly good reason unless you -wanted- it to do so.
    However, a lot of software that ‘phones home’ sends more than just an HTTP request. It might send some personal data, usage statistics, set/check/track cookies, etc.
    Think Microsoft’s earlier plans for WGA – phone home regularly, if something is amiss then toss Windows into a reduced functionality mode.. the chances of false positives having made them change their mind on that for the most part.

    I’m part of a software development company, and all of our functionality that automatically accesses the internet is:
    1. disabled by default
    2. easily enabled/disabled by the user from a central location
    3. documented in its own documentation appendix on:
    3.1 what it sends (i.e. default things like HTTP GET headers as well as whatever custom data we send)
    3.2 why it has to send what it sends
    3.3 where it sends it
    3.4 how to disable it
    3.5 what it retrieves
    3.6 why it retrieves it
    4. In its basic network traffic, entirely clear on what it connects to (e.g. “updates.example.com”, and “example.com/news.html”)

    All of the rest of the internet-accessing functionality is non-automatic and thus always opt-in; the user choosing the option being explicit consent.

    I like to think that we’re doing the right thing there.

  18. Anonymous says:

    What benefit do I derive from a company tracking my movement on the Internet without my knowledge?

  19. Anonymous says:

    So apparently nobody here has a clue about web analytics so let’s take a break here. First, half the companies on the Internet of any size using Web Analytics are using Omniture. The company isn’t some secret spying organization or somebody contracted out to do spying for other companies. Their purpose in life is to watch how customers move through websites. They are hired by the websites to do this so that the websites can optimize their sites to help customers out. This isn’t new or anything. Google Analytics is a competitor and it’s a huge market. With a bad website you end up with something like msn.com which is a nightmare to navigate instead of google.com which isn’t.

    The IP address does look like a private IP address but it’s obviously not though I don’t see the problem anyway. Like I mentioned most of the websites you go to use some type of third party analytics company because they want to improve their hosting. You should probably be glad because this is done by a third party company and not Adobe themselves. The reporting back to the companies hiring Omniture/GoogleAnalytics is able to be anonymous in this way. The point is to find out what a bulk of the population is doing… not any one contributor. If they tune their websites to individual browsers they are being completely unreasonable and, for the price paid, that’s not likely. Statistics plays into this.

    Finally let’s think about this a bit more. 99% of consumers don’t have a static IP address at home so what, exactly, is going to be tracked? Has anybody here who is afraid of spying actually looked at the traffic involved? Omniture puts a 2×2 pixel image on websites so that a tiny amount of bandwidth is necessary for the statistical information to be gathered. If you pull up a LAN trace and watch what actually happens it should be fairly apparent what is being sent across the network. Also it doesn’t take more than a couple seconds and a bit of software to block outgoing traffic to undesired websites. NetFilter on *nix and Zone Alarm for windows are some examples here. If nothing else is found with actual evidence, though, the explanation so far makes perfect sense. Most companies have online help because it is easier to update and, since it’s on a website, it’ll be statistically monitored. If the splash screen is also doing the same then Opt Out and watch the traffic from your box go down. The last point was the embedded Opera browser and Flash Player which loads online content… considering that Photoshop’s entire purpose is NOT to be online that’s probably user-initiated activity so instead of being lazy put URLs in a web browser of your own and then watch as Firefox “phones home” to Omniture too. In fact, while you’re on your fact-finding quest see how many sites use “tracking” (like this one does as I quickly review what’s been happening here).

  20. Anonymous says:

    I agree, most activity on the web results in some record of your activity being made and used, usually for benign purposes.

    That entirely misses the point here. If the purpose is benign, which it probably was, why be all sneaky about it with the 192 type address??

    When you try to hide what you’re doing that immediately raises flags. Why try to hide it if it’s innocuous?

    You hide something if you don’t want others to know about it. What’s being done that they feel required to hide the activity?

    I think this is probably just a matter of someone being too clever for their own good. It will be interesting to see what Adobe’s official response is.

    The comments about using this that or the other command/software to ID the activity, see exactly what’s being sent and block the activity also misses the point. I shouldn’t have to have the technical expertise to do that to know what’s being sent out from my machine by a piece of software.

  21. Anonymous says:

    Do not connect your Adobe proc running computer to the internet.

  22. Petur says:

    Anonymous on December 29 2007 9:49pm

    I agree with you.

    We must refuse to buy closed source programs; for those of you who MUST continue to use closed source applications, I advise you to check if the laws in your country prohibit you from STEALING the program.

    Many countries outside the USA, including my home Iceland, have no laws against software license theft as long as you’re not profiting from it (you’re not selling fake/generated/stolen serials/licenses).

  23. Anonymous says:

    I’d be a lot more fucked if I couldn’t do my job. Currently, I cannot do that job with Open Source software. I don’t see how Open Source is some kind of salvation for me. Software is a tool for me, not an ideology. I use what works best. Otherwise I won’t have money, and I won’t be able to eat. That’s pretty fucked.

  24. Anonymous says:

    if you use closed source software, I don’t care if it’s from Microsoft, Apple, nvidia, ATI, Real, etc., if the software is closed source (as most commercial software continues to be today) and you can’t obtain the source and compile the program yourself YOU ARE FUCKED. You don’t know what the program is capable of, no matter how hard the creators of the program stroke their e-penis about how they care about security and privacy. Do you want freedom and security? Go open source where you can audit the programs you use or pay someone to do it for you. Support the FSF and put yourself in control. Stop using these closed source programs, REFUSE to buy from them.

  25. Anonymous says:

    I think it’s important to point out that CS3 is not calling ‘home’, it’s calling some company called Omniture. I don’t recall making any sort of agreement with that company and I don’t want them tracking my usage, behavior, or anything. I certainly don’t want them spamming me with ads when I’ve paid through the nose for some software. I want to opt out and as far as I’ve seen, there is no way provided to opt out. I expect I’ll need to configure my hosts file to block 2O7.

  26. Anonymous says:

    They do have an opt out … but … you would have to first know the spying was going on … and … see beyond the obfuscation involved in the address. Clearly (to me) they wanted to hide this to avoid people opting out. I bet more people would have opted-out, and this might not even have been an article, had the hostname been “user-monitor-7.adobe.net” or such.

  27. Anonymous says:

    What John calls opt-in (choosing to be a part of something) is very different than what is actually going on. This is an opt-out situation, where a user has to be aware of the issue, go out and find the solution, and apply it. In this case, one of the ways to opt-out requires one to accept a cookie from this tracking firm (sort of an opt-in). I’m getting lost in the layers, but more importantly, as I usually delete cookies (for the very concerns I have in the first place with unannounced tracking), I’d have to repeatedly “opt-out”. John, a true opt-in approach would be one that would ask the user for permission on first install, and never execute such connections unless explicitly granted that permission by the user.
