December 28, 2007

Adobe ate me baby!!

Ding ding ding!  We have a winner.

Every year around this time, the online community latches onto some story (CS3 icons last year; “Microsoft to buy Macromedia” before that; etc.) and goes nuts with speculation.  The speculation is all the more thrilling given that the affected companies are only lightly staffed right now, making it hard to provide a meaningful response.

This year it’s “Lies, Lies, and Adobe Spies”–a story noting that some Adobe apps contact a Web address associated with Web analytics company Omniture.  The story is getting echoed & amplified on Valleywag (“You’re not the only one watching what you do in Adobe Creative Suite 3… Adobe is watching you, too”), CenterNetworks (“I am not suggesting that Adobe is doing anything wrong…” but then “Shame on Adobe, shame”), Daring Fireball (“Assuming this is true, it’s a disgrace, whatever the actual reason for the connections” [emphasis added]), and I’m sure elsewhere.

Whoa, Nellie.

As I say, now is the perfect time for people to throw around whatever wild assertions they’d like, given that so many people are out of the office and can’t respond.  Even so, I’ve been able to find out a few things.  According to Doug Miller from the Adobe.com team, “Omniture is Adobe’s web analytic vendor for Adobe.com. There are only 3 places we track things via Omniture anywhere in or around our products.”:

  • The welcome screens (these things) in some Adobe apps include a Flash SWF file that loads current news, special offers, etc.  These requests hit Adobe.com servers and are logged, like regular browser-based traffic, by Omniture.
  • Adobe Bridge embeds both the Opera browser and the Flash Player, both of which can be used to load Adobe-hosted content.  These requests are also logged.
  • Adobe apps can call various online resources (online help, user forums, etc.), and those requests are logged. [Update: To clarify, those contacts are made only if the user requests them--e.g. by choosing Help->Adobe Exchange.]

This, as far as I’ve been able to discover, is the extent of the nefarious “spying.”  If I learn anything else when more people get back on email, I’ll update this post.

Now, let’s get down to brass tacks:

  • There are plenty of reasons, from phishing to Facebook to the NSA, to be concerned about & to debate security & privacy.  But when people cry wolf, making no apparent effort to find out the truth (yeah, let’s assume it’s a disgrace–and please don’t ask anyone at Adobe), they actually make it harder to pay attention to the significant issues at hand.
  • I’m a huge advocate of improving the desktop experience through online connectivity.  There are lots of details to get right here as we work to find the right balance between privacy & connectedness.  Let’s absolutely have those conversations–but let’s not drown them out with a bunch of shrill, irresponsible FUD. (That would be a disgrace.)
  • Adobe could and should do a better job taking security concerns into account.  Including Apple’s Bonjour technology in CS3 apps was meant to make it easier for users to connect to their servers, but the company’s (unintentional) lack of communication caused people to suspect the worst (over the holiday break, naturally).  It’s because we know what these technologies are doing that we may not remember to see them as others might, and to explain what’s going on (and what’s not).  As I say, as the line further blurs between the desktop & online experiences, Adobe & all companies will need to do a better job communicating & giving users choices.

And so, at last, I’m pleading for a little common sense, and for people to give Adobe the benefit of the doubt–or at least to check the facts before screaming “Your Privacy Is An Illusion!”

[Update: Please see this update as well.]

Best,
J.

PS–Tracking user habits can be a good thing that benefits customers by helping software creators notice trends & improve their tools.  When Adobe has pursued this kind of thing, it’s always been on a strictly opt-in basis.
PPS–I’m just miffed that if people are going to besmirch a whole company, they don’t also bother to extend the common courtesy of a crude Photoshop job. ;-)

Posted by John Nack at 11:53 AM on December 28, 2007

Comments

  • Erik J. Barzeski — 1:00 PM on December 28, 2007

    I think Adobe could have done better than to not try to disguise the network address as “192.168.112.207.net.” That alone makes it look like you’re trying to “hide” the activity.
    I also think people are perfectly justified in reacting strongly, and that it’s pretty silly of you to criticize them simply by saying “you should be worrying about the many things that are actually bad.” Condescending…

  • Tim — 1:07 PM on December 28, 2007

    I didn’t like Bonjour because Adobe added it to my Startup without telling me and giving me the option to say no. I didn’t like LR adding apdproxy as well. Suddenly I’ve got an additional process running on my PC and I don’t know anything about it. That’s bad form. Anytime something is added to my Startup the software should tell me what it is. Why it’s important and then allow me to say no.
    [That's a fair point. --J.]

  • Mark Alexander — 1:15 PM on December 28, 2007

    John,
    What is ugly about this action is the actual hostname that Omniture is using. The hostname is trying to deceive users into thinking it is connecting to a local server rather than a remote one. Using 192.168.112.2o7.net is a pretty sleazy move. I don’t have an issue with Adobe or others using Omniture, but it would be better if a more honest URL was used, if I may suggest, abode.omnture.com or analytics.omniture.com or even tracker.omnuture.com.
    Thanks,
    Mark

  • Rob Meyer — 2:31 PM on December 28, 2007

    The problem isn’t the connection itself, it’s a poorly chosen domain name. That domain name looks exactly like something a piece of malware or an attacker would use to make a connection blend in and go unnoticed.
    Presumably, that was its purpose here, so it’s not quite obvious that the connection is to a data collection vendor. Granted, that was apparently the vendor’s choice of domain name, not yours. If the hostname were “analytics.omniture.com”, you’d have much less of a problem I suspect.
    Finally, if it’s actually just being requested in the course of webpage loading and they just happen to be your vendor, that’s not quite as bad; more like an accident than something someone did on purpose.
    Still, put pressure on that vendor to fix the domain name; it’s misleading, and that’s a problem.

  • Ben Donley — 2:31 PM on December 28, 2007

    That all makes good sense. So why use a domain name that is disguised as a local network IP address?

  • rocketjam — 2:37 PM on December 28, 2007

    I saw this story this morning, and didn’t worry too much about it since I doubt Adobe’s really worried about what I’m doing, and I’m not using CS3 yet anyway.
    That being said, as you point out, the online community tends to freak when this sort of news comes out, so alerting users when this sort of “tracking” is being used and what for, would tend to cut off the wild speculation in advance.

  • mrmister — 2:39 PM on December 28, 2007

    You’ve missed the point, John. By using the address they have, they’re blatantly trying to trick people into thinking it is a local address. THAT’S the issue, first and foremost. You should amend your post to address that–for some reason your posting here makes no mention of the actual issue people are up in arms about.

  • tripleman — 2:40 PM on December 28, 2007

    None of the three uses that you gave for Omniture tracking have any value for me. Then again, they’re not meant to – they’re meant to have value for Adobe.
    When you add that to the fact that Omniture (and by extension, its clients, Adobe and Apple) obfuscates its outgoing traffic by making it look like LAN traffic, you get someone who is pissed off. It’s not the end of the world, but it’s a piss off.
    The usual explanations of “we’re just trying to be more efficient in targeting you” don’t make me feel any better especially when they only come after their tactics have been exposed.
    I simply expect better from Apple and Adobe, companies whose products I use and love on a daily basis.

  • ben K — 2:46 PM on December 28, 2007

    John: one of the main points that Gruber was addressing on daringfireball, and to which you have not responded, is why the target host has such a stupid/sleazy name: 192.168.112.2o7.net. It certainly seems that this hostname was designed to mislead your users. Smells like bad faith. Why?

  • Konstantinos — 2:58 PM on December 28, 2007

    Well John, if you could tell me why the server is named “192.168.112.2O7.net”, I’d be grateful.
    If you don’t know, would you be willing to take a wild guess?

  • Phelps — 2:58 PM on December 28, 2007

    The issue is not that the app is calling back. Everyone has known that Adobe apps call back since the mid-90s. The issue is that Adobe is having its app call back in a deliberately misleading fashion. By picking an address deliberately crafted to masquerade as a reserved address that is only used for private networks, Adobe has stepped into the black-hat arena. The issue is the deception.

  • Robert McGonegal — 3:02 PM on December 28, 2007

    Fair enough, we can put down our pitchforks and torches then. But what is with 192.168.112.2o7.net? The most charitable answer I can come up with is it’s a “harmless in-joke” being played on us, your customers (who won’t know any better). Ha. ha.

  • Rebby — 3:02 PM on December 28, 2007

    While I understand that it’s true that things of this nature can get sensationalized, you still miss a point that John Gruber brings up. It is one thing for an application to “phone home” or collect various data, and the issues there can be debated. However, to do so by masquerading those connections as local connections, with the 2o7.net domain is something completely separate, and in my opinion dubious at best. And one has to ask himself “why did Adobe try to fool me?”

  • Derek Remund — 3:07 PM on December 28, 2007

    John, What’s disgraceful is not so much the outside connections themselves, but the fact that the destination server is named “192.168.112.2O7.net” in an obvious ploy to defeat local firewalls that are (mis)configured to allow free-flow of supposedly local “192.168.*” traffic. Essentially, these connections are designed in such a way that they attempt to surreptitiously circumvent the security policies that a user has attempted to put in place.

  • Mike — 3:25 PM on December 28, 2007

    So why is it using a web address like 192.168.112.2O7.net, which clearly masquerades as a local area network’s IP address? That’s teh suck we think is lame. Happy New Year, I look forward to next year’s same story and your explanation.

  • Adam — 3:38 PM on December 28, 2007

    The use of a server named “192.168.112.2O7.net” is the problem. I would expect this from a bad windows shareware app – not Adobe. Why not use something like allyourclicksarebelongtous.adobe.com.

  • James Wilson — 3:49 PM on December 28, 2007

    If there is nothing to hide here why give the appearance of deception by referring to a site that looks like a private IP address i.e. 192.168.112.207.net (which looks like an address from RFC1918) instead of something.omniture.com or something.adobe.com? If there is nothing to hide here why give the appearance of trying to hide your tracks?

  • Allen Varney — 4:06 PM on December 28, 2007

    “Adobe apps can call various online resources (online help, user forums, etc.), and those requests are logged.” Heavens, how could anyone equate that with “covertly phoning home”?
    [I don't know, because it's not covert. The app only connects to those things if you ask it to do so, by selecting the appropriate menu item. There's nothing covert about it. --J.]
    Ludicrous. And making the connection (192.168.112.207.net) look like a local domain — that was just Adobe’s little IQ test to make sure we’re paying attention. It was simply harmless fun! How could anyone with COMMON SENSE think otherwise? And anyway, remember, it’s all for our own good.

  • James — 4:09 PM on December 28, 2007

    Thanks very much for the insight.
    However, you neglected to address the main criticism – why is the Omniture server named “192.168.112.2O7.net”? This is clearly designed to look like a LAN IP. This is why people are assuming that Adobe has some malicious intent – if the connections are completely benign, why is it necessary to “disguise” the server in this way?

  • Ren — 4:54 PM on December 28, 2007

    Hey John,
    Thanks for the post, just three questions:
    Why not make this a proper opt-in system with a preference check box?
    [This is a good question. I should have noted that there actually is an opt *out* mechanism: you can switch off the welcome screens (via the Don't Show Again checkbox), in which case they'll no longer appear (or load the SWF that makes the network call). That's different than an opt-in mechanism, though.
    I don't know quite what the right approach is. We want to provide a seamless experience, not one interrupted by lots of worrisome alert dialogs. The importance of getting the experience right will grow as the apps offer more Web-hosted content. --J.]
    Why use an address that is designed to look so much like a local address (192.168.112.2o7.net)?
    [This I don't know. Please see my follow-up post. --J.]
    Can I install something on your machine that contacts my machine with some harmless bits of information?
    [It all depends on what it is, what it's doing, and what's in it for me--which is kind of the whole point here: those are the kind of details we need to be making clear. The obscure address sure isn't helping. --J.]
    Thanks!
    Ren

  • Harvard Irving — 5:11 PM on December 28, 2007

    Yeah, this whole “corporate blogging” thing isn’t working out so well, is it? Every time you post such apologia under your name, it just diminishes your reputation, and doesn’t help the company. It sounds too much like you are toeing the company line, rather than being honest and forthright.
    [Well, I am endeavoring to be honest and forthright, and generally I get a lot of positive feedback about the blog.
    The thing is, I didn't come to Adobe to be anybody's mouthpiece or anybody's doormat. I think it was completely irresponsible for a bunch of news outlets to jump on this story and state that Adobe is shamefully spying on users. The easy corporate shill path would be just to let that go, or to ignore the whole thing. (After all, the product for which I'm responsible--Photoshop--doesn't even display the behavior in question.) I have a problem with scare tactics & mob behavior, though, and I'm going to say so. --J.]
    Aside from the obvious issue of “why should splash screens be tracked in the first place?” Perhaps you could answer me this:
    Why is the address that Omniture uses disguised to look like it’s a local network address? Why not use something like “adobetracker.omniture.net” instead? Why use this crazy “192.168.112.2o7.net”?
    [That I don't know. Per all the comments here (to which I haven't had a chance to respond individually), it seems like a dumb move. It's certainly enough to raise concerns, and I'd like to know more about why it was made. With so many people on vacation at the moment, it may take a little time to find out more. As I said in the entry, I'll post more info as I get it. --J.]

  • Bob — 5:17 PM on December 28, 2007

    I absolutely agree with Gruber: using a server named “192.168.112.2O7.net” puts you in the same category as phishers and spammers. Having an app phone home is fine but tell me, and don’t try to sneak it by me by hiding behind a router-ish URL.

  • James Thomas — 10:48 AM on December 29, 2007

    Since trackbacks don’t appear to be working; http://www.mentallyretired.com/2007/12/29/dear-john-nack-how-dare-you/

  • OdayJuarez Man — 2:33 PM on December 29, 2007

    I found myself in agreement with the explanation, however:
    Adobe’s history of working with the Secret Service to intentionally handicap their software with “anti-counterfeiting features” leaves me skeptical of their credibility.

  • Ron McGowan — 2:34 PM on December 29, 2007

    I don’t think any software should assume it’s OK to use MY broadband connection to phone home without asking first if it can. That they chose such a “Tricky” address makes me think they knew they should ask, and chose not to.

  • Scott — 2:51 PM on December 29, 2007

    I sense a lot of emotion in your post. What are you really hiding, Jack?
    [Umm... I give up; what?
    Here's a little background on the emotion. For the last, oh, 360 days I've been fielding inquiries about Adobe's use of Apple's Bonjour technology. You can read the post & the comments if you'd like more detail on it. The comments usually go like this:
    Commenter 1: Adobe/Bonjour are destroying my Internet connection and/or stealing my information!
    Me: That sounds pretty serious, and we need to be sure that's *not* happening. Please provide some evidence/background so that we can investigate.
    Commenter 1: [silence]
    Commenter 2: Adobe/Bonjour are stealing my bandwidth and destroying my life.
    Me: Again, can you provide some evidence to back up these alarming claims?
    Commenter 2: [silence]
    Commenter 3: [repeat] … (and so on)
    The pattern, in other words, is to make a bunch of scary assertions, then disappear when someone takes those claims seriously and tries to act on them. And this goes on and on, month after month. People keep questioning my integrity & that of my colleagues, yet they run away when I ask for facts.
    It’s one thing when some anonymous person does this & disappears. It’s another when a commercial publication makes totally alarming statements like “Adobe is watching you,” without making any apparent attempts to find out what’s really going on or why. That sucks. It’s irresponsible, and it does a disservice to readers. And I do consider it to be a form of crying wolf: if people fly off the handle without learning what’s happening, they create so much noise that it’s harder to tell what’s serious and what isn’t.
    So yeah, this kind of thing makes me angry. I expect better from journalists, and I’d like to ask for more from readers. *By all means,* let’s take privacy & security seriously (I know I do), and let’s hold everyone’s feet to the fire–Adobe’s obviously included. But let’s *not* indulge in so much cynicism that we assume the worst, without asking good questions & trying to work with the people involved. –J.]

  • b lincoln — 2:57 PM on December 29, 2007

    The use of a fake IP address as a domain name is well below the level of a legitimate professional company like Adobe. It qualifies as clearly unethical, borderline criminal (not legally, but morally), and very similar to the tactics used by Phishers and virus-spreading trojans.
    We own three CS2 licenses and have been loyal Photoshoppers since 2.5. I hope you’ll take the complaints about this nefarious behavior seriously. Whoever thought this one up should be fired because it makes Adobe look like black-masked burglars.

  • Anonymous — 3:18 PM on December 29, 2007

    I know this will likely be censored, but this is just another example of Adobe’s egregiously overreaching then pretending to back off when called on it by the community. Remember Dmitry Sklyarov, anyone?

  • Bob Dole — 3:19 PM on December 29, 2007

    I agree with just about everyone here… using an address “192.168.112.2O7.net” is a red flag. No one with good intentions does this.
    I don’t mind if any given piece of software has a routine to phone home for updates, stats, and even some limited usage stats. But it better be up front, and honest, about what it’s doing.
    What I do with MY computer is generally MY business and if I choose to help development by providing info, I will- but at MY discretion.
    This is just reinforcing the public’s distrust in closed-source software. I for one, will keep Paint.Net around until the bad taste in my mouth goes away.

  • padawan — 4:13 PM on December 29, 2007

    Disclaimer: I’ve been a happy Omniture customer for several years and they’re providing good tools and services.
    Amazing that almost everybody misses the right responsible third party: Omniture. Adobe is using Omniture SiteCatalyst to gather some simple web analytics, which, as explained in this post, are not always reduced to web pages visited with a web browser. Adobe has ZERO choice about which tracking server they have to use, all they can do is use Omniture’s code exactly as provided to them. They cannot change it without losing support and, in fine, reliability in the stats. If you dig a bit deeper, you will find that 192.168.112.2o7.net does not resolve to a single IP but a set of dynamic IPs depending where you are, so Adobe has really NO choice about that (such as replacing this name with a numeric IP).
    This said, the only criticable thing here is the “hack” used by Omniture in naming one of their tracking servers using what looks like a non-routable local IP. That question (and furor, hysteria, whatever) should be directed at Omniture, not Adobe.
    This said, since all they gather boils down to simple web metrics akin to page views, errors, time to load, etc. (aggregate numbers they use to track patterns and issues with their apps, exactly as anyone serious would do with a web site), and since the Omniture trick would not fool many F*cking Stupid Firewalls™(*) out there, I for one would argue that 1) this is definitely much ado about nothing, 2) the rest will just be an exercise in crisis communication (which, unfairly, will be more painful for Adobe than for Omniture, thanks to clueless bloggers and journalists :p).
    (*) I wonder how many of those who are up in arms about the 192.168.* trick bypassing (really stupid) firewalls, are also complaining that their company F*cking Stupid Firewall™ also prevents them from surfing freely on the interwebs :p.

  • Checkmate — 5:52 PM on December 29, 2007

    I really don’t mind if software developers want to know about my computing or browsing habits and I will gladly let them collect that information-If they ask me in advance!
    [Be that as it may, I feel compelled to note (again) that the behavior in question isn't tracking your computing or browsing habits beyond noting that an app was launched at a specific IP address. --J.]

  • human — 5:52 PM on December 29, 2007

    If you care about our security and privacy, put up or SHUT UP! Release the source code of these programs and make them all open source. I don’t trust anything a person says, I trust THEIR ACTIONS. Go ahead, keep this comment from being seen or just make a stupid comment after publishing it to make you feel better. Closed source is a joke.

  • johannes rexx — 6:00 PM on December 29, 2007

    Software that contacts the Internet without the user’s explicit knowledge is out of line. It is never in the user’s interest, it is in the vendor’s interest. Ergo every Adobe app needs an explicit consent preference and an overt indication that it is going to the Net. Photoshop is not among them.
    Adobe lost me when it informed the KGB^H^H^HFBI about Elcomsoft’s Dmitry Sklyarov visit to Amerika and had him put in jail! That is evil, Adobe has done evil, and I neither buy nor recommend products from evil korporations.
    Now I understand that Adobe requires “aktivation” for products already purchased? No, I don’t think so, you greedy leeches. I’m going with low cost or open source tools like GIMP, Pixel, and Pixelmator.

  • Lee Moku — 6:01 PM on December 29, 2007

    For a long time Adobe has shown a very fundamental lack of respect for its customers.
    Like Microsoft, Adobe does what it wants and uses monopoly power to shove it down the throats of their customers. Yes, Adobe does have monopoly power in content creation.
    So today, we have the revelation that Adobe is data harvesting without informed consent. In the broad sense, spying. Though the term “data piracy” may be more appropriate.
    While this revelation is another betrayal of the customer, it does not come as a surprise that Adobe has riddled their applications with spyware.
    And so Adobe continues to build the case that their own destruction *is* “a just cause” for others to take up.
    Sadly, this is a waste of all the good things that the people of Adobe do to build useful, sometimes even enjoyable, products.
    Let us only hope that the new year brings new resolve in the people of Adobe to better themselves, to do more good in the world, to fix the things they have done wrong and to do right by the people they have done wrong by in the past.

  • Frank MacGill — 6:55 PM on December 29, 2007

    John, Could you suggest how to obtain a complete listing of all internet access behaviours embedded into each Adobe product?
    Thanks.
    [Frank: I don't know how I'd go about doing that, but let me think about it. There's the obvious fact that the company makes quite a few products that are all built and managed by different groups. Beyond that, it's hard to guarantee that someone hasn't forgotten to list something (not intentionally, but because the inquiry hasn't reached all the right people). Anyway, it's a good question/request in terms of restoring customers' trust, so I'll see what we can do. --J.]

  • dave™© — 7:09 PM on December 29, 2007

    The thing is, I didn’t come to Adobe to be anybody’s mouthpiece or anybody’s doormat.
    Well, now that you are, how do you like cashing the checks?
    [I guess that's in the eye of the beholder. My take is that I'm trying to engage in a meaningful discussion of important issues, sharing what info I have & looking for more. If people want to be cool about that, great; if they want to be smug & hostile, there's not much I can do about it. Either way, I don't roll over. If I go silent in responding to some of these posts, it's just because the number has become overwhelming, and I've decided to spend part of my remaining holiday break getting out of the house! --J.]

  • CoporateEgo — 7:42 PM on December 29, 2007

    I think John Nack is dishing out a bunch of garbage. Adobe knows exactly what they are doing and it is for their benefit only. They want total control of their software on your system.
    As an example, look at Adobe Reader 8. Notice beginning with version 8 they removed the option to disable automatic update. Wonder why. Now when your software is communicating with Adobe servers, you really have no idea what is being communicated and no way to disable it.
    I personally removed all Adobe software from my systems for that reason alone and found excellent alternatives.

  • Jeremy L. Gaddis — 10:27 PM on December 29, 2007

    Ironically enough, a few days ago my boss and I were talking about this exact thing. During a phone conversation with one of our software sales reps where we were inquiring about “network licenses”, he told us that the CS3 applications do, indeed, “phone home”.

  • Rodney — 11:30 PM on December 29, 2007

    So would you care to explain why the packets going back to omniture contain the serial number of the Adobe product?
    Hmm??
    Sounds like you’ve been caught out red-handed, to me.
    ———————-
    GET /b/ss/mxcentral/1/F.3-fb/[sn-here]?[AQB]&purl=mm&pccr=true&c2=dw&c3=9.0&c4=win&c5=en&c6=full&c7=&c8=&c9=dw_9.0_win_en_full__[AQE] HTTP/1.1
    Referer: http://www.adobe.com/startpage/dw_content/dw_90_full_default.swf?prod=dw&ver=9.0&plat=win&lang=en&stat=full&tday=&spfx=&productName=dreamweaver [adobe.com]
    x-flash-version: 9,0,45,0
    User-Agent: Shockwave Flash
    Host: 192.168.112.2O7.net
    ————–
    which returns a 2×2 pixel blank GIF.
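
Added example, not part of the original post or of any comment: a Python check for two points raised in the comments above, namely that a wildcard rule such as `192.168.*` (Derek Remund's comment) matches the `Host` value in the quoted request (Rodney's comment) as a string, while real address parsing does not. The function names, the lookalike character map and the abridged sample request are assumptions made for this illustration.

```python
import ipaddress
import re
from fnmatch import fnmatch

# Abridged from the request quoted in the comment above; "[sn-here]" is the
# commenter's own placeholder. Header order and line endings are constructed.
SAMPLE_REQUEST = (
    "GET /b/ss/mxcentral/1/F.3-fb/[sn-here] HTTP/1.1\r\n"
    "x-flash-version: 9,0,45,0\r\n"
    "User-Agent: Shockwave Flash\r\n"
    "Host: 192.168.112.2O7.net\r\n"
    "\r\n"
)

# Letters that read as digits at a glance. Assumption: a small illustrative
# map, not a complete confusables table.
LOOKALIKES = str.maketrans({"o": "0", "O": "0", "l": "1", "I": "1"})
OCTET_LIKE = re.compile(r"[0-9oOlI]{1,3}")


def host_from_request(raw):
    """Return the Host header value of a raw HTTP/1.1 request, without port."""
    for line in raw.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return re.sub(r":\d+$", "", value.strip())
    return None


def naive_rule_allows(dest, pattern="192.168.*"):
    """The misconfiguration: a 'local traffic' rule applied as a string glob."""
    return fnmatch(dest, pattern)


def is_private_literal(dest):
    """True only when dest is a literal IP address in private address space."""
    try:
        return ipaddress.ip_address(dest).is_private
    except ValueError:
        return False  # a DNS name is never an address literal


def mimicked_ip(hostname):
    """Return the IPv4 address a hostname's first four labels imitate, or None."""
    name = hostname.rstrip(".")
    labels = name.split(".")
    # Need four octet-like labels plus at least one real DNS label; reverse-DNS
    # names legitimately start with octets, so they are excluded.
    if len(labels) < 5 or name.lower().endswith(".in-addr.arpa"):
        return None
    head = labels[:4]
    if not all(OCTET_LIKE.fullmatch(l) and any(c.isdigit() for c in l) for l in head):
        return None
    try:
        return ipaddress.IPv4Address(".".join(head).translate(LOOKALIKES))
    except ValueError:
        return None  # e.g. an "octet" above 255


def classify(dest):
    """Label a destination the way a proxy or firewall log review might."""
    try:
        ip = ipaddress.ip_address(dest)
        return "private-literal" if ip.is_private else "public-literal"
    except ValueError:
        pass
    ip = mimicked_ip(dest)
    if ip is not None:
        return "lookalike-private" if ip.is_private else "lookalike-public"
    return "hostname"


def audit(raw_request):
    """Summarise how each check treats the Host of one captured request."""
    host = host_from_request(raw_request)
    imitated = mimicked_ip(host)
    return {
        "host": host,
        "naive_glob_allows": naive_rule_allows(host),
        "private_literal": is_private_literal(host),
        "imitates": str(imitated) if imitated else None,
        "classification": classify(host),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_REQUEST).items():
        print(f"{key}: {value}")
```

The glob accepts the name because it never parses it; a rule keyed on parsed addresses treats it as an ordinary public DNS name, and the lookalike check gives a log reviewer something to alert on.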

  • John Danielson — 11:37 PM on December 29, 2007

    I’ve included J’s response to Checkmate to ask a question.
    [Be that as it may, I feel compelled to note (again) that the behavior in question isn't tracking your computing or browsing habits beyond noting that an app was launched at a specific IP address. --J.]
    Doesn’t the call home include the serial number of app, thus tracking the individual user? Statistics are being gathered at a very low level.
    [As I've said, I'm working to gather more info about exactly what's going on. Everything I've stated so far reflects what I've been able to learn up until now. To your point, though, I'll refrain from making statements about what is or isn't going on until I have some more authoritative answers. --J.]

  • Lee Moku — 1:03 AM on December 30, 2007

    I will volunteer what we do to help keep companies like Adobe and Microsoft in check.
    All internet access goes through a proxy. There is no way to get out of the LAN without going through a proxy (short of hacking the firewall/proxy server). Adobe update cannot connect. Microsoft Office data-upload cannot connect. Microsoft update/upload cannot connect, etc.
    All access to get out of the LAN is via a username and password that is unique for each application. This way when any application uses the proxy, it is easy to see in the proxy logs.
    The proxy also makes it easy to see what companies are illegally trying to hack their way out of the LAN onto the internet.
    Note that if any company’s software attempts to hack out of the LAN, it is a federal crime, i.e. circumventing the protection of my company’s copyrighted intellectual property.
    Additionally, as Adobe has put data gathering into their software and the use of this data gathering software is not permitted through any legal contract, Adobe can be held liable for any data security breach on my network due to contributory negligence, willful infringement of federal data protection laws, willful disregard of the DMCA, Net Act, etc.
    Overall, it is not in Adobe’s best interest to put any sort of spyware on its customers systems. There should be some separate software that can be downloaded via an opt-in program that is covered by a detailed *written* contract. Anything less and Adobe is holding a legal gun to their own head.
    My guess is that Adobe will have to be sued big time before the company decides to change their policies.
    So tightly controlled internet access will be a good investment.
    Lastly, I would like to say “good job on the blog, John.” I understand that you have to stick to the party line or you will lose your job. In the future, I hope things change so that the people of Adobe can do right by the customer and not have to fear for their jobs.

  • Justin Bell — 1:57 AM on December 30, 2007

    If all this is a misunderstanding, then what’s with the funny IP address?
    Perhaps you could choose your outsourcing more carefully?
    And maybe you should also give many of the more sane reactions the benefit of the doubt, too. Because Adobe, like many large companies, doesn’t have a good record when it comes to questionable practices regarding intellectual law and fair use, and that makes people a lot more suspicious — with good reason, perhaps.

  • Hot — 2:44 AM on December 30, 2007

    The conclusion:
    John writes a blog post which seems to explain himself or account for his actions. Now here’s the key, he has not responded to comments. This is typical amongst those that use the “web 2.0” to disguise their true motives, profit.
    [Are you kidding me?? Have you read *any* of what's on this page? Crazy... --J.]

  • mike — 4:46 AM on December 30, 2007

    192.168.112.207.net, really? That’s just low. Also uncool is how you twice mentioned that this story broke in december because that’s when the Adobe offices are almost empty. Whatever, Adobe tried to hide this and got what it deserved. If you try to trick the people, then you should just have a damage control PR person 365 days in the office to deal with this. Otherwise, too bad for Adobe. Don’t forget we paid Adobe $1000 for the bloated CS 3 including this crap.
    CS 3 is NOT the best software. There is so much crap in it that has nothing to do with the tasks I use CS 3 for that it is becoming very annoying. This thing is a very good example of that. Please consider making CS 4 about performance and ease of use, not about features. Thanks!

  • James E. Talmage — 5:46 AM on December 30, 2007

    I’m a huge advocate of improving the desktop experience through online connectivity.
    How ’bout if I, who buy your products don’t want my desktop experience “improved through [your idea of] online connectivity?”
    [That's perfectly fine. As I've said repeatedly on this page, we need to strike the right balance between connectedness & privacy. I've frequently reminded people who want to shove everything online that, guess what, not everyone wants to be connected. The trick, I think, is to make the benefits of connectivity present in a way that's not invasive & also not annoying ("May I kiss you now? May I touch your shoulder now?..."). --J.]
    How ’bout improving the user experience through programs that work right? For just one example, have you tried the Outline Stroke command in Illustrator CS3 lately, Mr. Nack?
    [No. I trust you've mentioned it to people who work on that product. --J.]

  • luser — 5:59 AM on December 30, 2007

    did alberto gonzales write this uninformative rubbish? obviously you arent connected on the software side. you sound like a crap producer that doesnt know the product he works on and spends his time at work minnowing upstream, roman style, and blogging about pr shit about a company whos inner workings you are clueless about.
    [Don't forget to thank your mom for the continued use of her basement. --J.]

  • Wade Zimmerman — 10:16 AM on December 30, 2007

    Regardless of what the motive or intentions are the user of your customers methods and habits are their business unless they wish to share and participate and many do as is evident by the Adobe User to User Forum and public betas.
    It might not be in the end a big deal, but if it were a choice to opt in there may be a way to make it worthwhile for a user to opt in.
    Say at the end of each cycle through a random drawing of all the users, regardless of how often they launch an Adobe Application, two were selected to receive free software one a Creative Suite of their choice and the second one a Master Collection.
    I think it is probably a healthy thing to ask the users to assist in improving the product through participation rather than to just opt everyone in.
    The welcome screen has some good potential as a tool it will die if everyone turns it off. And under the circumstances it will probably be turned off by any serious user and for good.

  • John Q Public — 10:41 AM on December 30, 2007

    The obvious question to me is, if you want a pretty splash screen for an app why not include it in the app?
    Seems like the only reason to grab it from the net is to track your users.

  • John Dowdell — 10:53 AM on December 30, 2007

    Frank MacGill wrote, a ways above:
    “John, Could you suggest how to obtain a complete listing of all internet access behaviours embedded into each Adobe product?”
    Like John Nack, I don’t know of any immediate resource, but I agree that such ahead-of-time transparency is the best defense against internet memestorms like this.
    (For what it’s worth, uneasysilence.com has finally approved my early reply there, which was sent three days ago, before this story hit Techmeme. It’s a step…. ;-)
    jd/adobe

  • larue — 11:29 AM on December 30, 2007

    [...the behavior in question isn't tracking your computing or browsing habits beyond noting that an app was launched at a specific IP address. --J.]
    When I open an app on my computer and what IP address I am using is none of Adobe’s business. None. Excuse me Adobe… can you hear me? NONE. That means you are spying on your customers. And why are you spying on your customers? You say it is for the customers’ benefit (interesting concept… I pay you to spy on me for my own benefit…).

  • ironfist — 2:32 PM on December 30, 2007

    With this spyware built-in you would think your CS3 was pirated. With a nice trojan as an added bonus!

  • Magic5ball — 3:10 PM on December 30, 2007

    @padawan: That’s the most sensible thing I’ve read here. I don’t understand why it would be Adobe’s problem that users/vendors lack a sufficient grasp of domain name standards to configure a proper firewall or to analyse logs correctly.
    @Lee Moku: What is your phone number to which Adobe and others who have to support Adobe products should direct technical support calls about your scheme? Alternately, which third-party corporate entity do you trust to develop, distribute and support such a proxy? In either case, how much more would you request that the 99% of customers who don’t care about this issue pay for their Adobe products to develop and provide the type of infrastructure you describe?
    @192.168.112.207.net is teh evilz!!11! copy and paste kiddies: Why are you so comfortable spewing alarmist media trivia (the criticism here does not quite amount to the sophistication required for groupthink)? Even if you are entirely right about this issue, what solutions have you proposed to resolve this? Lee Moku at least rises to the level of having thought about the issue critically to provide a technically valid, but potentially expensive solution; what about everyone else?

  • Alexey Petrovsky — 5:04 PM on December 30, 2007

    Every step you’ve done in the two message on issue are wrong.
    John, why not create an halo of desire around the issue? Why not put shiny clothes the discussed feature; drape it accordingly.
    Par example, the user tracking can be put as a additional channel to get in touch with creative people (those who are use Adobe products). Use invites to some service; maybe, give discounts on future products.
    Well, if your intention to send this a half-of-kilobyte of some private data SO strong, why not pay back to the user some way or another for having him expose something about his behavior (time, location, habits can be intersected between 2o7 partners and put into an user mosaic that can be broken some day by an teenage hacker)?
    Your so patronish tone distract already cracked image of Adobe and not welcome to ‘genuine and informative talks’.
    Also, you may leave reply to the comments right after the comment, with quote exact words you discuss.

  • Walter Hawn — 6:00 PM on December 30, 2007

    Aside from the tacky behavior and contemptuous thought behind the ‘local’ IP address issue, the *other* and very serious issue is this: Adobe thinks it has the right to know when I’ve opened an app. It does not. It’s my app, it’s my ‘puter, and it’s my dime. And, for Adobe apps, it’s a damned big dime. If Adobe wants to know when, how often, and where I use an app, it can send me a survey card. I’ll answer as and when I choose.
    And, John, the ‘preview’ function for comments on this blog *really* needs work. Send me an email, I’ll tell you what needs fixing.

  • rommel — 7:30 PM on December 30, 2007

    “it’s always been on a strictly opt-in basis.”
    I don’t recall seeing this option during installation. Or is this one of those illusions you mentioned?
    [I was referring to programs for the tracking of user activity (logging the menu items you choose, how you use apps together, etc.). Those programs can be valuable for software developers as they reveal usage patterns, and many people are happy to participate. They've always been conducted on an opt-in basis.
    Note that those efforts have nothing to do with the behavior discussed in this thread. --J.]

  • Darksurf — 9:36 PM on December 30, 2007

    I think it was stupid enough not to explain the situation right away.
    First off they tried to hide/disguise the communication from the application.
    Second, the first time they were asked, they said “oh that’s just the automatic update feature” = LIE and they stuck with it.
    3rd then they came clean and told everyone = CAUGHT IN A LIE
    [Who said anything about an automatic update feature? Such a feature exists, but it's separate from the apps & behavior being discussed here. --J.]
    That’s all suspicious behavior, of course people are mad! They trusted a company that abused their trust. They could have at least added a feature that would have asked whether or not you wanted this data transmitted, then it would have all been OK. Then it wouldn’t seem like they were trying to be sneaky when our backs are turned.

  • Todd Sieling — 7:23 AM on December 31, 2007

    If people hadn’t raised a fuss about this, I doubt that interested people would be hearing from the product manager. It’s kind of a shame, though, that the response comes with such a dismissive tone.
    [Please look at what I wrote. I'm not dismissing legitimate concerns. I do, however, take exception to irresponsible, inaccurate fearmongering. There's a huge difference, and both have been on display in this situation. --J.]
    Any URL that uses such a deceptive construction is suspect, and Adobe could have done better to pay respect to that concern rather than the open disdain. I wouldn’t want to be called in to respond to this over the holidays, but then I also wouldn’t partner with companies that use deceptive tactics to mask their network activity.

  • Lee Moku — 1:39 PM on December 31, 2007

    ” Magic5ball — 03:10 PM on December 30, 2007
    @Lee Moku: What is your phone number to which Adobe and others who have to support Adobe products should direct technical support calls about your scheme? Alternately, which third-party corporate entity do you trust to develop, distribute and support such a proxy? In either case, how much more would you request that the 99% of customers who don’t care about this issue pay for their Adobe products to develop and provide the type of infrastructure you describe?”
    It is my belief that each company/individual should make an informed decision on what level of data theft risk they are willing to accept.
    In the case of “low risk” then you run a LAN that has no connection to the internet.
    In the case of what I will call “medium risk”, you use an open source proxy such as Squid that is used by many people and has been reviewed by many eyes. When configuring this proxy, you will use an authentication mechanism that is secure and gives a unique username and password to each application.
    Squid is what we use. On a dedicated box that also runs Snort for intrusion protection, a firewall, a virus scanner, etc. These are all elements of risk management.
    In the case of “high risk”, you can run what is essentially an open connection to the internet. This sort of “high risk” environment is what enables Microsoft, Adobe, eBay/Skype, BitTorrent Corp. and many others to harvest your data. Any software with “automatic update” is a legitimate data theft threat.
    Needless to say, I would not consider any closed source security system to be anything other than “high risk”.
    Certainly there will be some people that listen and pay attention to the sort of data harvesting issue we are talking about here and put in place appropriate risk management.
    Others will shine it off and decide that they will simply let their chips ride and hope for good luck.
    In the bigger picture, I hope everyone understands the fact that we have John’s blog and Adobe involvement is itself a very positive thing. Adobe has had nothing like this in the past. I know firsthand that there are a lot of good people at Adobe who want to do right by the customer. But there are some old mindsets that are difficult to change. John’s blog helps Adobe gain understanding and is a good step towards being able to change, even if the change itself takes time.
    And let us not forget that we are looking at a brand new year. Hopefully we will see Adobe build on blogs like John’s and start to make their software and their relationship with the customer friendlier. I know this would make a difference for a lot of people, both inside and outside Adobe.
    Cheers! :-)

  • Joolz — 2:33 AM on January 01, 2008

    I agree with the basic point (the IP address) that is upsetting many people, including myself.
    However, I am appalled with the personal attacks on John Nack. What – for example – is the point of this diatribe…
    > Every time you post such apologia
    > under your name, it just diminishes
    > your reputation, and doesn’t help
    > the company.
    What a load of nonsense. In this case, the alternative would be that no one engages us at all.
    While I have my own issues with Adobe, I’ve always been grateful for the fact that John Nack has been willing to engage us. Quite often he has put himself on the front line where others haven’t dared, and (as in this case), he has been the only point of contact. How on earth does that diminish his reputation?
    His product isn’t affected and like it or not, it actually is the Christmas break and workplaces actually really do tend to be empty. If he doesn’t come back with the promised info after Christmas, then get mad or whatever, or get mad at the product managers from the affected products who were nowhere to be seen while John Nack held the fort alone.
    Please. Those of you slinging insults and abuse are demeaning the rest of us out.

  • Jerry Leichter — 8:34 AM on January 01, 2008

    re: Adobe has no choice in how this technology works, people should complain to Omniture, not Adobe.
    Complete nonsense. Buying CS3 doesn’t make me a customer of Omniture. I pay them nothing. They owe me nothing. I may not like what they do, but I have no agreement with them, explicit or otherwise.
    I *do*, however, have an explicit agreement with Adobe – an agreement involving paying them quite a bit of money. With that money comes complete responsibility on their part for *their* product. If they are not happy with the way Omniture does business with *Adobe’s* customers, they can insist that Omniture change its ways. If they don’t, Adobe can go elsewhere.
    If you find a dead roach in your McDonald’s hamburger, would you accept the explanation, oh, we buy our chopped meat from X Meat supply – head office in Brazil; call them, don’t bother us?

  • Kay A. — 3:27 PM on January 02, 2008

    And who are we supposed to ask at Adobe in order to avoid looking like idiots in your infallible eyes?
    [Well, not jumping down my throat with a bunch of hostility is always a good place to start. --J.]
    Is there a special phone number we can call every time we notice one of your applications doing something retarded? Lord knows we get so many useful responses from reporting bugs on your existing support forums, and you’ve given us so many reasons to trust everything Adobe says and does without question.
    [No one asked anyone not to question. What I requested was the benefit of the doubt. I also asked that online outlets wanting to retain some credibility do a little homework before stupidly repeating things like "Adobe is watching you." But "If it bleeds, it leads," and given that people make their livings from driving up their Web stats, this trend is likely to continue. --J.]
    Yup, Adobe’s moral compass is always pointed in the right direction. Where’d that FedEx button go again? I forgot.
    [So, you're citing the company's decision to change a product in response to & accordance with customer feedback as an example of evil? That's certainly a novel approach. --J.]

  • Bradley Gibson — 8:21 PM on January 02, 2008

    Wow, what a complex issue.
    First of all, John, kudos for posting the details of what’s going on in an effort to clear up the confusion. I know it feels like it is a thankless task, but rest assured your efforts are appreciated.
    That being said, after reading your post as well as all of the comments, I find myself in agreement with the ‘obfuscation scares me’ camp. I second Mark Alexander’s Dec. 28th post.
    I’m happy to hear nothing nefarious is going on, but it would be nice if the whole process was transparent.
    Happy new year, and best wishes,
    Brad

  • Stephen Prince — 7:40 AM on January 03, 2008

    Human beings are just Chimps with a thumb. If Adobe doesn’t take that into account when creating their apps, then they get the paranoid ” Chimp ” reaction.
    Monkeys are always worried about their territory. Try to get that into your head Adobe.

  • Paul — 8:12 AM on January 03, 2008

    …Chimps with a thumb?
    And with intelligence, free-will, a conscience, emotion, creativity, passion, understanding, wisdom. Not all of which are exclusive to humans, but the proportion and depth and breadth of these is incomparably huge in comparison with chimps! No, they’re humans! That’s what’s more difficult to accept, Mr Prince!

  • josef — 11:00 AM on January 03, 2008

    this thing makes me stop from further using adobe products and products using macrovision protection in our company.
    [The issue in question here has nothing to do with Macrovision and/or product activation. --J.]

  • 'a stro' — 11:45 PM on January 03, 2008

    Ever heard about ULEAD software? The only right nobody can take away from us, as customers, is … making different choices.

  • Bensch — 3:00 AM on January 04, 2008

    “Uneasy Silence reports that Adobe CS3 apps are phone home periodically with connections to “192.168.112.2o7.net” — a web server whose name is clearly designed to look like a local area network IP address (particularly when the “o” is capitalized in “2o7.net”).
    This is a disgrace, whatever the actual reason for the connections.”
    That’s the _whole_ blog entry of Gruber on daringfireball. Citing just the last line is misleading…
    [I linked back to the article for those who wanted to read the whole thing, and I didn't appreciate the quick-to-slam tone of it. --J.]
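An added example, not part of the original thread and not Adobe's or Omniture's code: a log check for the two things discussed above, the hostname Bensch quotes and Magic5ball's point about reading logs correctly. It separates a real IP literal from a DNS name whose leading labels merely resemble one. The function names, the digit look-alike map and the sample lines (laid out like Squid's native access.log) are assumptions made for this illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Letters that can stand in for digits inside a label. Assumption: a small
# illustrative map, not a complete confusables table.
DIGIT_LOOKALIKES = str.maketrans({"o": "0", "O": "0", "l": "1", "I": "1"})

# Constructed sample lines (not real traffic); 203.0.113.0/24 is a
# documentation range and the URL paths are placeholders.
SAMPLE_LOG = [
    "1199000000.123 45 10.1.1.20 TCP_MISS/200 512 GET "
    "http://192.168.112.2o7.net/constructed/path - DIRECT/203.0.113.10 image/gif",
    "1199000001.500 12 10.1.1.20 TCP_MISS/200 1024 GET "
    "http://192.168.112.207/status - DIRECT/192.168.112.207 text/html",
    "1199000002.750 30 10.1.1.21 TCP_MISS/200 2048 GET "
    "http://www.example.com/index.html - DIRECT/203.0.113.20 text/html",
    "1199000003.900 30 10.1.1.21 TCP_MISS/200 0 CONNECT "
    "10.0.0.1.example.net:443 - DIRECT/203.0.113.30 -",
]


def classify_host(host):
    """Return (kind, address, is_private) for a host taken from a URL.

    kind is "ip-literal" for a genuine address, "ip-lookalike" for a DNS
    name whose first four labels read as an IPv4 address, else "hostname".
    """
    host = host.rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
        return ("ip-literal", str(ip), ip.is_private)
    except ValueError:
        pass  # not an address, so it is a DNS name; inspect its labels

    labels = host.split(".")
    # A look-alike needs four "octet" labels plus at least one more label,
    # which is what makes it a public DNS name and not a LAN address.
    if len(labels) >= 5:
        head = labels[:4]
        # Each label must contain a real digit, so "lol.o.o.o.com" is ignored.
        if all(any(c.isdigit() for c in label) for label in head):
            candidate = ".".join(l.translate(DIGIT_LOOKALIKES) for l in head)
            try:
                ip = ipaddress.IPv4Address(candidate)
                return ("ip-lookalike", str(ip), ip.is_private)
            except ValueError:
                pass
    return ("hostname", None, False)


def scan_log(lines):
    """Return (client, host, mimicked_address, mimics_private_range) tuples
    for every request whose destination is an IP look-alike hostname."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # not a complete record
        client, url = fields[2], fields[6]
        # CONNECT records carry "host:port" with no scheme.
        host = urlsplit(url if "://" in url else "//" + url).hostname
        if not host:
            continue
        kind, mimicked, private = classify_host(host)
        if kind == "ip-lookalike":
            findings.append((client, host, mimicked, private))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A firewall or proxy rule keyed on RFC 1918 ranges treats the second sample line as internal traffic, while the first and fourth resolve through public DNS, which is why the check reports only those two.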

  • Marc Klein — 4:16 AM on January 04, 2008

    I have noticed some really strange “features” by using Adobe applications during the last months. This is the reason why I am working most of the time “offline” by “pulling the plug”. This way, I am able to work more creatively, efficiently and productively.
    [Um, could you elaborate on that? What behavior are you seeing, exactly? --J.]
    graphically & sincerely,
    ” Software & Madness ”
    Marc Klein

  • Marc Klein — 3:17 PM on January 08, 2008

    So please, give me a reasonable explanation why I needed to register my CS2 apps again when I returned to France after my trip to Germany?
    [I'm not sure whether what you're referring to below as "registration" is actually "activation"--a different process. Registration is a voluntary process that involves you sharing your personal info; activation is a mandatory, anonymous process that authorizes use of software on your machine. --J.]
    I took my PowerBook with me for the holiday in order to finish some work. After my holiday, I wanted to start working again on my Apple G5 computer.
    I arrive back in France, I switch on my G5 workstation, started Photoshop and blubbb, I needed to go through the entire registration process once again. I had to do the registration process twice which is strange enough.
    Step 1. I did the software registration over the internet. Adobe said, thank you for registration.
    You are now allowed to work with your purchased software from Adobe and are able to continue doing your homework.
    [It's not necessary to register in order to use the software. It *is* necessary to activate it, which is what makes me think you're talking about the latter. --J.]
    Wow, thank you Adobe.
    Step 2. I closed the Adobe app after registering. I launched the Adobe app once again and I see the Adobe registration process popping up once again!
    [Could it be that you were first prompted to activate (which doesn't involve filling in your name, address, etc.), and that later you were prompted to register (which does involve that info)? I can see where this could be confusing. --J.]
    Step 3. I registered my Adobe CS2 suite AGAIN. And this time Adobe was so “intelligent” to remember my registration process.
    Conclusion. It is NOT Adobe’s business to know WHEN, I am working on my machine, IF I am working on my machine, IF I am working on my PowerBook or my G5 workstation and for sure it is NOT Adobe’s business to know from WHERE I am actually doing my job.
    [None of what you've described leads me to think that Adobe is tracking whether you're working on your machine, or where you're doing it. Activation *is* required, but it should be a one-shot deal. (If it isn't, it's likely that some other process on your system has changed the machine configuration, causing re-activation to be necessary.) --J.]
    The other question would be.
    Why DO I have to register your software over the internet anyway if I have purchased the software through your online store by downloading the files from ADOBE’s website and getting the serial number directly from Adobe?
    [I don't know. Maybe the systems just aren't tied together. Maybe there's a good reason that they should be kept separate. Maybe the person who buys the software is not necessarily the one who uses it. I do know that it's incredibly annoying when I call a company, punch in some long string of digits (credit card number, etc.), and then get introduced to a person who asks for exactly that same info. --J.]
    I make a comparison. I am selling design templates on my website. I am the company selling these products.
    However, is it MY business to know WHEN, IF and HOW my customers are editing my design templates?
    Answer: NO
    It is definitely NOT my business to spy on MY customers. Why should I?
    So why should Adobe?
    [It doesn't. --J.]
    graphically & sincerely,
    Marc Klein

  • Pastafari — 3:42 AM on January 10, 2008

    After installing Photoshop CS3 I noticed the connection… So Adobe connects in the background with a deceiving IP address, doesn’t give me a choice to opt out and I should be happy because it “improves the desktop experience through online connectivity”?
    [As mentioned, it does give you the choice to opt out: simply turn off the welcome screen. As for the URL in question, it'll be fixed. --J.]
    If they want feedback they should ask first. Nicely. Online connectivity improving what? Who said I agree? Such behaviour is familiar. Is the reason why we hate some companies out there. Microsoft anyone?

  • Joe — 9:37 AM on January 18, 2008

    It’s getting very very close to the point where I am going to NOT have any internet access on all of our machines, just one which is not connected to the network or anything else.
    Adobe’s cred just took a nose dive.
    And I’m not the only one thinking this, that it’s time to look for alternatives.
    What happened to Paint Shop Pro??
    Is this what you want serious users to do, Adobe, look for alternatives? Because your behavior is doing just that.

  • pete — 9:54 AM on January 18, 2008

    Interesting, you following what people do without their permission, and you not saying that you do this.
    There is another similar methodology,
    That’s where someone follows me, without my permission, in a stealthy way, to find out things about me.
    It’s called STALKING.
    And that, Adobe, is a federal crime.

  • puneet — 8:06 AM on January 31, 2009

    plz send me serial number of abode photoshop cs 2 i dnt have it ……..
    [You've gotta be kidding me. --J.]

  • nike basketball shoe — 11:52 PM on November 01, 2009

    I found myself in agreement with the explanation, however:
    Adobe’s history of working with the Secret Service to intentionally handicap their software with “anti-counterfeiting features” leaves me skeptical of their credibility.

  • Robin Capper — 2:38 AM on July 22, 2011

    My concern is not what Adobe does once installed but rather the garbage you try & bundle into your installs.
    I want Reader, well I don’t really but need it, and you try & install Chrome.
    I need Flash, you try & install McAfee AV scanner (when I already have AV).
    I need Shockwave, you try & install Norton AV scanner (when I already have AV).
    I know it can be unticked but it’s bloody annoying. If I want the other stuff I’ll get it from them.

Copyright © 2014 Adobe Systems Incorporated. All rights reserved.