December 28, 2007

What’s with Adobe & the shady server name?

Thanks for all the feedback on this morning’s post about Adobe, Omniture, and (non) spyware in CS3.

In truth, I think I did miss a key point: in this instance the objections seem to center not so much on whether Adobe apps are contacting a server, but rather that the server is named “192.168.112.2O7.net,” rather than something obvious and communicative like “adobestats.omniture.com.”  People are rightly asking why that is, and unfortunately I don’t know the answer.  I’m way out of my depth on the details of IP addresses, ports, etc., so I hesitate to comment further.

Instead I’ll work on getting some details from people with more expertise.  Given where we are in the holiday period, it may take a little time.  I’ll post more info as I get it.  Thanks for your patience.

This is a great example of why I said that “Adobe could and should do a better job taking security concerns into account.”  Even if an application’s behavior is ultimately innocuous, it’s important to be transparent and forthcoming about what’s going on.  I don’t want software sneaking around behind my back any more than the next guy does, and Adobe (like all companies) needs to make sure it’s not abusing users’ trust.

[Update: I posted updates here and here. The complete set of posts is here.]

Posted by John Nack at 5:50 PM on December 28, 2007

Comments

  • Peter — 6:18 PM on December 28, 2007

    I am a little annoyed that people get so worked up about tracking relatively mundane details. It seems like as soon as any reference is made to any kind of server hit, people assume that Big Brother has moved in and is downloading indexes of the contents of your computer instantly. A bit hasty, especially from a huge corporation like Adobe, who in spite of their massive resources, I doubt could effectively make use of any personalized information being accessed on a scale that large.
    [It's interesting that you bring up that last point. Gathering information is far easier than making sense of it. Microsoft invested a lot of effort in instrumenting Office to track usage (with user consent), yet I've heard that they ended up throwing tons of data away--for lack of a way to understand it & make decisions accordingly. It's entirely possible they've gotten it right in the time since then, but the problem certainly isn't an easy one. --J.]

  • Michael Wales — 9:52 PM on December 28, 2007

    @Peter
    For the most part people aren’t upset that Adobe is “watching” them. This is a practice we have come to expect. Yes, Adobe could do a better job of informing users this is happening and make the opt-out preference more prominent.
    What people are pissed about (rightfully so), and what this particular blog post is about, is the fact that Adobe is attempting to cloak the fact they are spying.
    [Adobe isn't "spying" on you, and my initial post is largely a critique of the hysteria that fails to separate practice thing from another. Simply noting that a user with a particular IP address requested a SWF file does not, to my mind, constitute "spying." Spying would entail tracking your behavior, associating that behavior with your name or other personal info, etc. --J.]
    The “IP Address” that Adobe calls home to is actually nothing more than a string of useless characters followed by 2O7.net (that’s an O not a zero).
    This practice is wildly deceptive and there is no logical explanation to do so, other than to hide something from the users.
    When I’m paying thousands of dollars for a suite of products, I damn sure don’t expect to be lied to.
    I’m definitely looking forward to Adobe’s final explanation as to why this deceptive practice has taken place.

  • Rad — 9:58 PM on December 28, 2007

    It isn’t the tracking that is the issue. It’s that the domain name is intended to trick improperly configured firewalls and ignorant users. It’s dishonest and similar to what a spyware program would use.

  • Sean Foushee — 10:12 PM on December 28, 2007

    This whole situation could very easily be an issue with Omniture, as it is their domain and subdomain naming convention that caused the Black Hat flags to go up in the first place. However, I think what most in the community are looking for from both Apple and Adobe is an explanation as to their depth of knowledge into Omniture’s operation and IP-esque domain used to track users’ information without their knowledge. I think we all agree that some forms of tracking are acceptable, most people really don’t see anything wrong with tracking hits and visits to websites, but using a system that masks a request as an internal network IP in and of itself is suspicious enough to make most people think more is going on than simple traffic logging.
    What Adobe needs to do first thing Monday morning is issue a public statement stating exactly what information is being logged, why Adobe thinks this information is too important not to allow its users to opt-out, the depth of prior knowledge Adobe had of Omniture’s URI structure and steps they plan to take to ensure this issue is altered in the short and long-term (talking a change of URI request for CS3 and information on tracking in CS4 moving forward).
    John, we all understand you’re not some overseer wanting to control users’ machines, and spyware is just as unpalatable to you as the rest of the community, but Adobe needs to better communicate with its user base on its tracking and logging through its apps. Work to allow for a proper opt-out, and work with your third-party data collection agencies on more transparent forms of tracking information that doesn’t intentionally try to trick users’ anti-spyware/trojan/virus software. You never know, most users might appreciate the up-front honesty and help to provide more meaningful and accurate data in the future.

  • Harvard Irving — 11:49 PM on December 28, 2007

    Thank you!
    It’s good that you are finally addressing this. That is what irked me about your previous post on this matter – it was taking a conspicuously long time to deal with the issue that was causing the most angst.

  • Woz — 4:31 AM on December 29, 2007

    I’m sorry but I think it’s not about “the tracking of relatively mundane details”. It’s about the fact that it’s being done in a hidden manner.
    Apart from that what’s relative? Sure, Google scans every email but at least they’re telling us they do. I’ve never understood why I need a ‘Download Manager’ in the first place. The app even required updating some time ago.
    Adobe’s customers are not ‘paranoid people’. In fact I think they still remember that little button that just popped up in Acrobat Reader adding the ability for the Reader to send the pdf to FedEx Kinko. Apart from that over here in Europe we have not forgotten Adobe’s ‘new’ pricing policy, requiring us to pay up to 50% more.
    So, even though this ‘phone home function’ is not a big thing really, the secretive manner and the unusual actions taken by Adobe this year make it stand out.
    By the way, I know it’s off topic but another thing I’d love to see Adobe do is provide me with a copy of Live Cycle Designer for the Mac versions of the Creative Suites. LCD is included in the Windows version. Well I’ve got VMWare…

  • allen stern — 4:58 AM on December 29, 2007

    thanks for looking into this!

  • Gunnar — 6:11 AM on December 29, 2007

    I dislike my behavior being tracked. The deceiving host name complements the tactic.
    If Adobe wants to track user behavior, make it opt in. The opt out measure at Omniture only works for the browser used for that purpose, not the complete system. That sucks. This opt out is just a sleazy excuse that makes me bitter, it doesn’t work as the user intends it to. I know that would be difficult to do, but you got yourself in that situation by going opt out in the first place.
    Ethical behavior is crucial to success. If I can’t trust your moves, I can’t buy your stuff. For now I block .2o7.net.

  • John Dowdell — 8:14 AM on December 29, 2007

    The search term “2o7.net” pulls up resources on Omniture. A Wall Street Journal article from 2005 says it was chosen because it was shorter than omniture.net.
    [Thanks for the research, John. I'd still like to talk to those guys and get more info. All this trouble to save five characters in a URL doesn't seem worth it. --J.]
    Most of the weblogs which are complaining (before searching!!) are using similar analytics tools, and lots of them ping Google, Yahoo, or other behavioral advertisers whenever you visit.
    jd/adobe

  • Michael Froomkin — 10:13 AM on December 29, 2007

    The key point is that IP numbers starting with “192.168.” are the ones that almost all users will have configured as their local network. This domain name is deceptively designed to make what is in fact a call to an internet resource look like a non-internet local network activity. That is highly deceptive and cannot be accidental or innocuous.
    People are right to be angry about this, and Adobe should have no part of it. If that’s something your vendor insists on, either change vendors or create a proper name for it and forward the requests.

  • Tom — 2:10 PM on December 29, 2007

    Ummmm…
    netstat -f inet -an
    Then shut up about being ‘deceived’ by a hostname. It’s really not a big deal unless you’re one of those people who doesn’t feel they’re truly alive unless they’re bitching and moaning about something.

  • Rosyna — 2:24 PM on December 29, 2007

    If I understand correctly, Adobe CS3 products are loading a web resource (or webpage) to show to the user, correct?
    [Essentially, yes. They're loading a Flash SWF file, rather than an HTML page, but the purpose is the same. The only event that could be tracked through this mechanism is the loading of the SWF. --J.]
    And it’s the loading of this webresource that’s causing other web resources to be loaded, just like any other web page on the internets.
    For example, if I go to adobe.com in Safari, it loads a resource from mxmacromedia.112.2o7.net. The domain makes a lot more sense in this case. And this domain actually makes the 192.168. domain look that much worse as it is clearly possible to use a domain that is human readable when using Omniture. The question is, who chose this domain, Adobe or Omniture?
    [As I say, that's what I don't know, and what I'm investigating. Apparently iTunes uses (or used) the same domain, so it seems unlikely that Adobe chose it. --J.]
    Personally, I would have used haruhi.suzumiya.adobe.com as the analytics server. For no other reason than it would cause people to do a double-take when googling it (Google treats periods as whitespace).
    I sadly do not have Adobe CS3, so I am not sure if the prefs for the Welcome Window thing mentions it makes a network connection.
    [As far as I know it does not. This is why I say it's going to be interesting/tricky to find the right balance between privacy and connectedness. I want Adobe apps to help connect people to one another without popping a dozen Vista-style warnings first. I'll bet we can find a simple, elegant solution, though. --J.]
    Xcode 3 also shows a welcome page by default. This is also loaded via a url. It currently only connects to developer.apple.com, but that’s currently.
    [Perhaps Apple does its Web analytics in house. If they used a third party like Google (as this blog does, via Google Analytics), Omniture, etc., would that be a problem? --J.]

  • Irregular — 2:38 PM on December 29, 2007

    You track people, it pisses people off, people will steal from you to even the balance sheet. Honor your audience, produce good software, people buy, reap the rewards.
    Reap what ye sow!
    [Hey, don't call me a "sow"... ;-) --J.]

  • jt — 2:38 PM on December 29, 2007

    I think it’s important to point out that CS3 is not calling ‘home’, it’s calling some company called Omniture. I don’t recall making any sort of agreement with that company and I don’t want them tracking my usage, behavior, or anything. I certainly don’t want them spamming me with ads when I’ve paid through the nose for some software. I want to opt out and as far as I’ve seen, there is no way provided to opt out. I expect I’ll need to configure my hosts file to block 2O7.

  • mark — 2:50 PM on December 29, 2007

    Easy solution for me: I added
    127.0.0.1 192.168.112.2O7.net
    to my hosts file. Now any attempt to talk to 192.168.112.2O7.net reaches my own machine.

  • Ken Sayward — 3:03 PM on December 29, 2007

    @John Dowdell,
    Even your post above ignores the issue being raised here. Do you really not understand, or are you intentionally clouding the discussion? To be very clear:
    2o7.net is not the issue, it is the use of 192.168. in the subdomain name that appears to be intended to deceive. You do understand that, don’t you?

  • PSUser — 3:13 PM on December 29, 2007

    Look, there is no confusion here. Do you really think we are all so stupid that we are going to believe Omniture isn’t intentionally obscuring their tracking by using 192.168…which everyone knows is an internal LAN address? That “2O7.net” with a capital “O” instead of a numeral was just convenience?
    It’s obvious to anyone with half a braincell that they chose that for one reason, to deceive people into thinking the tracking was just a harmless internal network action, and nothing was being sent outside.
    If Adobe didn’t realize this, they are being lax in their due diligence of one of their partners. If they did, they are part of the problem. Do you really see any other conclusion we users should arrive at here?

  • p o p m o n k e y — 3:17 PM on December 29, 2007

    “I’m way out of my depth on the details of IP addresses, ports, etc., so I hesitate to comment further.”
    Are you serious? You’re actually claiming that you are not aware that 192.168.x.x is a reserved network address? Do you have a home network? Do you have a wifi router? An overwhelming percentage of wifi routers/broadband modems use 192.168.x.x as their default network.
    If you honestly don’t know even this much about how networks work, why are you even bothering to address this issue? And especially considering your condescending tone in the previous post?
    In addition, your methodology of “answering” comments on this blog by inserting what looks like “editor comments” is annoying.
    [Sorry that you don't like my style of trying to engage in conversation. It seems like an efficient, readable way to respond to specific points, rather than by using separate reply comments that may appear far down the page. Neither method is perfect, and unfortunately this blog server doesn't support threaded commenting. If you have a better suggestion, I'm open to hearing it. --J.]
    It takes away from the intent of the original comment writers as we never see their original posts in proper context and, given the topic, raises questions of what else you’re editing in the comments.
    [Sigh... I don't edit anything else in what people post (including their typos), except to turn URLs into live links by adding the appropriate HREF tags. The only comments I remove are spam & unintended duplicates.
    I think it sucks that you'd casually imply I'm a dishonest jerk who'd manipulate and distort what others write. Your comment reminds me of the question, "When did you stop beating your wife?" It's easy for you to suggest that I'm a liar, and nearly impossible for me to disprove it. You can always just claim that I'm lying further. --J.]
    Look, I came here on the heels of the “controversy” and see nothing yet that would make me feel any better about it. Quite the opposite.
    Basically, you’re digging a hole here and it really *would* be best for your team to take time to address the issue correctly.
    Specifically:
    1. in your previous post you say that the only times your applications hit the network is in the title screen, to check for updates, and when users take action to connect to the online communities. this means adobe hosted content. omniture is not hosting your content. so please make this clear in your previous post, i.e.: yes, the application grabs some swfs and stuff but it does this through a redirect via omniture for statistical analysis of usage patterns. isn’t that the case?
    [I don't know where the SWF is hosted (locally or on a server), or how exactly the Omniture address is getting invoked. Those are the questions I'm investigating. As I say, getting answers is likely to take a little time given the holiday break. --J.]
    2. why is omniture using this red flag raising address?
    seriously, stop acting surprised that people are upset.
    [I'm not surprised that people are upset. I'm surprised that people are so willing to assume the worst, to ascribe ill intentions, and to question the integrity of others. Or maybe I'm not surprised, just disappointed. --J.]
    your “Adobe ate me baby!” entry should be updated as it’s being linked to from all over the place. it might save people some aggravation.
    [I did update the entry to say that I frankly missed the point of some of the criticism--that the Omniture address seems shady. I'm sorry I didn't grasp that aspect more quickly. For me that aspect of the argument was obscured by the cries of "Shame on Adobe, shame!," "Wear Tinfoil Hats When Using Adobe Products," etc.
    I think others are missing much of my point, which is that it would be better to take a few deep breaths before lighting the torches & storming the castle. --J.]

  • John Smith — 3:26 PM on December 29, 2007

    Well, since I’ve blocked urchin.js (and possibly even google-analytics.com, depending on how I felt about it the last time I configured my router), you can probably tell that any sort of “tell a third party that I did ‘x’” function I can find out how to disable gets thoroughly disabled. It really shouldn’t be this hard to stop software from informing a 3rd party how it was used, but so many software houses think it gives enough value that customers won’t mind. I do mind. I only have acrobat reader and flash installed, would rather Flash websites died horribly, and won’t be installing any other adobe apps.
    Since I’m not a customer, I suspect you’ll keep trying to sell adobe stuff to me anyway.

  • TjL — 3:36 PM on December 29, 2007

    The idea that this isn’t deceptive is absurd.
    Of course it’s deceptive, otherwise there is no need for the 192.168 part of the URL. Apple apps frequently want to ping configuration.apple.com but at least it is clear that it isn’t a local machine (although I’m still unclear why Address Book needs to make such a connection, and why Apple’s CALCULATOR needs to do the same (see http://tj.tntluoma.com/apple/calculator-internet for my post on that)).
    There ought to be a way to turn that off both for Adobe apps and for Apple apps.
    If there isn’t, that’s a bug.
    Look, this is simple, your software is being used on my property. Don’t muck around behind the scenes or you’ll lead me to either use another program or start Googling around to find ways to poke holes in your program. Neither are long-term desirable for you.
    If it isn’t clear to you why this would bother people, imagine your cell phone occasionally told the manufacturer where you were using the phone from. Imagine if your TV started telling Sony what programs you were watching.
    Where does it stop?
    Why isn’t this up to *me* to decide who gets that information?
    Little Snitch is proving itself a better and better deal all the time. Is most of what it reports harmless? I don’t really care. I want to be in charge of what my computer does. I paid for it. You did not. End of story.

  • James — 4:20 PM on December 29, 2007

    I think you’re being entirely too kind to Adobe by bowing out due to being “way out of [your] depth on the details of IP addresses.” You don’t need to be a network engineer to understand the salient issue: Adobe is attempting to deceive users about their statistics collection. This is the polar opposite of Adobe’s data collection having “always been on a strictly opt-in basis.”
    [Couple of things: I'm not trying to be kind, and I'm not trying to bow out of anything. I'm just trying not to misstate facts in an area where I don't have enough info or expertise. Second, I think that saying "Adobe is attempting to deceive users" is too strongly put. It implies that some group of people said, "Let's consciously choose to sneak around behind users' backs & gather info on the sly." I'd really like to know more about the history here before drawing that conclusion. --J.]
    Perhaps you’re comfortable with usage monitoring that could improve the product; perhaps I’m not. The problem is that users need to make that choice, and intentional deception reveals that Adobe ranks such user concerns so low as to preemptively ignore them.
    [Whatever the intention, I agree that the choice of this URL sends the absolutely wrong message. --J.]
    This is unfortunate, though sadly not surprising, from a company so dominant in its industry. The answer to me, then, is not to classify this as a minor breach of trust compared to the NSA’s blatantly illegal activities but instead to loudly protest that a company with the power of Adobe must remain answerable to its customers. We need a visible outcry to have a hope of returning to an “opt-in” model.
    [For the record, I do think that this conversation can be healthy. It's particularly important for me to put some hard thought into these issues, as I've been a tireless advocate of improving the desktop experience by weaving in online content. As I keep saying, we'll have to find the right balance between privacy & connectedness. I want people to choose the level of engagement that's right for them, but I don't want to badger them with a dozen popup warnings before making a connection. There has to be a happy medium, and I'm confident we can find it. --J.]
    Now, there are obviously many innocent explanations for what is done with the data. Regardless, deceptive practices invite users to assume the worst. What is needed is complete transparency about data collection — not easy for a for-profit company, but necessary — in order to rebuild user trust. Incidents like these quickly squander good will built over many years of positive interactions with customers.
    [I agree about transparency. That's why I keep saying "Adobe could and should do a better job taking security concerns into account." The company has to handle these concerns better, and we'll work to do so. --J.]

  • Matt Cross — 4:36 PM on December 29, 2007

    Dowdell, are you kidding? You report your half-assed attempt at researching 2o7.net (completely discarding the issue of using a deceptive subdomain) and have the sack to post, “Most of the weblogs which are complaining (before searching!!)…” – when you’re the one missing the point?!? Bite your tongue before you embarrass Adobe further.

  • Alex — 4:54 PM on December 29, 2007

    I’d like to echo what jt says above, part of the issue is the involvement of a third-party, an involvement I never consented to.
    For the record, the whole issue is this: based on my usage of some CS3 apps, data is sent to an unknown third-party’s shady URL, without my knowledge or consent, without any opt-out mechanism. It is this compound situation that has made people rightly upset, and you should not downplay any part of it.
    Concerning your (admirably) desired “simple, elegant solution” that achieves “balance between privacy and connectedness,” here’s a suggestion for what should happen instead of the existing behavior: upon launching an app for the first time, the Welcome Screen is displayed, like it is now. Instead of automatically fetching the SWF content, however, display in its place a note similar to “Want to display online tips here?” along with some further explanation of what such tips are. When clicked, replace that with the notice “Online content requests will be handled according to Adobe and Omniture’s Privacy Policies. You can disable this feature in Preferences at any time.” Provide links to all applicable privacy policies, along with “Agree” and “Disagree” buttons. Offer a checkbox that applies this decision to all CS3 apps. And as mentioned, the URL absolutely needs to be changed, preferably to something on Adobe’s domain, such as stats.adobe.com.
    All of this—feature prompt, privacy notice, consent, and opt-out info, for all CS3 apps—can all be displayed in the location of the SWF on the Welcome Screen, without any pop-up dialog boxes (and only two clicks, which possibly could be tweaked down to one).
    If Adobe would like to win back some trust, make the web request opt-in like I’ve described above, and drop Omniture for analytics: if they chose the shady server name, no one should do business with them.
    Thanks for your forthcomingness and admission that “Adobe could and should do a better job taking security concerns into account.”

  • John Raykowski — 4:54 PM on December 29, 2007

    popmonkey, give the guy a break. Mom and dad have a home wifi setup and words like ‘private address’ and numbers like 192.168 or 10. etc, are absolutely meaningless to them. Unless the guy is into net details, why would he know this stuff?
    Jack, pretty naive to be surprised or disappointed at the ‘bring out the torches’ response. It is the only response users have that actually gets any attention.
    Let’s see that again: It is the only response users have that actually gets any attention.
    People are placing a huge amount of trust in companies such as Adobe when we install their products. It’s bad enough to find unexpected outgoing connections, but then to discover the obvious (for the technically minded) attempt to hide the destination, well that sort of screams Deception, does it not?
    To my simple mind, if what they’re doing was on the up-and-up, there would be no need for the deception… That sort of behaviour is only needed when you’re doing something you shouldn’t be or at the least something that might not be seen as acceptable, so now I have to question what’s going on and I lose trust in the company and the product.
    As it occurs to me that I have no idea what this company who has betrayed my trust has been doing… hell yes, Bring Out The Torches.
    Now, I agree that the shrillness of it all tends to obscure the facts and real issues, but if there is no other useful recourse that elicits a *meaningful* response from the company…? What else are we to do?
    This stuff sits squarely at the doorstep of the company. Stop doing this crap without very explicit permission.
    This should not be difficult:
    When it happens automagically without my knowledge, I get pissed.
    When it’s an option in a preferences screen such as ‘Please help us make a better product by allowing us to collect usage data’, I’ll probably check Ok every time.
    -jmr

  • Brian Moore — 5:44 PM on December 29, 2007

    Everyone who has set up a home network knows that 192.168.. is a private network address. The use of it as a subdomain is nothing short of deception and something I would expect from a phisher / scammer / or malware.

  • Rosyna — 6:35 PM on December 29, 2007

    Since this swf file that loads the Omniture web resource is located on Adobe’s server, Adobe can change the swf to no longer load the third party resource or load a different one (well, can when the people in charge of this get back). It’s not something in the code of the product itself.
    So what may have been true when this was originally posted may not be true when someone reads this.
    Someone posted the url of the Dreamweaver start page flash thing that loads an Omniture resource at http://www.adobe.com/startpage/dw_content/dw_90_full_default.swf. If you load this url in Safari and open the Activity Viewer, you can clearly see the omniture URL (at least when I checked it).
    Since I do not have Adobe CS3, I cannot determine what url Photoshop CS3 and the ilk use. PS CS2 had a “Welcome Screen” that displays local-only content (‘ExVw’ Resource ID 1711).

  • Mike Simon — 6:48 PM on December 29, 2007

    Something I think might be missing from the discussion here is that while I do expect to be tracked on the Internet when I use a web browser via embedded links to analytics URLs and the like, I don’t expect to have to worry about that when I launch a program that has (for me) no web purpose. So, from my perspective, what we are seeing is:
    1. A program that is NOT a web browser or have any obvious live web connectivity needs making a web connection to someone other than the manufacturer of the software.
    2. The admittedly deceptive domain name looking like an RFC1918 IP address (which, FYI wouldn’t fool even the stupidest firewall, if you are blocking RFC 1918 at the edge, you are using the actual IP, not the hostname. If you are blocking my hostname, it wouldn’t have been 192.168.x.2o7.net. Firewalls are not the target of this deception)
    3. …bringing us to who IS the target of this deception – not home users who are generally ignorant of RFC 1918, but the more IP savvy people they might call when they are trying to figure out why their IPS is going off, or why IT is complaining about their attempted access of restricted sites. Any decent investigator wouldn’t actually be fooled for a second – but it’s telling that that is who the deception is targeting.
    An application that shouldn’t be making ANY Internet connections doing so in a deceptive way will generally get people talking. Telling folks they are naive for not knowing that CS3 applications will be making connections to the companies they do not know or associate with on the Internet to track their usage isn’t the right approach. Assuming that ANY information is benign just because you don’t see the harm is also not well considered (in the future, I’ll be pursuing warrants for information collected by Adobe/Omniture to verify when someone was likely active in front of a computer – even if they wiped the HD it should still be somewhere out there associated with their source IP).
    MAS

  • Niz — 7:00 PM on December 29, 2007

    Everyone is saying that tracking isn’t the issue but the IP is. I disagree. I think tracking itself IS a very big issue.
    Many apps do track but don’t ask or even mention it on the packaging or when you install them. I think this is very wrong and should be made illegal.
    I don’t want miscellaneous information about my usage of my own computer being sent to whoever, regardless of if they think it’s OK because it doesn’t contain personal info. I still don’t want some damn company assuming they can install extra startup processes that use my PC for their benefit only without at least asking first.

  • chris — 7:07 PM on December 29, 2007

    I’m upset that you’re spying on me. When was I asked if you can contact this address and store this information? How do I turn off the “sharing” (from your software). Oh… I wasn’t asked, and I can’t disable it from within your product…
    [Yes, you can. Please read the information here before posting. --J.]
    Hmmmm. Sounds a little fishy to me. You lose my business forever.

  • Clark Cox — 7:09 PM on December 29, 2007

    “Adobe isn’t “spying” on you, and my initial post is largely a critique of the hysteria that fails to separate practice thing from another.”

    There is only one logical reason for using such a deceptive domain name–to deceive. Adobe is collecting information (however innocuous that information may be) and is actively trying to hide the fact that they are doing so.
    And, what does the New Oxford American Dictionary give as a definition of “spy on”?:

    observe (someone) furtively

    That seems to describe this behavior pretty accurately.

  • J Greely — 7:33 PM on December 29, 2007

    I’m not going to join the dogpile, but I do have an interesting data point for you to consider.
    I searched through six months of web proxy server logs to see what sort of 2o7.net URLs were being used. I found 110 different sites who use Omniture’s service, all of them using URLs that clearly identify the owner (aolnews, bet, brightcove, cbs, denverpost, geappliance, lenovo, msnportal, searscom, sonyebooks, etc, etc).
    No Omniture customer whose site I’ve visited in the past six months used a numeric hostname to try to obfuscate their identity. The only Adobe-related URL on the list was the clearly-named mxmacromedia.112.2o7.net.
    I also found it interesting that my proxy server (Privoxy) was specifically configured to block all 2o7.net URLs. They added that and many other analytics and tracking sites to their default configuration in September of 2006.
    -j

  • Doug Franklin — 8:21 PM on December 29, 2007

    Well, Adobe, say ‘Hello’ to Sony. You’re both in the bit bucket for me. A little bit for the tracking, a little more for the intentionally deceptive URL, but mostly because YOU DIDN’T ASK MY PERMISSION!

  • Greg Shergold — 8:21 PM on December 29, 2007

    This is a *HUGE* mistake on Adobe’s part. The domain name that is being used was chosen for only one purpose and one purpose only…. to DECEIVE and DECEIVE only. Regardless if you/Adobe were aware of this or not, you DID NOT do your due diligence when choosing to partner with this particular tracking company. You complain about people spreading FUD, yet you claim to be out of your league when it comes to any sort of simple IP address designations. What are people supposed to suspect? Are we supposed to say “Hey, it’s Adobe, they are a great company, and they wouldn’t do anything that would be even remotely questionable.”
    I’m sorry, I have absolutely no sympathy for you. Remember the whole fiasco with the flash player being bundled with the yahoo toolbar? Granted that was Macromedia, but it’s the same “family of products” so you have inherited that fiasco. So before you accuse people of suspecting the worst, check your past track record. Check the way your industry as a whole has gone. Look at the Sony DRM/rootkit fiasco. Look at how spam has overtaken legit emails. I’m sorry, but that is the present situation. So someone circling the wagons, and calling deceiving activities deceitful is *NOT* spreading FUD.
    I lost a contract over the Macromedia/Flash/Yahoo toolbar fiasco. So what may seem like a little “helpful” thing to you, is very different when you depend on a particular product and a company. Yet again, I’ve lost faith in your products.

  • Phillip Kerman — 8:59 PM on December 29, 2007

    I’m glad I found the link to this follow-up! It saved me from reading the rest of the comments on the original post.
    I appreciate your completeness to follow through and get an answer on the patently deceptive sub-domain issue. I fear this will become a black-eye for Adobe who usually does such a good job in being transparent… and non-aggressive with email etc. Sure, there are some who don’t like any “phone home” or “phone outside company”–but the intention does matter. Ultimately, I think you just need to spell it out more clearly in every case. Put it in the EULA more explicitly or something. Make it opt-in, whatever.
    JD, you’re joking right? If not, it’s insulting.
    Finally, those directing their anger at JN (or, really any single human… but especially one who’s acknowledging the issue) are misguided.
    [Thanks, Phillip. Ironically, the product for which I'm responsible (Photoshop) doesn't include the SWF that's being loaded & causing the furor. Even so, I object to the scare tactics & irresponsibility in journalism (online or off), and I felt obliged to pass along what info I was able to find. I'll pass along whatever else I find out. --J.]

  • John Smith — 9:36 PM on December 29, 2007

    Warning: this may get complicated.
    For me though, the “intention” for involving an outside company in data collection doesn’t really matter that much. First, the company (call it B) who chose to use a third party (call it C) has already determined that B wants C to have that data for some business purpose benefiting B, and possibly the customers (D) of B.
    These customers seem to have less and less information about what B and C are planning to do behind their backs. Even if it is mentioned in the EULA, it’s tough to figure out when “may be provided to a third party” means “will be provided to a company that will aggregate every bit of data that it can find about the customer, and report back”.
    That is what omniture does. It tracks everything it can get its hands on in order to give Adobe a better chance of targeting customers for advertising. Adobe believes this to be beneficial. Some customers (like me) do not.
    Bits of the omniture website seem to indicate they have behavioral targeting abilities. The only “good” way to enable behavioral targeting, is to track user behavior. I’d rather not be tracked, and being able to opt out through using a fairly obscure setting is … eh …
    I’d never guess that I have to check “Don’t Show Again” in order to stop tracking that I wasn’t necessarily aware of in the first place.

  • Bud Aaron — 9:50 PM on December 29, 2007

    If you type in just 2O7.net you will get the following. From even a cursory reading these folks are cookie tracking a world of information about you. I would begin to wonder if Adobe isn’t selling the info to other firms for improved advertising – the amount of information being collected is sinister to me. But note at the very end that you CAN opt out LOL.
    What is 2o7.net?
    2o7.net is a domain used by Omniture to help provide portions of its Omniture SiteCatalyst and Omniture SearchCenter products. Specifically, this domain is used by Omniture to place cookies, on behalf of its customers, on the computers of visitors to customers’ selected websites.
    Omniture Acts on Behalf of our Customers
    Omniture acts as a limited agent to each of its Customers only for the purpose of providing Internet data hosting Web and optimization products and services. Any information obtained by Omniture from the customer’s websites is and will remain customer property, and will be treated by Omniture as proprietary and confidential information of the customer. As such, Omniture will not disclose such information to any third party, unless specifically and rightfully instructed to do so by the customer. Omniture will not review, share, distribute, print, or reference any session data of visitors to the customer websites except as requested by the customer or as may be required by law. Individual records may at times be viewed or accessed only for the purpose of resolving a problem, support issue, billing, or as may be required by law. Customers are responsible for maintaining the confidentiality and security of their usernames and passwords to log into their accounts.
    It is very important that you review the respective privacy policy of each website that you visit, because such privacy policies govern the use of information on those websites, including our customer’s use of Omniture products and services where applicable.
    If you would like more information about Omniture and our privacy practices, please visit our Privacy Center.
    Opt-out Method
    We offer visitors to certain of our customers’ websites a means for controlling the use of session information with respect to the Omniture SiteCatalyst, Omniture DataWarehouse, Omniture Discover and Omniture SearchCenter products using cookies set from Omniture’s 2o7.net domain (i.e. that use the 2o7.net cookie to facilitate data collection). If, at any time a customer’s website visitor does not wish to allow his/her session visitation information to be aggregated and analyzed by Omniture on such customer sites, he/she may utilize the following opt out mechanism. For customers that use non-Omniture cookies to collect data on their websites, please review the privacy disclosures of such customers for specific details on any and all applicable opt outs on such sites.
    Click Here To Opt-Out of 2o7.net Cookie Tracking Now.

  • Drew — 9:51 PM on December 29, 2007

    As mentioned previously, 2o7.net is owned by Omniture. You can go to their site to opt out of all cookie tracking from Omniture:
    http://www.omniture.com/privacy/2o7?f=2o7
    Somebody (or many somebodies) at Adobe or Omniture will be getting their ass chewed out for selecting such a deceptively named sub-domain. Very bad move.

  • Pelle Fisk — 10:06 PM on December 29, 2007

    What surprises me the most is that you seem to be surprised that people get paranoid. It seems that the standard way for software companies to act is to abuse their users and either treat them as a free marketing resource or as potential criminals (or possibly both). Of course there is no “trust” here.

  • Matt Keefe — 11:08 PM on December 29, 2007

    As much as I dislike spying of any form, I am not so sure Adobe is the only one to blame. Let’s assume for a minute that these services are provided by Omniture as a compiled module and until now Adobe had no idea such a URL was being used..? Not saying this is the case, but don’t be so quick to cast blame on someone or something without knowing the facts.
    Personally I will be waiting for more information from Adobe (after the holiday break) and assume an answer will be given, until then the speculation of “Bad Adobe” is partly laughable and all around without merit.
    Also, did you know iTunes contacts Apple? Better not use that anymore either.

  • Thomas McQuillan — 1:06 AM on December 30, 2007

    I’d like to commend you, Mr. Nack, for spending your holidays discussing this issue openly on your blog.
    I think Adobe is going the wrong way on a lot of issues, but I can’t think of any other company of its stature providing open dialog of this sort.
    This goes a long way in my book towards mitigating the potentially blunderific impact of this story.
    BTW, has anyone tested whether the said address will actually spoof a local address? It seems to me that the 5-part string wouldn’t pass through a 4-part wildcard.
    On the other hand, they’ve obviously chosen it to be deceptive, perhaps only for the human eye.
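
An added example, not part of the original thread and not Adobe's or Omniture's code: one way to run the check J Greely describes over proxy logs, and to answer the question above about whether the five-label name is treated as a local address. The function names and the log lines are constructed for illustration; the two 2o7.net hostnames quoted in the comments appear alongside a constructed non-private control.

```python
import ipaddress
from urllib.parse import urlsplit

# RFC 1918 private IPv4 ranges.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Letters that are easily misread as digits inside a hostname label.
LOOKALIKES = str.maketrans({"o": "0", "l": "1"})

# Constructed proxy log lines (timestamp, client, method, URL); not real traffic.
SAMPLE_LOG = """\
2007-12-29T19:01:02 10.0.0.5 GET http://192.168.112.2o7.net/b/ss/mxcentral/1/x
2007-12-29T19:01:05 10.0.0.5 GET http://mxmacromedia.112.2o7.net/b/ss/example
2007-12-29T19:02:11 10.0.0.7 GET http://192.168.1.10/status
2007-12-29T19:03:40 10.0.0.7 GET http://www.example.com/index.html
2007-12-29T19:04:09 10.0.0.9 GET http://99.234.112.2o7.net/b/ss/example
"""


def is_ip_literal(host):
    """True only if the whole host string is an IPv4 address."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def strict_is_local(host):
    """Parse first, then test membership: DNS names never qualify."""
    return is_ip_literal(host) and any(
        ipaddress.IPv4Address(host) in net for net in PRIVATE_NETS)


def naive_is_local(host):
    """String-prefix test of the kind found in hand-written allow rules."""
    return host.startswith(("10.", "192.168."))


def embedded_private_prefix(host):
    """Return the private network a DNS name's leading labels imitate, or None.

    Leading all-numeric labels are padded with zeros to four octets, so
    '192.168.112.<domain>' is read as 192.168.112.0.
    """
    if is_ip_literal(host):
        return None
    octets = []
    for label in host.split("."):
        numeric = label.isascii() and label.isdigit()
        if len(octets) == 4 or not numeric or int(label) > 255:
            break
        octets.append(int(label))
    if len(octets) < 2:  # a single numeric label is too weak a signal
        return None
    addr = ipaddress.IPv4Address(bytes(octets + [0] * (4 - len(octets))))
    return next((net for net in PRIVATE_NETS if addr in net), None)


def lookalike_labels(host):
    """Labels that mix digits and letters yet read as a number (2o7 -> 207)."""
    return [label for label in host.split(".")
            if any(c.isdigit() for c in label)
            and not label.isdigit()
            and label.translate(LOOKALIKES).isdigit()]


def audit(log_text):
    """Map each suspicious hostname in the log to the reasons it was flagged."""
    findings = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        host = urlsplit(fields[3]).hostname
        if not host:
            continue
        reasons = []
        net = embedded_private_prefix(host)
        if net is not None:
            reasons.append(f"leading labels imitate {net}")
        if naive_is_local(host) and not strict_is_local(host):
            reasons.append("a prefix rule would treat it as local")
        fake = lookalike_labels(host)
        if fake:
            reasons.append("digit lookalike label: " + ", ".join(fake))
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in audit(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

A rule that parses the host as an address before testing it never matches the DNS name; only string-prefix rules and a human skimming the log are fooled.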

  • Jason Topaz — 3:00 AM on December 30, 2007

    We’ll all know very soon if Adobe’s intent is to cover up the fact that they are tracking some user activity.
    I’m sure John Nack is bringing this to Adobe’s attention now. So if Adobe’s intent is not to be deceptive, they will obviously contact Omniture. They will arrange for a less deceptive hostname, and send out an automatic software update to all their applications, repointing them at the new hostname.
    If this does not happen in the very short term, I think it’s pretty safe to assume the deceptive hostname was intentional all along. But if they do make this fix quickly, then I’m willing to give Adobe the benefit of the doubt and assume the deceptive malware-worthy hostname was just some engineer’s idea of a funny joke.

  • p-dawg — 3:39 AM on December 30, 2007

    John,
    I respect your decision to answer questions here, but something was posted on slashdot which suggests that the product serial number is included in what is sent to omniture. I do not want my paid for, registered serial number sent in clear text to a third party. If this is true, and I have not verified it for myself yet, it is very, very bad. Possibly worse than the deceptive (and let’s be honest, there’s no other way to put it) IP addy that omniture is using. Can you verify or deny that product serial number is sent along with whatever other information?
    [I'm afraid I don't have any details like that at the moment. (That's what I meant when I said I was out of my depth on the details of IP addresses, etc.) I need to get more info, but the right people are out of the office right now. As soon as we can get the right people on the horn, I'll share what I find out. --J.]

  • Vinay Y S — 4:18 AM on December 30, 2007

    After reading some of the comments above regarding how innocent Adobe is, or how useless it is for Adobe to do stuff with my data etc I wonder how naive people are in this increasingly Internet dependent age. Scary…
    When I install a desktop photo editing application, I don’t expect it to connect online for day to day activity as it is simply bad due to security reasons. The attack surface area increases when a huge application connects online. As someone rightly pointed out especially when Adobe is embedding so many third-party modules in their application, even though Adobe might be a good company what about the security practices in those smaller third-party companies? Definitely Adobe doesn’t vouch for security of every single line of code in there?
    Adobe might have good intentions, but someone exploiting that “feature” in it won’t.
    So, when such a huge application is connecting to some obscure shady non-adobe server it definitely will cause alarm. (Remember the Skype 3rdparty-module spying issue?)
    Generally, even if a particular suite of application wants to talk online, with user consent, it should be done from a separate much smaller singularly purposed process. And it’s best to make it known of all such network activities clearly in User Document.

  • mike — 4:54 AM on December 30, 2007

    How about making software features that people want instead of ones they don’t want and then giving the option to turn it off. CS 4 should have less crap, and more stuff that I NEED, not stuff that YOU THINK I NEED.

  • JD — 5:50 AM on December 30, 2007

    Don’t be surprised if some “corporate” guys are trying to downplay Adobe’s spying in their posts.
    Just use a firewall and only allow specific applications to connect to internet.
    Also, as suggested, add these nasty hosts to your HOSTS file. You can find some already filled ones, google them.
    Problem solved, no more spying from these sneaky #@$%.

  • Jason — 6:17 AM on December 30, 2007

    John – I just started reading about this and we use all the various flavors of CS3 at work. I figured before you said anything it was the welcome screen making the calls. Big deal, Adobe knows when I load up Flash. I really don’t care. It’s my work computer and not my own, I use a Mac at home.
    It’s these STUPID people on here that have to go CRAZY for really nothing. I mean, does any of them use Windows? That crap calls home for anything and everything which is why I only use it for work cause I have to. Talk about spying…start with Microsoft.
    I think this whole situation is just stupid and a total waste of my time but it’s really fun reading all the people that are FREAKING OUT over this. My god send them to a Computer Science course and learn something!
    Just because something is making a call out to a server doesn’t mean they are taking your name, home address and other info down. Get over it!
    You need to be worried about your CC being stolen off that site you bought that cool nerdy present over the holiday. That is what I would be concerned about.

  • keith — 7:33 AM on December 30, 2007

    Hey for years I used PS on a ‘puter that wasn’t even hooked up to the internet. (you get a lot more work done that way too)
    Suppose you could simply turn your connection off rather than worry about it.

  • DBL — 10:32 AM on December 30, 2007

    I’m afraid, John, that you’ve still missed the point. The problem is not that 192.168.112.2o7.net is just some random undescriptive URL. The problem is that those numbers AREN’T RANDOM at all. They are designed specifically to appear to identify a computer on your local network. (i.e. in your house!) If Adobe sent you a promotional letter and claimed that it was written by someone in your family instead of by their marketing dept — would you ever trust them again?
    Let me clarify the analogy, so you will be sure to understand. Adobe is doing the equivalent of pretending to report on what you are doing to your business partner or to your IT department, when actually they are clandestinely reporting to an outside party, instead.
    It makes absolutely no difference whether or not the URL is actually legibly descriptive. If Omniture had used 99.234.112.2o7.net instead of 192.168, then there would be no problem.
    So you’ve got it backwards — the problem isn’t that the URL is unrecognisable. The problem is that it is VERY recognisable as something that it is not — something that will help it escape your and your firewall’s notice.
    Which is sneaky, dishonest, and probably illegal.

  • Nonce — 10:52 AM on December 30, 2007

    John, I enjoy your blog and I’m sorry you got caught up in all this, especially during the holidays, but between this and the previous Version Cue debacle, it should be clear that end-users don’t feel like Adobe is treating them with respect. I think that’s what this all boils down to.
    There have been several good suggestions in the comments as to how this might have been better handled, and I hope you (Adobe) listened.
    [Yes indeed, I think there's some good stuff here. As I think I've said (somewhere amidst these comments), the whole thing has gotten me thinking about ways we can strike the right balance between connectedness and privacy. It'll just require some up-front planning, thoughtfulness, and engagement with the community. We can make good come from a not-so-pleasant situation. --J.]

  • Rick — 10:59 AM on December 30, 2007

    This is appalling. It’s a deliberate attempt (albeit a clumsy one) to mislead Adobe users about what is going on on their computer. Things like this do not happen ‘by accident/oops we goofed’ – please don’t expect us to believe that this was not done deliberately.
    The fact that the only way to opt out of the tracking is to allow them to set a cookie is so surreal I can’t believe it (after all, what is there to stop them then saying – aha – this awkward sod at xxx.xxx.xxx.xxx won’t let us track his behaviour – I wonder why?
    Hmm – I’ll make a note of that..)
    Oh, and if I change browsers they’re tracking me again..
    You owe John Gruber an apology.

  • Ben — 12:18 PM on December 30, 2007

    Hey John, I just want to commend you on putting up with all of this… as you mentioned, a “corporate shill” would just ignore all this, or maybe start spinning it. Instead you are trying to be a responsible interface between Adobe and the (internet savvy) public. And for that you are being burned alive. Keep up the good fight, it’s definitely worth it.
    Clearly this will repeat itself over and over again, but hopefully as more companies start trying to respond directly to their customers like this, those customers will realize the value of such a dialog.
    Though with the flayings you and e.g. Scoble have received, I’m sure some less forward-looking companies are rather hesitant to open themselves up to such public, direct, bidirectional communication.
    The pros still outweigh the cons though. There are a few rational folks out here who realize that Adobe could just as easily be silent on this issue, and _maybe_ release a buried press release or a software patch at some point in the fairly distant future with nary a peep beforehand.
    And those people are, unfortunately, the ones who are most likely to just read each of your posts, say to themselves “hmm, makes sense so far, before I decide he’s the devil, I’ll see what he has to say in a couple days after he does more research”, and never leave a comment.
    So you mostly hear from the reactionaries who assume that because you work for a company that is for-profit, you are, in fact, the devil, and if only you got a little more abuse you’d suddenly see the error of your ways (and what, work for a nonprofit? not sure). Well that and they like to see their name “in print” I guess.
    So, thanks for dealing with the reactionaries. The mostly-silent rational majority appreciates the open, thorough dialog, and it improves your name and the Adobe brand in our minds, even if we don’t feel the need to post a comment.

  • Bill Stone — 1:34 PM on December 30, 2007

    John, I think that these days, users are testy and on edge ever since the Sony rootkit debacle. The most irksome part of that whole circus was the fact that Sony felt completely justified in installing what was essentially a rootkit on people’s computers in order to safeguard their intellectual property. In short, they placed their need to protect their IP above the sanctity of the privacy of their users.
    Remember, too, that this story was broken by Mark Russinovich, who at the time was running the Sysinternals website (before being bought by Microsoft). He posted his entire testing methodology and his results – on his blog. It was his blog readers who escalated the issue to the local media and eventually to local and state Attorneys General.
    Don’t get me wrong, I’m not suggesting anything of the sort should happen in this case, and I’m absolutely sure that the execs from Omniture will be standing on Mr. Narayen’s carpet very shortly — holiday break or not. I’m merely pointing out that the only way bloggers feel empowered is through blogging, and in at least one case, that blogging made a difference in the way companies treat privacy policies and “spying” on their customers. It also, unfortunately, colored the entire corporate sphere as a group of people who will do anything to 1. protect their IP, and 2. make a buck; people we need to defend ourselves from. An unfortunate side-effect, to be sure, but the justification of “if it makes me more security-aware, then damn the torpedoes, full speed ahead” makes them feel better about posting without researching (or thinking, in some cases).
    Taken in that context, Omniture’s actions in choosing such an intentionally-deceptive server name (there’s really no other explanation for it) go well beyond the realm of a mere programmer’s stupidity. They can easily cross into some hefty corporate liability, and a fair bit of schmutz on the corporate face, which unfortunately spills onto Adobe as well.
    -bill

  • Harvard Irving — 4:30 PM on December 30, 2007

    It’s these STUPID people on here that have to go CRAZY for really nothing. I mean, does any of them use Windows? That crap calls home for anything and everything which is why I only use it for work cause I have to. Talk about spying…start with Microsoft.
    Having concerns over a valid issue and being vigilant about them is stupid and crazy?
    Why would I start with Microsoft? I don’t use Microsoft products, but I do use Adobe ones. I don’t see how Microsoft doing something justifies others doing it.
    If we don’t stay vigilant now, then that’s how Adobe products will end up as bad as Microsoft. When is the point you are willing to stand up and say “No!”? When it’s too late? I pay good money for my Adobe products, and I don’t appreciate this.
    It’s not paranoia, it’s not overreaction. It’s a very sane reaction – make oneself heard about something that concerns one.
    If John had really wanted to help his credibility (and Adobe’s) – he should have been just as outraged from the start, as some of the users here are. Really, this is a highly deceptive practice – using an IP address that’s intended to “fake” a local address.
    The big blow for John was when he missed this point and exaggerated the protests (“Adobe Ate My Baby”) rather than joining in the outrage.

  • Alexey Petrovsky — 4:45 PM on December 30, 2007

    Yes, VERY nice.
    When you try to opt-out from the 2o7 services, the page with opt-out INSISTS on putting on my computer ANOTHER cookie that certifies that you won’t any cookies from them. Isn’t it the same thing?
    Very clever.

  • Rosyna — 4:59 PM on December 30, 2007

    p-dawg, did you go to the link mentioned in the /. post you quote (I posted the link in an above comment as well)?
    You can see in Safari’s Activity window that the Omniture URL contains the text “F.3-fb/s1199062212549.27?” which is what the /. poster thought was the Serial Number. Unless Safari is giving them access to a serial number from a product that’s not even installed on my machine to Omniture, I am not sure how it is a serial number.
    It looks more like a UUID, a timestamp, or the analytics account number. The value appears irregardless of how you access the file so it cannot be a serial number.

  • egeezer — 11:17 PM on December 30, 2007

    The folks at Adobe should consider that the global user community had their trust betrayed by Sony in the well known rootkit debacle and the subsequent screw-ups and attempts to minimize. In that case, Sony, like Adobe, was an internationally known and respected vendor with a long standing reputation for legitimacy. People knew them and trusted them. However, as a result of that trust, systems were corrupted, businesses impacted, users of Sony products were harmed as a result of the unannounced and undeclared installation of applications on Sony customer systems.
    So in light of the major betrayal, it is not surprising that the public would be especially cynical and suspicious of unannounced changes or new behaviour in vendor products even if they come from well-known and respected vendors.
    The best thing Adobe can do is immediate full disclosure and remediation of their products to satisfy the user and security community. Obscure opt outs and fine print legalese notices will not be acceptable remedies.
    If Adobe’s response is to try to minimize it, dodge the specific issues and objections or make it go away, the IT press and community will escalate the public outcry. In short it ain’t goin’ to go away, so Adobe as a vendor needs to acknowledge, address and act to protect its trust in the IT world.

  • Tomas — 12:12 AM on December 31, 2007

    The “opt out” feature of most of the aggregators/trackers appears to be just so much eyewash. A “here, put this special cookie from us on your system so we won’t track you with cookies” is just too much to swallow, which is why my browsers have blocked (refused to accept) cookies from 2o7.net and many other trackers for years… :)
    Of course that doesn’t prevent another application from sending information to the tracking server. :(
    That’s why I have yet ANOTHER app on my Mac that asks me any time one of my apps tries to contact outside the first time, and I can allow or disallow that contact (Little Snitch).
    Tom

  • ceejayoz — 6:56 AM on December 31, 2007

    Drew — 09:51 PM on December 29, 2007
    As mentioned previously, 2o7.net is owned by Omniture. You can go to their site to opt out of all cookie tracking from Omniture:
    No, you can’t. Read the page – it’s a browser cookie. If you do the opt-out in Internet Explorer, it opts-out only for IE – if you boot up Firefox, you’re being tracked again.
    There is no way to opt-out for non-browser apps like Creative Suite.

  • Ben — 12:13 PM on December 31, 2007

    Just wanted to mention an alternate possibility about the hostname. Rather than it being an intentionally deceptive move by Omniture, couldn’t it simply be a bad joke that didn’t get caught by higher-ups or by their client? Still definitely a bad move, and worth giving them a hard time for, if only so they add another step in their QA process of “can this hostname be construed as evil?”.
    (The whole 2-Oh-7 thing is creepy to begin with of course, but it sounds like it is almost always used with a non-numeric hostname so who knows.)

  • Tobias Hoellrich — 2:36 PM on December 31, 2007

    @ceejayoz: your bold statement is incorrect. non-browser apps like CS3 use the OS’s browser services (IE, Safari) to communicate with the web, thus cookies will be shared between browser and the application. So, opting out in the browser that is used by CS3, will also opt out in CS3. However, you are correct in saying that cookies are not shared between different browsers (FF and IE for example).
    Tobias/Adobe

  • Phillip Kerman — 8:49 PM on December 31, 2007

    @Tobias yeah, it’s true that non-browser apps may use the services of one browser or the other… but for the record, I went to the opt-out link:
    http://www.omniture.com/privacy/2o7?f=2o7#optout
    clicked the opt-out option… did this once for every browser installed (in my case IE and Firefox)… then I re-launched Flash CS3 and it STILL pings
    http://192.168.112.2o7.net/b/ss/mxcentral/1/F.3-fb/sXXX?AQB&purl=mm&pccr=true&c2=fl&c3=9.0.0&c4=win&c5=en&c6=full&c7=&c8=PF&c9=fl_9.0.0_win_en_full__PFAQE
    Please, Adobe, figure this out. Most of us are patient.

  • d — 3:54 AM on January 01, 2008

    @Phillip: Isn’t that because CS3 has an embedded Opera browser, and it’s probably using that instead of IE/FF? I might be wrong – I’m only recollecting what I (think) someone mentioned earlier in the comments.
    The ironic thing about this whole debacle is that if Nack hadn’t brought it up, I would never have known about it. Rather than the shrill ‘this is outrageous’ crap that seems to dominate the comments (how can you know? We don’t even know the full story yet!), the thing that gets me is how creepy the entire thing is.
    This could just be the result of some terrible mistake. But it has to be said – the likelihood of a random set of numbers actually taking this ‘192.168.x.x’ form without deliberation is negligible.
    The disguising of the ‘o’ in 2o7.net rather than just using the number 207.net is also sleazy. It was only when someone pointed that out in one of the threads did I notice that, so it is easily missed in the right font.
    So you have Adobe using a company which for some reason is using an IP address which is both creepy and sleazy.
    The question now shouldn’t be ‘how shall we lynch Adobe?’, it should be ‘What is Adobe going to do about it?’.
    Give ‘em some time though, honestly – it is the holiday season.

  • Strat — 1:27 PM on January 01, 2008

    Spare me.
    Adobe (John Nack, John Dowdell, Doug Miller) is using the tin-foil hat label to obfuscate the intentions of the tracking code. This is a legally purchased retail product phoning home to report first installation and specific OS/config details. The product manager knew about it from day one, the witless Omniture liaison knew about it before the meeting where it was vetted, and the developers knew about it before RTM.
    There are no live links (or anything useful) added to the tracking flash found on the welcome screen. The purpose is obvious and the selected domain enforces suspicions about the seedy nature of this increasingly common practise. Look to previous versions of the product to see how unnecessary this was.
    No one is accusing Adobe of phishing, theft, or operating black helicopters. Most are (rightly) upset by this undisclosed “opt-in” behaviour in an expensive stand-alone application.
    P.S. I’m someone who actually clicks ‘Yes’, more often than not, when asked to provide anonymous usage data for product improvement. Try it (asking) some time.

  • Unhappy Photoshop user — 8:47 AM on January 02, 2008

    Let’s keep a FACT as it is: no matter how much John Nack is apologizing for Adobe, this is SPYING.
    John Nack is not called upon to decide, what kind of information from my computer is “free” to be taken. I am the only one to decide that, and I don’t give anyone a blank permission.
    IMO there are many customers, whose relationship and attitude to Adobe is strongly disturbed by this covert action.

  • tmalcom — 10:10 AM on January 02, 2008

    If Adobe is interested in regaining any kind of credibility (they have zero right now), I think they should state publicly who in their organization approved and implemented this deceitful spying scheme. The problem with big corporations is that the people in them who do wrong, and this is certainly a wrong, hide behind the very anonymity they try to take away from their customers and are seldom, if ever, publicly held responsible for what they’ve done.

  • Froodish — 1:07 PM on January 02, 2008

    There is only one reason to use ’192.168.112.2O7.net’ and that is to masquerade as a local address. One doesn’t have to be an expert on ports and IP addresses to grasp that.
    One reason only: to mislead either humans or firewalls or both.
    The logical next question to ask when discovering clear deception is: Why?
    Why would an application try and disguise its network communication? What is it doing that it doesn’t want me to know about?
    You want to improve products through online connectivity? Well now you’re going to have to bend over backwards to persuade me that you and Omniture are not doing anything nefarious and then maybe, just maybe, I’ll allow your applications to again have network access.
    At best this is extremely poor judgment on Adobe’s part – at worst it’s malware.
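
Added example, not part of the original comment thread or of any Adobe or Omniture code: a defender-side check that flags DNS names whose labels read as an IPv4 address, as 192.168.112.2O7.net does once the letter O is read as a zero. The log-line format and the names `embedded_ip` and `flag_queries` are assumptions made for illustration.

```python
import ipaddress

# The swap discussed in this thread: the letter "O" standing in for a zero.
LOOKALIKES = str.maketrans({"o": "0", "O": "0"})

# Constructed sample resolver log lines (the key=value format is an assumption).
SAMPLE_LOG = [
    "2008-01-02T13:07:01 client=10.0.0.5 qname=192.168.112.2O7.net",
    "2008-01-02T13:07:02 client=10.0.0.5 qname=adobestats.omniture.com",
    "2008-01-02T13:07:03 client=10.0.0.9 qname=8.8.8.8.example.net",
    "2008-01-02T13:07:04 client=10.0.0.9 qname=www.example.org",
]


def embedded_ip(hostname):
    """Describe an IPv4 address spelled out by four consecutive labels of a name.

    Returns None for ordinary names and for genuine IP address literals.
    """
    host = hostname.strip().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None  # a real address literal, not a name imitating one
    except ValueError:
        pass

    labels = host.split(".")
    for start in range(len(labels) - 3):
        window = labels[start:start + 4]
        octets = []
        for label in window:
            digits = label.translate(LOOKALIKES)
            looks_numeric = digits.isascii() and digits.isdigit() and len(digits) <= 3
            # Require one real digit so all-letter labels such as "ooo" are ignored.
            if not (looks_numeric and any(c.isdigit() for c in label)):
                break
            octets.append(str(int(digits)))
        else:
            try:
                ip = ipaddress.IPv4Address(".".join(octets))
            except ValueError:
                continue  # an octet above 255, so it does not read as an address
            return {
                "hostname": host,
                "reads_as": str(ip),
                "private": ip.is_private,  # RFC 1918 and other non-public ranges
                "swapped_labels": [l for l in window if l.translate(LOOKALIKES) != l],
            }
    return None


def flag_queries(lines):
    """Return findings for queried names that imitate a private address
    or use a letter-for-digit swap."""
    findings = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        hit = embedded_ip(fields.get("qname", ""))
        if hit and (hit["private"] or hit["swapped_labels"]):
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in flag_queries(SAMPLE_LOG):
        print(finding)
```

A name that merely embeds a public address (the constructed `8.8.8.8.example.net`) is recognised by `embedded_ip` but not reported by `flag_queries`, which keeps the alert focused on names that could be mistaken for local traffic in a firewall log.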

  • Tobias Hoellrich — 2:22 PM on January 02, 2008

    @Phillip: I did not try every CS3 application, in fact I only have Fireworks/Photoshop CS3 installed on my Windows XP system. I can clearly see that FW CS3 uses IE’s browsing facilities when making web connections. I deleted the *.2o7.net cookies from IE and Fireworks stopped sending cookies when starting up. That confirms the connection between IE and Fireworks for those applications. Things may be different for other OS/CS3-application combos, but I can’t confirm that at the moment. It is possible that Flash CS3 uses the embedded version of the Opera-browser (like Adobe Bridge) to conduct “web business”. I’m sorry that I can’t be more precise with this issue.

  • Marc — 5:07 PM on January 02, 2008

    John. i just want to say thank you for taking the time to try to get us answers. that is definitely more than you needed to do, especially considering that your specific application isn’t one of the ones that has this activity going on.
    [Thanks for the words of support, Marc; glad to help when I can. --J.]
    try not to let all of the stupid comments on here upset you. they shouldn’t have been directed AT you anyway.
    [That's cool; I don't take it personally. --J.]

  • Tarragon — 1:10 AM on January 03, 2008

    The key factor here is the transfer of information to a server which has been designed to look local.
    The use of the 027.net domain is dubious at the best of times.

  • mr_mcse — 5:04 AM on January 03, 2008

    1) THEY STEAL BANDWIDTH. These applications do not pay for bandwidth used or repeatedly lost. They never asked permission for use.
    2) They cost money in tracking because we believe we have security holes.
    3) We are LEGALLY responsible for the content (RIAA/MPAA/CHILD PORN/PIRACY/DoS attacks, ETC.) and actions of programs on our machines and networks.
    4) To circumvent our attempts at security is no better than a TROJAN horse sitting on our drives.
    5) INTENT does not matter “YOU” companies are in violation and should be sued for your WILLFUL ACTIONS. You sue for your rights and so should we. How would you like our software on your servers taking snapshots of your Intellectual Property?
    6) Other Corp. or businesses should be outraged at the possible theft of their materials.
    7) DO TO OTHERS AS YOU WOULD HAVE DONE TO YOU! How are we gonna play this out guys?

  • Eric — 9:55 AM on January 03, 2008

    Wow, who needs to go to /. to watch the nerds stretch the limits of hyperbole – or credulity? You think granny understands 192. means on the local network only? Yeah, right.
    Some people just don’t get that a large organization can make mistakes, or not tighten up procedures without making some mistakes to point out the problem areas.
    I have no doubt Adobe will fix this. The fact that the reporting is anonymous makes me think there’s no harm intended.
    There are plenty of evil companies out there who deserve the mob’s ire. Adobe is not one of them.
    People who stop using Adobe’s products because of a misstep like this are like the Sheriff in “Blazing Saddles” holding the gun to his own head and shouting, “Stand back or the [Sheriff] gets it!”
    Please, won’t somebody help that poor nerd? :-)

  • Gary Ulam — 2:39 PM on January 05, 2008

    Will Adobe consent to allowing users to disassemble their code so we can figure out all the dirty spying tricks they’ve hidden in the software?
    I’m sure the answer is a fat “NO”, we can’t let you do that because (1) we have something to hide AND/OR (2) we automatically assume you are going to steal our software. (Bad assumption -I paid $$$ for CS3, just to find out Adobe now thinks it has the right to spy on me).
    Well, if you do illegal SONY-style activity, then why should I trust YOU my dear Adobe? Hence the necessity for a third-party disassembly and review of your code, and the case should be taken to the Attorney General of every country you do business with.
    If your EULA prohibits us from snooping inside your code, but you breach our trust by using it to spy on us, I think you’re going to give a lawyer a good excuse to say that your contract with the user is voided.
    Does Adobe really want this?
    Heck no! So come clean, condemn Omniture for the spying 2o7.net sleaze that it is, FIRE whoever made the corporate decision at Adobe to spy in such a sleazy manner, and immediately inform all of your registered users of the issue via email. Plus provide a patch to plug the security hole in your software.
    Since learning of the issue yesterday (thanks to word spreading rapidly in a graphics forum I’m on, not thanks to Adobe!) I’ve had to waste time analyzing what my computer does to make sure this security hole isn’t bigger than it first appears.
    My business has too much at stake and in the past we’ve even had competitors try to hack us.
    It makes me want to build a computer just for Photoshop that never connects to the net, I don’t like being spied on and I don’t like that I don’t know all the information Adobe transmits.
    (I assume some of it may well be to protect Adobe’s ass against pirates, such as sending out a serial #, but they should at least specify what they are sending so I don’t have to waste my IT department’s time with an order to packet-sniff anything going to 2o7.net now!)
    Adobe DESERVES to be punished, it is no different than SONY. Adobe deserves to pay my IT guys for any time we have to waste due to this issue.
    “TRUSTED APPLICATION”? No way Adobe, every internet access you make through my computers will now have to be confirmed and packet sniffed until we determine what kind of information is sent. Any cookies to Omniture will find themselves re-written with bogus information directly in the return http-stream. I don’t consent to Omniture invading my workstations, wasting my bandwidth, etc.
    Gary Ulam

  • Gary Ulam — 3:05 PM on January 05, 2008

    This is a response to the comment from “Eric — 09:55 AM on January 03, 2008″ who wrote:
    Some people just don’t get that a large organization can make mistakes, or not tighten up procedures without making some mistakes to point out the problem areas.
    Eric, no hard feelings, but several of my IT guys are hard core “nerds” and they point out that this 2o7.net affair is not a simple “mistake” but a clear attempt to deceive. Should a thief who gets caught be let off so easily by a judge concluding “he just made a mistake”?
    Rather than dismissing the claims of previous commenters by denigrating them as nerds and silly “sheriffs” of information tech-justice, let’s deal with facts rather than personalities:
    You claim this information is anonymous, but how did you prove that it truly is? Because Adobe/Omniture says it is? Can we really trust them?
    Also, do you understand how data-mining, geolocation and other similar information technologies work? My company has to register its hardware, software, etc. even though we know a lot of this information ends up in the hands of the data-mining corporations who sell & share this information amongst themselves to develop even larger profiles of the users.
    Here are 2 simple ways it can cause grief for my company:
    1. I don’t need third parties (who may sell information to my competitors, or may one day decide to compete in my field themselves) knowing what hardware and software I purchase, in what quantities, etc. This is very valuable information to competitors.
    2. Tracking cookies can cause embarrassing incidents! Before we put in a policy to refuse all cookies unless dealing with the website of required and trusted companies, we had the situation where a worker was using his workstation to find naughty pictures on the web.
    That employee was fired but the damage was done.
    Sure enough, the geolocators kicked in and we soon found our computers displaying targeted advertising for dating and adult services.
    The geolocation was able to determine the city we were in and said “meet hot women in …….”.
    This looked extremely unprofessional one day when it appeared during a consultation session with a client.
    We know it was all caused by tracking cookies.
    In the end, many cookies just serve to re-direct more advertising towards you, and this wastes our bandwidth and $$$.
    God bless the nerds. If it weren’t for people like them, we’d all conclude the Sony rootkit affair was also a “harmless mistake” much like what you think Adobe has done.

  • Leslie — 6:57 PM on January 07, 2008

    John Nack’s posting is a ‘non-answer’. It is a carefully worded response that fails to address the questions being raised, but is designed to give the appearance of saying something important. Here is the Senior Product Manager for Photoshop claiming that he doesn’t have an explanation for a major function of the program (I would consider ‘phoning home’ with details of what a user is doing with the program–even if it is as simple as checking for multiple or illegal copies–a ‘major function’). Frankly, I don’t buy it. He of all people at Adobe should know about major functions and design issues of Photoshop. Even his post of January 02, 2008 says nothing more than “We don’t know anything about it.” I don’t buy it. I think this is a case of someone being caught with their hand in the cookie jar and he is hoping that he can avoid addressing the issue long enough that the issue will go away.
    [Thanks for the total lack of benefit of the doubt... I said I'm working on it, and I am. Sometimes at a big company (esp. when other companies are involved) it's not possible to move as quickly as one would like. --J.]

  • Phil Brown — 3:23 AM on January 08, 2008

    Those of you accusing Adobe (and John, personally…what is up with that – he’s been openly responding as he can on this issue for MONTHS before this latest little attack of interest from some quarters) should check your cookies (depends on your o/s where they will be).
    Have a look for other instances of the address that so concerns you. Then, when you notice that every other firm that uses this company to conduct similar research has the same questionable IP naming technique, I hope you’ll immediately launch yourselves at those companies in the same way, else you might consider printing a label that says “hypocrite” and sticking it to yourselves.
    Neither Adobe nor John need me sticking up for them, but when they make the effort to try to obtain details of something like this and to discuss it in public, it’s absolutely terrible to see them attacked for it.
    The very fact that such abuse and attacks are happily posted on this blog should tell you a lot about their willingness to remain open and honest when there’s a problem or a mistake.
    Meh, I’ve only been back at work 2 days since the holiday and already my faith in my fellow man is eroding. The irony of Internet based IQ tests does not escape me…

  • Andrew — 12:10 PM on January 10, 2008

    Let’s not forget folks: blogs, the Internet and all the rest of the 1’s & 0’s move much more quickly than People (and large corps.) do. Give Peace (and John) a chance to get this problem sorted.
    p.s. The above referenced digit is a “zero” – not the letter O ;]

  • Gary Ulam — 3:53 AM on January 13, 2008

    This is in response to the following posted by Phil Brown:
    Have a look for other instances of the address that so concerns you. Then, when you notice that every other firm that uses this company to conduct similar research has the same questionable IP naming technique, I hope you’ll immediately launch yourselves at those companies in the same way, else you might consider printing a label that says “hypocrite” and sticking it to yourselves.”
    Phil, it’s true that Adobe isn’t the only company utilizing these methods and I certainly appreciate the openness with which Adobe is permitting this blog to run, unlike certain companies who have censored or locked user discussions in forums (ie. try googling “lcd panel lottery” and you’ll see what I mean).
    Good companies know censorship backfires, and I applaud Adobe for permitting our comments to appear on this blog.
    However, to rebut the comment you made, I must state that adopting a “hey, other companies do it too” attitude does not justify why my high priced software suite is surreptitiously being used to gather…marketing?….information about me while I believed its primary purpose was to permit me to edit photos!
    Furthermore, what use are cookies in a photo and video editing suite? I can understand if I was browsing other companies websites, but with Adobe I was getting the cookies just using my workplace TOOLS!
    It’s too bizarre to imagine that Adobe/Omniture need marketing information every time I use my tools!
    At Omniture’s server that receives my cookie information, it will be very simple for them to determine when and how often my company uses its software, just by looking at the cookie logs. If they associate that with my IP address (and possibly my registration data), it can give them enough precious information to sell to my competitors that would like a general idea of how much business I’m doing in the current fiscal period. Of course I’m not saying Omniture *IS* doing this, but only that it has the *ABILITY* to do so thanks to the built-in cookie spying routine that Adobe put in to a NON-WEB-BROWSER software tool.
    I can expect to block my web browser from serving info to Omniture, but should I have to become paranoid about blocking my trusty Adobe suite? Heck no!

  • Phil Brown — 6:19 PM on January 13, 2008

    Gary – my point was to address the apparent claims (from many!) that Adobe was somehow solely to blame or involved in underhand techniques. This isn’t unique to Adobe, and yet they’re being targeted as if it is.
    They’ve had a problem brought to their attention. They’ve reasonably explained that it’s not as bad as some people were trying to make out. They’re now looking to fix it.
    Although some will complain that they took too long, in my experience with a major corporation such as this, the time frame has been extremely fast. It’s also been transparent and open, which ought to be applauded (and some people, such as you, are doing just that).
    Going forward, you are going to see many more apps integrated with web functionality (heck, you browse the web from inside many online games now!) in order to access support, marketing, additional features and so forth.
    Of course you should be able to opt out (or even better, choose to opt in in the first instance). But I would think it’s fairly clear that this address wasn’t created exclusively for use by Adobe. There really is nothing sinister in Adobe engaging a company to do research for them.
    Omniture’s decision to use that address is very poor. Adobe, no doubt, will not be so trusting themselves when they have someone create code for them. Everyone’s learned something.
    Everyone makes mistakes. It’s how we deal with and address them that matters the most. We should be promoting how this issue has been handled (without ignoring the underlying issue – which is being resolved) rather than harping on with conspiracy theories and ad hominem attacks. That’s really been my point (and I think you agree).

  • TiredoftheSNOOPING — 5:13 PM on July 20, 2008

    1. We should NOT have to go to Adobe.com website to change settings on FlashPlayer on our own hard drives to avoid their sneaky hidden FLASH COOKIES! This is extremely heavyhanded and sneaky of Adobe/Macromedia. (Those who don’t even know about Flash Player cookies need to read up on them, then do a search of their own hard drives: *.sol – and be surprised at what they find.)
    2. Even after you DO change the settings and try to avoid all Flash Player cookies, you will probably get more anyway.
    3. If you do BLOCK all Flash Player Cookies, some sites, like youtube.com will NOT work for you, unless you go back and ALLOW the Flash Player Cookies.
    4. EVERYONE using Flash Player should demand that Adobe/Macromedia release a patch for their product that enables end-users to change these settings on our own hard drives, without the interference and nosiness of Adobe forcing us to do any changes ON THEIR WEBSITE!
    Whose machine is it, anyway?

  • j — 11:19 PM on August 17, 2008

    Wow, great job finding out more info on this for us. It’s been what, eight months with no answer?
    [I posted updates here and here (within a week of the entry on which you're commenting). So, great job on your thorough research. --J.]

  • bill gall — 3:59 AM on September 02, 2008

    I solved this problem a long time ago. I bought a separate computer just for graphics work. That computer never gets hooked to any network, wireless or other because I removed the modem. I don’t mean I disabled it, I mean I opened the tower, took it out and threw it in the dumpster. NOTHING will happen on my computer without my say so. In addition, I garbaged Adobe when they came out with cs2 because it was needlessly bloated. A lot of my associates said “screw this” and downloaded pirated copies of CS2 and CS3 that had been recoded to work in an actual productive manner. One of them had a portable copy of CS3 that’s just over 80 megabytes and can be run on any computer from a keychain flash drive with no endless lags in startup or operation and certainly no illicit activities. I would have done this too, but I don’t really need Adobe anymore. There are plenty of alternatives and some of them are even free. And now that Adobe’s let their market dominance go to their heads, they’ve lost the trust of their customers (at least the ones that count), just as Sony did when their heads got too big and they implemented rootkits. Sony will never make another penny of mine and now neither will Adobe. When a company reaches a certain size, they forget that it’s the customer that controls their success or failure, not vice versa. Now the tide has turned. Trust has gone elsewhere and the company that will sink Adobe is already on the rise. Here’s to the fall of yet another empire, brought down from inside by its own greed. Bon Voyage, Adobe. You brought it on yourself. ;)
