January 08, 2008

Adobe and Omniture: Further details

As promised last week, a number of Adobe folks have been gathering information about Adobe desktop applications’ communications with a server named “192.168.112.2o7.net,” operated by Web analytics firm Omniture.  Having already discussed what data is (and is not) being gathered and tracked, let’s talk about the history & purpose of the implementation.

The welcome screen (screenshot) that’s available in some Adobe CS3 applications (Flash, Fireworks, Dreamweaver, Illustrator, and InDesign) is designed to show fresh, relevant news and information.  For that reason it loads a Flash SWF file that’s hosted on Adobe.com, just as a Web browser would do.  When the SWF gets loaded, it pings the Omniture server to record the event.  As noted previously, no personal information is uploaded in that exchange.

Some questions & answers:

Q.: Why does the SWF fetched into the welcome screen call the Omniture server?
A.: All of the content fetched from Adobe.com does this.  Adobe, like almost all companies with a Web presence, anonymously tracks usage patterns and response-time statistics.  The only way to get effective data on this is to use client-side callbacks, and Adobe works with Omniture to do this.  Hence the call to the Omniture server.

Q.: Why does Adobe use a server whose name is so suspicious-looking?
A.: I’m afraid the answer is that we don’t really know.  The fact is that this SWF tracking code already existed on the Macromedia side at the time the companies merged, and it was adopted without change by a number of products for CS3.  The people who wrote the code originally did not document why they used that server name, and we can’t find anyone who remembers.  I’m sorry we aren’t able to provide a more solid, definitive explanation.

Q.: Follow-on: Given that you can’t give a good reason why Adobe is using a server whose name is so suspicious, are you going to change the name?
A.: Absolutely.  We are working with Omniture on this right now, and will make this change as soon as we can.  (I don’t know how long this will take, but will post here when I do.)

Longer-term (in future releases), we’ll do a better job of explaining what the apps are doing of the network and why.  I think we can enable some really amazing user experiences by bringing the desktop & online worlds closer together, and that most people will want to participate in those.  The key thing is that they be given the choice, and that they be made aware of what’s going on.

Does that make sense?  All in all, I’m glad that people raised the issue; that we can explain what Adobe apps are doing; and that we can bear this experience in mind as we move forward.

J.

PS–A tech note is now live on Adobe.com, detailing the way the apps interact with the 2O7.net server.

Posted by John Nack at 5:53 PM on January 08, 2008

Comments

  • Peter Witham — 6:08 PM on January 08, 2008

    So based on that I guess if you choose to not display the welcome screen in the applications then the server would not be called?
    [That's correct. --J.]

  • Jim Monaco — 6:26 PM on January 08, 2008

    You guys are the best company in the world. But you probably already knew that :)
    With the current state of mega-corporations, it’s just amazing to see a company take such swift, clearly explained, apologetic, correcting actions simply because their users pointed something out.
    Hat’s off to you, John, for spearheading this particular effort, and in general for always braving the full brunt of user opinions right here in public. It can’t be easy!

  • Ted Tschopp — 6:30 PM on January 08, 2008

    When you are looking at addressing how your apps work accross the network, can you take into account that some of us use your products in a corporate enviroment. Activating and registering them via the web is not possible becuase your applicaitons do not support proxy servers on Windows. And we are required to use the corporate proxy server. There is no exceptions, and no options other than calling each time we want to reregister and move stuff.

  • Phillip Kerman — 6:50 PM on January 08, 2008

    Okay, so I appreciate the technote and the comments above. I can also accept and take your word for the thing about “no one remembers”. Man, if someone had to look at code I did 5 years ago I wouldn’t envy them. And… since you agree it’s a less than desirable subdomain and plan to fix it–that’s great.
    One thing that might be worth noting is that while the “get fresh content” feature of the start page is of debatable value (frankly 99% of the time it says “hey, you want to buy something?”)… the option to turn it off in order to block the server calls also coincides with disabling the (arguably) real value of the start page. That is, I like the start page… but I’m indifferent to the fresh content. My choice is to live without the start page or accept the tracking. Naturally, the option to independently turn one off and not the other is something to add in the next round of improvements. In fact there could be THREE options:
    –start page on/off
    –get fresh .swf content/ads
    –track my usage to make product better.
    Finally, and maybe I’m just naturally argumentative… but I am curious how does knowing what apps I launch help improve the product? I’m not saying it doesn’t but from a statistical perspective it doesn’t seem like a great value.
    Anyway, thanks for sticking with this and I think it’s a fair expectation that you’ll have placated most people on this issue.

  • Stefan — 6:58 PM on January 08, 2008

    Oh, how good does it feel to see someone simply say “I don’t know” instead of making up some phony excuse that doesn’t help anyone. Nice! :-)

  • Nat Brown — 7:01 PM on January 08, 2008

    Thanks for the research, regular updates, and explanation. We’ll have to start calling you the Omnipotent Omniture Ombudsman, so to speak.

  • Rosyna — 7:13 PM on January 08, 2008

    Of course, viewing that technote causes your browser to send information about all your loaded plugins to Omniture. (Again, Safari activity window)

  • Matt — 9:10 PM on January 08, 2008

    Kudos to you for the swift action John!

  • Steve Howard — 9:17 PM on January 08, 2008

    Hilarious.
    The software has being doing this for 5 years, and it’s not been a secret all this time. Suddenly the sky is falling.
    OK it’s good to see Adobe being reactive, but the uproar from the user base is 5 years too late.

  • David Chartier — 11:18 PM on January 08, 2008

    Great follow-up Mr. Nack. You are an exceptional voice of transparency for such a large and ominous company.

  • Manuele De Lisio — 2:19 AM on January 09, 2008

    just… why 192.168.112.2o7.net instead of dunno, adobefreshandrelevantnews.com?
    I mean, sorry but it doesn’t smell OK…
    [That's what I'm saying above: the current URL sends the wrong message, and it'll be changed. --J.]

  • Keith Peters — 4:44 AM on January 09, 2008

    If you don’t like the start page, you can always create your own.
    http://www.bit-101.com/blog/?p=508
    http://www.bit-101.com/blog/?p=509
    http://www.bit-101.com/blog/?p=510

  • Matt Radel — 5:53 AM on January 09, 2008

    So why was the welcome screen omitted from Photoshop? It just seems inconsistent.
    [You're right, and it is. We simply ran out of time. --J.]

  • Allen Stern — 8:00 AM on January 09, 2008

    Here’s my update:
    http://www.centernetworks.com/adobe-reply-spyware-concerns-omniture
    John – have a read please as I thank you in my post. While I don’t agree 100% with the outcome, you went above and beyond, especially during a holiday, to help. You should be thanked.
    [Thanks for the link, Allen. I'm on the road at the moment (hence the delayed responses), but I'll check it out shortly. --J.]

  • Chris — 9:55 AM on January 09, 2008

    Is it REALLY that important to force ads into the welcome screens?
    [The SWF isn't an ad. Customers have frequently complained that they don't know where to go to find news and resources about Adobe products. The SWF is meant to provide links & news. It's one of many efforts to help people get more value from the products they've purchased. --J.]
    I’ve already bought the product, can’t you pleeeeze be satisfied with that and stop trying to somehow pry additional pennies out of me while I’m using the application that I’ve already bought? Sounds like one of those “clever” ideas that the marketing department thought up and that was reluctantly implemented by the engineers. Years later, the plan hasn’t produced a nickle (I would guess) and instead had resulted in a huge black eye for — wait for it — the engineers!
    [Yes, it's always villainous "marketing" screwing up the works... :-P --J.]

  • Yazdgerd — 11:50 AM on January 09, 2008

    Runs to buy Little Snitch.

  • Ernie Longmire — 12:55 PM on January 09, 2008

    I’m glad that Adobe finally took the issue seriously enough to come up with a response, but it’s a little frustrating that it required eight months (http://blogs.adobe.com/jnack/2007/01/cs3_doesnt_inst.html#c326034) and a huge uproar. It may not have been a “secret” over the past five years, but you can hardly expect the average user to have known about it before now. Most folks don’t actively monitor outbound network traffic from their desktops, and wouldn’t know what to do with the information if they did. Now with Vista, it’s pretty hard to miss.
    This was the electronic equivalent of coming home to find some guy wearing a ski mask in your kitchen. If you prefer to assume he’s an invited guest and offer the fella a drink and some light conversation … well, it’s your house and that’s your prerogative. If it happens in my house I’m dialing 911 and letting the cops sort it out.

  • sambeau — 6:34 PM on January 09, 2008

    Ernie,
    The ski mask thing…
    It’s really not. You’re way over the top there. It’s an interesting metaphor, but, a splash screen on a piece of graphics software phoning home has no resemblance to an intruder wearing a balaclava. None. Not at all.
    Not saying Macromedia were right, but… keep the ball on the deck , will ya!

  • Billy — 7:48 PM on January 09, 2008

    This is absurd. “We really don’t know” is not answer. It’s your app, controlled by your employees… find out. You can’t in one breath say it’s performing a useful function by serving the latest updates, and then right after say you don’t know how it got there. There’s only one reason to name a server that, and I don’t think it’s Adobe’s attempt at an ironic joke. It is to allude detection, and now that they’ve been caught it begs the question, why were you trying to avoid detection? “I don’t know” is a pathetic response.

  • Ranell Courier — 8:15 PM on January 09, 2008

    John
    Even though this all turns out to be “innocent” there are a couple of concerns:
    Why did Adobe ever put this in in the first place? Why did they feel the need to know about how I use the product (even in anonymous aggregate.) You DON’T need client side callbacks. You claim the information helps you understand the product usage and then tell us that it is not collecting any serious information. Which is it? Why did Adobe try to hide it by using an internal network type IP?
    [As mentioned, the server naming decision was made at Macromedia pre-merger, and I haven't been able to get a good answer as to why it was made. --J.]
    Why am I not notified of it right up front?
    [As I've been trying to say, I think we should do a better job of communicating about what's happening & giving people control over it. --J.]
    Why am I not given a way to turn it off?
    [I'm not sure why people keep saying that they're not given a way to opt out of this. You can simply choose not to show the welcome screen, in which case it won't load, display the SWF, and ping the server. --J.]
    Who is compiling the final product? Even your top guys had to research this so one has to wonder what other things are in Adobe’s software the we are not aware of yet?

  • Netinspector — 2:20 AM on January 10, 2008

    Listen Adobe!
    Since the switch from Golive to Dreamweaver, I don’t trust you anymore! Once you blamed Dreamweaver!! That is what I remember very well!!!!
    Most customers are suffering from amnesia, but I don’t!
    ADOBE your management is equal to M$. Buy drestroy and misuse your marketingpower.
    Shame on you!

  • sambeau — 5:16 AM on January 10, 2008

    Billy,
    A pathetic response is better than a dishonest one.

  • effgee — 5:36 AM on January 10, 2008

    “… The key thing is that they be given the choice, and that they be made aware of what’s going on. …”
    Actually, no it isn’t. The key is that users be given said choice before the software initiates any kind of network connection, anything else is plain and simply unacceptable.

  • gd — 12:39 PM on January 10, 2008

    I’m happy to see that, through your efforts John, Adobe finally took serious notice of a decidedly suspicious domain name, and decided to change that name. Unfortunately, before your involvement, Adobe apparently didn’t take users’ concerns about this name seriously, as the issue was first raised and brought to Adobe’s attention many months ago. Sadly, it seems that a couple of “sky-is-falling” blogs were required to get the name changed.
    I would add that, as a user, I welcome and appreciate informative opt-in (or opt-out) questions regarding application behaviour (and particularly non-obvious behaviour). Other than for apps whose primary purpose is to connect to the net, I consider an application’s attempt to connect to an internet server to be ‘non-obvious’ behaviour.

  • SBG — 12:44 PM on January 10, 2008

    The one inconsistency here that has been brought up, but skipped over in your replies is the question about how it can be improving the software if it’s not really sending any important data.
    Can you detail exactly how this process works?
    1.What is the information that is collected.
    2. How is it used to improve the app?

  • Kay A. — 3:24 PM on January 10, 2008

    The world would be a better place if Flash did not exist.

  • Eric — 4:02 PM on January 10, 2008

    Sigh, I guess some people’s reading comprehension isn’t as good as others. Mark Twain must have had you in mind when he wrote:
    “A man who carries a cat by the tail learns something he can learn in no other way.”

  • john doe — 12:17 PM on January 15, 2008

    Phoning home in any manner without PRIOR permission is unacceptable in any and all cases.
    If this is truly a “feature” that users want, then an opt-IN setting that could be enabled when the app is first booted would work without any backlash or invasiveness and still give everyone what they want.

  • Thomas — 2:23 PM on January 16, 2008

    I am not sure if this has been addressed yet, but I will venture a guess as to why the name 192.168.112.2o7.net was used.
    192.168.X.X are numbers used on internal networks, and are not routed on the Web. Note that when you boot up the new router on your home network, 192.168.1.X series of addresses are used by default. You can learn more about network address translation (NAT) here http://www.openbsd.org/faq/pf/nat.html
    If someone quickly looks at the address 192.168.112.2o7.net it appears to be a device on the network and won’t be investigated as much as say ServerThatCollectsYourData.com. If this is correct, this seems to be a little on the sneaky side to me.
    My 2 cents.
    John – I do appreciate that you took the time to investigate this matter and were willing to say I don’t know.

  • Three Cents — 3:45 PM on January 17, 2008

    here are two solutions while we wait for adobe to discover why the code they themselves wrote contains what it does
    http://dev.netcetera.org/blog/2007/12/30/opting-out-of-omnitures-1921681122o7net-the-geeky-way/
    http://himself.wordpress.com/2008/01/10/opting-out-of-omniture%E2%80%99s-1921681122o7net-the-lazy-way/

  • know the truth — 4:09 PM on January 19, 2008

    First off, I think this is all a bunch of baloney. The lame explanation simply proves you can’t trust Adobe.
    I think Adobe knew exactly what it was doing, and consciously decided to abuse users trust with ready made trouble management set in place complete with lame answers.
    Users should be weary and acquire good software firewalls.

  • WRW — 1:50 PM on January 25, 2008

    I kind of wonder what else they are doing, since while using MY PURCHASED copy of Illustrator CS2, I get popups telling me about CS3. I am definitely getting rid of this spyware!
    [First I've heard of it. Where in CS2 are you seeing such popups? --J.]

  • Agent — 11:18 PM on March 31, 2008

    I’m going to start a class action suit. Watch the news…

  • Francisco Berridi — 8:08 AM on April 08, 2008

    Guys, the 92.168.112.2o7.net is not an “Adobe spy” domain, that all, is just a Sub-dmomain of the 2o7.net domain, and is used by Omniture for tracking, in a 3rd party cookies mode, Omniture has a solution to this “problem” wich requires some DNS configurations, so this way Adobe will be able to use something like metrics.adobe.com instead 92.168.112.2o7.net, im sure they are working on it.

  • Stefan — 2:23 AM on July 07, 2008

    @ Billy: You are right thus. Adobe would exactly have to know what does it there. I already know why I the welcome screen never use.

  • Marc — 12:26 AM on March 10, 2010

    Bravo! Two years later (2010) Adobe CS4 applications still try connecting to 192.168.112.2O7.net.
    So much for the last answer in this post:
    “Absolutely. We are working with Omniture on this right now, and will make this change as soon as we can. ”
    Shame on Adobe. :(

  • me — 2:39 PM on February 27, 2011

    “as soon as we can”

    One would have thought ‘never’ and ‘soon’ would be mutually exclusive

    Where can I download the adobe-dictionary?

Copyright © 2014 Adobe Systems Incorporated. All rights reserved.
Terms of Use | Privacy Policy and Cookies (Updated)