January 02, 2008
What data do Adobe apps gather & upload?
As promised, a number of folks at Adobe have been digging into questions raised about what data is being gathered by Adobe applications, what’s being uploaded & tracked, etc. It’s an ongoing investigation, but in the interest of sharing info as quickly as possible, I’d like to pass along what we’ve gathered so far.
One of the most alarming claims (made by readers posting on Slashdot and elsewhere) is that Adobe apps are surreptitiously uploading users’ serial numbers. Adobe engineer Tobias Hoellrich has spent a bunch of time analyzing the issue and has posted his findings and methodology on his blog. Short story: "Based on my analysis, I don’t see any evidence that serial-numbers are being sent to either *.adobe.com or *.2o7.net." This info matches everything else I’ve been able to learn on the subject: the welcome screen SWF is not gathering/uploading serial numbers or other personal info.
There is one instance in which Adobe applications do upload a user’s serial number: during product activation. During that process (which has been around for roughly four years), an encrypted copy of the serial number is uploaded to the activation server. Note that activation is not the same thing as registration. The registration process (during which you supply your name, contact info, etc.) is optional and is not connected to activation (which does not include that kind of personal data). Details are available in the activation FAQ. None of this is new, nor is it related to the welcome screen SWF, but it’s worth mentioning for the sake of clarity & disclosure.
Tobias’s post doesn’t discuss the controversial "2O7.net" URL being in conjunction with the welcome screen SWF. Adobe staff are getting in touch with stats-tracking firm Omniture to get more info. As soon as I have more to share on that front, I’ll post it here.