Heads Up if You're Using Adobe Acrobat Reader

The following article appears here:

formatting link

Linux users may have been pleased to find that Adobe has finally made available a new version of its Acrobat Reader, with accessibility features, a much slicker interface than Acrobat 5.x and new and other spiffy features. However, there are a few other features that Linux users should be aware of. A company called Remote Approach is promising to alert PDF publishers as to the "reach and use of their materials." We were curious to find out how Remote Approach was going to make good on its promise, given that PDF has largely been seen as a one-way medium. To find out, we created a test account and uploaded a PDF to be "tagged" by Remote Approach, and then downloaded the modified document to see whether Remote Approach could log our use of the document.

Remote Approach's reporting did not work when we viewed the document with Kpdf, Xpdf and Adobe Reader 5.0.10. It also failed using Apple's "Preview" application on Mac OS X. The document was still viewable with no apparent glitch in other PDF readers, but the reporting function did not work. However, when we opened the file using Adobe Acrobat Reader 7, Remote Approach started logging views from our IP address. After doing a little research, we found that Adobe's Reader was connecting to

formatting link
each time we opened the document. The information is submitted over port 80 using HTTP, so it is unlikely that a home or office firewall would, in a normal configuration, block the activity, unless the firewall administrator is attempting to block Web browsing.

Apparently, Remote Approach's "tag" to our document included the addition of JavaScript code causing Acrobat to report back to their server; the information reported includes the fact that the document had been read, our IP address, and which viewer it had been read in. (Interestingly, Remote Approach does not seem to recognize the Linux version of Acrobat Reader, as it left the "User Agent" field blank in its reports.)

What many Linux users may not have realized, since Adobe did not release an Acrobat Reader 6.x for Linux, is that Adobe has added JavaScript support to PDF and the official Acrobat readers since Acrobat 6.x. For those interested in the JavaScript support and its abilities in Acrobat, see Adobe's scripting reference or scripting guide. (Both are PDFs, of course.)

By default, Adobe Reader 7 turns on JavaScript, so the "tagged" document is able to "phone home" without the user's awareness. Turning off JavaScript disables the document's code, and prevents Remote Approach (or any other entity) from tracking views of the document. No doubt, Remote Approach is using features that would normally be used to submit information from a PDF form.

The inclusion of JavaScript in Adobe Reader 7 for Linux no doubt provides a number of welcome features for users, but it also raises some privacy issues. The reader does not inform the user that information is being submitted, so users are likely to be oblivious to the fact that another party is aware of their PDF reading habits. While a user may not find it objectionable to notify the publisher, there are those of us who don't care to allow publishers to snoop on activities taking place on our personal computers.

Lucky for us, there are plenty of alternatives to Adobe's Reader. Free PDF readers are unlikely to adopt features allowing the reader to silently phone home in response to code stored within the document itself. If you must use Acrobat, however, you may want to have a look at the JavaScript settings first.

Reply to
Tony P.
Loading thread data ...

When I disable the Adobe Javascript option, I get prompted on every exit from Adobe Reader 7.0.x that "This document requires Javascript". That will appear when the only actions were to open and then close Adobe Reader without loading any document. So I can leave it on and risk the covert tracking or I turn it off and get nagged with a bitch message on every exit where I have to click on a No button (to prevent turning on the global option).

Looks like I'll be looking for an alternative PDF viewer. in the meantime, I've configure the app rules in my firewall to always block any connections from acrord32.exe. Screw them.

Reply to

Response CROSS-POSTED TO alt.privacy.spyware.

Rather than fiddle with the javascript settings, would it not be simpler to add the site

formatting link
to whichever hosts file that you use on your PC?


Reply to

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.