One of the world’s largest academic paper publishers said it adds a unique fingerprint to every PDF its users download in a bid to prevent ransomware, not piracy.
Elsevier defended the practice after an independent researcher discovered the existence of unique fingerprints and shared their findings on Twitter last week.
“The identifier in the PDF helps prevent cybersecurity risks to our systems and those of our customers – there is no metadata, PII [Personal Identifying Information] or personal data captured by them,” an Elsevier spokesperson said in an email to Motherboard. “Fingerprinting PDF files allows us to identify potential sources of threats so that we can notify our customers to act accordingly. This approach is commonly used in the academic publishing industry.”
When asked what risks he was referring to, the spokesperson sent a list of links to ransomware news articles.
However, Elsevier has a long history of prosecuting people who pirate or share its paid academic papers. In 2015, Elsevier sued SciHub, the “Pirate Bay of Science”, which hosts millions of journal articles, including those from Elsevier. In the past, the company has come under fire for acquiring other academic platforms that distribute articles for free in an effort to corner the market. Some universities have boycotted Elsevier in the past, and the company has used legal threats against other sites that host academic papers online. The company has had cybersecurity issues before. In 2019, it left a server open to the public internet and exposed users’ email addresses and passwords.
It’s unclear exactly how fingerprinting every downloaded PDF could actually prevent ransomware. Jonny Saunders, a doctoral student in neuroscience at the University of Oregon who discovered the practice, said they believed Elsevier was trying to monitor its users and prevent people from sharing their research without paying the company.
“The subtext is strong enough for me,” Saunders told Motherboard in an online chat. “These breaches/ransoms are really a pretense to say ‘universities need to lock accounts so people can’t browse PDFs’.”
“When you have things that you don’t want other people to give away for free, you want a way to find out who’s giving them away, right?” they added.
Additionally, Saunders said, Elsevier’s claim that there is no metadata or personal data captured is misleading, given that the company itself admits that it uses this system to identify accounts that have been hacked.
“To say that unique identifiers *themselves* do not contain PII is a semantic dodge: the way identifiers like these work is to be able to match them later with other identifying information stored at the time of download like browser fingerprint, institutional credentials, etc,” Saunders said. “To justify them as a ransomware protection tool is to bluntly admit that these codes are intended to identify the downloader: what would be their use if not to identify the compromised account or system?”
A company spokesperson did not respond to Saunders’ allegations.