
Privacy and Security for EPUB3

Wendy Reid edited this page Jan 12, 2022 · 2 revisions

EPUB Threat Model / Privacy Advice

Security/Privacy Objectives

  1. EPUB should preserve content author and end user confidentiality where possible.
  2. Content integrity should be preserved, so that what the user reads is what the author published.
  3. Reading Systems should advise users of their data policies, and protect content integrity and user data.

Content

Threats

  • falsified creator information (including identifiers, DRM licenses, etc.)
  • remote resources come from compromised or risky sources
  • links to remote resources that compromise user or platform security
  • container contains malicious content, or links to it
  • spoofed platforms (where content is designed to imitate or replicate a platform's experience in order to trick a user into providing data)
  • scripting:
    • serving information to remote receivers
    • local storage
    • unauthorized collection of user data

Recommendations

  • Content authors are responsible for the development and construction of their content. As such, authors should do their best to ensure that end users are not exposed to any of the threats. This includes the responsible use of scripting, remote resources, and URLs within content.
  • Content authors are advised to avoid the use of any means of collecting user information. If user information needs to be collected for any reason, it is strongly advised that the content author inform the user of the reason and intended usage for the information, and provide an opt-out option as the default.
  • Content processors, defined as entities that handle the ingestion of EPUB content for distribution, display or sale, should also be aware of the risks of ingestion. It is advised that content processors scan content for malicious material on ingestion, in addition to the validation steps that usually occur. This could include running virus scans, validating external links and remote resources, flagging scripted content, or other precautions.
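As an added illustration of the ingestion check above (this is example code written for this page, not part of EPUB or of any reading system), the script below opens an EPUB container, locates the package document through META-INF/container.xml, and reports the manifest items and XHTML content that a processor would want a human or a policy to look at: remote resources, scripted items, script elements, absolute http(s) links, and forms. The sample EPUB it builds in memory is constructed for the example; the hostname example.invalid and the file names in it are placeholders. A reading system can run the same check before rendering a publication.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces of the OCF container file and the OPF package document.
NS = {
    "c": "urn:oasis:names:tc:opendocument:xmlns:container",
    "opf": "http://www.idpf.org/2007/opf",
}


def find_opf_path(zf):
    """Return the package document path named in META-INF/container.xml."""
    root = ET.fromstring(zf.read("META-INF/container.xml"))
    return root.find(".//c:rootfile", NS).get("full-path")


def scan_xhtml(zf, path):
    """Flag script elements, forms and absolute http(s) links in one XHTML file."""
    try:
        root = ET.fromstring(zf.read(path))
    except (KeyError, ET.ParseError) as exc:
        # A content document that is missing or does not parse is itself a finding.
        return [("unreadable", path, str(exc))]
    findings = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # strip the XHTML namespace
        if tag == "script":
            findings.append(("script-element", path, el.get("src") or "inline"))
        elif tag == "form":
            findings.append(("form", path, el.get("action", "")))
        for attr in ("href", "src"):
            url = el.get(attr)
            if url and urlparse(url).scheme in ("http", "https"):
                findings.append(("external-link", path, url))
    return findings


def scan_epub(data):
    """Return (kind, location, detail) findings for an EPUB given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        opf_path = find_opf_path(zf)
        base = posixpath.dirname(opf_path)
        pkg = ET.fromstring(zf.read(opf_path))
        for item in pkg.findall(".//opf:manifest/opf:item", NS):
            href = item.get("href", "")
            mtype = item.get("media-type", "")
            props = item.get("properties", "").split()
            if urlparse(href).scheme:  # any scheme means the resource is outside the container
                findings.append(("remote-resource", opf_path, href))
                continue
            if mtype in ("application/javascript", "text/javascript") or "scripted" in props:
                findings.append(("script", opf_path, href))
            if mtype == "application/xhtml+xml":
                findings.extend(scan_xhtml(zf, posixpath.normpath(posixpath.join(base, href))))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'script': 2, 'form': 1}."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def build_sample_epub():
    """Constructed sample EPUB containing one instance of each flagged pattern."""
    container = ('<?xml version="1.0"?><container version="1.0" '
                 'xmlns="urn:oasis:names:tc:opendocument:xmlns:container">'
                 '<rootfiles><rootfile full-path="OEBPS/content.opf" '
                 'media-type="application/oebps-package+xml"/></rootfiles></container>')
    opf = ('<?xml version="1.0"?><package xmlns="http://www.idpf.org/2007/opf" version="3.0" '
           'unique-identifier="uid"><metadata xmlns:dc="http://purl.org/dc/elements/1.1/">'
           '<dc:identifier id="uid">urn:uuid:constructed-sample</dc:identifier>'
           '<dc:title>Constructed sample</dc:title><dc:language>en</dc:language></metadata>'
           '<manifest>'
           '<item id="ch1" href="chapter1.xhtml" media-type="application/xhtml+xml" properties="scripted"/>'
           '<item id="js" href="tracker.js" media-type="application/javascript"/>'
           '<item id="font" href="https://example.invalid/fonts/body.woff" media-type="font/woff"/>'
           '</manifest><spine><itemref idref="ch1"/></spine></package>')
    chapter = ('<?xml version="1.0"?><html xmlns="http://www.w3.org/1999/xhtml"><head>'
               '<title>Sample</title><script src="tracker.js"></script></head><body>'
               '<p>See <a href="https://example.invalid/track?id=1">this page</a>.</p>'
               '<form action="https://example.invalid/collect"><input name="email"/></form>'
               '</body></html>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # ZIP_STORED by default, as the mimetype entry requires
        zf.writestr("mimetype", "application/epub+zip")
        zf.writestr("META-INF/container.xml", container)
        zf.writestr("OEBPS/content.opf", opf)
        zf.writestr("OEBPS/chapter1.xhtml", chapter)
        zf.writestr("OEBPS/tracker.js", "// constructed sample script\n")
    return buf.getvalue()


if __name__ == "__main__":
    for kind, location, detail in scan_epub(build_sample_epub()):
        print(f"{kind:16} {location:24} {detail}")
```

The findings are deliberately neutral: a scripted chapter or a remote font is allowed by EPUB 3, so the output is a list for review or for a policy to act on (for example, rejecting remote resources or requiring a scripting review), not a verdict. Items that do not parse are reported rather than skipped, since unreadable content is exactly what validation would otherwise miss.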

Reading Systems

Threats

  • scripting:
    • compromised local storage
    • unauthorized collection of user data
    • sending of information to remote receivers
  • spoofed platforms
  • malicious content within containers
  • accessing malicious remote resources
  • collection of user data
  • user-generated content
  • digital rights management

Recommendations

  • Reading systems are responsible for the display of EPUB documents. Reading systems should do their best to ensure that end users are not exposed to any of the threats by building protections against them into their reading systems. Reading systems should also be clear about, and let users control, the data they may want to collect and use about the user and/or their reading behaviour.
  • It is understood that the collection of some user data may be required for the sale, delivery, and operation of an EPUB file, particularly on platforms where the sale of an EPUB file and the method of reading it are connected. In these cases, it is recommended that the reading system or retailer be clear about the data being collected, how it is used, and allow for user opt-outs where possible. Anonymization of data is strongly recommended for the privacy and the security of the user and reading system.
  • It is also understood that user data may be required or helpful for some reading system affordances. In these cases, anonymization is strongly recommended. It is also recommended that reading systems inform users of what data is needed and what it is to be used for, and provide methods to opt out.