One of the world’s largest publishers of academic papers said it adds a unique fingerprint to every PDF users download in an attempt to prevent ransomware, not to prevent piracy.
Elsevier defended the practice after an independent researcher discovered the existence of the unique fingerprints and shared their findings on Twitter last week.
“The identifier in the PDF helps to prevent cybersecurity risks to our systems and to those of our customers—there is no metadata, PII [Personal Identifying Information] or personal data captured by these,” an Elsevier spokesperson said in an email to Motherboard. “Fingerprinting in PDFs allows us to identify potential sources of threats so we can inform our customers for them to act upon. This approach is commonly used across the academic publishing industry.”
When asked what risks he was referring to, the spokesperson sent a list of links to news articles about ransomware.
However, Elsevier has a long history of pursuing people who pirate or share its paywalled academic articles. In 2015, Elsevier sued Sci-Hub, the "Pirate Bay of Science," which hosts millions of journal articles, including those from Elsevier. In the past, the company has faced criticism for acquiring other academic platforms that distributed papers for free in an attempt to corner the market. Some universities have boycotted Elsevier, and the company has used legal threats against other sites that host academic papers online. The company has also had cybersecurity issues of its own: in 2019, it left a server open to the public internet and exposed user email addresses and passwords.
It’s unclear exactly how fingerprinting every PDF downloaded could actually prevent ransomware. Jonny Saunders, a neuroscience PhD candidate at University of Oregon, who discovered the practice, said he believes Elsevier is trying to surveil its users and prevent people from sharing research without paying the company.
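One way a reader can confirm this kind of per-download fingerprinting for themselves, as an added example that is not from the article, from Saunders, or from Elsevier: obtain the same paper twice (from two accounts, or two sessions) and diff the PDF at the object level rather than the byte level, so that each differing string is reported together with the object that carries it. The script below is self-contained. It builds two constructed sample PDFs in which a hypothetical stamping step has written a download identifier into an inert dictionary object (`5 0 obj`, under an assumed `/Tag` key) and into the trailer `/ID` array, then lists the strings present in one copy but not the other. The object layout, the key name and the identifier format are assumptions for the demonstration, not a description of any publisher's real files.

```python
"""Locate per-download identifiers by diffing two copies of the same PDF.

Added example (not the article's or Elsevier's code). Two constructed
"downloads" of one paper differ only in a string that a hypothetical
fingerprinting step stamped into an inert object and into the trailer /ID.
The detector splits both files into numbered objects, extracts every PDF
string (literal or hex), and reports the strings unique to each copy.
"""
import re

# Classic uncompressed layout: "N G obj ... endobj" and "trailer << ... >>".
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)
TRAILER_RE = re.compile(rb"\btrailer\s*<<(.*?)>>\s*(?:startxref|%%EOF)", re.DOTALL)
# Literal strings "( ... )" with backslash escapes, or hex strings "<...>".
STR_RE = re.compile(rb"\(((?:[^()\\]|\\.)*)\)|<([0-9A-Fa-f\s]+)>")


def pdf_units(data: bytes) -> dict:
    """Map each object number (and the trailer, under key 'trailer') to its raw body."""
    units = {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(data)}
    trailer = TRAILER_RE.search(data)
    if trailer:
        units["trailer"] = trailer.group(1)
    return units


def pdf_strings(body: bytes) -> set:
    """Every PDF string inside one object body, hex strings decoded to bytes."""
    found = set()
    for m in STR_RE.finditer(body):
        if m.group(1) is not None:
            found.add(m.group(1))
        else:
            digits = re.sub(rb"\s", b"", m.group(2))
            if len(digits) % 2:
                digits += b"0"  # PDF treats an odd trailing hex digit as if followed by 0
            found.add(bytes.fromhex(digits.decode("ascii")))
    return found


def per_download_markers(copy_a: bytes, copy_b: bytes) -> dict:
    """Return {unit: (strings only in copy_a, strings only in copy_b)}.

    Units whose string sets are identical are omitted, so for two genuinely
    identical downloads the result is empty.
    """
    ua, ub = pdf_units(copy_a), pdf_units(copy_b)
    markers = {}
    for key in sorted(set(ua) | set(ub), key=str):
        sa = pdf_strings(ua.get(key, b""))
        sb = pdf_strings(ub.get(key, b""))
        if sa != sb:
            markers[key] = (sa - sb, sb - sa)
    return markers


def build_sample_pdf(download_id: str) -> bytes:
    """Constructed one-page PDF (no xref table, enough for the parser above).

    A hypothetical stamping step writes download_id into an inert dictionary
    object (5 0 obj, assumed /Tag key) and into the trailer /ID array. The page
    text itself is identical for every download.
    """
    content = b"BT /F1 12 Tf 10 50 Td (Same paper text) Tj ET\n"
    ident = download_id.encode("ascii")
    hexid = ident.hex().encode("ascii")
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] "
        b"/Contents 4 0 R >> endobj\n",
        b"4 0 obj << /Length %d >> stream\n" % len(content) + content
        + b"endstream endobj\n",
        b"5 0 obj << /Tag (" + ident + b") >> endobj\n",
        b"trailer << /Root 1 0 R /Size 6 /ID [<" + hexid + b"> <" + hexid + b">] >>\n",
        b"%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    first = build_sample_pdf("dl-0001-alice")
    second = build_sample_pdf("dl-0002-bob")
    for unit, (only_a, only_b) in per_download_markers(first, second).items():
        print(f"{unit}: only in copy A {sorted(only_a)}, only in copy B {sorted(only_b)}")
```

Real publisher PDFs are almost always compressed and, from PDF 1.5 onward, may keep their objects inside object streams, so normalise both copies first (for example `qpdf --qdf --object-streams=disable in.pdf out.pdf`) before applying the script, which understands only the classic `N 0 obj ... endobj` layout. Note that an identifier found this way need not live in the document's /Info or XMP metadata at all; a string in any object, or the trailer /ID, is enough to tie a copy to a download.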
“The subtext there is pretty loud to me,” Saunders told Motherboard in an online chat. “Those breaches/ransoms are really a pretext for saying ‘universities need to lock down accounts so people can't skim PDFs.’”
“When you have stuff that you don't want other people to give away for free, you want some way of finding out who is giving it away, right?” they added.
Moreover, Saunders said, Elsevier’s claim that there is no metadata or personal data captured is disingenuous, given that the company itself admits it uses this system to identify whose accounts have been breached.
“Saying that the unique identifiers *themselves* don't contain PII is a semantic dodge: the way identifiers like these work is to be able to match them later with other identifying information stored at the time of download like browser fingerprint, institutional credentials, etc,” Saunders said. “Justifying them as a tool to protect against ransomware is a straightforward admission that these codes are intended to identify the downloader: how would they help if not by identifying the compromised account or system?”
The company’s spokesperson did not respond to Saunders' allegations.