Academic Journal Claims It Fingerprints PDFs For 'Ransomware,' Not Surveillance

An anonymous reader quotes a report from Motherboard: One of the world's largest publishers of academic papers said it adds a unique fingerprint to every PDF users download in an attempt to prevent ransomware, not to prevent piracy. Elsevier defended the practice after an independent researcher discovered the existence of the unique fingerprints and shared their findings on Twitter last week. 'The identifier in the PDF helps to prevent cybersecurity risks to our systems and to those of our customers -- there is no metadata, PII [Personal Identifying Information] or personal data captured by these,' an Elsevier spokesperson said in an email to Motherboard. 'Fingerprinting in PDFs allows us to identify potential sources of threats so we can inform our customers for them to act upon. This approach is commonly used across the academic publishing industry.'

When asked what risks he was referring to, the spokesperson sent a list of links to news articles about ransomware. However, Elsevier has a long history of pursuing people who pirate or share its paywalled academic articles. It's unclear exactly how fingerprinting every PDF downloaded could actually prevent ransomware. Jonny Saunders, a neuroscience PhD candidate at University of Oregon, who discovered the practice, said he believes Elsevier is trying to surveil its users and prevent people from sharing research without paying the company. 'The subtext there is pretty loud to me,' Saunders told Motherboard in an online chat. 'Those breaches/ransoms are really a pretext for saying 'universities need to lock down accounts so people can't skim PDFs. When you have stuff that you don't want other people to give away for free, you want some way of finding out who is giving it away, right?'

'Saying that the unique identifiers *themselves* don't contain PII is a semantic dodge: the way identifiers like these work is to be able to match them later with other identifying information stored at the time of download like browser fingerprint, institutional credentials, etc,' Saunders added. 'Justifying them as a tool to protect against ransomware is a straightforward admission that these codes are intended to identify the downloader: how would they help if not by identifying the compromised account or system?'

Read more of this story at Slashdot.