EDRLab is a "non-profit development laboratory working on the deployment of an open, interoperable and accessible digital publishing ecosystem worldwide." It has over 100 members; its founding members include Editis, Hachette, Centre National du livre, Groupe Madrigall and the French State. EDRLab is a member of W3C and the Readium Foundation. It is one of the main contributors to the Readium toolkits and the manager of Readium LCP DRM. It is also the creator of Thorium Reader, an EPUB reading application.[1][2][3]
| Basic information | |
|---|---|
| Founded | 2015-07-17 |
| Legal Structure | Non-profit |
| Industry | Software |
| Also known as | European Digital Reading Lab |
| Official website | https://www.edrlab.org/ |
Consumer-impact summary
EDRLab is one of the main contributors to Readium LCP DRM. Their EPUB reader application, Thorium Reader, which uses LCP, claims to be private, yet it has "non-personal" data collection that the user cannot opt out of. It also contacts EDRLab's servers every time the application is started.
This is not apparent, since Thorium's installer doesn't inform the user of this, there are no "agree/disagree" options and Thorium's interface does not directly link to either the Terms of service or the Privacy policy. Users also wouldn't be notified if the privacy policy were to change, since that would require them to manually check the Privacy policy page for updates.
The Terms of service also mentions that the user agrees to "indemnify and hold harmless the EDRLab" even for "alleged" breaches by the user of the Terms of service. It is also stated that "EDRLab Parties have the right to monitor the use of the Application."
The application is also marketed as open source, yet the privacy policy states that it is in fact not entirely open source, but rather has a "small software library used as core for the Readium LCP DRM, which does not store or send any data." This requires users to take the company at its word, since users cannot inspect the application, as they may not "rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part", according to the Terms of service. Furthermore, this connects directly to the second paragraph.
Incidents
Thorium Reader privacy policy and terms of use
Privacy policy
Despite Thorium's homepage stating that:
This application is free, with no ads and no private data leaks.[4]
There is data collection, but it is stated that it is "non-personal." The application calling itself private might give some users the wrong impression if they take it to mean "no calling home." The reader sends this "non-personal" data to EDRLab's servers. It is impossible to opt out of "notifications" that are sent to a server every time the application is started. They state that this information
is for analytics only and not accessed by any third party. It is used to get information about the evolution of the number of installs of the application per operating system, the evolution of usage sessions and the main locales in use.
And
Parameters of such notification are:
- a timestamp,
- the version of Thorium Reader,
- the operating system of the device and its version,
- the locale of the application at the time it is started,
- if this is the first start of Thorium Reader after a fresh install.
The IP address of the device is not stored along with the above information.
It is not possible to opt-out from this notification.
Also:
a notification is sent to an LCP Server each time a protected publication is open. This is required by the LCP specification for checking if the license of use of the publication has been updated. There is not centralized LCP Server, each server is operated by the distributor of the protected publication acquired by the user.
Parameters of such notification are:
- a device identifier, automatically generated at the install of the application.
- a device name, automatically generated at the install of the application.
The codebase of Thorium Reader is open-sourced and can therefore be fully inspected, with the exception of a small software library used as core for the Readium LCP DRM, which does not store or send any data.
The terms of the Privacy policy can evidently also be changed without users being notified in the reading application itself. Instead:
We may change the Privacy Policy from time to time. We will notify you by posting the revised Privacy Policy on this page and the date on which the last changes were made will be noted at the top of the page.
So users would have to periodically check this site to know whether any terms have changed.
Terms of service
Moving on to the Terms of service, there are several interesting things. First:
You hereby agree to indemnify and hold harmless the EDRLab Parties from and against any and all claims, actions or proceedings of any nature whatsoever and all damages, judgments, losses, liabilities, costs and expenses, including reasonable attorneys’ fees and expenses (including those incurred to enforce this provision), arising out of your use of the Application, the Content, any actual or alleged breach by you of these Terms of Use, or any violation by you of any applicable law or the rights of any other person or entity.
Especially:
any actual or alleged breach by you of these Terms of Use
As per this, one is agreeing to "indemnify and hold harmless the EDRLab Parties" even for alleged breaches of the terms of service.
In one of the quotes above, it is mentioned that due to Thorium's open source nature, one can inspect its source code apart from a "small software library used as core for the Readium LCP DRM, which does not store or send any data." That part, however, cannot be verified, since:
In addition, you may not rent, sell, modify, decompile, disassemble, reverse engineer or transfer the Application in whole or in part. You may not use any device, software or routine to interfere with or attempt to interfere with the proper functioning of the Application in whole or in part.
So it would appear that it is up to individual users to decide if not being able to verify that part is acceptable to them. Finally, there is also this:
However, you acknowledge that the EDRLab Parties have the right to monitor the use of the Application, at its sole discretion, and to disclose any information necessary to comply with any law, regulation or government request, in order to be able to operate the Application adequately or in order to protect itself or its users under the “Privacy Policy”[5][6]
The above summarizes and discusses Thorium's Privacy policy and Terms of service. Readers are encouraged to consult both the Privacy policy and the Terms of service for themselves and form their own conclusions.
User not clearly presented with terms
During the installation process, the user is not clearly presented with the Terms of use or the Privacy policy. There is no option to agree or disagree with the terms. While it is not possible to opt out, the user doesn't know that during installation, unless they'd scrolled down on Thorium's webpage or wherever they're installing it from (e.g. Microsoft Store) and clicked on the corresponding link for either the Terms of use or the privacy policy. The user would have to click "About Thorium (online)" in the bottom right corner of the interface to be taken to Thorium's website, where they could then scroll down and find the Terms of use and the Privacy policy. See External links for installation videos of Thorium.[7][8]
[Image gallery: installation steps 1 to 3; searching for terms in the app, steps 1 to 4]
Products
- Thorium Reader
External links
References
- "About". edrlab.org. Archived from the original on 2 May 2026. Retrieved 24 Jun 2026.
- "EDRLab members directory". Archived from the original on 3 Mar 2026. Retrieved 24 Jun 2026.
- "SITUATION AU REPERTOIRE SIRENE". insee.fr (in French). 24 Jun 2026. Archived from the original on 24 Jun 2026.
- "Thorium Reader". edrlab.org. Archived from the original on 19 Jun 2026. Retrieved 24 Jun 2026.
- "Thorium Reader – Terms of Use". edrlab.org. 22 Nov 2022. Archived from the original on 17 Jun 2026. Retrieved 24 Jun 2026.
- "Thorium Reader – Privacy Policy". edrlab.org. 22 Nov 2022. Archived from the original on 17 Jun 2026. Retrieved 24 Jun 2026.
- Stine Kjær Kappel (24 Feb 2026). "installer_thorium_pc". edumedia.dk (in Danish). Archived from the original on 25 Jun 2026.
- Stine Kjær Kappel (24 Feb 2026). "installer_thorium_mac". edumedia.dk (in Danish). Archived from the original on 25 Jun 2026.