Giving BooksOnBoard a second chance

After all the feed­back I got from report­ing my first impres­sions of Book­sOn­Board, I decid­ed I might have been hasty in judg­ment, and that I should give them anoth­er chance. After all, they are an ebook sell­er that accepts Pay­Pal and I some­times end up with client pay­ments in Pay­Pal that take days to trans­fer to my check­ing account. It would be con­ve­nient to be able to use them as a vendor.

Fore­warned with the knowl­edge that I would have to care­ful­ly exam­ine the file for­mat options before click­ing «buy», I went to find The Fair­Tax Book by Neal Boortz and John Lin­der, rec­om­mend­ed to me by my father in response to a recent post.

Book­sOn­Board­’s web­site is still rather clut­tered, but that can be for­giv­en. I’ve built a few clut­tered web­sites in my time and I could see the poten­tial charm in a web­site that feels like an inde­pen­dent book­store with piles of books stacked willy-nil­ly and a sys­tem of orga­ni­za­tion under­stood only by the pro­pri­etor. I typed «Fair Tax» into the search box and got zero results.

Search

I near­ly left the site in search of a site that does car­ry the book, but then I thought to look for oth­er books by the same author. I typed «Boortz» into the search box and came up with five results, two of which were for The Fair­Tax Book. Note that there is no space between the words «Fair» and «Tax.» That’s what my friend Scott Munro calls con­cape­na­tion and what many pro­gram­mers call camel case. Typ­ing «fair» and «tax» into the search box as sep­a­rate words failed to pro­vide the result.

Now I have to ask: are they incom­pe­tent? I wrote a search algo­rithm for a web­site back in 1998 that returned results for par­tial match­es, and in 1998 I did­n’t know any­thing about object-ori­ent­ed code or inter­fac­ing with data­bas­es (I kept my search index in a com­ma-sep­a­rat­ed text file) and bare­ly under­stood the con­cept of local ver­sus glob­al vari­able scope. In short, in 1998 I was an incom­pe­tent pro­gram­mer with tools that would today be con­sid­ered archa­ic and I wrote a more use­ful search engine than the Book­sOn­Board team.

Book formats

Well, again, every­one has room for improve­ment. After all, I did find the book I want­ed on the sec­ond try, and that’s not too bad. So I pressed on. There were two results for the book I want­ed. One for $14.99 and the oth­er for $10.99. What’s the dif­fer­ence? I looked at the page for one of them, then at the page for the oth­er. I could­n’t see any dif­fer­ence at all. I remem­bered that Book­sOn­Board sells both eRead­er-style PDB books and Adobe PDFs and went back to the more expen­sive one to see if it list­ed a file for­mat. Noth­ing on the book page about the file for­mat, but then I saw that «for­mat» is a tab on the page. Not obvi­ous, espe­cial­ly con­sid­er­ing that choos­ing the wrong for­mat could mean a non-refund­able and non-read­able pur­chase, but OK, at least I saw it when I was look­ing for it. I clicked on the tab and found that this was not an ebook but an audio­book. That’s why there were two list­ings with two dif­fer­ent prices.

That it took that much research to find out that I was­n’t even look­ing at the right cat­e­go­ry of prod­uct is a strike. It should be obvi­ous from the search results whether a book is an ebook or an audio­book. Most peo­ple, look­ing for one, would not be hap­py to receive the oth­er. Fail­ing a dis­tinc­tion on the search page, leav­ing that infor­ma­tion off the main book’s descrip­tion? I trust it would be clear before get­ting to pay­ment what the for­mat was, but nev­er­the­less: how much work should a cus­tomer have to invest in order to give a ven­dor money?

I went back to the less-expen­sive book and found that it is an ebook and, as Book­sOn­Board­’s rep­re­sen­ta­tive claimed (though not true for the ear­li­er book I pur­chased) that it is avail­able in sev­er­al for­mats. I clicked to add the book to the cart and the sys­tem picked a for­mat for me, which was not change­able from the shop­ping cart. So once again I back­tracked to an ear­li­er page, clicked on the for­mat I want­ed rather than the main «buy now» but­ton and went on.

I was tempt­ed to go with the Adobe DRM ver­sion, but I still haven’t giv­en Blue­Fire Read­er a test run. I’ve installed it, but I nev­er start­ed read­ing the oth­er book that I bought from Book­sOn­Board because my expe­ri­ence with them turned me off. I ought to get around to it, but there is no point in hav­ing two books as guinea pigs for read­er soft­ware I haven’t used. So I went with the old eRead­er-style DRM.

Security

Now the top­ic of secu­ri­ty comes up. I men­tioned ear­li­er that one of the appeal­ing fac­tors of Book­sOn­Board is that they accept pay­ment through Pay­Pal. They would­n’t have made a sale today if not for that, because their secure web­site con­tains both secure and non-secure items. Usu­al­ly that hap­pens with images that are linked from the main web­serv­er address, but it is pos­si­ble for some­one on a serv­er that the pack­ets are trav­el­ing through to manip­u­late the unen­crypt­ed parts of the page, which could be images, or stylesheets, or javascript or even Flash objects. My rec­om­men­da­tion is that unless you know how to exam­ine the con­tents of the page and know that what you’re doing is safe, you should nev­er input your cred­it card infor­ma­tion on a site where the secu­ri­ty lock icon has a red X and where the let­ters «https» are strick­en with a red line.

Pay­Pal does all their trans­ac­tions on Pay­Pal’s own site, so I ignored the secu­ri­ty warn­ing from the brows­er. I would­n’t have to put any sen­si­tive data in to the form. So I bought my book and lived hap­pi­ly ever after.

…and security, again

This brought up anoth­er issue that should be dis­turb­ing to the pub­lish­ers that work with Book­sOn­Board: eRead­er-style ebooks are keyed on the user’s cred­it card num­ber. As Book­sOn­Board­’s rep­re­sen­ta­tive point­ed out, some peo­ple aren’t com­fort­able with using their cred­it card num­ber as a pass­word, but I think it’s a clever and fair sys­tem. The cred­it card infor­ma­tion is not vis­i­ble after the book has been unlocked, and it allows for lim­it­ed lend­ing of an ebook. You might well copy an ebook to a friend, but most peo­ple are unlike­ly to give their cred­it card num­bers to any but their most trust­ed friends. The most one might do is copy the book to the friend’s device, key in the cred­it card num­ber them­selves, and let the friend read the book. Like a print­ed book, the book might be passed around a cou­ple of times, but it won’t be post­ed on the Inter­net with the key for just any­one to read, except by some­one who does­n’t care who has their cred­it card number.

Since I paid through Pay­Pal, what would I do for a key for my new­ly-pur­chased ebook? I con­fess I did­n’t even think of this until I was prompt­ed by Book­sOn­Board to enter my name and cred­it card num­ber so that my new book could be encrypted.

I have no rea­son to dis­be­lieve the dis­claimers on that page, which assured me that my card would not be charged or stored and that the infor­ma­tion would only be used to encrypt my new book. I’m sure that is all true. How­ev­er, here they were ask­ing me to enter my cred­it card num­ber into a form with com­pro­mised secu­ri­ty. No way. I do know how to check to see which ele­ments of a page are inse­cure but frankly I’m too lazy to do that when I’m not get­ting paid for it.

So I tried some­thing that may run me afoul of the DMCA, but to which I had no rea­son­able alter­na­tive: I entered a fake cred­it card num­ber into their form, and down­loaded my book.

Not only did I enter an invalid num­ber, I entered a num­ber with an invalid num­ber of dig­its. Amer­i­can Express cards have fif­teen dig­its, but none of them start with the numer­al 4. Only Visa cards start with 4, and they all have six­teen dig­its. In a per­fect world, Book­sOn­Board should have run what is called a ZDA or zero dol­lar autho­riza­tion on the card. If the card num­ber came back from the card proces­sor as invalid, they should have asked me for anoth­er num­ber. Fail­ing that they could at least have run sim­ple pat­tern-match­ing to see if the num­ber could pos­si­bly have been a valid cred­it card number.

So I don’t think I’m the one who ran afoul of the DMCA by cir­cum­vent­ing the eRead­er secu­ri­ty sys­tem: it is Book­sOn­Board who made the DRM on eRead­er-for­mat books they sell tooth­less. Any­one can buy a book with Pay­Pal, prob­a­bly enter the sin­gle-dig­it num­ber 3 and the name «John Doe» into the cred­it card num­ber entry fields, and have a book that they can upload to any num­ber of FTP servers and web­sites with the unlock instruc­tions, and nev­er have that be traced back to them. Book­sOn­Board may as well just hand the books out with­out any DRM. That would make them pop­u­lar with a lot of peo­ple (includ­ing me) but prob­a­bly not pop­u­lar with the pub­lish­ers whose books they sell.

I’m sor­ry to slam Book­sOn­Board twice in a row. I real­ly want to be able to say that they are a great com­pa­ny to do busi­ness with. I love inde­pen­dent busi­ness­es and would much rather sup­port the small­er upstart busi­ness than the huge ones. I can only hope that Book­sOn­Board will invest some of their devel­op­ers’ time into cor­rect­ing these faults.

Book­sOn­Board, if you don’t have good UE (user expe­ri­ence) peo­ple, I can send you résumés for some excel­lent UE peo­ple, at least a cou­ple of whom I know are active­ly look­ing. Or you could hire me. My rates are rea­son­able and I’d love to help out a small busi­ness like your­self. UE is not my spe­cial­ty but it’s an area even I could help you with and it’s not the only area in which you need help. I real­ly do wish you the best, but you’ve got work to do.

Post­script: in the two hours it took to write this, I have yet to see my receipt from Book­sOn­Board. I have a receipt from Pay­Pal, which arrived instant­ly but not from Book­sOn­Board. I checked my spam fil­ter mail­box and it’s just not there. Book­sOn­Board, you’ve got things that need fixing.