VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG
Options: Use Forum View

Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
tech: real networks secret monitoring system
From:
Kelly Pierce <[log in to unmask]>
Reply To:
Kelly Pierce <[log in to unmask]>
Date:
Mon, 1 Nov 1999 06:52:33 -0600
Content-Type:
TEXT/PLAIN
Parts/Attachments:
TEXT/PLAIN (181 lines) 
This was on the front page of today's New York Times 

kelly 

   
November 1, 1999

CD Software Is Said to Monitor Users' Listening Habits

By SARA ROBINSON

     RealNetworks' popular RealJukebox software for playing CD's on
     computers surreptitiously monitors the listening habits and certain
     other activities of people who use it and continually reports this
     information, along with the user's identity, to RealNetworks, said
     a security expert who intercepted and examined data generated by
     the program.
     
     In interviews last week, company officials acknowledged that
     RealJukebox, which can copy music to a user's hard drive and
     download it from the Internet as well as play it, gathers
     information on what music users are playing and recording.
                                                                         
     Dave Richards, RealNetworks' vice president for consumer products,
     said the company gathered the information to customize services for
     individual users.
     
     He and other company officials insisted that the practice did not
     violate consumer privacy because the information was not being
     stored by RealNetworks nor distributed to other companies.
     
     But privacy advocates and security experts interviewed last week
     were unanimous in condemning the practice, calling it a violation
     of the privacy of the 13.5 million registered users of RealJukebox,
     almost all of whom have given the company their names and e-mail
     addresses.
     
     Even if the company's use of the data is benign, these experts
     said, the practice is unacceptable because of the secrecy:
     RealNetworks, one of the largest distributors of audio software on
     the Internet, does not inform consumers that they are being
     identified and monitored by the company.
     
     The information that RealNetworks gathers is extensive. According
     to Richard M. Smith, an independent Internet security consultant
     from Brookline, Mass., who discovered RealJukebox's monitoring
     functions, each time the program is started on a computer connected
     to the Internet, it sends in the following information to the
     company: the number of songs stored on the user's hard drive; the
     kind of file formats -- RealAudio or MP3 -- the songs are stored
     in; the quality level of the recordings; the user's preferred music
     genre, and the type of portable music player, if any, that the user
     has connected to the computer. Officials at RealNetworks said most
     of this information was used to offer music selections to users
     based on their preferences.
     
     All this information is combined with a personal serial number
     known as a globally unique identifier, or GUID, which is assigned
     to each user when he or she registers the software.
     
     RealJukebox is distributed only on the Internet, and users are
     instructed to register -- giving the company their names, e-mail
     addresses and ZIP codes -- when they install the software.
     
     What is more, if RealJukebox is used with its default settings, it
     automatically loads each time a CD is inserted in the CD-ROM drive,
     and if the computer is connected to the Internet, the title of the
     CD is sent, together with the GUID, to RealNetworks.
     
     "Either they have been dazzlingly careless with their treatment of
     personally identifiable information or they are completely
     disingenuous," said Jason Catlett, founder and president of
     Junkbusters, a privacy watchdog organization. "Which is worse? If
     they are not disclosing what they are doing, that is
     unconscionable."
     
     Some other CD player programs also assign GUID's to each copy of
     the software. The difference lies in what they do with it. The
     Microsoft Corporation, for example, says that the unique identifier
     in its Windows Media Player is used for such things as purchasing
     multimedia from a Web site. It is not routed through Microsoft, nor
     does Microsoft require users to register, and it does not gather
     information through Media Player, said a spokesman for Waggener
     Edstrom, a public relations firm that represents Mircrosoft.
     
     The fact that RealJukebox is gathering this information is not
     mentioned in the long privacy policy the company posts on its Web
     site. Nor is it acknowledged in the licensing agreement that users
     must approve when installing the program.
     
     David Banisar, a lawyer in Washington who specializes in Internet
     law, said that RealNetworks' surveillance practices could violate
     various state and federal statutes, including the Computer Fraud
     and Abuse Act. "It's a new type of case that hasn't been brought
     before," he said. "But I think it's a pretty good case."
     
     Banisar argued that RealJukebox could be considered a "trojan
     horse," a legitimate program that contains hidden instructions to
     perform illegitimate functions.
                                                                         
     Company officials said on Friday that the registration procedure
     for the free version of RealJukebox did ask for personal
     information, including name and e-mail address, but they said that
     users could skip the registration and still use the program and
     that RealJukebox would stop prompting users to register after five
     attempts. Some customers, they said, had stumbled on this fact and
     had declined to register.
     
     However, customers who purchase RealJukebox Plus, a version with
     enhanced features that RealNetworks sells online for $29.99 with a
     money-back guarantee, cannot avoid registering since they must type
     in a unique serial number to install the program. And in this case,
     RealNetworks also gathers credit card and mailing address
     information before it assigns the number.
     
     Richards of RealNetworks said the reason the program tallied the
     number of songs a user had recorded was to enable the company to
     determine whether the user was "naïve" or "sophisticated." This
     better enables the software to steer sophisticated users toward its
     advanced features, he said.
     
     But this seemed at odds with a statement by Steve Banfield,
     RealNetworks' general manager of consumer products, who said the
     company was gathering only "aggregate usage" information about
     users of the software.
     
     Privacy experts said the kind of information being gathered by
     RealJukebox had the potential to be used to detect copyright
     violations.
     
     Banfield said that to his knowledge, the company had no plans to
     allow information about individual users to be used in this manner.
     
     But Catlett of Junkbusters said that such information could be
     subpoenaed under the Digital Millennium Copyright Act. "This usage
     and tracking information is a way for them to collect intrusive
     profiles about people and possibly set up prosecutions for
     copyright infringements," he said.
     
     Like some 250 other such programs, RealJukebox licenses the right
     to use a database of CD titles and tracks that is compiled and
     maintained by a company called CDDB. This enables the software to
     display the title and tracks of a CD moments after it is loaded
     into the computer.
     
     To do this, the program must send out information to CDDB every
     time a user plays a CD.
     
     But unlike other popular programs, RealJukebox routes the
     information through its own servers and tags it with the GUID,
     which uniquely identifies the user.
     
     Banfield said the information went to CDDB via a proxy server, a
     computer that masks certain data, to protect the privacy of
     RealJukebox users. He said it was his understanding that CDDB
     typically collected a user's e-mail address each time its database
     was queried, but by using a proxy server, he said, RealNetworks'
     users were all generically identified as [log in to unmask]
     
     Banfield painted RealNetworks as a defender of consumer privacy,
     asserting: "Everyone else who uses that database sends them their
     e-mail address. We don't."
     
     Ann Greenberg, senior vice president of marketing and business
     development for CDDB, said last week that her company "strongly
     encourages but does not require" e-mail addresses or any other
     identifiers than enable the company to tally unique users of its
     database. She said the addresses were purged every four days. But
     she said it was not fair for RealNetworks' to blame CDDB for
     gathering personal information.
       


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html

ATOM RSS1 RSS2