[LINK] ID tracking tags in iTunes purchases

Roger Clarke Roger.Clarke at xamax.com.au
Wed Jun 6 17:38:39 AEST 2007


[The fact that Apple embeds purchaser-name in tracks purchased from 
iTunes seems to me to be a pretty limited privacy problem.  But since 
it's been reported as an issue, I guess we'd better monitor it.]

Apple mum on ID tracking tags
The Sydney Morning Herald / AP
June 6, 2007
http://www.smh.com.au/news/digital-music/apple-mum-on-id-tracking-tags/2007/05/31/1180809520236.html?page=fullpage#contentSwap1

Apple's recent rollout of songs without copy protection software at 
its iTunes Store has given consumers new flexibility, but questions 
have emerged over the company's inclusion of personal data in 
purchased music tracks.

Are the songs that are being billed as free of so-called digital 
rights management technology really "DRM-free" or are there still 
strings attached?

The Electronic Frontier Foundation, a consumer watchdog group, said 
the embedded user information in the purchased track raises privacy 
issues.
Apple declined to comment.

The trendsetting company has always embedded user information - a 
user name and email - into its copy-protected tracks. But until the 
market-leading iTunes Store began offering DRM-free music last week, 
no one raised much of a ruckus.

DRM technology puts a sort of software lock on digital songs or 
movies, dictating where and how the content can be played and 
distributed. With DRM-free content, some songs purchased from iTunes 
now work directly on portable players other than Apple's iPod, 
including Microsoft's Zune.

Though piracy of digital music over the internet remains unabated 
even with the growth of legitimate online retailers like iTunes, 
Apple's debut of DRM-free songs could tempt some of its users to 
share their purchased tracks with others online.

Technology blogs Ars Technica and The Unofficial Apple Weblog were 
among the first to reveal that personal data remained in the 
unrestricted iTunes tracks.

Their reports last week prompted speculation that the data could be 
used to trace copies uploaded to online file-sharing networks back to 
the people who originally purchased the tracks, opening those users 
to music industry copyright lawsuits.

The Recording Industry Association of America, whose piracy lawsuits 
have ensnared organized outfits as well as individual grandmothers 
and youths, declined to comment. EMI Group, the major record label 
behind Apple's inaugural batch of DRM-free songs, also declined to 
comment.

"DRM prevented us from playing the music we have purchased on all of 
our devices. We asked that this be removed and we got what we were 
looking for," said Erica Sadun, a prolific technology blogger on 
TUAW.com and author who conducted her own tests of Apple's embedded 
identification tags.

"But I'm on the fence in terms of the privacy issues," she said in an 
interview. "Consumers should always know what they're getting into."

The Electronic Frontier Foundation, which also analyzed the DRM-free 
song files on iTunes, said it did not want to jump to any conclusions 
on Apple's reasons for embedding the personal data.

Besides, users can remove their identifying data from the files 
simply by burning the tracks to a CD and then ripping the songs back 
to their computer in the MP3 format, said Fred Von Lohmann, an 
attorney with the San Francisco-based group.

Still, the group takes issue with the fact that the personal 
information stored in these type of song files is not encrypted. If 
someone were to lose their iPod or have their laptop stolen, for 
example, anyone using simple software tools could access the personal 
data in the songs, von Lohmann suggested.

"It just seems careless and unwise for somebody like Apple to start 
planting this kind of personal information without protection in the 
files," von Lohmann said. "It's not as bad as leaking your credit 
card number or your Social Security number, but it's still a pretty 
careless security leak."

Michael Gartenberg, an analyst at JupiterResearch, said he does not 
think Apple planned to use the personal data as a secretive tracking 
tool.

"I think it's more of a way of retaining a proof of purchase," he 
said, adding how the identifying tags on copy-protected tracks likely 
facilitated Apple's ability to approve user upgrades to previous song 
purchases.

"'DRM-free' means I'm not restricted from putting the songs on other 
devices anymore, but it doesn't give users a license for piracy," he 
said.

Ultimately, whether it's intentional or just an inadvertent deterrent 
for the illegal sharing of digital tunes, Gartenberg predicts other 
major online music retailers will similarly embed user tags once 
they, too, start to introduce DRM-free songs.

"I think everyone is going to have to do this as some way for 
tracking purchases," he said.

Sadun agreed.

"It's a brilliant compromise," she said, "between the forces of the 
music industry which have been too heavy handed and the forces of 
consumers who perhaps have pulled too far toward information freedom."

Online music retailer eMusic.com, which sells songs in the 
unrestricted MP3 format mostly from independent labels, says it keeps 
of a record of user purchases on its own computer servers but doesn't 
place any kind of user data in any of its tracks sold.

Apple should be more upfront about its purpose for the embedded 
information, said David Pakman, eMusic's chief executive. "You should 
tell customers what you're doing with it before they spend money with 
you," he said.

AP

-- 
Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW



More information about the Link mailing list