February 20, 2002 5:40 PM PST
Windows Media aware of DVDs watched
In a Web advisory, computer privacy and security consultant Richard Smith detailed what he termed "a number of serious privacy problems" with the Windows Media Player for the Windows XP operating system.
The posting flagged a feature that allows Microsoft to log which DVDs are played on a particular PC through the use of an electronic tracking file known as a "cookie."
"Each time a new DVD movie is played on a computer, the WMP software contacts a Microsoft Web server to get title and chapter information for the DVD," Smith wrote in his advisory. "When this contact is made, the...server is giving an electronic fingerprint which identifies the DVD movie being watched and a cookie which uniquely identifies a particular (Windows Media Player). With (these) two pieces of information, Microsoft can track what DVD movies are being watched on a particular computer."
In addition, the player creates its own database of all DVD titles watched, Smith wrote.
"It is now amended," said David Caulton, lead product manager for Microsoft's Windows Digital Media division. "As of this morning, we have updated the policy to specifically call out that DVD metadata involves a call to the network and a cookie."
The metadata at issue lets people using WMP and XP navigate through DVDs with more information than simple track numbers. The metadata, including track titles, DVD cover art, and credits, sits on the WindowsMedia.com Web site, from where the player retrieves it.
"Microsoft can be (using) DVD title information for direct marketing purposes," Smith speculated in his advisory. "For example, the WMP start-up screen or e-mail offers can be customized to offer new movies to a WMP user based on previous movies they have watched. Microsoft can be keeping aggregate statistics about what DVD movies are the most popular."
Microsoft denied that the information collected would let it target individual users.
"One thing Smith says that's simply wrong is that e-mail offers could be customized," Caulton said. "We don't have any information about who user No. 345216436 is, so there's no way to send them e-mail."
Caulton contended that Microsoft's cookie did not give the company any individually identifying information, that customers concerned about it could disable cookies in their browser, and that the database on the computer hard drive (which lets people access downloaded DVD metadata when they're offline) was stored in a proprietary, machine-readable format that could not be easily read by a third party.