Apple criticized for embedding names, e-mails in songs

A correction was made to this story. Read below for details.

It used to be that music fans believed cryptic messages about Satan or the death of a band member were hidden within rock albums.

Nowadays, the secrets buried in digital music are way too easy to find, according to the Electronic Frontier Foundation (EFF). The consumer watchdog group, which focuses on the Web, is taking issue with Apple's practice of embedding customer information within iTunes music.

Apple includes customer names and e-mail addresses within song files purchased from iTunes, according to Fred von Lohmann, an EFF attorney. Several tech blogs wrote about the embedded information this week after Apple launched iTunes Plus, a service that features music stripped of controversial copy-protection software.

Von Lohmann pointed out that data could easily be compromised if an iPod is lost or stolen.

"It's not as bad as losing a credit card number," von Lohmann said, "but it's still information that people wouldn't want floating around out there--especially without them knowing about it."

Apple hasn't said why the company would leave customer information exposed. But some observers have speculated that Apple is adding watermarks to music files. Watermarking describes the practice of inserting identifying information into digital files so they can be tracked. Privacy groups frown on such practices, but von Lohmann doubts that these were Apple's intentions.

Mike Goodman, a Yankee Group Research analyst, argued that watermarking is "certainly better than digital rights management.

"Watermarking does not treat the consumer like a criminal," Goodman said. "DRM is also restrictive, telling you how many times you can play a song or which device it can be played on. Watermarking works on the assumption that a consumer is innocent but provides the industry an opportunity to catch someone that breaks the law."

Ars Technica and Tuaw earlier reported on the personal information within iTunes' music.

 

Correction: This story erroneously reported that Apple had in the past encrypted personal information of iTunes customers embedded within music files. The data is available in clear text.

[afolgueira]

Please don't complain!!!

This is not new, any song you purchase from iTunes comes with your name, email etc. What do you guys want to do??? make money off this free music and don't be responsible for it. ahahah

[suyts]

Don't you think

there is a better way?

[foomonkey249702348]

Apple assumed to have goofed?

Wait -- Fred von Lohmann assumes Apple just goofed here?

You got to be kidding.

Is Fred/EFF so naive? Oh right, they have their own agenda.

[totorototoro]

DRM'ed iTunes songs not encrypted

The DRM'ed (.99 cent) songs don't have the emails or customer names encrypted either. I can see that information, including on iTunes songs I don't have authorization to play. (my wife bought them with her account, and I don't have this computer authorized to play them, but I can see her name and email)

[Riquez-001]

Some people will never be happy

OK, so the song you own & you paid for on your computer has
some encrypted info in it that can identify you - a bit...

Big fkin' deal.

You also have your details in your address book file on your
computer & in the CV you wrote in Word. The cookies saved by
your browser have your usernames & password in them. The
countless emails you have backed up all have intimate details
about your life.

Since it would be illegal to share/sell the music file you own, you
really have no problem do you? I mean, you wouldn't put your
browsers cookies on bittorrent would you?

Everyone has moaned that Apple's DRM is a bad thing & ranting
"I will never buy iTunes music until they remove the DRM!"
OK, so now they remove it & people still need to complain about
it - "you have to pay 20p! outrageous! It's only 256 bit, i wanted
512 bit! Ripoff!"
It seems that the same people were saying "I will never buy a
Mac until it can run Windows & has a 2 button mouse" - OK, so
now it does (& has) they have to find another stupid reason to
complain.

Give me a break you moaning b'stards. This a great moment in
the history of online music & your getting a great deal. It's
exactly what we've asking for - hurray!
Stop complaining about a trivial stuff & enjoy your DRM free
music.

[coolfactor]

Agree completely.

Apple hasn't done anything different with the name and email address than what it's been doing for the past 2.5 years. They've just re-encoded at a higher bit rate and without DRM. That's it! Get over it people.

[afolgueira]

Agree

People complain about windows, they complain about mac os x, they complay about everything when the first thing they should do is complain about their complaining, ahhaah .

[Amazingant]

Odd...

I just checked, and I noticed that I can open the old DRM files in Notepad (although it takes forever to load) and my full name, email address, and everything else you can see from the iTunes info screen is in there in plain text. This information can't be that encrypted if it can be read through a standard text editor.

So, what was the problem with the new files?

[unknown unknown]

My question is why?

It certainly not for anti-piracy cause if it's laughably easy to get around. Re-ripping it would do it, that and it's not hard to strip audio data out of the mpeg4 container format and rebuild it sans ID information.

[MSSlayer]

Also

It is trivially easy to encode some random name and email address into AAC and MP3 files and flood the P2P sharing networks, making this completely pointless.

There is absolutely no reason for this, therefore there is no reason it should exist.

[GGGlen]

Because

Even though you're making the EXACT SAME POINT iTunes
supporters have made for the LAST FIVE YEARS, legions upon
legions of Mac Haters have said "Ohhh!!! It's SOOOO HARD to re-rip
a file that WE HATE APPLE for forcing us into it!

[LarryLo]

Quit Complaining!

I am amazed by the response to this. Its a Watermark it means its your file.

Everyone and their mother has cried and screamed for DRM Free Music, so that you could play "Your Music" on any device you want, whenever you wanted...well now you have it. So what if Apple embeds some watermark in it? If you are not sharing the files you have nothing to worry about. If you are really paranoid convert them to another format, or burn them to a CD an rerip them.

This criticism is just silly, we finally get what we want, and just cause they stuck our name on our file people are getting their panties in a bunch?

You don't like it, buy a Zune!

[MSSlayer]

I didn't get what I wanted

Where is the uncompressed high quality music files?

Where are the music files that contain nothing more then music.

There is no reason for this, nor any valid excuse.

[michaeljmac]

Who cares!

You know if you don't illegally share those files with other people,
noone but the purchaser has that information. Oh no, my own
name and email on my computer, what a horrible thing. The only
people that care about this is people who want to illegally share
these files.

[Bellette]

Exactly, Who Cares?

Get over it,

This information is in my local telephone book for goodness sake.
Let's not sue every last person on Earth over rubbish like this.

[MSSlayer]

really?

So if someone hacks your computer and decides to share your files, you will be willing to take responsibility for it?

It is amazing how few people grasp legitimate privacy and security issues.

[sdai]

No big deal ...

so people are used to expose everything personal at MySpace yet they're shy from sharing their emails? LOL What are these people smoking???

[Freiheit13]

Fair Use

"but it's still information that people wouldn't want floating around out there--especially without them knowing about it."

If you're not illegally sharing your files with others, this information would not be "floating around out there". If I buy tracks on iTunes and play them only on devices which I own then no one else is ever going to see my name and email address in them. I think it's perfectly legitimate to put this in as a deterrent to illegal sharing in a way which in no way whatsoever affects legal fair use by the purchaser.

[MSSlayer]

Yes it can

Especially if you are storing them in a windows machine.

Lets see how much these anti-whiner whiners whine when their machines get hacked and their music files that pointlessly and stupidly contain private information gets spread around and not only do you get an avalanche of spam, ans also, the RIAA comes knocking on your door with a $10000 lawsuit against you.

Lets see how little you care, when people embed your name and email in files not even yours and the same things happen.

Seriously, there needs to be a battery of tests required before you are allowed to operate a computer.

[unknown unknown]

RE

I doubt this is going to stop or even be a deterrent to file sharing since it's trivial to get around or remove. Since the mpeg4 format is divided into sections or "atoms" that have a name and length removal is easy.

[anassassinoftime]

Hell Is Freezing Over

By and by, this story has probably seen the most intelligent
forum comments ever! It's rare this day and age to see an entire
thread of mostly-sensible responses.

To reiterate the points that have already been stated: the big
story here is that you can now download DRM-free music legally
and efficiently.

So they embed your name in a file you purchase? Big deal. DRM-
free music is about fair use, and fair use doesn't include
distributing your music to the general population.

As for "losing an iPod" - I'm sure most iPods are full of personal
information such as name, etc. Having the users name
embedded in the audio files is trivial at best.

Quit whining and enjoy what you now have: a legal means to
acquire DRM-free music!

[CentrOS]

My thoughts exactly...

Nothing more to add.

[MSSlayer]

People are getting more dumb by the minute

People have no clue how much damage this can cause.

[GGGlen]

Nope

Reasonable, educated, intelligent people disagree with you, and
you're getting hysterical.
At 1st, I thought it was funny, but I'm becoming a little concerned
for your mental health.
Back away from the forums for a day ot two, take a deep breath,
buy a Zune (where I'm sure you'll find True Happiness), and check
in with us later.

[Vegaman_Dan]

Seriously true

And with the Apple iPhone about to go live, this data will have yet another vector to get loose. It's an unacceptable security risk and unthinkable that a company would do this, especially one that has been so user focused in the past.

Hopefully they will correct this oversight and we'll all blissfully forget these issues.

[esbeale]

No privacy violation if you don't give away the music

Anyone who thinks this is an invitation of privacy isn't thinking
rationally (or frankly doesn't care). If you don't give away the music,
then your privacy has not been invaded as no one will ever see your
info. If you give away the music, then you have committed a crime,
and you have voluntarily waved your privacy rights. DRM-free
doesn't mean responsibility free.

[tahoerob]

Thank you!

Finally, someone thinking rationally. The only people who worry
about this are the people who are breaking the law. It seems a very
reasonable trade-off in my mind for enjoying the ability purchase
DRM-free music. I wish the EFF and others would stop hiding
behidn the "privacy" issue in an effort to defend illegal filesharing.
It's getting old.

[Vegaman_Dan]

And if it's lost or stolen?

If you buy a new car from the dealer and then it gets stolen, no big deal, right? Well, other than it was stolen, of course. No identity theft issues there to worry about though.

Now imagine if the dealer had put all your personal information inside the trunk and had never told you that they did this on all their cars they sold. You *thought* it was all secure, but now you learn that the dealer has now delivered your information to those who want to do you harm.

That is simply irresponsible by the dealer. The fact that they never told you this until it was too late is even more so.

[osxxp]

What if some "friend" borrows Watermark songs then Use P2P Website

What if some "friend" uses your computer to email himself/herself
one of the Watermarked songs . . . then uses a P2P Website to
"share" it. Your name & email Watermark could end up in the hands
of hundreds (thousands?) of file sharing users.

That scenario makes me uneasy.

[chassoto--2008]

They your "friend" is a jerk

There's another word I'd use, but it will get flagged ;)

[michaeljmac]

"Borrow"?

What exactly are you talking about here? Borrow? What does that
mean?

[`WarpKat]

Secure Your Computer?

Hello? Did we miss the most important lesson of owning a computer? It's like owning a dog.

You have to take some personal responsibility in having it. Create a guest account that anyone can use but is so completely restricted that it can't view any files other than what is necessary to conduct whatever business they need to.

Most people won't bother and it's those people that will have the toughest time in proving they are not in willful violation of any contract or law.

If you want to be lazy and not do that one simple thing, then you deserve to have your computer ransacked by your 'friend.'

[MSSlayer]

That could never happen

Because the idiots on this site say it isn't a problem.

That is one of dozens of realistic and probable scenarios that will happen because of the stupidity of Apple.

[skeptik]

borrow = steal?

If your friend "borrows" your song and posts it, you're guilty of assisting theft twice - giving to your friend and spreading to the internet.

Should you be fined or go to jail for this? Hell no.
But your scenario for justifying your protest is invalid because it isn't legal to begin with.

[bignumone]

Complaints about "watermarks"

They could have hidden it. They should have encrypted it.
They would have had they know about it.
Could have, should have, would have?
Can you really complain? This is so much better than having
someone tell you how you can use the music and how many
times you can play it. And given how much people "borrow"
music and how long they "borrow" it, can you blame them for
marking it in a way that ties it to the original owner?
It all comes down to this; copying music and giving it away is
stealing. Do you do your job for free? If you don't like the price
for what you are getting, don't buy any of it. The artists and
recording companies will lower the price to meet market
demand.

[ktemplar]

Should be easy

I havent looked at this myself yet, but if the information is so easily viewable in a text editor I would suspect that it would take about 15 minutes for me to write a perl script that I could use to scrub my info from any music I buy from iTunes.

[afolgueira]

Agree with ya

People that care about this are those who want to do something iligal with this.

[MSSlayer]

lol

If you have nothing to hide, why should you care?

What a tired, unintelligent argument.

[afolgueira]

Just Relax and enjoy the music on other devices

This is great, NOw i can play this music on my 360, or any other WMP device.

[Dr Dude]

Misleading! Old iTunes files have this too!!

I also checked an older .m4p track that I bought from iTunes over a
year ago. I opened it in TextEdit and my name and email is clearly
visible.

Old news, just tring to **** on Apple's parade.

Move along folks., nothing to see here.

[rthutchison]

This is like sewing my name in a shirt...

that I buy. I should be able to re-sell something that I own shouldn't I?

[skeptik]

not it's not

You should IMHO be able to resell the downloads you've bought just like you can resell a CD.

However... current licensing restrictions do not permit this, so you really wouldn't need the ability to do this.

Focus your energies on reforming the market, not fighting faux privacy issues.

[Vegaman_Dan]

Not quite

>This is like sewing my name in a shirt...that I buy. I should be able to re-sell something that I own shouldn't I?

No, it's more like having the store that sold it to you putting your name and personal information inside the shirt sleeve and then never telling you about it so you have no idea you have any sort of exposure of personal information.

Apple can easily have a class action lawsuit on their hands if they aren't careful with each and every song purchase of this format coming back to fine them. They will be quick to quietly address this situation before it gets out of hand.

I hope.

[totorototoro]

CNET, are you going to clarify this article?

Are you and the EFF still claiming the original iTunes songs encrypted personal information to protect the user, and the new ones removed this encryption?

Did you take two songs you bought, one .99 and one 1.29, and open them in someone else's copy of iTunes? Did you check "Get Info"? Did you see that both copies of the song have the person's name and email address clearly visible? So if your iPod was stolen or lost, people can get your personal information REGARDLESS if it was an iTunes or iTunes Plus song. The EFF guy is completely wrong on this issue, and this new "fear of loss of privacy", or at least this example is completely fallacious. Has he issued a retraction?

[totorototoro]

thanks!

:) Wonder if the EFF has issued a retraction too.

[MacHeads]

Well some of the comments are enlightening...

Really it shows somehow the true colors of some Cnet forum
users ... for me watermarking is necessary ... putting the
information in the clear too for the following reasons :

A) Sharing Lending your DRM-Free files breaches the articles of
fair use in a major way ... Sharing it on P2P also does break that
agreement.

B)if someone wants info on your machine ... there are MANY
easier ways than to hack into an Ipod ... Messenger Outlook and
IE do the job MUCH MUCH easier than Itunes does.

C) The privacy concerns in this matter are trivial when you know
some chat servers i would not name use BASE64 to encrypt your
conversations over the web when we all know this is easy to
break.

On a side note i would like to remind Apple users here we are
facing a distinguished audience of people that whine about
Apple constantly when they shall take their complaints to
another company that stiffle their rights of ownership and
endrangers their privacy in so many ways we cant even count.
Also to add salt to the comment i remind that a large number of
PC software is either hacked warezed etc etc .... That some of
the people posting here are not looking forward to respect the
rules of any normal software market but the ones they want for
themselves and themselves only.

I hope on a lighter note that i am wrong but some of the
comments including the one before me about the shirt shows
may be otherwise .

[Vegaman_Dan]

Baaaaaaah.

I suppose people have to judge you by your comments. In this posting alone you have made it clear that personal security and keeping your personal information private is not important.

It's that level of intentional ignorance that really makes me worried about others that share the same opinion. How many are willing sheep heading to the wolf?

[`WarpKat]

Damned if you do...

Unfortunately, because of the alleged notoriousness of P2P networks (read: RIAA Rants), Apple appears to have been walking a fine line.

Personally, if I ever download music from iTunes, or anywhere else for that matter, I'm not going to share what I've purchased with anyone - it's mine. I bought it. The last thing I want is to put it up on a P2P network where some RIAA monkey can tag my IP address and send me boatloads of junk mail. And that's not even with concern of my personal information embedded in the track that I've downloaded to begin with. I'm simply a stingy bloke and if you want a track, you'll spend $1.30 (or whatever the price is now) for it. Don't enjoy what I've bought on my dime.

One thing Apple should have done was publicly state, "we embed your personal information in the track for this and that purpose..." If it's stated somewhere that is publicly accessible, please point me to it. I really don't know that's the case, but the last two or three articles within the past couple of weeks are the first I've heard about this.

I think that would have been acceptable, it would have been common knowledge, and thus, a reasonable deterrent.

Regarding fair use of DRM content, I do believe that if you're purchasing an album online, you should be allowed to burn that album to CD a certain number of times and play it in your car, home stereo, however, re-ripping it for the purposes of playing it in a player not authorized (a non-DRM capable DAP) is against the licensing and should be discouraged unless you've paid the DRM-tax to remove the DRM.

Apple, despite my dislike for the overpriced iPod, is making an effort at balance - make the music houses happy by deterring cost-consuming sharing and providing the music DRM-free at a premium for play on just about any player that supports unprotected AAC.

This is a business model, and it's a fairly sound one, IMHO. I give Apple a B+ for effort.

As for privacy advocates and the EFF, waste your energy on more pressing issues - it's doubtful Apple is going to change this anytime soon. If you don't like how they conduct their business, you could always go to eMusic and download some Don Ho.

[gthomasdirect]

Just noise to put fear into buying iTunes Plus tracks

The more I see these articles/stories show up, the more I
suspect RIAA/big content planting these. The reason, they lose
their argument if people buy DRM free tracks. They need
something to frighten the consumer.
The plot is already extending, basically suggesting that you
leave a song accidentally on someone's computer (or have your
ipod stolen) someone may post those files, but with your
account name and email attached to them, you'll be liable.
Of course that probably means, it shouldn't be too hard to
modify that info, or have someone spoof it.

Besides, that info has always been in iTunes tracks since day
one. If I remember correctly, didn't Hymn give you the ability to
remove that info?

It really doesn't make a difference. Having your email and
account name on the file is a good way to keep customers more
cautious with their music files.