January 12, 2006 12:25 PM PST

Apple's iTunes raises privacy concerns

A new version of Apple Computer's popular iTunes software, released Tuesday, is drawing barbs from privacy advocates for sending information about computer users' playlists back to Apple.

The new music software includes a "MiniStore" window, which provides recommended links to Apple's music download service when a listener actively clicks on a song in their personal playlist, including songs that haven't been purchased from the iTunes store.

To provide those recommendations, the software sends information about the selected song, such as artist, title and genre, back to Apple. But the software also transmits a string of data that is linked to a computer user's unique iTunes account ID, computer experts have found.

Because iTunes users typically sign up for the music store with an e-mail address and a credit card number, the account ID number could in theory be linked to that information, as well as a user's purchase history, said Apple expert Kirk McElhearn, who has published several books on Macintosh computers. The same number is also used for other Apple products, such as the Apple Developer accounts and the online .Mac accounts, he added.

"I'm an Apple user and an Apple supporter, but this isn't what we expect Apple to do," said McElhearn, who published details about the iTunes data transfer on his Web site. "If this was Microsoft or RealNetworks, people would be screaming and calling for heads to roll."

In a statement, an Apple representative said the company "does not save or store any information used to create recommendations for the MiniStore."

The issue has raised eyebrows particularly high in the community of Apple computer users, though the new feature is also included in the Windows-based iTunes. Macintosh users have typically not been exposed to many of the advertising-supported or adware programs that are common in the Windows world, and which routinely raise privacy concerns through poorly disclosed data exchanges.

Indeed, in 1999, RealNetworks was sued for releasing a version of its RealJukebox that included a "Global Unique Identifying Number," which identified a listener's specific copy of the player without initially disclosing this feature in a privacy policy. RealNetworks said it had added the identifying feature as a way to "offer valuable personalized services" but later removed it after lawsuits and customer criticism ensued.

As of Thursday morning, the license agreements distributed with iTunes did not disclose the exchange of any data tied to song information or users' personal accounts. Information included with the software said the new 6.0.2 version "includes stability and performance improvements" but does not mention the addition of the MiniStore.

The company has posted an article on the Apple Web site that discusses the MiniStore. It says data about the song selected in iTunes is sent to the iTunes Music Store in order to provide relevant recommendations. It provides instructions for turning this feature off and says no data is sent once the feature is turned off.

The article does not mention the transfer of any uniquely identifying information about the user.

The exposure of the data transfer has been dismissed by some bloggers and online sources as a typical feature of music-playing software. However, some bloggers are calling for a more specific disclosure of exactly what data the iTunes software is sending back to Apple--and what it is being used for.

"I wish they had told me what they were doing before I installed it," said Marc Garrett, an independent programmer in Washington who was one of the first to identify the iTunes issues. "I think Apple should disclose that in their end-user agreement."


I don't care.
I don't know why, but I just don't really care if people are tracking me like this. Maybe I should feel violated, but I just don't. Now if the government was doing it I would be foaming at the mouth.
Posted by System Tyrant (1453 comments )
But of course you don't...
And that's because, "If this was Microsoft or RealNetworks, people would be screaming and calling for heads to roll."
But it is not. This is Apple, and Apple can do no wrong. ;-)
Posted by aemarques (162 comments )
Why, Apple, why?
Okay, maybe the subject line is a bit much, but I am a bit surprised at Apple for bringing automatic advertising into iTunes. I have been using iTunes for some time now, and one of my reasons is that it hasn't been cheapened the way some other players have. The fact that you can turn off the advertising is a plus, though.

While I do value my privacy, I don't think that this will be that much of an issue, really. If you have an account with the iTunes music store, Apple already has your valuable information. All that they are doing in this case is comparing what you listen to with what they have available. It doesn't sound that sinister to me. If you don't want Apple to know what you listen to, you can always go the route of not having an iTunes account for them to tie you to.
Posted by ddesy (4336 comments )
So turn it off
It's easy. Click on the icon, and it's gone.
Posted by swift2--2008 (197 comments )
See here for the rest of the story
Apple says not to worry. In fact, they said there is FUD being sent. What is true? Look here for more...

http://www.macosxhints.com/article.php?story=20060111071001306&lsrc=osxh
Posted by pritchet1 (20 comments )
tisk tisk Apple
You have no right to look at my playlists or otherwise. If you need access for a new feature then you need to offer a "Buy in" telling us exactly what you are looking at and using to provide the service.

If this were Microsoft people would be screaming their heads off and filing a class action by now.
Posted by capfan12 (101 comments )
Relax, Unclench that #ss
All that is said or going on is no different than if you were
searching and adding music from the Apple store into your
shopping cart. When you go to view and buy what's in your
shopping cart Apple makes suggestions placed in the table at
the top.

It sounds like only data from a song selected is sent back to
iTunes Music Store to provide you with a list of suggestions,
that's it. Apple knows how screwing things can get with privacy
issues based on the Sony debacle. They are not going to
jeopardize their fan base.

If you don't like switch it off or stop downloading from iTunes,
turn off your account, convert your protected music to CD's and
reconvert them to Rhapsody or whatever music players there are
these days. Suck it up or put up.
Posted by cooldogjones (53 comments )
Wait, what's the problem?
Apple says no personal information is stored.

When the mini-store is open, it confers with a database to find
similar songs. It may not be obvious to Joe Schmoe, but the
program would naturally have to communicate over the net.

But Apple should be careful not to cross the line of maintaining
listening profiles linked with iTunes Music Store ID's. That would
creep some people out.

As well, it might be prudent to include a warning about the
operation of the mini-store in a separate dialog box upfront. Or,
have it off by default and place a note beside the checkbox to
turn it on.

As it is now, this story is hit-grabbing speculation, NOT
reporting of any value. Unique personal information MIGHT be
included in a communication. That's nice. But that's the clincher
to the story and it is presently baseless. The story should've been
written to reflect that. If Apple screwed up, lay it on. But as it is
now, this is drivel (though drivel that should be reported if it has
Posted by mgreere (332 comments )
How Stupid
I'd prefer to get relevant suggestions from Apple via the MiniStore and this doesn't bother me in the slightest bit. They are not storing the data and are using it live - without being stored, what's the problem? WHO CARES?

It seems like every time Apple has made large strides forward, the media has to create some type of stir just to make news. <yawn>
Posted by maclifer (26 comments )
It seems like every time
MS does anything, privacy concerns and the slightest bit of data collection make for huge headlines, with Apple labeled MS bashers leading the charge. What is good for the goose is good for the gander; Allows for better service? Ya, I can deal with that. Just ditch the tin-foil hats
Posted by catchall (245 comments )
"It does not collect data"...
It does not collect data, "I have just received confirmation from
Apple directly (from a confirmed source I trust implicitly) that
absolutely no information is being collected from the MiniStore
(though clearly data is sent to make the feature work)." -

If you don't like the mini-store in your library - shift, command, m.
Geez, don't be so paranoid.
Posted by cjohn17 (268 comments )
what do you mean it does not collect data. the fact that it wants to hook up with current account and view the info of one's library it is in fact getting info from your computer. don't believe that bs from them.

it's a feature that one paid for when he or she upgrades to the new firmware and iTunes right? so, why won't I be curious to look at its features but without giving Apple the info of my library. Ok, i have most songs downloaded from limewire. So?

Still it's a privacy issue.
Posted by kentuttin (3 comments )
"Much to do about nothing"
If you sign up for "one click" with the iTMS, Apple already has your
credit card info. Personally, what music I like is not exactly a matter
of national security, and I appreciate being presented with choices
that match my taste in music. "Much to do about nothing."
Posted by (2 comments )
Simply Ludicrous
The way I see it, this is nothing more than a "salesperson" making a
recommendation. Go in to any store and start shopping and you
will be given product recommendations. And like a typical store
setting all you have to do is say no. Apple gives the user the
opportunity to turn the feature off, which is the same as telling a
salesman no thanks.
Posted by rpiovarchy (1 comment )
Why ID the Music Player
okay, here i am amongst a bunch of apple users. and i'm perfectly fine with you guys liking one of those machines, though i have other preferences (irrelevant what it is). but, i'd sure like to know one little thing: if apple isn't storing that data about songs played, then why is it necessary to send a string id'ing the specific player? why couldn't this same feature be implemented using only the songs played, without id'ing the specific player? anyone with even the smallest inkling of sensitivity to privacy would have realized that id'ing specific players is taboo; write the software around that.

mark d.
Posted by markdoiron (1138 comments )
IDing music players...
It's not IDing music players, such as Real Networks did in 1999. It's
IDing users. So if you log in to your iTMS account on one computer,
then have the MiniStore give you recommendations, it sends _your_
ID, not that of the computer's copy of iTunes. Log out, then log
into your account on another computer; it sends the same ID.
Which is, I think, more insidious.
Posted by Kirk McElhearn (3 comments )
X-Dsid isn't your Apple ID
If you check the "expert's" work, you'll note that he's dead
wrong. The X-Dsid element transmitted is no more than a
WebObjects datastore ID. This is very similar to a PHP session
ID. There is no link to a user's AppleID. Wait until the
WebObjects session cache expires and that number will change
(unless it's saved into a cookie).

See http://www.blackhat.com/presentations/bh-usa-04/bh-

This is FUD, and CNET is spreading it thick. Must be a slow
news week...

Posted by chassoto--2008 (71 comments )
A couple of questions
Just wanted to check since it sounds like you know what you're talking about:

Does this information transmit info on Playlists that contain music ONLY purchased from the music store or all music regardless?

I realize they don't transmit any other personal information (if you can even consider a playlist personal information in the first place) but I was just wondering.

I agree, FUD story.
Posted by (461 comments )
re: X-Dsid isn't your Apple ID
There has been some controversy over this, in part because the number of characters in Apple IDs seems to have changed over time. There is a good discussion of this topic at the Boing Boing blog (http://www.boingboing.net/2006/01/11/steve_jobs_apple_dis.html), where others have noted the connection between the data string being exchanged and their Apple IDs.

Thanks much for reading.

John Borland
Posted by klaxonator (13 comments )
I'm afraid you are incorrect...
If you are an ADC (Apple Developer Connection) member, you
can easily see that the X-Dsid number corresponds to your
Apple ID. It is displayed, on your ADC profile page, as your ADC
member number. This is the same as your Apple ID number
(which is mapped to the email address you use as an Apple ID),
and, in my case, and in the case of four other people I checked
with, this is the same number that is both contained in an
iTunes cookie and sent when the iTunes MiniStore sends data.

I looked at the PDF you linked to; it is incorrect. One of the
people I verified this with has a 6-digit Apple ID number; others
have 8 (my case) or 9, and, most likely, people with older Apple
ID accounts have smaller numbers.
Posted by Kirk McElhearn (3 comments )
The "expert" himself replies:
Regrettably, the X-Dsid tag is indeed one's Apple ID, or rather
its numerical version.
Most people will never be able to verify this unless they join the
Apple Developer Connection, in which case correspondence
from both sides must contain that number.
I sent an e-mail to Mr. Shema on Friday to alert him to this, but
have not received a reply.
Posted by Mike Griffin (1 comment )
my take is
that Apple should have done more to explain what the new
feature does and, upon first launch, ask users if they want it
enabled. Aside from that, it's no big deal.

Actually, I tried it out by double-clicking on one of my favorite
artists and learned that she just released a set of three extended
play songs. I was pumped and bought them right away. Guess
Apple wins on that one. On the other hand, I don't like the
mini-store taking up so much screen real estate, so I turned it

From a standpoint of discovering new music, I wouldn't mind a
much more comprehensive feature that examined the all the
highly rated music in my library, not just what I have bought
from iTunes, and made a set of suggestions.
Posted by Thrudheim (306 comments )
Raises privacy concerns for who??
For one, it does not collect and store the data. Two, if you turn off the mini-store, it doesn't even send anything.

This is a junk story.
Posted by nazzdeq (74 comments )
No way to know for sure...
How do you know this information isn't stored in a database somewhere? The RIAA may want to subpoena this someday!
Posted by Mad Dog - Chi (22 comments )
Data sent can be stored
Just because they aren't currently storing that information or correlating it with other data they have on you doesn't mean they can't or won't. If they don't store the ID why are they even sending it? If they have no intention of storing the data there's no need for the ID to be sent.

All is not well with their explanation.
Posted by aabcdefghij987654321 (1721 comments )
true. IT is a huge and scheming business now.

in the first place, apple shouldn't have this feature. just go on with the genius feature without asking for your library info that is hooked with your Apple ID etc. That's plain "Genius!"

the company wants to track illegal music downloads so they can sue limewire other filesharing websites someday. Know your IT World people....
Posted by kentuttin (3 comments )
People need to get a...
LIFE! I've never seen so many anti-Apple fanatics out there.
What do you guys do spend every waking moment sitting in
front of your Windows Machine and look for anything you can use
to strike back at Apple? Hell I'm not fond of MS but I was
backing them when the EU wanted to take them for their money.

If you are a job-less slob, 250 lbs.+ or skinny, adult male, still
living with and mooching off your parents, you've got more
problems to worry about than if Apple is taking your personal

If it applies to you deal with it.
Posted by cooldogjones (53 comments )
And another thing...
people who jump to conclusions without verifying the facts show
their ignorance outright. A witchhunt doesn't mean ****. Thank
God you people aren't leading troops in combat. You'd get them
killed. "Death by ignorance". Please don't join the U.S. Armed
Forces. We need intelligent, bright people.
Posted by cooldogjones (53 comments )
Changing times
The complaints about the new version of iTunes and privacy are
based on a vision of privacy that is too rigid. It is a question of
trust and a trade-off. I let them have this information because it
results in benefits for me. I find the information they provide about
other related music very useful. I trust them. If ever that trust is
broken then I, and I imagine many others, will be out of there in a
Posted by AlanMc (1 comment )
Can Anyone Say NETFLIX?
Never heard any stink about them. I simply ignore their lame
recommendations (my choices are so eclectic anyway, it is
laughable) and chalk-it up to one of the concessions I made when I
signed-up. Besides, what Apple is doing is WAY less intrusive.
Posted by KLPNYC (8 comments )
It's a difference of informed consent
I don't intend to pass judgement on whether either system goes over the line, but the Netflix system is significantly different than Apple's. Netflix simply takes into account your past rentals and ratings and uses those to recommend movies. It should be obvious that if you have an account they will be able to keep track of what you have purchased (or rented). That's nothing new or unexpected. The ratings information is consciously provided by the user. Other systems (Yahoo! Launchcast, etc...) are doing the same thing.
Apple's system, on the other hand, transmits information about any song you play, whether it was an iTunes purchase or not. The difference is the user choice. Netflix only knows what I choose to tell them about myself. Apple doesn't make that distinction, at least with this feature enabled. The two systems can't really be compared.
Posted by someguy389 (102 comments )
Climb down from the tree, kitty
I noticed it when I installed, but I didn't have time to play. Then I
noticed it changed when you selected any track. You don't have
to be a genius, but you know, each song has an artist and a
genre. Gee, that's personal: Charlie Parker is on my iPod, and he
plays... jazz! Yes, I like jazz!

So I picked up a free (legal) cut of Betty Karnette. I clicked it, the
data that I was playing R&B artist Betty Karnette went out over
the Internets. That was matched up a) to the iTunes catalog, and
they informed me that they have the whole cd that my song is
from. And then, following the "R&B" tag, it showed me a number
of the most prominent female R&B artists.

Now, since iTunes is a store, it could be sending out your
password, your credit card number, etc. But it's not, as people
with packet analyzers tell us.

The previous version had an earlier version of this software,
making suggestions based on previous purchases. This works

Apple should have been more careful. It should have explained
what the service sent and didn't send, and told you if you turn
off the store you stop sending any data at all. It's important to
do that, or else the nutcases start getting concerned.
Posted by swift2--2008 (197 comments )
Of course we'd be screaming
Not because Apple is blameless, but because Microsoft are soulless
Posted by swift2--2008 (197 comments )
Distrusting Apple
I have been a faithful client of iTunes for the better part of two years now. While at the beginning, Apple seemed like a company that about its customers, that panorama seems to be rapidly changing. First it reduced the number of machines that can play their songs, songs that I paid for. Now, they are sending out targeted marketing. Next, they will probably change their 99-cent-per-song policy.

It seems that in the business world there are no saints (heh heh heh).
Posted by Sentinel (199 comments )
Darn it!
First my tivo phones home with my viewing habits. Then I find that my cable company tracks my viewing habits through their decoder box. Next I read that Windows XP phones home with who knows what everytime I use the built in search function. Now Apple wants to know what music I'm playing?

What's that? At least I can stop iTunes from sending this info just by turning off the MiniStore?

Never mind.
Posted by rcrusoe (1305 comments )
This is exactly what we needed in iTunes, leav'em alone
Hey folks,
This is the stuff that will make iTunes rock. I have been listening to stuff in iTunes before and wondered..."Now what goes with this for a playlist." This is like Amazon.com's "the page you made." They just take information off of your browsing and purchasing habits. Haven't you ever been wandering through the Music Store looking for something? This is here to help. Plain and simple.
Posted by wilsonhines (2 comments )
Privacy concerns are getting a bit out of control.
In general, I think that being concerned about privacy is a very good thing. However, some of the "privacy advocates" out there are starting to remind me of <insert religion here> fundamentalists. They are set on convincing everyone that every company and/or website out there exists for the sole purpose of installing spyware on their computers and such.

Where I work, we get emails daily from people who are convinced that we are using "cookies" to install spyware and quite possibly to beam messages directly into their head urging them to buy our product. In reality, we only use cookies to make their user experience better (like storing user preferences and allow them to stay "logged in" if they wish).

People need to listen to the privacy zealots less and get more facts on these issues before they freak out.
Posted by jbrunken (16 comments )
Doesn't anybody realize...
That regardless of if they store the information transmitted or not, the RIAA can sue or file subpoena to obtain user playlist information to see if people are ripping music that they did not buy? The RIAA has already shown their propensity to do this by subpoenaing file sharing sites for scrape lists. And, it is the RIAA's stance that consumers must pay for every copy of the music they listen to (they don't seem to think the Home Recording Act or fair use exists) and that changing formats requires paying full-price again for a new license.

Time to add the itunes mini-store server URL to my router's ban list.
Posted by Methuss (101 comments )
just turn it off from iTunes.

And let's be real here. The RIAA cannot prove from a playlist what's been ripped from a CD you own and what's been pirated from the net.
Posted by (461 comments )
That is how they want you to be and how it starts.
Posted by Sboston (498 comments )