[Newspoetry] realjukebox

Joe Futrelle futrelle at ncsa.uiuc.edu
Mon Nov 1 13:32:16 CST 1999


since we're using lots of realmedia on newspoetry, I think people
should be aware that "realjukebox" has been found by security experts
to collect extensive information about its users' listening habits,
which it then reports to realnetworks.  this is a violation of
privacy.  a NYT story about it follows.

note: this is *not* an issue with realplayer. nor do I suggest not
using their formats and players; what I did for myself was to simply
uninstall realjukebox on my system until I get some independent
assurance that they're going to cave to pressure from privacy groups
and remove their anti-privacy "features".

---
RealNetworks' popular RealJukebox software for playing CD's on
computers surreptitiously monitors the listening habits and certain
other activities of people who use it and continually reports this
information, along with the user's identity, to RealNetworks, said a
security expert who intercepted and examined data generated by the
program.

In interviews last week, company officials acknowledged that
RealJukebox, which can copy music to a user's hard drive and download
it from the Internet as well as play it, gathers information on what
music users are playing and recording.

Dave Richards, RealNetworks' vice president for consumer products,
said the company gathered the information to customize services for
individual users.

He and other company officials insisted that the practice did not
violate consumer privacy because the information was not being stored
by RealNetworks nor distributed to other companies.

But privacy advocates and security experts interviewed last week were
unanimous in condemning the practice, calling it a violation of the
privacy of the 13.5 million registered users of RealJukebox, almost
all of whom have given the company their names and e-mail addresses.

Even if the company's use of the data is benign, these experts said,
the practice is unacceptable because of the secrecy: RealNetworks, one
of the largest distributors of audio software on the Internet, does
not inform consumers that they are being identified and monitored by
the company.

The information that RealNetworks gathers is extensive. According to
Richard M. Smith, an independent Internet security consultant from
Brookline, Mass., who discovered RealJukebox's monitoring functions,
each time the program is started on a computer connected to the
Internet, it sends in the following information to the company: the
number of songs stored on the user's hard drive; the kind of file
formats -- RealAudio or MP3 -- the songs are stored in; the quality
level of the recordings; the user's preferred music genre, and the
type of portable music player, if any, that the user has connected to
the computer. Officials at RealNetworks said most of this information
was used to offer music selections to users based on their
preferences.

All this information is combined with a personal serial number known
as a globally unique identifier, or GUID, which is assigned to each
user when he or she registers the software.

RealJukebox is distributed only on the Internet, and users are
instructed to register -- giving the company their names, e-mail
addresses and ZIP codes -- when they install the software.

What is more, if RealJukebox is used with its default settings, it
automatically loads each time a CD is inserted in the CD-ROM drive,
and if the computer is connected to the Internet, the title of the CD
is sent, together with the GUID, to RealNetworks.

"Either they have been dazzlingly careless with their treatment of
personally identifiable information or they are completely
disingenuous," said Jason Catlett, founder and president of
Junkbusters, a privacy watchdog organization. "Which is worse? If they
are not disclosing what they are doing, that is unconscionable."

Some other CD player programs also assign GUID's to each copy of the
software. The difference lies in what they do with it. The Microsoft
Corporation, for example, says that the unique identifier in its
Windows Media Player is used for such things as purchasing multimedia
from a Web site. It is not routed through Microsoft, nor does
Microsoft require users to register, and it does not gather
information through Media Player, said a spokesman for Waggener
Edstrom, a public relations firm that represents Microsoft.

The fact that RealJukebox is gathering this information is not
mentioned in the long privacy policy the company posts on its Web
site. Nor is it acknowledged in the licensing agreement that users
must approve when installing the program.

David Banisar, a lawyer in Washington who specializes in Internet law,
said that RealNetworks' surveillance practices could violate various
state and federal statutes, including the Computer Fraud and Abuse
Act. "It's a new type of case that hasn't been brought before," he
said. "But I think it's a pretty good case."

Banisar argued that RealJukebox could be considered a "trojan horse,"
a legitimate program that contains hidden instructions to perform
illegitimate functions.

Company officials said on Friday that the registration procedure for
the free version of RealJukebox did ask for personal information,
including name and e-mail address, but they said that users could skip
the registration and still use the program and that RealJukebox would
stop prompting users to register after five attempts. Some customers,
they said, had stumbled on this fact and had declined to register.

However, customers who purchase RealJukebox Plus, a version with
enhanced features that RealNetworks sells online for $29.99 with a
money-back guarantee, cannot avoid registering since they must type in
a unique serial number to install the program. And in this case,
RealNetworks also gathers credit card and mailing address information
before it assigns the number.

Richards of RealNetworks said the reason the program tallied the
number of songs a user had recorded was to enable the company to
determine whether the user was "naive" or "sophisticated." This better
enables the software to steer sophisticated users toward its advanced
features, he said.

But this seemed at odds with a statement by Steve Banfield,
RealNetworks' general manager of consumer products, who said the
company was gathering only "aggregate usage" information about users
of the software.

Privacy experts said the kind of information being gathered by
RealJukebox had the potential to be used to detect copyright
violations.

Banfield said that to his knowledge, the company had no plans to allow
information about individual users to be used in this manner.

But Catlett of Junkbusters said that such information could be
subpoenaed under the Digital Millennium Copyright Act. "This usage and
tracking information is a way for them to collect intrusive profiles
about people and possibly set up prosecutions for copyright
infringements," he said.

Like some 250 other such programs, RealJukebox licenses the right to
use a database of CD titles and tracks that is compiled and maintained
by a company called CDDB. This enables the software to display the
title and tracks of a CD moments after it is loaded into the computer.

To do this, the program must send out information to CDDB every time a
user plays a CD.

But unlike other popular programs, RealJukebox routes the information
through its own servers and tags it with the GUID, which uniquely
identifies the user.

Banfield said the information went to CDDB via a proxy server, a
computer that masks certain data, to protect the privacy of
RealJukebox users. He said it was his understanding that CDDB
typically collected a user's e-mail address each time its database was
queried, but by using a proxy server, he said, RealNetworks' users
were all generically identified as user@real.com.

Banfield painted RealNetworks as a defender of consumer privacy,
asserting: "Everyone else who uses that database sends them their
e-mail address. We don't."

Ann Greenberg, senior vice president of marketing and business
development for CDDB, said last week that her company "strongly
encourages but does not require" e-mail addresses or any other
identifiers that enable the company to tally unique users of its
database. She said the addresses were purged every four days. But she
said it was not fair for RealNetworks to blame CDDB for gathering
personal information.

------------------------------------------------------------------------
Joe Futrelle                  | "Willy isn't Zionist -- though at
Team Leader, Emerge           | least, we disproved Carron." -- Sophie
Scientific Data Tech. / NCSA  | Ivor Gainsborough 
http://emerge.ncsa.uiuc.edu/  | 



