Feeds

RealNetworks caught secretly swiping users' jukebox data

If you thought your Leonard Cohen habit was a secret, you were wrong...

  • alert
  • submit to reddit

High performance access to file storage

RealNetworks has been caught surreptitiously grabbing information about the preferences of users of its RealJukebox software. The software, which is available free and is used to play music CDs, also tells RealNetworks who you are and what you like listening to. Until this was exposed by electronic privacy expert Richard Smith (co-founder of Phar Lap Software), RealNetworks had neglected to mention this to users. Smith it was who exposed Microsoft's use of serial numbers in conjunction with Windows 98 registration, and he details the procedure RealNetworks has been using here. RealJukebox sends out information on the CDs users listen to, along with a unique player ID number that says who they are. It also reports how many songs are recorded on the hard drive, the type of portable MP3 player being used, and music preferences. When a user registers RealJukebox they are assigned a Globally Unique Identifier (GUID), that is their own personal serial number. This is encrypted in the Windows registry, but Smith has discovered that it's the same number as is sent to RealNetworks along with information about music preferences. This happens on the fly if you play a CD while you're connected to the Internet. There are something in the region of 13 million registered users of RealJukebox, which makes any database RealNetworks has gathered a potential powerful marketing tool. On top of this, although the software is free, some of the registered users will be owners of RealJukebox Plus, the paid-for version, so RealNetworks will have had a record of their credit card details as well. According to Jason Catlett of privacy lobbying outfit Junkbusters, until the weekend RealNetworks' privacy policy on the site didn't mention the GUID system at all. Now it says: "A RealPlayer GUID is sent to a RealServer when you initiate a streaming media session. The RealServer only uses the GUID for authentication when you request limited-access streaming content." Which presumably means there is some cross-checking of registration data with preference data. The policy goes on: "RealNetworks uses GUIDs for statistical purposes and to personalise the services which are offered within our products." This hasn't impressed Catlett, who has written an open letter to RealNetworks COO Thomas Frank saying that: "This surreptitious transfer of information without the consumer's knowledge or consent is a kind of 'Trojan Horse' attack that should constitute 'exceeding authorised access' under the Computer Fraud and Abuse Act of 1986." Catlett has thoughtfully forwarded a copy of the letter to the FBI. He also says he's asking TRUSTe to investigate whether the company breached consumer privacy or its TRUSTe licence. But TRUSTe, you'll recall, exonerated Microsoft entirely over the Hotmail matter recently. Whatever the US Feds say about this, this kind of stuff is definitely against the law in Europe. In the wake of the discovery of the procedure it doesn't seem that RealNetworks has got its act together on the subject. On the one hand the system is allegedly intended to help it figure out demand, so it's not about individual users. But on the other, if it's used to personalise services, then it must be about individuals. And then there's the question of why the GUID is encrypted on the user's machine. Smith wonders about that... ®

High performance access to file storage

More from The Register

next story
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
It may be ILLEGAL to run Heartbleed health checks – IT lawyer
Do the right thing, earn up to 10 years in clink
France bans managers from contacting workers outside business hours
«Email? Mais non ... il est plus tard que six heures du soir!»
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.