Feeds

RealNetworks caught secretly swiping users' jukebox data

If you thought your Leonard Cohen habit was a secret, you were wrong...

  • alert
  • submit to reddit

Security and trust: The backbone of doing business over the internet

RealNetworks has been caught surreptitiously grabbing information about the preferences of users of its RealJukebox software. The software, which is available free and is used to play music CDs, also tells RealNetworks who you are and what you like listening to. Until this was exposed by electronic privacy expert Richard Smith (co-founder of Phar Lap Software), RealNetworks had neglected to mention this to users. Smith it was who exposed Microsoft's use of serial numbers in conjunction with Windows 98 registration, and he details the procedure RealNetworks has been using here. RealJukebox sends out information on the CDs users listen to, along with a unique player ID number that says who they are. It also reports how many songs are recorded on the hard drive, the type of portable MP3 player being used, and music preferences. When a user registers RealJukebox they are assigned a Globally Unique Identifier (GUID), that is their own personal serial number. This is encrypted in the Windows registry, but Smith has discovered that it's the same number as is sent to RealNetworks along with information about music preferences. This happens on the fly if you play a CD while you're connected to the Internet. There are something in the region of 13 million registered users of RealJukebox, which makes any database RealNetworks has gathered a potential powerful marketing tool. On top of this, although the software is free, some of the registered users will be owners of RealJukebox Plus, the paid-for version, so RealNetworks will have had a record of their credit card details as well. According to Jason Catlett of privacy lobbying outfit Junkbusters, until the weekend RealNetworks' privacy policy on the site didn't mention the GUID system at all. Now it says: "A RealPlayer GUID is sent to a RealServer when you initiate a streaming media session. The RealServer only uses the GUID for authentication when you request limited-access streaming content." Which presumably means there is some cross-checking of registration data with preference data. The policy goes on: "RealNetworks uses GUIDs for statistical purposes and to personalise the services which are offered within our products." This hasn't impressed Catlett, who has written an open letter to RealNetworks COO Thomas Frank saying that: "This surreptitious transfer of information without the consumer's knowledge or consent is a kind of 'Trojan Horse' attack that should constitute 'exceeding authorised access' under the Computer Fraud and Abuse Act of 1986." Catlett has thoughtfully forwarded a copy of the letter to the FBI. He also says he's asking TRUSTe to investigate whether the company breached consumer privacy or its TRUSTe licence. But TRUSTe, you'll recall, exonerated Microsoft entirely over the Hotmail matter recently. Whatever the US Feds say about this, this kind of stuff is definitely against the law in Europe. In the wake of the discovery of the procedure it doesn't seem that RealNetworks has got its act together on the subject. On the one hand the system is allegedly intended to help it figure out demand, so it's not about individual users. But on the other, if it's used to personalise services, then it must be about individuals. And then there's the question of why the GUID is encrypted on the user's machine. Smith wonders about that... ®

New hybrid storage solutions

More from The Register

next story
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
Murdoch to Europe: Inflict MORE PAIN on Google, please
'Platform for piracy' must be punished, or it'll kill us in FIVE YEARS
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
OECD lashes out at tax avoiding globocorps' location-flipping antics
You hear that, Amazon, Google, Microsoft et al?
Show us your Five-Eyes SECRETS says Privacy International
Refusal to disclose GCHQ canteen menus and prices triggers Euro Human Rights Court action
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.