Feeds

RealNetworks caught secretly swiping users' jukebox data

If you thought your Leonard Cohen habit was a secret, you were wrong...

  • alert
  • submit to reddit

Internet Security Threat Report 2014

RealNetworks has been caught surreptitiously grabbing information about the preferences of users of its RealJukebox software. The software, which is available free and is used to play music CDs, also tells RealNetworks who you are and what you like listening to. Until this was exposed by electronic privacy expert Richard Smith (co-founder of Phar Lap Software), RealNetworks had neglected to mention this to users. Smith it was who exposed Microsoft's use of serial numbers in conjunction with Windows 98 registration, and he details the procedure RealNetworks has been using here. RealJukebox sends out information on the CDs users listen to, along with a unique player ID number that says who they are. It also reports how many songs are recorded on the hard drive, the type of portable MP3 player being used, and music preferences. When a user registers RealJukebox they are assigned a Globally Unique Identifier (GUID), that is their own personal serial number. This is encrypted in the Windows registry, but Smith has discovered that it's the same number as is sent to RealNetworks along with information about music preferences. This happens on the fly if you play a CD while you're connected to the Internet. There are something in the region of 13 million registered users of RealJukebox, which makes any database RealNetworks has gathered a potential powerful marketing tool. On top of this, although the software is free, some of the registered users will be owners of RealJukebox Plus, the paid-for version, so RealNetworks will have had a record of their credit card details as well. According to Jason Catlett of privacy lobbying outfit Junkbusters, until the weekend RealNetworks' privacy policy on the site didn't mention the GUID system at all. Now it says: "A RealPlayer GUID is sent to a RealServer when you initiate a streaming media session. The RealServer only uses the GUID for authentication when you request limited-access streaming content." Which presumably means there is some cross-checking of registration data with preference data. The policy goes on: "RealNetworks uses GUIDs for statistical purposes and to personalise the services which are offered within our products." This hasn't impressed Catlett, who has written an open letter to RealNetworks COO Thomas Frank saying that: "This surreptitious transfer of information without the consumer's knowledge or consent is a kind of 'Trojan Horse' attack that should constitute 'exceeding authorised access' under the Computer Fraud and Abuse Act of 1986." Catlett has thoughtfully forwarded a copy of the letter to the FBI. He also says he's asking TRUSTe to investigate whether the company breached consumer privacy or its TRUSTe licence. But TRUSTe, you'll recall, exonerated Microsoft entirely over the Hotmail matter recently. Whatever the US Feds say about this, this kind of stuff is definitely against the law in Europe. In the wake of the discovery of the procedure it doesn't seem that RealNetworks has got its act together on the subject. On the one hand the system is allegedly intended to help it figure out demand, so it's not about individual users. But on the other, if it's used to personalise services, then it must be about individuals. And then there's the question of why the GUID is encrypted on the user's machine. Smith wonders about that... ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Bono apologises for iTunes album dump
Megalomania, generosity and FEAR of irrelevance drove group to Apple deal
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
Arab States make play for greater government control of the internet
Nerds told to get lost in last-minute power grab bid at UN meeting
Apple SILENCES Bose, YANKS headphones from stores
The, er, Beats go on after noise-cancelling spat
Zippy one-liners, broken promises: Doctor Who on the Orient Express
Series finally hits stride, but Clara's U-turn is baffling
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
10 Top Tips For PRs Considering Whether To Phone The Register
You'll Read These And LOL Even Though They're Serious
Stop ROBOT exploitation, cry striking Foxconn workers
HP downturn and automation eroding overtime on China's production lines
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.