Feeds

RealNetworks caught secretly swiping users' jukebox data

If you thought your Leonard Cohen habit was a secret, you were wrong...

  • alert
  • submit to reddit

The essential guide to IT transformation

RealNetworks has been caught surreptitiously grabbing information about the preferences of users of its RealJukebox software. The software, which is available free and is used to play music CDs, also tells RealNetworks who you are and what you like listening to. Until this was exposed by electronic privacy expert Richard Smith (co-founder of Phar Lap Software), RealNetworks had neglected to mention this to users. Smith it was who exposed Microsoft's use of serial numbers in conjunction with Windows 98 registration, and he details the procedure RealNetworks has been using here. RealJukebox sends out information on the CDs users listen to, along with a unique player ID number that says who they are. It also reports how many songs are recorded on the hard drive, the type of portable MP3 player being used, and music preferences. When a user registers RealJukebox they are assigned a Globally Unique Identifier (GUID), that is their own personal serial number. This is encrypted in the Windows registry, but Smith has discovered that it's the same number as is sent to RealNetworks along with information about music preferences. This happens on the fly if you play a CD while you're connected to the Internet. There are something in the region of 13 million registered users of RealJukebox, which makes any database RealNetworks has gathered a potential powerful marketing tool. On top of this, although the software is free, some of the registered users will be owners of RealJukebox Plus, the paid-for version, so RealNetworks will have had a record of their credit card details as well. According to Jason Catlett of privacy lobbying outfit Junkbusters, until the weekend RealNetworks' privacy policy on the site didn't mention the GUID system at all. Now it says: "A RealPlayer GUID is sent to a RealServer when you initiate a streaming media session. The RealServer only uses the GUID for authentication when you request limited-access streaming content." Which presumably means there is some cross-checking of registration data with preference data. The policy goes on: "RealNetworks uses GUIDs for statistical purposes and to personalise the services which are offered within our products." This hasn't impressed Catlett, who has written an open letter to RealNetworks COO Thomas Frank saying that: "This surreptitious transfer of information without the consumer's knowledge or consent is a kind of 'Trojan Horse' attack that should constitute 'exceeding authorised access' under the Computer Fraud and Abuse Act of 1986." Catlett has thoughtfully forwarded a copy of the letter to the FBI. He also says he's asking TRUSTe to investigate whether the company breached consumer privacy or its TRUSTe licence. But TRUSTe, you'll recall, exonerated Microsoft entirely over the Hotmail matter recently. Whatever the US Feds say about this, this kind of stuff is definitely against the law in Europe. In the wake of the discovery of the procedure it doesn't seem that RealNetworks has got its act together on the subject. On the one hand the system is allegedly intended to help it figure out demand, so it's not about individual users. But on the other, if it's used to personalise services, then it must be about individuals. And then there's the question of why the GUID is encrypted on the user's machine. Smith wonders about that... ®

Boost IT visibility and business value

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
No, thank you. I will not code for the Caliphate
Some assignments, even the Bongster decline must
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
Barnes & Noble: Swallow a Samsung Nook tablet, please ... pretty please
Novelslab finally on sale with ($199 - $20) price tag
Ballmer leaves Microsoft board to spend more time with his b-balls
From Clippy to Clippers: Hi, I see you're running an NBA team now ...
Banking apps: Handy, can grab all your money... and RIDDLED with coding flaws
Yep, that one place you'd hoped you wouldn't find 'em
Video of US journalist 'beheading' pulled from social media
Yanked footage featured British-accented attacker and US journo James Foley
Call of Duty daddy considers launching own movie studio
Activision Blizzard might like quality control of a CoD film
Primetime precrime? Minority Report TV series 'being developed'
I have to know. I have to find out what happened to my life
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Scale data protection with your virtual environment
To scale at the rate of virtualization growth, data protection solutions need to adopt new capabilities and simplify current features.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?