This article is more than 1 year old

RealNetworks caught secretly swiping users' jukebox data

If you thought your Leonard Cohen habit was a secret, you were wrong...

RealNetworks has been caught surreptitiously grabbing information about the preferences of users of its RealJukebox software. The software, which is available free and is used to play music CDs, also tells RealNetworks who you are and what you like listening to. Until this was exposed by electronic privacy expert Richard Smith (co-founder of Phar Lap Software), RealNetworks had neglected to mention this to users. Smith it was who exposed Microsoft's use of serial numbers in conjunction with Windows 98 registration, and he details the procedure RealNetworks has been using here. RealJukebox sends out information on the CDs users listen to, along with a unique player ID number that says who they are. It also reports how many songs are recorded on the hard drive, the type of portable MP3 player being used, and music preferences. When a user registers RealJukebox they are assigned a Globally Unique Identifier (GUID), that is their own personal serial number. This is encrypted in the Windows registry, but Smith has discovered that it's the same number as is sent to RealNetworks along with information about music preferences. This happens on the fly if you play a CD while you're connected to the Internet. There are something in the region of 13 million registered users of RealJukebox, which makes any database RealNetworks has gathered a potential powerful marketing tool. On top of this, although the software is free, some of the registered users will be owners of RealJukebox Plus, the paid-for version, so RealNetworks will have had a record of their credit card details as well. According to Jason Catlett of privacy lobbying outfit Junkbusters, until the weekend RealNetworks' privacy policy on the site didn't mention the GUID system at all. Now it says: "A RealPlayer GUID is sent to a RealServer when you initiate a streaming media session. The RealServer only uses the GUID for authentication when you request limited-access streaming content." Which presumably means there is some cross-checking of registration data with preference data. The policy goes on: "RealNetworks uses GUIDs for statistical purposes and to personalise the services which are offered within our products." This hasn't impressed Catlett, who has written an open letter to RealNetworks COO Thomas Frank saying that: "This surreptitious transfer of information without the consumer's knowledge or consent is a kind of 'Trojan Horse' attack that should constitute 'exceeding authorised access' under the Computer Fraud and Abuse Act of 1986." Catlett has thoughtfully forwarded a copy of the letter to the FBI. He also says he's asking TRUSTe to investigate whether the company breached consumer privacy or its TRUSTe licence. But TRUSTe, you'll recall, exonerated Microsoft entirely over the Hotmail matter recently. Whatever the US Feds say about this, this kind of stuff is definitely against the law in Europe. In the wake of the discovery of the procedure it doesn't seem that RealNetworks has got its act together on the subject. On the one hand the system is allegedly intended to help it figure out demand, so it's not about individual users. But on the other, if it's used to personalise services, then it must be about individuals. And then there's the question of why the GUID is encrypted on the user's machine. Smith wonders about that... ®

More about

TIP US OFF

Send us news


Other stories you might like