# iTunes privacy -- ATTN ARTISTSERIES



## Macaholic (Jan 7, 2003)

This one's for you baby.

http://macdiscussion.com/article_show.php3?article_id_var=266

Frankly, I like the store showing me this info, and I could care less if Apple knows what music my IP address is playing, It's easy to turn off, of course.


----------



## Vexel (Jan 30, 2005)

Personally.. I like this. If Apple's logging what I'm playing.. maybe they'll get some decent music for that iTMS thing  

I really don't see this affecting the end user at all.. on or off. It's nice that you can turn it off when you want. So it's no big deal to me


----------



## Guest (Jan 11, 2006)

I am against them doing it without expreslly TELLING you that they are doing just that. In any other context when a company does that with no notification to you it's called spyware.

Of course .. I may be a bit biased hehe. I wrote that article  Thanks for the link.


----------



## Chealion (Jan 16, 2001)

There is also more info at http://www.boingboing.net/2006/01/11/itunes_update_spies_.html

The most pertitnent part:


> "I just ran a packet trace of the new iTunes - it only connects to Apple if the Mini Store is open. For regular MP3s, it'll run a full text search to find related articles, for purchased music, it searches by the original product ID. Sample query string is:
> 
> /WebObjects/MZSearch.woa/wa/ministoreMatch?an=Daft% 20Punk&gn=Electronic&kind=song&pn=Discovery


Meaning that it's nothing more then a highly customized search request for the music store. What they do with that info however we don't know. However if you shut it off, it doesn't send any data so it's not true spyware functionality.

Is it adware/spyware? Only if you feel it is and opt in. However you are opted in by default - but you can't consider it malware as turning off that feature is the click of a button right on the main window.


----------



## trump (Dec 7, 2004)

I could care less if people know what I'm listening to...all it gives them is my musical taste


----------



## Guest (Jan 11, 2006)

exactly Chealion

It's not the fact at what it does, it how they brought it into pass that bothers me. On my packet scan it also showed me that they do track the search ID's and it sends that info to a server called metrics.apple.com ... if that's not telling us that they are tracking it I don't know what will 

I wouldn't say it's malware ... but adware/spyware without a doubt. Most people don't seem to care, but as the comments on my article bring into point though, today it's what music you're listening to, tomorrow it's ______ ?


----------



## ArtistSeries (Nov 8, 2004)

mguertin said:


> I wouldn't say it's malware ... but adware/spyware without a doubt. Most people don't seem to care, but as the comments on my article bring into point though, today it's what music you're listening to, tomorrow it's ______ ?


Maybe we should get GordGuide in on this one? 
http://www.macworld.com/weblogs/editors/2006/01/ministore/index.php

You can easily see the direction that this is taking. Yes my original objections with the privacy issues still exist and are vindicated by this slowly expanding with this new version of iTunes. 
If Apple (and related companies) were more open, then I think fears would be reduced. 
People don't really seem to care and that is the unfortunate part. Apathy is the data miners greatest ally...


----------



## Macaholic (Jan 7, 2003)

ArtistSeries said:


> Apathy is the data miners greatest ally...


Oh whatever, man...


----------



## Klaatu (Jun 3, 2003)

Sheesh!

People are just figuring this out now? More people should get a program called Little Snitch. You may be a bit freaked as to how many programs are doing this. I've noticed this on iTunes for months, at least. Maybe a year.

And add me to those who say, if I want to share, fine. But if you do it without telling me, it's called spying. For that I have no tolerance.


----------



## ArtistSeries (Nov 8, 2004)

Look, on Slashdot someone pointed out that people where up in arms about the Sony Rootkit phoning home (yes there is more to it than that). Somehow it make it okay because it's Apple?

If Apple had asked for permission ahead of time, this would be a very different issue. Some find it a cool feature, great for you. 

You may not see anything wrong with Apple collecting market research but if Apple had been honest about it and stating it up front, we would not be having this discussion.


----------



## ice_hackey (Aug 13, 2004)

I use snitch as well.
Programs ask me once - then I say "no", end of story.

I don't recall iTunes connecting to the web, but then again, it only asked me once. 

It's a fantastic program; the first thing I install on any mac I own.


----------



## iMatt (Dec 3, 2004)

ArtistSeries said:


> Look, on Slashdot someone pointed out that people where up in arms about the Sony Rootkit phoning home (yes there is more to it than that). Somehow it make it okay because it's Apple?
> 
> If Apple had asked for permission ahead of time, this would be a very different issue. Some find it a cool feature, great for you.
> 
> You may not see anything wrong with Apple collecting market research but if Apple had been honest about it and stating it up front, we would not be having this discussion.


So you reject Apple's denial that they're gathering research data?

Per the front page of Slashdot yesterday:



> Apple Responds to iTunes Spying Allegations
> 
> "According to MacWorld and BoingBoing: 'An Apple spokesman (reliable word has it that it was Steve Jobs himself) told MacWorld that Apple discards the personal information that the iTunes Ministore transmits to Apple while you use iTunes. [...] Apple tells us that the information is not actually being collected. The data sent is used to update the MiniStore and then discarded.' Apple also has a *knowledge base article, which apparently was available the day iTunes 6.0.2 was introduced, explaining the MiniStore behavior and how to disable it:* 'iTunes sends data about the song selected in your library to the iTunes Music Store to provide relevant recommendations. When the MiniStore is hidden, this data is not sent to the iTunes Music Store.'"


If this is true, and I have no reason to think it isn't, this is several orders of magnitude less serious than Sony's rootkit -- which, let's remember, can compromise your entire computer. It's not because it's Apple that it's no big deal, it's because it's a trivial invasion that can be fully disabled with a single click. It's so not-serious, about the only thing I can fault Apple for is making this feature the default behaviour. 

Full discussion (which I haven't had the chance to read): http://apple.slashdot.org/article.pl?sid=06/01/12/1513223


----------



## rubeole (Oct 21, 2005)

iMatt said:


> trivial invasion


I don't see those two words as being well-matched for some reason.

When I was in grade 8 I might've not just openly told strangers my name and home address, but I sure wore patches / put up stickers of my favourite bands.

Now I feel oppositely - where you can have my address, sure come visit for tea! But if you start digging through my personal tastes (i.e. playlist) without asking first, you are gonna get trouble. The last time someone 'data-mined' my musical preferences, there was the big "punk revival" of 1994.


----------



## iMatt (Dec 3, 2004)

rubeole said:


> I don't see those two words as being well-matched for some reason.
> 
> When I was in grade 8 I might've not just openly told strangers my name and home address, but I sure wore patches / put up stickers of my favourite bands.
> 
> Now I feel oppositely - where you can have my address, sure come visit for tea! But if you start digging through my personal tastes (i.e. playlist) without asking first, you are gonna get trouble. The last time someone 'data-mined' my musical preferences, there was the big "punk revival" of 1994.



True, "trivial" and "invasion" don't go well together. But maybe "invasion" doesn't really belong here? They say they're not keeping the data, just using it to update the mini-store, and immediately discarding it. Nothing at all is sent if you click once to disable the mini-store. If they turn out to be lying about any of that, I'll join in crying foul. In the meantime, I'll argue that it's a very poor candidate for a cause célèbre.


----------



## MannyP Design (Jun 8, 2000)

Personally, I think the key difference what Apple is doing is that they're offering an electronic version of a sales clerk who notices a particular genre/artist that you happen to be "browsing" (or listening to; whatever) and offers a friendly suggestion of other CDs you might be interested in, as opposed to scouring your library for every song you have and sending the data to a person who dissects, analyzes and exploits it.

Think about it: every search and purchase is logged and categorized anyway, why would they feel the need to further intrude into your personal privacy to get additional information that would likely yield similar results? If you browse, listen to, and then buy brand "X" music from the iTMS... they don't need to look at your library to figure out what kind of music you like or what your spending habits are. They pretty much have you pegged. 

I just don't get the whole paranoia thing... a company catering to my personal tastes in music in the hopes of getting me to buy more--that's the least of my worries.


----------



## rubeole (Oct 21, 2005)

« MannyP Design » said:


> Personally, I think the key difference what Apple is doing is that they're offering an electronic version of a sales clerk who notices a particular genre/artist that you happen to be "browsing" (or listening to; whatever) and offers a friendly suggestion of other CDs you might be interested in...


Seriously, does that happen in real life? That would irk me into a fit.

If that friendly clerk is the one at the local record store where I've been going for years, and we're acquainted - fine. This, I think, is the assswipe at HMV who's upselling me so he can get a free cellphone from his manager. Nevermind his alterior motives, I probably know more than him about my music of choice, and always will. Unsolicited advice is the worst sort. That said - there are reasons I mailorder my records...


----------



## MannyP Design (Jun 8, 2000)

rubeole said:


> Seriously, does that happen in real life? That would irk me into a fit.


Well, it does, but maybe not to THAT degree. Whenever I go to a CD store (if the clerk is familiar with my type of music) they sometimes mention a CD of interest might have been released (depending on what I have) when I go to pay the cashier. Sometimes it's by the same artist(s), and sometimes it's of a similar genre.

I rarely go to HMV... way overpriced. I usually frequent local CD shops that have a decent selection of mainstream and local/indie music.


----------



## macsackbut (Dec 15, 2004)

The only real problem as I see it is that the mini store is on by default. Make it an op-in feature and the (minor) problem is solved in my books.


----------



## ArtistSeries (Nov 8, 2004)

rubeole said:


> Now I feel oppositely - where you can have my address, sure come visit for tea! But if you start digging through my personal tastes (i.e. playlist) without asking first, you are gonna get trouble. The last time someone 'data-mined' my musical preferences, there was the big "punk revival" of 1994.


Actually Apple also has your personal information.
http://www.mcelhearn.com/article.php?story=20060112175208864


> Some things just go on getting worse. If it wasn't enough that iTunes 6.0.2 contains spyware and adware, now it turns out that the program not only sends information about the song you have selected to Apple's servers, but also sends your Apple ID, or, at least, its numerical equivalent.
> 
> Michael Griffin first noticed this, as reported on Boing Boing, and I had trouble reproducing it at first. But I quickly found out that he was right, with the exception that his Apple ID is six digits and mine is eight. (See the updates to the Boing Boing story for more on how I discovered this.)
> 
> So, after Apple claimed that they were not "collecting" information, it now turns out that the information they send is directly linked to a user's account identifier, if, of course, the user has an Apple ID. If you have never logged into your iTunes Music Store account, you won't have this ID, and Apple can't track you. But if you have, even once, this ID is stored in a preference file on your computer, and sent with each iTunes MiniStore request.


http://www.boingboing.net/2006/01/11/steve_jobs_apple_dis.html


> This raises the question: if Apple discards the personally identifying information after receiving the current song, why does it need your personal iTunes account identifier at all?
> 
> And I should make clear to you that the six digit number is not an iTunes identifier of some sort. It is my Apple ID. Apple ID's are unique to every individual and are used for all of Apple's services -- iTunes, .Mac, Apple Care, OS X registration, pro application use, the online Apple Store, the Apple Developer Connection, and so on. Between all of the information, Apple knows a lot about me, right down to my Mother's maiden name.


----------



## Guest (Jan 14, 2006)

yep that lines up exactly with what I found as well and posted to my article on macdiscussion.com. It sends ALL of this info to a server called metrics.apple.com ... so all the talk that they aren't collecting the data for other usage seems like a HUGE loadof bunk to me. Why send it all to a server called metrics if you're not analyzing it ?!??!?


----------



## ArtistSeries (Nov 8, 2004)

mguertin said:


> yep that lines up exactly with what I found as well and posted to my article on macdiscussion.com. It sends ALL of this info to a server called metrics.apple.com ... so all the talk that they aren't collecting the data for other usage seems like a HUGE loadof bunk to me. Why send it all to a server called metrics if you're not analyzing it ?!??!?


I think that if Apple had been upfront about it it may have been different. 

I find it disgusting and wonder how the Mac community would react if MS or Real did the same thing?


----------



## rubeole (Oct 21, 2005)

> Apple ID's are unique to every individual and are used for all of Apple's services -- iTunes, .Mac, Apple Care, OS X registration, pro application use, the online Apple Store, the Apple Developer Connection, and so on.


None of those apply to me. Never messed with any of them.
I wonder about software and security upgrades/updates though...?


----------



## MannyP Design (Jun 8, 2000)

AS, if you've given Apple your credit card, and have set up an account to purchase goods from them... it's implied that they will know exactly what you've looked at and what you've bought--just like every other e-commerce business (Amazon, Napster, Real, MS, etc.) They all know what you've browsed at... what you've bought.

In order for you to have complete privacy, you'll need to get your stuff the old fashioned way -- by going to a store. But you'll need to pay cash, because your credit card company can see where you've shopped.


----------



## ArtistSeries (Nov 8, 2004)

Manny, what I buy is different from what I listen to.
Real Tunes was sued when they tried something similar.

Apart from privacy issues, if Apple is using this data to make money should they not give some back to the user? If they want my private data - then they should pay me for it.

And please note that this is not anonymous information - this is information that knows exactly who you are. 

What has pissed people off is that Apple is sending information without your consent to a third party. Not saying anything is assent. I spoke about not being able to turn off Gracenote and see this as an evolution of Apple's thinking. 

"Any society that would give up a little liberty to gain a little security will deserve neither and lose both."
Benjamin Franklin


----------



## ice_hackey (Aug 13, 2004)

Well.. install "little snitch" and tell it not to let iTunes connect to ANYTHING. Presto - you're private!

That's what I've done.
I only open it up for the Ricky Gervais podcast, then I lock it up again.

I dole out connectivity to my apps the same way the military provides it's soldiers with rations. Maybe this will suit you?


----------



## MannyP Design (Jun 8, 2000)

AS: Like you said: "If."

There is nothing you have shown to date that Apple is giving your personal information to a third party. So, unless you have something a lot more substantial and definitive--other than a whole lot of corpspeak, technical babble and conspiracy theories--it's nothing more.


----------



## gordguide (Jan 13, 2001)

Either you believe Apple and GraceNote when they say they don't retain any identifying information, or you don't. Personally, I don't believe they are the kind of company to lie about such things, but you may not trust Apple whatsoever. To each their own.

But, "Spyware" means a very specific thing; and that does not include what iTunes does, by any stretch of the imagination. I don't have a problem with anyone who doesn't like iTunes' behaviour; certainly there's plenty to be wary about when dealing with anything networked and a healthy skepticism is certainly an asset if you use a computer.

No matter how much or how little it bothers you, it is not spyware. We reserve that for specific forms of invasion and coverup, and It's not doing anyone any favours when we dilute the language by misapplying a label that means something quite specific.


----------



## ArtistSeries (Nov 8, 2004)

mguertin said:


> yep that lines up exactly with what I found as well and posted to my article on macdiscussion.com. It sends ALL of this info to a server called metrics.apple.com ... so all the talk that they aren't collecting the data for other usage seems like a HUGE loadof bunk to me. Why send it all to a server called metrics if you're not analyzing it ?!??!?


On the whole, Apple knowing what songs you play, does not seem to bother most. This is different in the sense that Apple was not transparent about the process. There is no warning in the EULA. 
The information is also going to Omniture (a third party). You may want to trust Apple, but do you trust a third party with that information? Omniture is a marketing firm, and data mining is a big business - what assurance do you have about that data not being sold?

Apple said that it did not keep any data - but why even need your Apple user ID?

Going over to http://www.omniture.com/ explains what they do - 

If you want to loose privacy to Apple, then it should be when you decide, not when Apple wants. All these cross-promotions are getting to be a little much. What happened to software that just worked without trying to sell me something?


----------



## MannyP Design (Jun 8, 2000)

The whole "why Apple ID" thing is a moot point -- they have your credit card. There is nothing under Apple ID that your credit card won't tell them. End of story. Apple keeps records of your personal information under Apple ID -- purchase history, shipping addresses, credit cards... the same way Amazon keeps your personal data in their member account... the same way practically every other company does.

From Apple's site:


> Apple’s privacy policy covers the collection and use of personal information that may be collected by Apple anytime you interact with Apple, such as when you visit our website, when you purchase Apple products and services, or when you call our sales or support associates.
> 
> ...
> 
> ...


I think it's pretty clear. A lot of things they talk about (market research) apply to when you register your product -- which is easily bypassed if you do not want to convey personal information (where the product will be used and what purpose, etc.)

Microsoft does the exact same thing. A lot of companies do.


----------



## ArtistSeries (Nov 8, 2004)

Apple has changed the behaviour of the mini-store this morning.


----------



## Guest (Jan 18, 2006)

I don't think they had a choice ArtistSeries. They know that they way they did it was wrong and luckily due to the nature of how their setup runs they can correct it server side without having to deploy a whole new iTunes update to the masses.

That said I'm glad they at least give the option now and tell you that your information is being sent to Apple.

You'll also notice the wording that they do not "keep information related to the content of your music library." What do they consider as being "related to the content" of my music library? I would say that my Apple ID is related hee, but at least this is a step in the right direction.


----------



## iMatt (Dec 3, 2004)

Smart solution. It looks like turning it on by default was the answer to the question: "how do we advertise this feature?" The new answer is much better. 

The question about the Apple ID remains. Is this info sent when you're playing purchased music, or any music?

(FWIW, I see no point to the mini-store and so leave it disabled, because iTunes is always in the background for me unless I'm actually poking around in the music store proper.)


----------



## MannyP Design (Jun 8, 2000)

iMatt said:


> Smart solution. It looks like turning it on by default was the answer to the question: "how do we advertise this feature?" The new answer is much better.
> 
> The question about the Apple ID remains. Is this info sent when you're playing purchased music, or any music?
> 
> (FWIW, I see no point to the mini-store and so leave it disabled, because iTunes is always in the background for me unless I'm actually poking around in the music store proper.)


Apple ID has nothing to do with using the application as far as listening to music goes, outside of purchasing and downloading music from iTMS. It may do a check to see if you are allowed to play the music (DRM restrictions and authorizations as it is tied to Apple ID) but it does not send info to Apple HQ of what playlists you have (save for published ones in iTMS that _you_ decide to share) or what music you have in your library (outside of iTMS purchases.)

It will certainly not tell Apple what CDs you have listened to, or what songs you have ripped.


----------



## ArtistSeries (Nov 8, 2004)

iMatt said:


> The question about the Apple ID remains. Is this info sent when you're playing purchased music, or any music?


Any music.


----------



## iMatt (Dec 3, 2004)

« MannyP Design » said:


> Apple ID has nothing to do with using the application as far as listening to music goes, outside of purchasing and downloading music from iTMS. It may do a check to see if you are allowed to play the music (DRM restrictions and authorizations as it is tied to Apple ID) but it does not send info to Apple HQ of what playlists you have (save for published ones in iTMS that _you_ decide to share) or what music you have in your library (outside of iTMS purchases.)
> 
> It will certainly not tell Apple what CDs you have listened to, or what songs you have ripped.


No, I didn't think any of that. In fact, I said nothing whatsoever about what they might do with that information. But there were suggestions that communications with the mini-store involved the Apple ID in some or all cases, as learned by analysing packets. I was just asking whether it was "some" or "all" or "somebody erred in analysing his packets". 

With regard to purchased music, iTunes does not need to phone home every time you play it. When you authorize a computer, the keys to the locked files are copied to that computer. It's probable that the keys are updated periodically, for example when you update iTunes, as a way of foiling jHymn and Harmony. But old keys will continue to work if (for example) you keep an authorized computer off the Internet permanently.


----------



## MannyP Design (Jun 8, 2000)

ArtistSeries said:


> Any music.


Wrong. The only information Apple will have about your music is what you've purchased from them -- not what you have in your Library, or in your CD tray. There's a huge difference.

The ministore only offers suggestions based on what's playing--Apple does not receive the information for data mining. It's akin to javascript that relays the time from your computer from a website. It doesn't mine the data.

From Apple:



> Apple does not keep any information related to the contents of your music Library.


----------



## iMatt (Dec 3, 2004)

« MannyP Design » said:


> Wrong. The only information Apple will have about your music is what you've purchased from them -- not what you have in your Library, or in your CD tray. There's a huge difference.


From post 19 in this thread:



> If you have never logged into your iTunes Music Store account, you won't have this ID, and Apple can't track you. But if you have, even once, this ID is stored in a preference file on your computer, *and sent with each iTunes MiniStore request.*


Was this original claim accurate? Is it still accurate today? If it's accurate, is Apple doing anything with that information, or is it just the result of an oversight/design flaw in the programming of the mini store function?

Those are the questions I still have.


----------



## MannyP Design (Jun 8, 2000)

I believe it has something to do with the content -- you cannot purchase music from the iTMS outside of iTMS Canada... with the obvious exceptions depending on whether you use foreign iTMS gift/credit cards from, say, the UK, USA, etc.

If you're listening to a band that is not available for purchase on iTMS Canada, then they cannot offer a suggestion via the Ministore.


----------



## iMatt (Dec 3, 2004)

« MannyP Design » said:


> I believe it has something to do with the content -- you cannot purchase music from the iTMS outside of iTMS Canada... with the obvious exceptions depending on whether you use foreign iTMS gift/credit cards from, say, the UK, USA, etc.
> 
> If you're listening to a band that is not available for purchase on iTMS Canada, then they cannot offer a suggestion via the Ministore.


So it's a stand-in for a country identifier? I guess that makes some sense, though it seems like overkill. A simple drop-down menu would do the trick.


----------



## ArtistSeries (Nov 8, 2004)

mguertin should be able to verify this - I have not bothered to check today.
Yes the claim was accurate and has been confirmed by a few sources.

This site has a good breakdown: http://www.mcelhearn.com/article.php?story=20060113123710770


> *The iTunes MiniStore sends personal information to Apple's servers.* True, in part. It also sends information to a company called Omniture. The since1968 blog has a great article explaining more about Omniture.


http://since1968.com/article/155/omniture-itunes



> *The iTunes MiniStore sends personal information to Apple's servers, and other servers, for every song you play, the contents of your entire library, etc.* _False. The iTunes MiniStore only sends this information when you click a song._ If you double-click a song from an album or playlist, for example, the first song's information is sent to Apple's servers, but subsequent songs are not. iTunes also sends information for CDs that you insert into your computer (if iTunes is running) to either play or rip. iTunes also does not send the contents of your entire library or anything else to Apple's servers.
> 
> *The iTunes MiniStore sends a personal ID to these servers.* _True._ As I explain in this article, the iTunes MiniStore sends your Apple ID (or at least its numerical equivalent) with each request for information. It also sends song information (name, artist, and genre) for music you have ripped yourself, or a unique identifier for songs you have purchased from the iTunes Music Store (iTMS). The Apple ID is used for the iTunes Music Store, for .Mac (if you have a subscription), for Apple's developer program and other Apple services, including purchase you make from the Apple Store. The Apple ID can therefore be linked to your credit card, your address, and your purchasing habits with Apple.


You can read the rest at the above links.


----------



## Guest (Jan 18, 2006)

It is true. Ethereal and tcpdump both show that my Apple ID is still being sent by the ministore. The ITMS XML file that is served still includes the "ping" command to the server metrics.apple.com (which contains a transaction ID -- which seems to be the unique identifier used on the original ministore request -- which containts your ITMS ID).

I'm glad they are at least warning users about this now. What users choose to do is their own choice. I choose to NOT use the ministore. Apple did a big slipup on this one and they have gone far down the trust chain in my eyes for trying to quietly pull something like this, which one of the above articles mentioned that Real Networks got sued for in the past.


----------

