The news that Realnetworks has been playing Big Brother with people downloading its Realjukebox player has heightened concern over the issue of how consumers can protect their privacy online.
Realjukebox is a widely used software application that lets users download compressed music files onto their PCs, then play back on the PC or using a portable digital music player.
While Realjukebox is said to have 13.5 million subscribers, it seems none except for Richard Smith, a US-based Internet security consultant, were aware that their every usage was being monitored.
Who's watching you?
Smith discovered that the Realjukebox software was relaying information to Realnetworks about what music and CDs he was listening to, which songs were recorded on the hard drive, and the type of portable MP3 player he owned. It also passed on an ID number that identified who he was.
The culprit was the globally unique identifier (GUID), a unique serial number which Realjukebox issued for each user. This meant users' personal registration information such as name and email, which they offered freely at the time of registration, could be identified from the GUIDs.
Using Realjukebox's Get Music service update, usage information like encoding options, type of portable device used, total song tracks in music database, how the user chose to receive automatic music downloads, and their genre preference, was secretly sent to Realnetworks.
"This monitoring system has the potential to be used as a powerful profiling system to help market new CDs and related products at the expense of personal privacy," said Smith in a report.
Apology to users
The company insists it was only collecting 'aggregate' statistics on how Realjukebox was being used. It quickly issued a statement apologising for the privacy breach, and issued a patch to block Realjukebox collecting such data.
"We made a mistake in not being clear enough to our users about what kind of data was being generated and transmitted by the use of Realjukebox. We respect and value the privacy of our users, and we deeply apologise for doing anything that suggests otherwise," said Rob Glaser, chairman and chief executive of Realnetworks.
However, privacy advocates are not satisfied: "A simple apology is not good enough. The privacy of the users of this popular piece of software should have been respected in the US and elsewhere," Yaman Akendiz, director of pressure group Cyber-Rights & Cyber-Liberties (UK), told vnunet.com.
To appease critics the company yesterday launched a consumer privacy initiative which it says will help consumers give informed consent before personally identifiable information is gathered about them or used.
Tip of the iceberg
However, this does show how easy it is for companies to collect detailed, personal information over the Web without consumers' knowledge and build a personal profile of each user. That information can then be used in direct marketing campaigns or even detect copyright violations.
With so many sites offering music and software downloads, consumers must become more aware of the potential risks when divulging information: the Realnetworks case could well be the tip of iceberg.
Privacy campaigners Junkbusters issued a statement for consumers concerned about their privacy while using downloads.
"Although it is too early to tell, the patched Realnetworks product may now be more privacy-friendly than competing alternatives. We do not have information on whether Musicmatch or any directly competing products have intrusive features. We cannot recommend Microsoft's products because of the company's consistently horrendous record on privacy. The other major product, Winamp, by Nullsoft, is now owned by America Online. AOL's history on privacy could most generously be described as checkered, but it has made substantial improvements over the past two years."
At your own risk
Akendiz added that the Realnetworks case is an example of the risk consumers face when using US sites, as they don't have the same strict data protection laws as Europe.
"While Europe favours legal protection for privacy and personal data, US government favours self-regulatory mechanisms that, in my view, do not provide consumer confidence or protection. The result of such a bad approach and non-legal protection is such bad examples as the Realnetworks incidence," he said.
Akendiz meanwhile advises consumers how to guard their privacy while using the Web:
- Be concerned about your personal data and personal details, including personal communications. Heed your gut feeling that the Internet is an insecure medium, and think before you give away personal information.
- Use privacy enhancing technologies such as Pretty Good Privacy (PGP) and encryption to protect your personal communications.
- Report those without privacy policies or those which are not registered for the purposes of the Data Protection laws to the appropriate bodies - e.g. to the Data Protection Registrar within the UK.
Geoengineering on the sea floor near glaciers would form a new ice shelf to prevent melting
Alterations in capillary blood flow can be caused by body position change
Curiosity rover is in 'normal mode' but not transmitting scientific data back to base
NatWest outage comes a day after Barclays' IT systems shut out customers and staff