iTunes 6.0.2 - Spyware or not?

2006-08-06, 22:39
A lot of discussions have taken place in the past few days about a new iTunes feature. When you update to iTunes 6.0.2, it will tell you the only new features are video preview in the shop and some bug fixes. But the most visible new feature you see once you have it installed is the so-called MiniStore - a not-so-small shop frame in the lower third of the main iTunes window. It displays albums similar to the ones you click inside your song database. Personally, I would regard a list of similar music as a good way to broaden my music horizon. But since there were so many public opinions and comments on this topic, some of our detectives decided to give it a deeper look.
Let's start with the good news - as soon as you hide the MiniStore window (there's a button in the lower right corner of the screen - the fourth from the right), no more data will be submitted. But then, users probably wouldn't know that data would be submitted at all, so nearly every user will have sent some.
To find out if this is really harmful, let's take a look at what data was sent outside. We found both the artist and album name of each clicked song in the outgoing data stream, unencrypted. Now since this is the iTunes Music Store, they need to track your identity for valid purposes in the usual Store you manually open when you want to. If you've bought a song in the Store before, the iTunes Music Shop knows you, and it would be easy to associate the data of the currently playing song with that profile.
You may ask if it really is that bad if Apple knows this. That depends... Apple didn't mention what they do with that data. We requested a statement from Apple, but the German PR person was simply not available for us except for a form letter rejecting any accusations. Now there are a bunch of websites saying that someone, maybe even Steve Jobs himself, said that the data would not be used, but discarded. Maybe that even is right - but they lied to their users in the license agreement, and there's no proof that those rumors are true. Furthermore, there's the question where the data was sent to.
So where did it go to? We tested the Windows version inside out, and found a bunch of connections, but only to Apple itself and their mirrors at Akamai, which is legit. We then got the idea to test the Macintosh version, and indeed found a connection to 2o7.net, which belongs to a company named Omniture. Omniture is a company for Web Analytics and Web site Statistics. On the one hand, this means that data may even be transmitted to a third party, which according to the license agreement should not happen, at least not without clearly expressed users' consent. On the other hand, why does Apple need an external company for analytics and statistics if they discard the information right after looking up related albums?
These doubts have caused us to give Apple a few calls, emails and faxes, expressing our concerns, asking for a statement and offering our help in getting an insight from an anti-spyware company's perspective. The only answer we received was a form letter making fun of the fact that we have no Macintosh version and giving us the clearly wrong standard answer that no personal data is submitted, and a link to their website showing how to disable it (you can find it in the link list below this article).
Let's summarize it. Should you be paranoid? Unless you have a bunch of MP3s downloaded from file sharing networks maybe, in which case I guess you wouldn't want a company working closely with music labels to know, you probably don't need to be. It's a violation of law, and it's a break-in into your privacy, but it's not yet such a big deal as the recent Sony story. But you should show Apple your dislike clearly before they take the next step on the intrusion ladder (by the way, did you know that Apple forces OS registration on you way harder than even Microsoft?). And our sign of dislike is the removal of the About iTunes.rtf file from iTunes, which is the one concealing this new spying feature.
Here's a list of web sites that have dealt with the new iTunes version and its spyware:

tuaw: New MiniStore in iTunes 6.0.2 (http://tuaw.com/2006/01/10/new-ministore-in-itunes-6-0-2/)
Omniture, Apple, iTunes, and Privacy (http://since1968.com/article/155/omniture-itunes)
BoingBoing: iTunes update spies on your listening and sends it to Apple? (http://www.boingboing.net/2006/01/11/itunes_update_spies_.html)
Kirkville: iTunes: Apple's New Spyware and Adware Application? (http://www.mcelhearn.com/article.php?story=20060111150127268)
BetaNews: New iTunes Prompts Privacy Concerns (http://www.betanews.com/article/New_iTunes_Prompts_Privacy_Concerns/1137008458)
Heise: iTunes will nach Hause telefonieren (http://www.heise.de/newsticker/meldung/68245)
arstechnica: MiniStore in iTunes 6.0.2 comes with privacy concerns (http://arstechnica.com/news.ars/post/20060111-5957.html)
MacWorld: Eyeing the iTunes MiniStore (http://www.macworld.com/weblogs/editors/2006/01/ministore/index.php)
Apple: How to show or hide the MiniStore in iTunes (http://docs.info.apple.com/article.html?artnum=303066)

More... (http://www.spybot.info/en/news/2006-01-13.html)
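
The two checks the article describes (which hosts an application contacts, and whether artist and album names appear in the outgoing data) can be run over a request capture as below. This is an added example, not code from the article or from Spybot; the capture is constructed rather than the traffic the authors observed, and the hostnames under each domain, the paths and the parameter names are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Domains treated as first party, per the article: Apple and its Akamai mirrors.
FIRST_PARTY = ("apple.com", "akamai.net")

# Constructed capture. Only the domains apple.com, akamai.net and 2o7.net relate
# to the article; host labels, paths and parameter names are invented.
CAPTURE = [
    "http://host1.apple.com/lookup?artist=Nina+Simone&album=Pastel+Blues",
    "https://host2.akamai.net/art/cover123.jpg",
    "http://host3.2o7.net/b/ss?pageName=Nina%20Simone%20-%20Pastel%20Blues",
    "https://host4.apple.com/login",
]
LIBRARY = [("Nina Simone", "Pastel Blues")]  # constructed (artist, album) pairs

def is_first_party(host, suffixes=FIRST_PARTY):
    # Match on a label boundary so "notapple.com" is not mistaken for apple.com.
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def leaked_terms(url, library):
    # parse_qsl URL-decodes values, so "+" and "%20" encodings are both caught.
    values = [v.lower() for _, v in parse_qsl(urlsplit(url).query)]
    hits = set()
    for artist, album in library:
        for term in (artist, album):
            if any(term.lower() in v for v in values):
                hits.add(term)
    return sorted(hits)

def audit(capture, library):
    findings = []
    for url in capture:
        parts = urlsplit(url)
        findings.append({
            "host": parts.hostname,
            "third_party": not is_first_party(parts.hostname),
            "cleartext": parts.scheme == "http",  # sent without transport encryption
            "terms": leaked_terms(url, library),
        })
    return findings

def third_party_leaks(capture, library):
    # Requests that carry library metadata to a host outside the allowlist.
    return [f for f in audit(capture, library) if f["third_party"] and f["terms"]]
```
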