Windows Tracks CDs & DVDs You Watch

lcypher writes "The AP is reporting that there is spyware within Windows Media Player 8 (which ships with XP), which records the song titles and DVD titles that a user listens to or views in WMP8. Microsoft execs claim no marketing use right now, but they won't rule it out." This looks like less of a big deal than the article makes it out to be, but it definitely could be used for evil.

  • Re:eak... (Score:5, Informative)

    by phyta ( 560544 ) <whitespy@mail.com> on Thursday February 21, 2002 @02:47AM (#3042958)
    Or .. get a firewall that detects and controls net-bound data.

    www.zonealarm.com has a great free firewall program that prevents mplayer (and others) from misbehaving.
  • No Worries (Score:2, Informative)

    by jeepthang ( 560529 ) <danNO@SPAMdanhyde.com> on Thursday February 21, 2002 @02:48AM (#3042960)
    While obviously spyware is a ripe pain in the ass, it only spies on two formats: DVDs and CDs. So: Who out there running Windows XP actually uses Windows Media Player to view their DVDs? Almost all retail video cards equipped for DVD playback come with DVD software. There are also a few wonderful third party DVD players. And who listens to CDs? I assume everyone out there rips their CDs to MP3, and then listens through winamp or the like. Bah.

    -Jeepthang
  • by a3d0a3m ( 306585 ) on Thursday February 21, 2002 @02:54AM (#3042983) Homepage
    Has anyone else noticed that CDDB [.com] does the same thing? Any program that gets CD information from CDDB, which includes Music Match Jukebox and older betas of Exact Audio Copy [a great program [exactaudiocopy.de]] would require an e-mail address before you could automatically download title and track information for CDs that you would insert? Someone should be checking out their privacy statements, because that would let them garner the same information.

    Fortunately, their privacy policies [gracenote.com] state otherwise:
    Data Aggregation. Gracenote CDDB collects aggregate statistics on which music and artists are most commonly identified by users with the Gracenote CDDB Service. ("Aggregate statistics" means "group statistics" such as the Gracenote Digital Top Ten, not individual statistics about your personal use of the service.) Besides posting these statistics for you and other fans to enjoy, Gracenote CDDB may publish or share this aggregate information with other companies. This aggregate data, by its nature, will not reveal the identity of our users. We also use aggregate data to help us improve our servers and other components of the Gracenote CDDB Service.
    It doesn't now, but if an investor comes along with a big suitcase of cash, I wonder if their privacy policy would change overnight?

    adam
  • by BrookHarty ( 9119 ) on Thursday February 21, 2002 @02:56AM (#3042998) Journal
    Yup, logs into a database, gives them an ID based on your computer, your IP, and the multimedia you're viewing, also leaves a nice log file on your PC of your activity.

    So no, it's a little more than just a mirror of a CDDB database. The traffic is bi-directional, and leaves a log trail.
    -
    I was so naive as a kid I used to sneak behind the barn and do nothing. - Johnny Carson
  • by young-earth ( 560521 ) <slash-young-eart ... m ['oos' in gap]> on Thursday February 21, 2002 @03:38AM (#3043105)
    Remember when Maria Cantwell [senate.gov] and Real [real.com] got caught tracking [rcn.com] all the music that was anywhere on your computer?

    The big question is, will Microsoft respond in the same way and back down?

  • by sameb ( 532621 ) on Thursday February 21, 2002 @03:38AM (#3043106) Homepage
    >WinAmp is bloated spyware

    Huh? I'm a faithful winamp user -- have been since it was shareware. When you install, they clearly give you an option to "submit anonymous usage statistics", which you can very easily uncheck.

    If you want the term 'spyware' to mean anything, try using it when warranted.

    Sam
  • by Chops ( 168851 ) on Thursday February 21, 2002 @04:13AM (#3043213)
    ... WinAmp is bloated spyware, RealPlayer is the same ...

    ... the damn thing crashes!

    ... My perfectly usable computer has been handicapped by its software.

    May I make a few [redhat.com] small [xmms.org] suggestions [sourceforge.net]?
  • by ruisantos ( 316753 ) on Thursday February 21, 2002 @04:59AM (#3043320)
    The only way to disable it requires you to disable cookies completely. Check Microsoft's response [computerbytesman.com] to the author. This can be good in some sites, but you will lose some features on other sites.
    You can always disable cookies on IE and use them on Mozilla [mozila.org]
  • Technical Details (Score:3, Informative)

    by arnoroefs2000 ( 122990 ) on Thursday February 21, 2002 @05:54AM (#3043429) Homepage
    For a bunch of technical details, read this [securityfocus.com] posting on Bugtraq.

    "WMP extracted movie information from this file and then added this information to a database file, named wmplibrary_v_0_12.db, which is located on my hard disk in the directory " C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index". I didn't see any method of removing movie information from this file, so it appears to me that the file keeps a complete record of all movies watched that have ever been watched on my computer."
  • by nemo ( 2417 ) <`slashdot' `at' `nemo.house.cx'> on Thursday February 21, 2002 @06:18AM (#3043470) Homepage
    The patent was granted in 1997... (April 1 in fact).

    The TiVo came out... when? (I honestly don't know? But I doubt its development started before 1997)

    Of course, who is to say what patents the TiVo uses...

    Not to mention that prior art is only an issue if the patent is challenged with it. You can have all the prior art in the world, and the patent will stand if it's not used.
  • by sql*kitten ( 1359 ) on Thursday February 21, 2002 @06:26AM (#3043483)
    What I'd like to know is how easy it is to insert my own random data into that playlist before it goes off to Microsoft?

    It doesn't go to Microsoft, it's just a cache of CDDB lookups you've done. AudioCatalyst does the same thing - but it's tracking not only what you play, but also what you rip to MP3. Surely, if you are looking for a conspiracy, that is where to look?

    This cache is just a performance enhancement, like your web browser maintaining a cache of pages you've visited. If anything, it improves your privacy: it makes it much more difficult for CDDB to track how often you play a particular CD.

    From the article:
    When a CD is played, the player downloads the disc name and titles for each song from a Web site licensed by Microsoft. That information is stored on a small file on each computer in the latest version of the software.
  • by Mr_Silver ( 213637 ) on Thursday February 21, 2002 @06:51AM (#3043542)
    Another use for it is the neat feature that it has for when you aren't on a permanent dial-up connection.

    It basically stacks up cd details until you get on-line and then downloads the track listings for all the CD's in one go.

    Whilst this doesn't sound much to your average connected American, here in the UK where broadband is stupidly expensive and the majority of us are on pay by the minute 56k modems it's an absolute godsend because we don't have to keep dialing up every single time we put a new CD in.

  • by Anonymous Coward on Thursday February 21, 2002 @07:49AM (#3043690)
    You can also turn off WMP's unique identifier thing if you're worried about privacy.

    So just out of curiosity, I fired up NetMon and WiMP 7 and stuffed a few audio CDs into my drive. Sure enough, when WiMP made the HTTP request, a little GUID was attached.

    Now comes the fun part... per the instructions in Microsoft's Privacy Statement, I went into the Options and unchecked the "Allow internet sites to uniquely identify your player" option. Then I stuffed another CD in and, guess what, the same GUID was still sent up.

    Apparently there's been a little miscommunication between Microsoft's programmers and the authors of the Privacy Statement.

  • by Cally ( 10873 ) on Thursday February 21, 2002 @08:05AM (#3043738) Homepage
    Curse this Moz build... damn testing only binaries... :)

    The links:
    Here's his page on the topic [computerbytesman.com];

    Bugtraq post [securityfocus.com]

    Microsoft's response [computerbytesman.com].
  • by Sarcazmo ( 555312 ) on Thursday February 21, 2002 @09:11AM (#3043926)
    You are wrong, Media Player is sending a globally unique ID to a MS server, along with a fingerprint of the DVD you are watching. This GUID is associated with an email address if you signed up for their newsletter, and also the newsletter encourages you to register for a Passport account.

    Here [securityfocus.com] was the original BugTraq post that started this all. Read carefully.

    Serious privacy problems in Windows Media Player for Windows XP by Richard M. Smith

    http://www.ComputerBytesMan.com

    February 20, 2002

    Introduction
    ============
    I found a number of serious privacy problems with Microsoft's Windows Media Player (WMP) for Windows XP. A number of design choices were made in WMP which allow Microsoft to individually track what DVD movies consumers are watching on their Windows PC. These problems were introduced in version 8 of WMP, which ships preinstalled on all Windows XP systems.

    In particular, the privacy problems with WMP version 8 are:

    - Each time a new DVD movie is played on a computer, the WMP software contacts a Microsoft Web server to get title and chapter information for the DVD. When this contact is made, the Microsoft Web server is given an electronic fingerprint which identifies the DVD movie being watched and a cookie which uniquely identifies a particular WMP player. With these two pieces of information Microsoft can track what DVD movies are being watched on a particular computer.
    - The WMP software also builds a small database on the computer hard drive of all DVD movies that have been watched on the computer.
    - As of Feb. 14, 2002, the Microsoft privacy policy for WMP version 8 does not disclose the fact that WMP "phones home" to get DVD title information, what kind of tracking Microsoft does of which movies consumers are watching, and how cookies are used by the WMP software and the Microsoft servers.
    - There does not appear to be any option in WMP to stop it from phoning home when a DVD movie is viewed. In addition, there does not appear to be any easy method of clearing out the DVD movie database on the local hard drive.

    Technical Details
    =================

    When a DVD movie is played by the WMP, one of the first things that WMP does is to query via the Internet a Microsoft server for information about the DVD. The query is made using the standard HTTP protocol that is also used by Web browsers like Internet Explorer or Netscape Navigator. Using a packet sniffer I was able to observe WMP making these queries to a Microsoft server each time a new DVD movie was played. The packet sniffer also showed the movie information which was returned to WMP by the Microsoft servers.

    The first HTTP GET request sent by WMP identified the movie being played. For example, an HTTP GET request is made for this URL for the "Dr. Strangelove" DVD:

    http://windowsmedia.com/redir/QueryTOC.asp?WMPFriendly=true&locale=409&
    version=8.0.0.4477&
    cd=1E+96+1B1E+30D9+42D8+5D61+783E+9083+C49C+F0C8+1151E+13CF9+
    15812+16C5D+1A04F+1BF2D+1ECB7+212E1+22E48+25724+27E9D+2A91A+
    2D0E6+2F451+38367+3CF64+4A4D6+4C001+4D517+4E51B+4FDBC+51F74

    The hex numbers at the end of the URL are an electronic fingerprint for the DVD table of contents which uniquely identifies the "Dr. Strangelove" DVD. This URL is sent to WindowsMedia.com, Microsoft's Web site dedicated to the WMP software. The HTTP GET request also included an ID number in a cookie which uniquely identifies my WMP player. Here's what this cookie looks like:

    MC1=V=2&GUID=CA695830BB504D399B9958473C0FF086

    By default, this cookie is anonymous. That is, no personal information is associated with the cookie value. However, if a person signs up for the Windows Media newsletter, their email address will be associated with their WindowsMedia.com cookie.

    For example, when I signed up for the Windows Media newsletter, the following URL was sent to Microsoft servers:

    http://windowsmedia.com/mg/Newsletter.asp?eNws=rms@computerbytesman.com&
    format=HTM

    The same windowsmedia.com cookie value will be sent back to Microsoft servers when signing up for the newsletter and when a DVD movie is played. In addition, using various well-known "cookie synch" tricks, an email address can be associated with a cookie value at any time.

    Also when subscribing to the Windows Media newsletter, I was encouraged by an email message from the Microsoft newsletter department to create a Passport account based on my email address. In theory, yet more personal information from Passport could be matched with what DVD movies I have watched. There is no evidence however that Microsoft is making this connection.

    The WindowsMedia.com cookie was assigned to my computer the first time I ran WMP. The lifetime of the cookie was set to about 18 months. This cookie gives Microsoft the ability to track the DVD movies that I watch on my computer.

    After a series of redirects from the WindowsMedia.Com server, information about the "Dr. Strangelove" movie was returned in this XML file:

    http://services.windowsmedia.com/amgvideo_a/template/QueryDVDTOC_v3.xml?
    TOC=90a1b0d1571524ea

    WMP extracted movie information from this file and then added this information to a database file, named wmplibrary_v_0_12.db, which is located on my hard disk in the directory "C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index". I didn't see any method of removing movie information from this file, so it appears to me that the file keeps a complete record of all movies watched that have ever been watched on my computer.

    Because as of Feb. 14, 2002 the Windows Media privacy policy is silent about what is done with DVD information sent to Microsoft servers by the WMP software, we can only speculate what Microsoft is doing with the information. Here are some possibilities:

    - Microsoft can be using DVD title information for direct marketing purposes. For example, the WMP start-up screen or email offers can be customized to offer new movies to a WMP user based on previous movies they have watched.
    - Microsoft can be keeping aggregate statistics about what DVD movies are the most popular. This information can be published as weekly or monthly "top ten" lists.
    - Microsoft might be doing nothing with the DVD information. (In my discussions with Microsoft, I was told this option is their current practice.)

    Note: The Video Privacy Protection Act of the United States prevents video rental stores from using movie titles for direct marketing purposes. The letter of this law does not apply to Microsoft because they are not a video rental store. However, clearly the spirit of the law is that companies should not be using movie title information for marketing purposes.

    Recommendations
    ===============

    I believe that Microsoft should remove the DVD movie information feature from WMP version 8 altogether. The value of the feature seems very small given that almost all DVD movies include a built-in chapter guide. In addition, the Microsoft movie information feature is not available when DVD movies are shown in full-screen which is how DVDs are typically watched.

    If Microsoft feels that this feature is important to leave in WMP, then I think it should be turned off by default. The feature can be made privacy-friendly very easily, by having WMP never send in cookie information with movie title requests. This change will prevent Microsoft from tracking individual movie viewing choices.

    Vendor Response
    ===============
    Response from the Windows Digital Media Division of Microsoft Corporation is available here: http://www.computerbytesman.com/privacy/wmp8response.htm

    Acknowledgements
    ================
    Thanks to Ian Hopper of the Associated Press for bringing this issue to the attention of the author.

    Links
    =====
    Digital Media in Windows XP
    http://www.microsoft.com/windows/windowsmedia/windowsxp.asp
    Media Player for Windows XP Privacy Statement
    http://www.microsoft.com/windows/windowsmedia/software/v8/privacy.asp
    The RealJukeBox monitoring system
    http://www.computerbytesman.com/privacy/realjb.htm
    TiVo's Data Collection and Privacy Practices
    http://www.privacyfoundation.org/privacywatch/report.asp?id=62&action=0
    Internet Explorer SuperCookies bypass P3P and cookie controls
    http://www.computerbytesman.com/privacy/supercookie.htm
    Video Privacy Protection Act
    http://www.accessreports.com/statutes/VIDEO1.htm
    Bill Gates' memo on Trustworthy computing:
    http://www.computerbytesman.com/security/billsmemo.htm
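
The linkage the advisory describes can be checked against captured traffic: the sketch below parses QueryTOC requests and groups disc fingerprints by the MC1 cookie GUID. It is an added example, not code from the advisory or from anyone in this thread; the first request reuses the URL and cookie quoted above, while the other two requests and all function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Fingerprint, query string and cookie of the first request are the ones quoted
# in the advisory. The second and third requests are constructed sample data.
STRANGELOVE_TOC = ("1E+96+1B1E+30D9+42D8+5D61+783E+9083+C49C+F0C8+1151E+13CF9+"
                   "15812+16C5D+1A04F+1BF2D+1ECB7+212E1+22E48+25724+27E9D+2A91A+"
                   "2D0E6+2F451+38367+3CF64+4A4D6+4C001+4D517+4E51B+4FDBC+51F74")
QUERY = "/redir/QueryTOC.asp?WMPFriendly=true&locale=409&version=8.0.0.4477&cd="
COOKIE = "MC1=V=2&GUID=CA695830BB504D399B9958473C0FF086"


def make_request(toc, cookie=None):
    """Build the raw text of one HTTP GET as a sniffer would show it."""
    lines = [f"GET {QUERY}{toc} HTTP/1.1", "Host: windowsmedia.com"]
    if cookie:
        lines.append(f"Cookie: {cookie}")
    return "\r\n".join(lines) + "\r\n\r\n"


CAPTURED = [
    make_request(STRANGELOVE_TOC, COOKIE),    # request quoted in the advisory
    make_request("2+96+3A98+7530", COOKIE),   # constructed: a second disc
    make_request("3+96+2EE0+5DC0+8CA0"),      # constructed: no cookie sent
]


def cookie_guid(cookie_header):
    """Return the GUID carried in the MC1 cookie, or None if it is absent."""
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name == "MC1":
            # The value has the form "V=2&GUID=<hex>", i.e. a small query string.
            return parse_qs(value).get("GUID", [None])[0]
    return None


def parse_request(raw):
    """Parse one raw request; return None unless it is a QueryTOC lookup."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    if method != "GET" or not url.path.lower().endswith("/querytoc.asp"):
        return None
    query = parse_qs(url.query)               # '+' separators decode to spaces
    fields = query.get("cd", [""])[0].split()
    return {
        "host": headers.get("host", ""),
        "version": query.get("version", [""])[0],
        "toc": tuple(int(f, 16) for f in fields),   # the disc fingerprint
        "guid": cookie_guid(headers.get("cookie", "")),
    }


def link_by_guid(raw_requests):
    """Map each player GUID to the disc fingerprints sent alongside it.

    Lookups that carried no cookie are collected under None: they reveal
    which disc was played but cannot be tied to one player.
    """
    linked = defaultdict(list)
    for raw in raw_requests:
        req = parse_request(raw)
        if req:
            linked[req["guid"]].append(req["toc"])
    return dict(linked)


if __name__ == "__main__":
    for guid, discs in link_by_guid(CAPTURED).items():
        print(guid or "(no cookie)", "->", len(discs), "disc lookup(s)")
```
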
  • by nuxx ( 10153 ) on Thursday February 21, 2002 @09:40AM (#3044074) Homepage
    Well, v3 *is* a beta... I'd expect some crashes. Also, remember that v3 is also completely skinnable, not like the older versions were. Go download some of the more useful new skins and see how you like it then. I think that once the stability is taken care of it'll be real nice to use.

    -Steve
  • by o0_kave_0o ( 560645 ) on Thursday February 21, 2002 @09:58AM (#3044168)
    Sorry, but it isn't just a CDDB cache at all. If you bothered to scan through the database you will find every mp3 you have ever played in Media Player listed.

    Check it out for yourself; the log can be located here:

    C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db

    the "_v_0_12" part may vary on your PC but this is the file mentioned in the article.
  • How to defeat it (Score:5, Informative)

    by sllort ( 442574 ) on Thursday February 21, 2002 @11:37AM (#3044707) Homepage Journal
    How to disable this feature:

    The file, wmplibrary_v_0_12.db, contains in cleartext the name of every movie you've ever watched with media player. The names are in cleartext but each byte is spaced out with a pad byte, so you can't just grep for the names you're looking for.

    If you delete the file, WMP regenerates it on use.

    But, if you create the file as a zero-byte file, WMP does not fix it and does not store any information about what WMP is playing, ripping, burning, etc.

    Tested Today, 2/21/02, with Windows 2000 and WMP 7.1. Oh, they didn't mention it's not just XP? It's not just XP.

    --
    You're Reading Managed Agreement [slashdot.org]
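
The padded layout described in the comment above can be searched by matching printable bytes that are each followed by a pad byte. This is an added example, not part of the original thread; it assumes the pad byte is 0x00 (as in UTF-16LE text), and the sample blob is constructed here, not taken from a real wmplibrary file.

```python
import re
import sys


def padded_strings(data, min_len=4):
    """Return (offset, text) for runs of printable bytes spaced with 0x00.

    Assumption: the pad byte is 0x00, so each run decodes as UTF-16LE.
    """
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in pattern.finditer(data)]


def find_title(data, needle, min_len=4):
    """Case-insensitive search for a title among the padded strings."""
    wanted = needle.lower()
    return [(off, text) for off, text in padded_strings(data, min_len)
            if wanted in text.lower()]


# Constructed sample: binary filler around two padded strings.
SAMPLE = (b"\x07\x00\x00\x01"
          + "Dr. Strangelove".encode("utf-16-le")
          + b"\xff\xfe\x03"
          + "Track 01".encode("utf-16-le")
          + b"\x00\x10")


if __name__ == "__main__":
    # Usage: python padded_strings.py <path to a copy of the .db file>
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE
    for offset, text in padded_strings(blob):
        print(f"{offset:#010x}  {text}")
```

A plain byte search for the title finds nothing in such data, which is the behaviour the comment reports for grep.
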
  • Re:unique id (Score:2, Informative)

    by donweel ( 304991 ) on Thursday February 21, 2002 @01:04PM (#3045345)
    After installation of XP you must do some cleaning:
    Media Player, Player> Tools> Options>, tab Player uncheck "Allow internet sites to uniquely identify your player". Also uncheck Acquire licences automatically. Also Group Box Automatic Updates uncheck "Download codecs automatically".

    Open Explorer, then right click on "my Computer" select "Properties", tab Advanced> Click on "error reporting", uncheck all 3 items. Also Remote> uncheck all to disable control of your computer from internet.

    From Explorer get into Control Panel, Internet Options, Advanced, uncheck "Automatically check for Internet Explorer Updates". You may choose to double click the clock and select "Internet time" and uncheck "Automatically synchronize with an internet timeserver".

    Go to the Control Panel again, get into "Administration", "Services", find "Error reporting Service" and select "disabled" as the start type. Also, "Automatic Updates", disable (this one is important, I understand some updates caused malfunctions). You may also choose to disable "Windows Time".

    Select Start> Run> type "regsvr32 /u licdll.dll". Also type "regsvr32 /u regwizc.dll".

    XP hides some software you may wish to remove, use notepad to edit \windows\inf\sysoc.inf remove the word "hide" from those victims you wish to uninstall. Make sure there are 2 commas instead; you will see other lines with the same so you know it's correct.

    That's it, XP has some of the usual M$ bullshit but it is hackable. And I must admit it is fast. Try booting Star Office with it. But it does not play well with others. Has anyone had success with multibooting Linux and XP? I believe it must be done with the NT loader, Lilo doesn't seem to work. Also Boot Magic fails to recognize it. I was using separate Drives for each O.S.
  • by DaveWood ( 101146 ) on Thursday February 21, 2002 @01:34PM (#3045610) Homepage
    The reason your entire viewing habits are available to MS is because every time you insert a DVD, WMP8 contacts an MS website with your GUID and the DVD's TOC. This is in addition to keeping a log of DVD's on your computer. The ostensible purpose for the request is to get the DVD's "title and chapter information."

    This begs the question: what is a DVD's "title and chapter information," anyway?

    What possible purpose does having it serve?

    We all know that CD player programs call up CDDB because there's no track and album titles handy on the disc. That's fine and good: perfectly legitimate use of network callback. Note: there's no need at all for any personally identifying information (GUID, cookie, or whatever) in that transaction... but that's not my main point.

    Unlike a CD, a DVD has every piece of information you already need included, along with a custom interface, etc etc. And in all the coverage I've seen of this issue, no one seems to be catching on to the fact that, as far as anyone can tell:

    DVDs are not CDs. There is no justifiable need for any user to have a DVD's "title and chapter" info at all, let alone for them to give a unique identifier to MS while requesting it.

    So why go to all the trouble of building a scalable web application to service a non-feature?

    Sure, MS is rich, but I guess conservatively that this functionality was a low six figure outlay to start, and it creates a neverending and not inconsiderable ongoing support cost to maintain a database and a server farm. It has to be big: they're servicing every XP/WMP8 user in the world, after all.

    On a final note, let's consider the infamous Windows GUID. It's generated from a variety of sources: your PIII Processor Serial Number, if available, your ethernet MAC address, and I believe several other pieces of optional identifiable hardware are potentially tapped.

    Microsoft is the same company that silently attached GUID's to every Word document you produce, by the way.

    GUIDs don't contain your name or email themselves, but wait...

    http://www.computerbytesman.com/privacy/wmp8dvd.htm [computerbytesman.com]

    "However, if a person signs up for the Windows Media newsletter, their email address will be associated with their WindowsMedia.com cookie."

    It gets better.

    "Also when subscribing to the Windows Media newsletter, I was encouraged by an email message from the Microsoft newsletter department to create a Passport account based on my email address. In theory, yet more personal information from Passport could be matched with what DVD movies I have watched."

    If you are curious, the other shoe dropping will sound like this:

    MS "Passport" registration (which is required for customer support) also collects GUIDs directly.

    -David
  • by phillymjs ( 234426 ) <slashdot@stanTWAINgo.org minus author> on Thursday February 21, 2002 @04:19PM (#3046995) Homepage Journal
    The difference being, TiVo was upfront about what they collected, and people sniffed the outgoing packets from their TiVos and confirmed that what they said was being sent, was all that was being sent. Furthermore, TiVo gives you the option of opting out, and people sniffed the outgoing packets again to confirm that once you opt out, the tracking data is no longer sent.

    Microsoft didn't tell anyone about this crap they put in WMP, and when 'caught,' simply amended their EULA to cover it. Additionally, Microsoft offers no option to opt out of it, and even if they did, anybody who tried to confirm this by the same methods the TiVoers used would probably get whacked by the DMCA.

    ~Philly
  • by SimHacker ( 180785 ) on Thursday February 21, 2002 @04:48PM (#3047243) Homepage Journal
    There's a simple and effective way to defeat the Windows XP Media Player spyware, which records a list of all media files you've played. This also applies to older versions of Windows Media Player, as well.

    It's a trivial fix, really. Windows Media Player records the list in a file. Just make the file read-only! Problem solved.

    Here's the file name for Windows XP:
    C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db
    Here's the file name for Windows ME:
    c:\Windows\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db
    Here's the file name for Windows 98:
    c:\Windows\wmplibrary_v_0_12.db

    The easiest way to find the file is to search your disk for "wmplibrary". Then right-click up the properties for that file and make it read-only.

    This spying behavior has been around for a long time. I noticed it a year or so ago, and made the log file read-only. It's been working fine ever since, without writing a log.

    You can see the log in the Windows Media Player by pressing the "Media Library" button and opening up the outlines. Just make sure to clear out the log first, before you make it read-only. When you delete an item from the log, it goes into "deleted items" folder. So make sure you finally clear out the "deleted items" section of the log.

    I found the log file by using Igor Arsenin's [iarsn.com] "taskinfo [iarsn.com]" utility, that lets you see all the files any process has open. Taskinfo is a great tool for figuring out what logs any Windows programs are keeping. Solid Russian engineering. Use it to spy on the spyware!

    -Don
