iTunes is Malware?

Moby writes "On the heels of the big Apple love-in that is Macworld comes some interesting but alarming news. Recently a few blogs have started to indicate that iTunes is tracking your music preferences and using that data to recommend other songs from iTMS. The article provides a good overview, with some recommendations of its own. Basically, iTunes is tracking your music and sending the data back to Apple servers. This info is then used to advertise songs that may be to your tastes. A convenient feature, perhaps, but it raises concerns over privacy."

Big Brother and the iTunes Company

All companies want to market their products to you as effectively and automatically as possible. With the sudden rise in data mining tools such as this, what's a big corporation to do but hop on the bandwagon?

You may remember that Amazon even patented [slashdot.org] a similar technique. And I've always suspected my local grocery store of profiling me. Afterall, I hand them a little tag on my keychain for my discount, they scan it and suddenly my name is on the reciept. I'd be naive to think they aren't generating statistics about me and secretly making note that I buy far more long grain wild rice than the average consumer.

So what's the problem here? The problem is that I don't like it. I don't want a computer program diagnosing me at a hospital even if it is built on solid Bayesian probability models and I don't want a profile of my musical tastes being generated on a company's database. My taste in music is my business and I don't want other people knowing that my most listened to album is Tom Dooley and Other Hits by The Kingston Trio.

All I've learned from this is that a big company is a big company whether it's Microsoft, Sony, Apple or Google.

From the article:

Apple has overstepped its limits, and this spyware (because it sends information to a server) and adware (because it displays information to attempt to sell you products) is a very serious breach of the trust I have long had in Apple's products.

Oh, come now, you're telling me you've trusted Apple? What has Apple done to gain your trust? They're a profitable corporation and that's where their interests lie. How to get the moneys from your hands to theirs as efficiently as possible.

The only thing that makes me sad about this is that local bands still lose out because I doubt they'll ever make recommendations unless tens of thousands of users are showing that association. I wish Apple would make a service called halfTunes that sold songs at 50 or 25 or free for bands that are looking for exposure, not profits.

Re:Big Brother and the iTunes Company

Right from www.apple.com/itunes "while you're browsing your own music, the MiniStore will automatically show you more music from your favorite artists that you can find at the iTunes Music Store." If you don't like it, don't use it. It's not being deceptive about what it does, which is why it's not spyware. You didn't bother reading what the software clearly states it does, and now your mad about it. How does that make sense.

Re:Big Brother and the iTunes Company

Usually, the way to handle something like this is to leave the feature disabled, unless you've asked the user or they explicitly enable it. The problem is that it is enabled by default, without asking the user.

Re:Big Brother and the iTunes Company

If the user bothered to read the features list they would know it was there. You're absolving the end user from personal responsibility. The information was there, but the users were too lazy to bother reading anything about the product they were using. The American public is used to being spoon fed everything and it's led us to being fat and lazy. Personal responsibility folks. It's not that difficult of a concept.

Re:Big Brother and the iTunes Company

But no one every told me about personal responsibility. I blame society and the government!

Re:Big Brother and the iTunes Company

If the user bothered to read the features list they would know it was there. You're absolving the end user from personal responsibility.

While the poster might be absolving the user from all responsibility, you are doing the same with Apple. Privacy is something that needs to be respected by the vendor and they should be required to ask the user what elements of their privacy they are willing to give up. There are just too many contracts for too many different things to be able to read them all - it would be nice, but in reality people give up on reading them.

Re:Big Brother and the iTunes Company

I use Little Snitch on OS X which monitors applications trying to go out over the network and asks what I want to do about it before it will let the app do its thing. From what I can see, Itunes uses port 80 to do its thing. With Little Snitch I could make a rule to not let Itunes do this, but this would disable the itunes store. Not that I use it anyway after they expired all of my free pepsi points without warning...

Re:Big Brother and the iTunes Company

Can the feature even be turned off by those dilligent enough to do so? (Short of resorting to firewalling?)

Yup. I was able to shut it off moments after seeing it on.. I didn't even know what it was doing there, why I couldn't shut it off or that it was even watching what I was playing. I just went into options, parental controls, and shut off the music store because I don't use it anyway, if I want to buy something from the ITMS I'll just go enable it and purchase, then disable it again..

Also I saw an article today here [macosxhints.com] at macosxhints.com (via slashbox) which explains how to do it too:
"Thankfully, there's an easy workaround. Kirk McElhearn used tcpdump to verify that if you simply disable the mini store (Edit: Hide Ministore, or just Shift-Command-M), then no data is transmitted. So that's the hint -- if you value the privacy of your listening habits, then hide the mini store. "

-matt

Re:Big Brother and the iTunes Company

Appearently you're not reading enough into it. It clearly states, as you can see from my bolding above that it says "while you're browsing YOUR OWN MUSIC".

I've bought about 10 songs from the iStore, but have about 3000mp3s in my iTunes. The recommendations I've gotten are pretty obviously from those 10 songs I bought. Don't know if they know about my 3000mp3s, but they're not making recommendations from it right now.

Re:Big Brother and the iTunes Company

If you don't like it, use something else

People can't decide to quit using spyware until they discover it, now can they? That's the value of publicising this issue.

As it happens, I'm not an iTunes user at all (mplayer and xmms). One of the big things I love about Linux is freedom (for lack of a better word) from little spams tucked into every icon and preinstalled application and bookmark. But I think issues like this clearly illustrate the benefit of keeping media available outside proprietary players, and that won't happen unless a lot of people demand it. My own choices alone will not determine the environment I live in. The more people complain about the commercialization of every mouse click, the better the future will be.

Re:Big Brother and the iTunes Company

According to macosxhints: "Kirk McElhearn used tcpdump to verify that if you simply disable the mini store (Edit: Hide Ministore, or just Shift-Command-M), then no data is transmitted."

Though McElhearn's blog seem to have been slashdotted, poor guy... :)

It's there

The button is the fourth from the right at the bottom of the iTunes window. It turns off the Mini Store.

But it can be disabled trivially.

This new feature puts up a little pane in the iTunes window that shows songs related to the song you are currently playing. There is no indication that I can find that the iTunes Music Store is actually storing that information. It's unlikely that Apple could store that kind of volume of information, given that it happens on selection, not on playing.

But I don't think people should worry. You can simply press one button and iTunes stops doing it (the disclosure button on the left side of the bottom button bar). It's pretty simple to verify that your computer isn't sending any data on track selection or play when that window is not added, so in general you only get this information when you ask for it. Further, all it has to go on are the identifying tags in the music, and these can be easily changed, so it's not something that could ever hold up in any sane court if someone came at you with a lawsuit. Then again, sanity doesn't seem to be a prerequisite these days, so our milage may vary.

Don't get me wrong, I am not to happy about this feature because it's effectively embedding ads in iTunes. They're pretty well targeted, but they're ads. Still, the article seemed to overreact to what iTunes is doing.

Re:But it can be disabled trivially.

Except that, as implemented, it seems to be opt-out.

I just happened to have run the 10.4.4. updater this morning, so when I opened iTunes just now I was asked to agree to the latest EULA. I skimmed through it and found no mention of usage data being sent to Apple, so I then read through it closely and still found no mention. When I hit ‘agree’ and iTunes opened, there was an outgoing connection to phobos.apple.com, which I denied. It made only that single request. I closed the iTMS pane at the bottom, and got no further requests until I opened it again.

So yes, it’s quite simple to avoid having your play history sent (if that is indeed what is happening), but unless you have a third party egress firewall running (or have been quite ruthless with ipfw in the past), it will start sending out data before an otherwise knowledgeable user can disable it.

Re:But it can be disabled trivially.

Right. Relevant, non-annoying ads in a free product. That's Google level evil right there.

Re:Big Brother and the iTunes Company

You don't even have to play it. Just selecting it is enough. I like this new feature, but I think I'm the only one here :-)

Re:Big Brother and the iTunes Company

And I've always suspected my local grocery store of profiling me. Afterall, I hand them a little tag on my keychain for my discount, they scan it and suddenly my name is on the reciept. I'd be naive to think they aren't generating statistics about me and secretly making note that I buy far more long grain wild rice than the average consumer.

Suspected? Secretly? They make no secret about it. What do you think those cards are for? They offer you discounts in return for your demographic information and purchasing habits. They print coupons after your sale based on it too. Its not some grand secret conspiracy.

Re:Big Brother and the iTunes Company

Which is why when signing up for my discount card, I listed myself as a 60 year old lady with an address in a retirement center.

Makes me wonder what happens in their data centers when I make a late-night beer run... :-)

Re:Big Brother and the iTunes Company

Yeah, I have two of those cards. For one I put "Carly Fiorina" for the name and I use it for most purchases. The other has my real name, but I only use it when I buy Condoms or sour cream.

They do track you...

Grocery stores can, and DO, track individual purchases. Recently, a fire fighter was suspected in an arson because his card had shown as purchasing the accelerant used in the fire. It wasn't until someone else confessed [heraldnet.com] that he was cleared. The DEA has subpoenaed records looking for people purchasing large numbers of baggies. A large grocery store, in the aftermath of 9/11, turned over to the FBI their entire loyalty database of purchases and purchasers, without so much as a subpoena, to "help find and fight terrorists."

Re:Big Brother and the iTunes Company

My husband is an avid hater of any sort of nonsense that invades his privacy so about two years ago when applying for a "SaveOnFoods" card (without which you cannot get the sale prices on some of the food iteams of course) he put "Darth Vader" as the name on the card.

It still gets me when they try to do the whole "Have a nice day Mr. ___" after you pay them, take a look at the name, pause, and then give up on the whole tactic altogether.

Re:Big Brother and the iTunes Company

I once signed my real name and number on one of those, and I got zilch that I could tell was from filling it out. No mail, no phonecalls ... nothing.

But as I've read more about the grocery store industry I'm thinking more and more that those 'club' cards aren't much about tracking consumers as in identifying the gross number of unique shoppers that use the club card.

The reason being, is that the way grocery stores work is a little counter-intuitive. You would think that some shopper for safeway goes out, finds some variety of products , then places them on the shelves in such a way that the more profitable are chest level.

The actual mechanics are much more complex. Food suppliers will actually pay money to have their products on the ends of the isles, in the best position on the space. I'm pretty sure there's a little buying and selling on the part of Safeway, but I suspect the real situation is more like the suppliers are renting the space out to put their products on.

The store brand then is the way the store makes money on the actual product not on just the shelf space.

Therefore, the club cards are something that safeway charges for. Products become club specials, not when safeway finds a crate going bad, or found a good deal, but when the supplier pays safeway to put them on the club. So, Safeway really doesn't care about the information behind the card, (My last couple of club cards I got, they just handed me a new card, I didn't have to fill out anything). All safeway cares about is how often the card is used, so they can tell their suppliers how great it would be if they put their products on the club card.

Re:Big Brother and the iTunes Company

I actually work for Safeway and can reliably tell you that companies pay us to place their product in a specific spot in the store. Safeway feels that a large portion of its profits come from these vendor deals rather then actual product sales. This does not mean product sales are useless, but that we make a very large percentage of our money off product placement.

As far as tracking sales with the club card. For instance, the safeway cards that do not have magnetic stripes but rather just a barcode, that barcode does not hold a lot of information. The other club cards with the magnetic strip can actually made to link to your checking account for shopping at Vons. Of course a pin number is tacked on for a bare level of security. I find that the vast majority of customers will have a club card with correct information as well. Also many of them have the card connected to their bank accounts.

As far as employees not using their club card, I have never heard an employee say they refuse to use the card as it tracks sales (I mean, heck, this company pays your freaken checks, they have all your information ANYWAY). Most employees that do not have cards are really just to damn lazy to fill out a peice of paper.

Speaking of iTunes, yes they are tracking what you download, not sure if they ask or not, though I'm sure its in the eula, but if they asked and you said yes, I do not see the problem. Do not like it, do not use them for your music needs.

Privacy Risk != Malware

Ever used an Internet browser? That sends data to various servers, does that constitute a risk to your privacy? Probably, but it doesn't make Firefox, IE & Opera 'malware', in the same way that even if iTunes is sending data to Apple, it's not necessaraly malware.

Kneejerk reactions like this are unsupprising given the current culture of "Oh my god, the've got my name and they know what music I like!". If you are conserned about your privacy with regard to a company or service, I suggest you start with their Terms of Service [apple.com] and Privacy Policy [apple.com] - If you don't like them, you don't have to use their service.

Re:Big Brother and the iTunes Company

Oh, come now, you're telling me you've trusted Apple? What has Apple done to gain your trust?

Why, their motto, of course! After all with a motto like Don't be Ev... whoops.. I'll come back next article.

Re:Big Brother and the iTunes Company

I wish Apple would make a service called halfTunes that sold songs at 50 or 25 or free for bands that are looking for exposure, not profits.

And why do you think bands are looking for exposure? Exposure means more customers. More customers means more profits.

Extremely easy to disable, and more info

First of all, I don't know how this qualifies as iTunes suddenly being "malware", but anyway...

Edit -> Hide MiniStore (or shift-command-M)

No information of any kind is sent when the MiniStore is disabled.

What iTunes 6.0.2 is doing:

Sending information about the currently playing track to Apple, and then displaying information related to that track in the iTunes Music Store in the MiniStore pane. It is not broadly "tracking your music preferences".

Further - though we admittedly don't know this since Apple doesn't explain how it is using the data - there is no proof that Apple is doing anything but merely changing the MiniStore display based on what track you are listening to (which is very likely exactly what they're doing); not aggregating or "tracking your music preferences".

iTunes isn't doing this surreptitiously, either: the MiniStore pane clearly actively changes depending on what track you have selected. One would presume this does not happen via magic or the dark arts.

I'd love to have comment from Apple, and a clear presentation that information is being sent to Apple for x purpose, and a clear option to allow - or disallow - such use. I've looked through the iTunes 6.0.2 license and do not see any such guidance.

Granted, the MiniStore pane is present by default, but it can be disabled as easily as is described above.

I realize many people think this represents "going over the line"; but is there ever any instance where datamining to match items you might be interested in to your interests is acceptable? Is there any value to having this be the default state in certain instances where it could be significantly helpful?

Re:Extremely easy to disable, and more info

Edit -> Hide MiniStore (or shift-command-M) No information of any kind is sent when the MiniStore is disabled.

Then it should be disabled by default or you should be asked (in plain English) if you want it enabled when the program starts for the first time after update. If you say no it shouldn't ever ask you again nor should it track your listening preferences.

I realize many people think this represents "going over the line"; but is there ever any instance where datamining to match items you might be interested in to your interests is acceptable? Is there any value to having this be the default state in certain instances where it could be significantly helpful?

No. Absolutely not. Especially when they didn't ask my permission first.

Re:Extremely easy to disable, and more info

Then it should be disabled by default or you should be asked (in plain English) if you want it enabled when the program starts for the first time after update. If you say no it shouldn't ever ask you again nor should it track your listening preferences.

You don't know that it's "tracking" anything, even now.

On the other hand, we don't know it's not doing that, since Apple doesn't tell us.

No. Absolutely not.

It's never ok for an external entity to attempt to match things to your interests? Okay, possibly a different philosophical outlook on things, here...

Especially when they didn't ask my permission first.

Agreed. But, as I said, it's not exactly a secret that it's doing something to be able to actively change the MiniStore display.

Sure, Apple's trying to sell something. But it can also be argued, correctly, that this improves the user experience with iTunes (aside from the broader privacy argument). I do, however, agree that Apple should have made this clearly known on the first launch, and given an option at the same time to simply disable it.

Re:Extremely easy to disable, and more info

But it can also be argued, correctly, that this improves the user experience with iTunes (aside from the broader privacy argument).

Then they can watch my surfing and purchase habits inside the *store* (which I am 110% sure that they already do). They don't need to track my listening habits for music that was not purchased in their store. Just because I am using their software doesn't mean they should be able to receive information about *everything* I listen to on it.

Since when was spying on people just because they utilize your software something that people found acceptable?

Re:Extremely easy to disable, and more info

It may infuriate you, but that's just the state of things, I guess.

Giving up is lame. You should be ashamed.

Re:Extremely easy to disable, and more info

To add to the parent poster, I think "Malware" is not an appropriate term for what this program is doing.

When I use the term "malware" I typically mean programs that do one or more of the following;

- resist uninstallation
- persist after uninstallation attempts
- reinstall after uninstallation or "by the roots" removal
- hide from the user
- hide from the operating system
- hide what they are doing *
- damage the operating system
- replace, interfere with, spoof, or hijack functions such as DNS resolution, home page, file associations and toolbars
- create problems in order to sell you a "fix" for them

The one with the asterisk, is the ONLY one of these things that iTunes is doing, and that only if the user is hopelessly ignorant about computers and the internet.

It might be "spyware" but it is not "malware" in my book.