Windows Tracks CDs & DVDs You Watch 421

lcypher writes "The AP is reporting that there is spyware within Windows Media Player 8 (which ships with XP), which records the song titles and DVD titles that a user listens to or views in WMP8. Microsoft execs claim no marketing use right now, but they won't rule it out." This looks like less of a big deal than the article makes it out to be, but it definitely could be used for evil.
  • Pr0n (Score:4, Funny)

    by 68030 ( 215387 ) on Thursday February 21, 2002 @02:30AM (#3042859) Homepage
    Turns out they are just tracking all the pron
    file names so they can track them down on
    kazaa easier.

    Those lazy bastards. (:
  • eak... (Score:2, Funny)

    by mlk ( 18543 )
    time to add
    in the hosts file, and maybe a quick webpage to return
    Mlk and a vacuum cleaner
    the spam-email from that could be veryyy interesting :)
  • Playing right now: (Score:5, Insightful)

    by torpor ( 458 ) <ibisum@gm a i l . com> on Thursday February 21, 2002 @02:35AM (#3042881) Homepage Journal
    DVD: "1,000 ways to torture a Billionaire", widescreen format. No region encoding.

    But anyway, fair enough. What I'd like to know is how easy it is to insert my own random data into that playlist before it goes off to Microsoft?

    Seems the only way to fight this will be with dis-info ...
    • Someone should make a "patch" that transmits "fuck you microsoft" 100 times for every video you play ;)
    • by sql*kitten ( 1359 ) on Thursday February 21, 2002 @06:26AM (#3043483)
      What I'd like to know is how easy it is to insert my own random data into that playlist before it goes off to Microsoft?

      It doesn't go to Microsoft, it's just a cache of CDDB lookups you've done. AudioCatalyst does the same thing - but it's tracking not only what you play, but also what you rip to MP3. Surely, if you are looking for a conspiracy, that is where to look?

      This cache is just a performance enhancement, like your web browser maintaining a cache of pages you've visited. If anything, it improves your privacy: it makes it much more difficult for CDDB to track how often you play a particular CD.

      From the article:
      When a CD is played, the player downloads the disc name and titles for each song from a Web site licensed by Microsoft. That information is stored on a small file on each computer in the latest version of the software.
      • The problem is, that when requesting the information from that web site your Media Player may actually give out your unique user id (does it? can that be turned off? I don't know). Farther down the article a MS spokesperson says, that they don't use the ID in the process (which might either mean they throw it away serverside for now, or that this version of Mediaplayer doesn't send it), but may do so "on behalf of the users" in the future. Then the MS droid spins off into praising Bill Gates standing up for user privacy. I must say that some actions of Microsoft don't fit that privacy philosophy (for example like outfitting mediaplayer with a unique id at all).
      • by o0_kave_0o ( 560645 ) on Thursday February 21, 2002 @09:58AM (#3044168)
        Sorry, but it isn't just a CDDB cache at all. If you bothered to scan through the database you will find every mp3 you have ever played in Media Player listed.

        Check it out for yourself; the log can be located here:

        C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db

        the "_v_0_12" part may vary on your PC but this is the file mentioned in the article.
        • well duh (Score:5, Interesting)

          by twitter ( 104583 ) on Thursday February 21, 2002 @11:55AM (#3044817) Homepage Journal
          How else is the Digital Rights Denial OS supposed to work? The terms of their EULA allow them to scan the contents of your computer. Why bother to send it over the web when you have permission to take it at will? People downplaying this have obviously forgotten all M$ news of the last month. All the pieces fit so well.

          Media Player will be used to extort money from users, media companies and advertisers. Microsoft wants to be the asshole in the middle and wants to use that position to make money. They have created their own media formats to break at will, a method to do it, and put it all in their EULA. What more can you ask for? Do you really think that they won't sell your information? Oh, I suppose you forgot how they sold "real estate" on your desktop.

          The only way for them to keep themselves in that position is to eliminate every other option. If you continue to use M$, your internet will have three channels and you will never be able to contribute. Your money goes to those who would enslave you.

          Let's see, M$ can write files to my computer that I can't delete and can access my computer in ways that I can not. They must be root, and I am not.

      • Does that mean that they're storing this somewhere OTHER than the cd.ini file (or whatever it's called) that's supposed to be used to identify CDs? Since they say "new in this version" I'm guessing maybe yes, and then we do have a reason to cry conspiracy.
  • by Scoria ( 264473 ) on Thursday February 21, 2002 @02:35AM (#3042884) Homepage
    If your IP address is static as opposed to dynamic, Microsoft may possess the ability to compare it to the one used to register Windows XP.
    • Although I agree with you that static IP could possibly be used for tracking, I would consider it too much of a longshot. How would Microsoft know if you were static or dynamic? They would have to have a unique ID that they could assign you at XP registration time and then send back when playing a DVD in WMP8. All the analysis I've seen of this so far show that this is in fact not happening.
    • Yes, but not in the way that you think. Remember that part of XP is a GUID, which contains the MAC address of your NIC, plus any other unique serial numbers.
      A few things that a quick Google search turned up: GuUID Explorer and JunkBusters' web page on GUID and MS' software. The History and Advisory are good reads here.
  • The real problem isn't so much what Microsoft will do with the information. I mean really who cares.

    But what other 3rd parties could do with it is really disconcerting. Even assuming MS doesn't sell the information, the information is still being collected and deposited somewhere. Somewhere that maybe a detective or the FBI could trace you down. Or your system administrator, wife or mother-in-lawyer.
    Just for innocently checking out that warez movie link...or borrowing a DVD that happened to be ripped..
    • Just for innocently checking out that warez movie link...or borrowing a DVD that happened to be ripped
      It's a sad day when we can't break the law without fear of reprise.
    • Personally I don't care about it that much, but it's easy to see how somebody sniffing your packets might find something embarrassing. Overzealous investigators do have a way of making mountains out of mole hills, I guess they take it personal when they waste days of time investigating stupid trivial things that don't amount to much.
  • by Zoid ( 8837 ) on Thursday February 21, 2002 @02:35AM (#3042888) Homepage
    If you read the article all this "database" is a copy from the CDDB records (or whatever CDDB is called these days) used for caching. You stick a CD in, it generates a checksum and asks CDDB for the artist/track listing and stores it locally, so it doesn't have to ask again later. As far as I'm aware, there isn't any sending of this database.

    It appears they extended to DVDs as well as CDs (just a bigger database I suppose).

    The article is a bunch of fluff for a functionality we've used for a long time with numerous programs such as XMCD, AudioCatalyst, etc etc. Microsoft adds it to media player and omg, privacy for getting the disc information for you. I'm pretty sure there's a button to turn it off.

    (Gracenote is probably using the CD request data anyway for marketing purposes these days).
    • by BrookHarty ( 9119 ) on Thursday February 21, 2002 @02:56AM (#3042998) Homepage Journal
      Yup, logs into a database, gives them an ID based on your computer, your IP, and the multimedia you're viewing, also leaves a nice log file on your PC of your activity.

      So no, it's a little more than just a mirror of a CDDB database. The traffic is bi-directional, and leaves a log trail.
      I was so naive as a kid I used to sneak behind the barn and do nothing. - Johnny Carson
      • It's not a usage log. It's a local cache of DVD contents.

        Read the advisory. Each time a new DVD/CD is put in, media player asks Microsoft for a title and track listing, gets the result and stores it in a local database file. It does not request again if you insert the same movie. So other than 'first use' there is no usage log.

        I'm not clear on what the id-string is used on the request. Microsoft is no different than Gracenote who gets your IP, operating system, etc if you put a CD in when you're running XMCD and it's configured to ask CDDB/Gracenote for CD track listings.

        I've been using CDDB for years. This is no different than before. It's a bunch of privacy concerns for an established method of CD title/track requests (extended to DVDs now apparently).
        • by BrookHarty ( 9119 ) on Thursday February 21, 2002 @03:50AM (#3043135) Homepage Journal
          The files are stored in
          C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db
          I also saw a file wmplibrary_v_0_12.lrd that had my hostname in it, and a file called WMPImage_AlbumArtLarge.

          Actually I use FreeDB so I don't have to give any info out. M$ didn't even tell users they were being tracked till this article, at least they are going to let people know with an updated privacy statement. We really shouldn't have to wait for someone to point out privacy concerns that the vendor should disclose.
          It seems to me, Golan, that the advance of civilization is nothing but an exercise in the limiting of privacy. - Janov Pelorat in Asimov's Foundation's Edge

        • (extended to DVDs now apparently).

          which doesn't seem weird to you, since any dvd that would be in a central database already has the title information on it.
      • I am really, really glad I decided to block Media Player from accessing the internet (thank god for ZoneAlarm).

        I believe this should nip this problem in the bud. Another reason this is really a non-issue: simply block Media Player's access to the internet with some sort of firewall. Not the hardest thing to accomplish.
    • by Mr_Silver ( 213637 ) on Thursday February 21, 2002 @06:51AM (#3043542)
      Another use for it is the neat feature that it has for when you aren't on a permanent dial-up connection.

      It basically stacks up cd details until you get on-line and then downloads the track listings for all the CD's in one go.

      Whilst this doesn't sound much to your average connected American, here in the UK where broadband is stupidly expensive and the majority of us are on pay by the minute 56k modems it's an absolute godsend because we don't have to keep dialing up every single time we put a new CD in.

    • The AP is reporting that there is spyware within Windows Media Player 8 (which ships with XP)

      Actually this was discovered by Richard M. Smith, who has a good record of finding bugs-by-design, security holes and privacy breaches in MS software. Here's his page on the topic, and here's Microsoft's response - which is all in the first sentence, really, "we do not believe [this] represents a user privacy concern." All this was in my submission of the story, last night - heh, it's the first time I've submitted a story and someone else's post got there first. Or better.

      In reply to those people saying "this is just the same as CDDB, what's the big deal?": this IS a bad thing, for the following reasons:

      • As with most of the rest of XP's phone home functionality, there's nothing to tell the end user what's happening here. As with previous incidents of unexpected traffic seen from XP machines, Smith had to break out a packet sniffer to discover what the traffic was and where it was going.
      • You trust Microsoft NOT to start correlating this info to make some use of it further down the line? You trust them NOT to sell it to the MPAA to help them track evil pirates playing non-MPAA titles? As they don't even tell you they're doing it, there's no privacy policy involved - they give no categorical assurance that they won't give the info to the CIA or the BSA, for that matter.
      • Why the hell should Microsoft get to run CDDB as well as everything else? It's just another example of their greed and desire to own all your media.

      Think about it: Passport, web services, your company's servers, your corporate desktop, your own home PC, all your apps, your phone, set-top box, Palm ripoff, Psion rip-off... apart from washing machines and guided missiles, I can't think of anywhere that software runs which Microsoft doesn't aspire to own. Actually, come to think of it, NT4 at least can allegedly operate as a router; they've been trying to make headway in the embedded market for years, and I fear that "version 3 syndrome" will kick in on their efforts there soon... sheesh, they're even selling firewalls now. When the great day comes that Microsoft own all mass markets for software, they'll buy out some major consulting/services firm and start trying to put independent developers out of business, too. Pray that day never comes...

      Microsoft have yet to learn that in privacy and security matters, the correct default is to trust no-one and nothing. If you prove to your customers or users that you're worthy of trust, you'll get it. Take it for granted, and assume that the user won't MIND if your software starts sending your personal data back to the vendor (or a third party) without telling you, and you start getting into people's shitlists. When you're Microsoft, you have to bend over backwards to ensure that not only are you doing the right thing, but that you're SEEN to be doing the right thing. If you give a flying one, that is; if you really are Microsoft, then you couldn't care less, because your Windows monopoly means 99% of users and customers haven't got any choice in the matter.

      And what if you're a network security person and spot unauthorised traffic (which is what this is) on your network? You could spend a lot of time & energy investigating. For all I know, this could be a DDoS agent that some kiddie's planted on a cracked XP box, and is now starting to flood .

      If you really think this is "just like CDDB", ask yourself: why are Microsoft going to the trouble and expense of providing this "service" - given that they don't even tell people they're doing it? What do they hope to gain from it? How does this increase their marketshare or mindshare? Follow the money...

  • by three14 ( 725 )
    All the article says is that Windows Media Player does a CDDB lookup when it plays a CD, and caches the result.
    If you look in your home directory on your Linux box, you'll probably find a similar cache.
    Someone just noticed that you can reconstruct people's listening habits from their CDDB lookups - no big deal.
  • by Tremul ( 190113 ) on Thursday February 21, 2002 @02:38AM (#3042903) Homepage
    Several weeks ago when you bought our webcam, we decided that for non-related marketing purposes that we would randomly start recording data and sending it back to the company. We don't intend to sell these pictures to anyone.
  • I admit it, I use windows. I have a couple legit copies of WinME. Every time I use media player (rarely), I have to refuse to upgrade... Which brings me to my real point: I will not upgrade past this point (WinME). WinME is it for me. It may not be great, but it runs what I need it to: lots of different sorts of development stuff (mostly java), CAD and 3D stuff, games, etc. I'm a serious software engineer and when I want to deploy I use either FreeBSD or RedHat Linux. And I always keep those up to date (relatively). But Winblows is stuck for me... and this is just another reason.
    • I will not upgrade past this point (WinME).

      That's painful. I stay as far away from 95/98/ME as I can. 2000 and XP, on the other hand, are pretty nice. If you're going to squat on one version of Windows, you ought to at least consider one that's not going to torture you for the rest of your life.
  • Winamp does this too (Score:3, Interesting)

    by Glonk ( 103787 ) on Thursday February 21, 2002 @02:39AM (#3042908) Homepage
    By default Winamp logs "anonymous usage statistics" unless you turn it off during the install.

    You can also turn off WMP's unique identifier thing if you're worried about privacy.

    Honestly though, set down your tinfoil hats for a second: Why do we really care?

    Maybe it's just me but I honestly don't care if some site logs that I viewed porn from so and so site for so many minutes. Why should I?

    I also have very serious doubts that MS would ever sell the information it'd collect from it. The money from that is absolutely tiny and the feedback from the public would be absolutely horrible. What I see instead is a more personalized music service, kind of like, where it personalizes and gives you music and movie picks based upon what you watch. Amazon does this too when you're logged in, keeping track of recently viewed items, etc.
    • by maxpublic ( 450413 ) on Thursday February 21, 2002 @02:50AM (#3042970) Homepage
      Maybe it's just me but I honestly don't care if some site logs that I viewed porn from so and so site for so many minutes. Why should I?

      You don't. I do. I don't need a reason to want to keep people out of my personal life. Rather, they need a good reason to butt into it.

      • Right.
        And they need a damned good reason to butt into it without my knowledge or consent.
        I'm an old fart and don't much care who knows what about me, but nobody has a right to my personal information. That right belongs to me. Only.
  • I don't usually like the fine sounds of knees jerking, so for you folks who didn't even read the text under the title, here is a friendly notice:

    False: Windows Tracks CDs & DVDs You Watch

    True: Windows Media Player 8 Tracks Media played.

    And the most important piece of information in the article is: "If you're watching DVDs you don't want your wife to know about, you might not want to give her your password," said David Caulton, Microsoft's lead program manager for Windows Media.

  • ...but now it is presented as an inciteful act in a slashdot article and we are all up in arms.

    Quoth the article: "Microsoft said the program creates the log file so a user does not have to download repeatedly the same track, album or movie information. The company said the ID number was created simply to allow Media Players users to have a personal account on the Web site dealing with the software."

    It's just a client side cache. That's all. The windows CD player has done this since at least windows 3.1 (although the user had to enter the track titles by hand.)

  • Odd Interpretation (Score:3, Interesting)

    by Ieshan ( 409693 ) on Thursday February 21, 2002 @02:46AM (#3042951) Homepage Journal
    " information is collected on Microsoft's servers that would be personally identifiable..."

    So, in other words, Microsoft (having engineered the world's most widely used operating system) still hasn't figured out how to pinpoint where data transfer is coming from. Because it seems to me, oddly, that if I'm sending someone data through a system they set up that I don't know about... they must know about it, and also must know how to analyze the results of all their data-grabbing. And see where the crap is coming from. And keep track of what I'm listening to.

    I don't use Windows Media player, personally. But if it ever came down to the log files, I'm sure MS could say to someone who ripped the software: "Actually, you have an unauthorized copy of windowsXP, how else would you be transmitting data through our security loophole with the same key as those twenty thousand other people?"
  • Install Winamp and/or some other program that will pre-empt WMP and force it to preserve file associations. I would hope that one of the commercial DVD player programs would do the same thing.

    Does Microsoft not learn? Do they not remember the stink over the tracking in Office documents? The stink over the UID with Intel Processors? Why would they think that collecting a list of CDs and DVDs that we've watched/listened to and then transmitting it back to Microsoft is a good idea? I mean seriously the OS has enough problems without having to worry about the damn thing spying on me.

    What do we have to do to communicate to companies that we don't want to give them our information, unless we specifically opt-in. How hard is that? I haven't met many people that don't think it's a good idea to do it that way. Privacy is preserved, but you can choose to give away your privacy if they offer you a good enough deal. I always fill out the various opt out policies, but it's scary how often I have to go hunting in legalese to find out exactly where I need to send it.
    • "Oh fuck. You caught us [feign death]. Even though we already used the data, we are so sorry and promise to never, ever ever do it again. We really mean it this time."
      Not to sound like an open source bigot (actually, even if a program is open source, most people won't even bother looking at source code, dare you say actually compiling it) but there is a reason that this code was put in, you can be sure that placing a more or less unique code into an online database was a bitch to program, so it wasn't put in there without a reason.

      What can I say, at least MS is changing their privacy policy, even though they aren't doing much else about it.

      Arrogant companies piss me off, what can I say...
    • Winamp? By default, it does exactly the same thing as WMP does. What is the big deal all of a sudden about CDDB? Ok, so MS extended it to DVDs. Oh no!!

      It's amazing how quickly an otherwise non-story can become a big story with such sensationalist responses simply because Microsoft's name is attached to it.
      • It's amazing how quickly an otherwise non-story can become a big story with such sensationalist responses simply because Microsoft's name is attached to it.

        Well, yes. If I am seen boarding a plane headed for Washington DC, that's not news. If Osama Bin Ladin is seen boarding a plane headed for Washington DC, that's news.

  • No Worries (Score:2, Informative)

    by jeepthang ( 560529 )
    While obviously spyware is a ripe pain in the ass. It only spies on two formats; DVDs and CDs. So: Who out there running Windows XP actually uses Windows Media Player to view their DVDs? Almost all retail video cards equipped for DVD playback come with DVD software. There are also a few wonderful third party DVD players. And who listens to CDs? I assume everyone out there rips their CDs to MP3, and then listens through winamp or the like. Bah. -Jeepthang
  • Logging
    Logging occurs when information is sent from the Player to a streaming media server. Logging informs the server of various pieces of information so that services can be improved. The information includes such details as: connection time, Internet protocol (IP) address of the computer that connected to the server, Player version, Player identification (ID) number, date, protocol, and so on. Most information is neither unique, nor traceable to your machine.

    My god man! What else do they want to take? Not traceable to my static IP? The Player ID Number? Who the hell are they kidding when they say it isn't unique?

    This is a load of horseshit, that's what it is. Microsoft is babbling at the general public with ridiculous lies. I *use* windowsXP because I think it's good software, and I mildly support microsoft in some things, but my lord, this "informative privacy statement" is crap.
  • Microsoft uses secret IE tools known as "HISTORY", "CACHE" and user's "IP ADDRESS" TO TRACK EVERYTHING YOU SEE ON THE INTERNET.

    I bet it gets 500+ comments.

  • by dstone ( 191334 ) on Thursday February 21, 2002 @02:53AM (#3042981) Homepage
    What MediaPlayer is doing is nothing new -- it's equivalent to nearly every other player out there with CDDB (or equiv) capabilities with client-side caching so you don't have to hit the internet database repeatedly for your collection of tunes. BFD. It's not uploading anything back to anyone.

    Of course, mainstream media can spoonfeed the word/concept "log" (eg. history, audit, etc.) easier than it can "cache".
    • by Sarcazmo ( 555312 ) on Thursday February 21, 2002 @09:11AM (#3043926)
      You are wrong, Media Player is sending a globally unique ID to a MS server, along with a fingerprint of the DVD you are watching. This GUID is associated with an email address if you signed up for their newsletter, and also the newsletter encourages you to register for a Passport account.

      Here was the original BugTraq post that started this all. Read carefully.

      Serious privacy problems in Windows Media Player for Windows XP by Richard M. Smith

      February 20, 2002

      I found a number of serious privacy problems with Microsoft's Windows Media Player (WMP) for Windows XP. A number of design choices were made in WMP which allow Microsoft to individually track what DVD movies consumers are watching on their Windows PC. These problems were introduced in version 8 of WMP which ships preinstalled on all Windows XP systems.

      In particular, the privacy problems with WMP version 8 are:
      - Each time a new DVD movie is played on a computer, the WMP software contacts a Microsoft Web server to get title and chapter information for the DVD. When this contact is made, the Microsoft Web server is given an electronic fingerprint which identifies the DVD movie being watched and a cookie which uniquely identifies a particular WMP player. With these two pieces of information Microsoft can track what DVD movies are being watched on a particular computer.
      - The WMP software also builds a small database on the computer hard drive of all DVD movies that have been watched on the computer.
      - As of Feb. 14, 2002, the Microsoft privacy policy for WMP version 8 does not disclose the fact that WMP "phones home" to get DVD title information, what kind of tracking Microsoft does of which movies consumers are watching, and how cookies are used by the WMP software and the Microsoft servers.
      - There does not appear to be any option in WMP to stop it from phoning home when a DVD movie is viewed. In addition, there does not appear to be any easy method of clearing out the DVD movie database on the local hard drive.

      Technical Details

      When a DVD movie is played by the WMP, one of the first things that WMP does is to query via the Internet a Microsoft server for information about the DVD. The query is made using the standard HTTP protocol that is also used by Web browsers like Internet Explorer or Netscape Navigator. Using a packet sniffer I was able to observe WMP making these queries to a Microsoft server each time a new DVD movie was played. The packet sniffer also showed the movie information which was returned to WMP by the Microsoft servers.
      The first HTTP GET request sent by WMP identified the movie being played.

      For example, an HTTP GET request is made for this URL for the "Dr. Strangelove" DVD:
      ndly=true&locale=409&cd=1E+96+1B1E+30D9+42D8+5D61+783E+9083+C49C+F0C8+1151E+13CF9+15812+16C5D+1A04F+1BF2D+1ECB7+212E1+22E48+25724+27E9D+2A91A+2D0E6+2F451+38367+3CF64+4A4D6+4C001+4D517+4E51B+4FDBC+51F74
      The hex numbers at the end of the URL are an electronic fingerprint for the DVD table of contents which uniquely identify the "Dr. Strangelove" DVD. This URL is sent to, Microsoft's Web site dedicated to the WMP software. The HTTP GET request also included an ID number in a cookie which uniquely identifies my WMP player.
      Here's what this cookie looks like:
      MC1=V=2&GUID=CA695830BB504D399B9958473C0FF086
      By default, this cookie is anonymous. That is, no personal information is associated with the cookie value. However, if a person signs up for the Windows Media newsletter, their email address will be associated with their cookie.

      For example, when I signed for the Windows Media newsletter, the following URL was sent to Microsoft servers:

      The same cookie value will be sent back to Microsoft servers when signing up for the newsletter and when a DVD movie is played. In addition, using various well-known "cookie synch" tricks, an email address can be associated with a cookie value at any time.

      Also when subscribing to the Windows Media newsletter, I was encouraged by an email message from the Microsoft newsletter department to create a Passport account based on my email address. In theory, yet more personal information from Passport could be matched with what DVD movies I have watched. There is no evidence however that Microsoft is making this connection.

      The cookie was assigned to my computer the first time I ran WMP. The lifetime of the cookie was set to about 18 months. This cookie gives Microsoft the ability to track the DVD movies that I watch on my computer.

      After a series of redirects from the WindowsMedia.Com server, information about the "Dr. Strangelove" movie was returned in this XML file: te/QueryDVDTOC_v3.xml?

      WMP extracted movie information from this file and then added this information to a database file, named wmplibrary_v_0_12.db, which is located on my hard disk in the directory "C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index". I didn't see any method of removing movie information from this file, so it appears to me that the file keeps a complete record of all movies that have ever been watched on my computer.

      Because as of Feb. 14, 2002 the Windows Media privacy policy is silent about what is done with DVD information sent to Microsoft servers by the WMP software, we can only speculate what Microsoft is doing with the information. Here are some possibilities:
      - Microsoft can be using DVD title information for direct marketing purposes. For example, the WMP start-up screen or email offers can be customized to offer new movies to a WMP user based on previous movies they have watched.
      - Microsoft can be keeping aggregate statistics about what DVD movies are the most popular. This information can be published as weekly or monthly "top ten" lists.
      - Microsoft might be doing nothing with the DVD information. (In my discussions with Microsoft, I was told this option is their current practice.)

      Note: The Video Privacy Protection Act of the United States prevents video rental stores from using movie titles for direct marketing purposes. The letter of this law does not apply to Microsoft because they are not a video rental store. However, clearly the spirit of the law is that companies should not be using movie title information for marketing purposes.

      I believe that Microsoft should remove the DVD movie information feature from WMP version 8 altogether. The value of the feature seems very small given that almost all DVD movies include a built-in chapter guide. In addition, the Microsoft movie information feature is not available when DVD movies are shown in full-screen, which is how DVDs are typically watched. If Microsoft feels that this feature is important to leave in WMP, then I think it should be turned off by default. The feature can be made privacy-friendly very easily, by having WMP never send in cookie information with movie title requests. This change will prevent Microsoft from tracking individual movie viewing choices.

      Vendor Response
      Response from the Windows Digital Media Division of Microsoft Corporation is available here: se.htm
      Thanks to Ian Hopper of the Associated Press for bringing this issue to the attention of the author.

      Digital Media in Windows XP owsxp.asp
      Media Player for Windows XP Privacy Statement ware/v8/privacy.asp
      The RealJukeBox monitoring system
      TiVo's Data Collection and Privacy Practices ywatch/repo rt.asp?id=62&action=0
      Internet Explorer SuperCookies bypass P3P and cookie controls e.htm
      Video Privacy Protection Act
      Bill Gates' memo on Trustworthy computing: mo .htm
      • What MediaPlayer is doing is nothing new -- it's equivalent to nearly every other player out there [...] It's not uploading anything back to anyone...

      ...yet. The important difference is that it's a Microsoft player on a Microsoft OS that's registered to you and identifies you uniquely (by default) to Microsoft when you make the queries. Note that Microsoft's answer to "Will you use this information" isn't "We can't", but rather "We're not planning to, but we won't rule it out".

      Better questions to ask them would be:

      • Do you log the CDDB queries on your end (so they don't have to "upload" anything)?
      • If not, will you guarantee that you never will?
      • If not, why not?
      • Why do you use a unique ID anyway?
      • When will you be removing the unique ID?
      • Failing that, when will you be turning it off by default?
      • Where is the local cache stored?
      • How do I turn it off?
      • How do I delete it?

      This story raised a lot more questions than it answers.

  • by a3d0a3m ( 306585 ) on Thursday February 21, 2002 @02:54AM (#3042983) Homepage
    Has anyone else noticed that CDDB [.com] does the same thing? Any program that gets CD information from CDDB, which includes Music Match Jukebox and older betas of Exact Audio Copy [a great program], would require an e-mail address before you could automatically download title and track information for CDs that you would insert? Someone should be checking out their privacy statements, because that would let them garner the same information.

    Fortunately, their privacy policies [] state otherwise:
    Data Aggregation. Gracenote CDDB collects aggregate statistics on which music and artists are most commonly identified by users with the Gracenote CDDB Service. ("Aggregate statistics" means "group statistics" such as the Gracenote Digital Top Ten, not individual statistics about your personal use of the service.) Besides posting these statistics for you and other fans to enjoy, Gracenote CDDB may publish or share this aggregate information with other companies. This aggregate data, by its nature, will not reveal the identity of our users. We also use aggregate data to help us improve our servers and other components of the Gracenote CDDB Service.
    It doesn't now, but if an investor comes along with a big suitcase of cash, I wonder if their privacy policy would change overnight?

    • With a new owner, the privacy policy would probably change, but not much.
      They collect information for a stated purpose.
      The email address is probably to help weed out junk downloads which would poison the statistics.
      They could gather information they shouldn't, but that would tend to interfere with their purpose of getting good aggregate data.
      Since it requires conscious effort, and in the absence of other personal identifications, it shouldn't be a risk to anyone's privacy.

  • Somebody, give me one example where:

    Technology permitted capture of more information about us, our habits, our preferences, our purchases, any activity; and a company or State passed on that opportunity.
  • According to the article, media player is just downloading the title and track listings of cds and dvds and storing them so it can display them whenever you put the same disc in. Winamp has been doing this forever, and so have a billion other media apps. Microsoft may indeed be conspiring to take over the world and subject us all to their evil whims, but this feature doesn't really seem to have much to do with that diabolical plan.
  • Billy Boy (Score:2, Funny)

    by Loki_1929 ( 550940 )
    I'm thinking Bill Gates is just trying to get a nice fat list of popular DVDs so he can run and download them from DALnet.

    <BillGates> Gee fellas, could you please help me download good pornographic films?
    <@Antel> lol, get out of here you l0ser
    <BillGates> But wait, I'm really desperate here. I gotta OC-48 and a 12TB IBM RAID storage tower.
    *** Antel sets mode +b
    *** BillGates was kicked from #pr0n by Antel (get lost you geek!)
  • not just CDDB (Score:4, Insightful)

    by maxpublic ( 450413 ) on Thursday February 21, 2002 @03:01AM (#3043014) Homepage
    As part of downloading the information about songs and movies from the Web site, the program also transmits an identifier number unique to each user on the computer. That creates the possibility that user habits could be tracked and sold for marketing purposes.

    The same company that assigns you a unique number for the downloads you make also has the database you were required to register with in order to activate your WindowsXP. Manipulated properly it would be a rather simple task to match a real name and address with what you watch on media player - especially if this 'unique number' and the registration number for XP were one and the same.

    And note that Microsoft hasn't ruled out using the data for marketing purposes. Imagine the look on your spouse's face when you suddenly start getting free trial issues of Spanking Teen Cheerleaders! . Or the look on your face when the FBI comes crashing through the door because an 'anonymous tip' from a 'reputable source' claims that you were watching illegal porn videos.

  • by NanoGator ( 522640 ) on Thursday February 21, 2002 @03:12AM (#3043058) Homepage Journal
    Just curious. This issue's new to me and I'm curious what the privacy advocates are worried about.

    I'm a little concerned that MS might detect that I ripped a DVD so I could use a particular clip as reference footage for an animation I'm working on, perhaps use the DMCA to fine me for it. Other than that I don't really care if they know what I'm watching or not.

    Is there a larger problem I should be aware of? Could somebody explain to me what MS or anybody else could do with data about what movies I watch, or what websites I visit, or whether I'm attracted to either T or A that would be bad?

    • Ok, I don't think I was clear enough in my first post. Let me re-state. Let's say, hypothetically, that my computer sent back data about every movie I watch, every TV show I watch, and every little thing I do on the web to MS. What could they do with it?
  • by young-earth ( 560521 ) <`moc.esoomjb' `ta' `htrae-gnuoy-hsals'> on Thursday February 21, 2002 @03:38AM (#3043105)
    Remember when Maria Cantwell [] and Real [] got caught tracking [] all the music that was anywhere on your computer?

    The big question is, will Microsoft respond in the same way and back down?

  • This IS a big deal (Score:2, Interesting)

    by foqn1bo ( 519064 )

    But not in and of itself. The thing that is bugging me about Windows is that there seems to be more and more spilled about spyware/spyware-type things in XP. Possible universal backdoors for encryption, for example. Nothing bad has ever come of any of it, but what bothers me is that as consumers we're getting used to hearing about this kind of shit regularly, and this is the stuff that Microsoft is willing to admit! I mean, let's be frank, if M$ wanted to lie about something evil in there, they'd be more than willing. The question on my mind is can we trust Microsoft (or for that matter any proprietary operating system manufacturer) to not spy on us? There are a lot of people out there, Government/Marketing/et al., who would be thrilled to get a piece of some secret evil.

  • by gusnz ( 455113 ) on Thursday February 21, 2002 @03:57AM (#3043157) Homepage
    OK, yes WMP from version 7 onwards is a nasty beast.

    This article is mostly scare tactics, as ever since the beginning of time there's been a file named CDPLAYER.INI in the windows folder that stores CDDB info. A local cache should actually enhance your privacy as it will reduce calls to central servers when you play your CDs or whatever.

    WMP 7+ however doesn't use this file. If you look in your Windows folder again, you'll notice a couple of files named WMSysPrx.prx and another one named similarly that actually stores the song database. That's how the 'media library' feature works, it's all stored in there -- you would expect a program that catalogues songs to store a list of media played somewhere, wouldn't you?

    It's true WMP does track how many times you play a song. But discovering the fact isn't exactly a journalistic coup, it's listed in the program itself. Look in the 'Media Library', this is listed along with all the rest of the ID3 information (at least in WMP 7)... not exactly a huge secret. I have never heard of MS sending this info off to its site before... that sounds a lot like how Real got into trouble a few years back, and also a lot like a very inventive and paranoid reporter. If you're worried, delete those files mentioned above every so often.

    The unique ID is more interesting. I really recommend turning this off in your WMP options, as it's only really useful if you're buying proprietary WMA files online... and somehow I don't think many slashdotters will be doing that ;).

    The worst part is that it opens up the recently discovered SuperCookie [] exploit in which websites can embed a player in a page and get its ID number. Since it's globally unique and installed on most computers, it's a great way of tracking users who are savvy enough to turn off cookies.

    So nuke the ID feature quickly from your player options... even if you use *AMP to play your sounds, you could still be vulnerable to this.
  • Ok, clicked on Help->Privacy Statement and was taken to this page: Privacy Statement []
    Seems kind of self explanatory... again this is the same with any software... if you don't like using it, then don't... I really couldn't care if Microsoft is keeping track of what music I listen to or DVDs... if in the end all it means is I get information on something I might like (like Amazon does) then... I suppose that's ok. I think I'd only have a problem with it if they used it for evil purposes... which I'm failing to see. Now if they somehow used this to help the RIAA, then I'd be pissed because that's none of their business as an Operating System provider. (IMHO of course)
  • Hmm... I got an idea! Let's all get Windows XP, download Morpheus, and download the shit out of Futurama, and then watch it! I bet when MS gets wind of so many people watching Futurama, they'll buy FOX and make them continue the show!! Spyware beats the pants off of Nielsen ratings.

    Whatcha think, sirs?
  • by m_evanchik ( 398143 ) <michel_evanchikATevanchik@net> on Thursday February 21, 2002 @04:15AM (#3043217) Homepage
    from the article:

    "This is essentially a case where it (the ID) doesn't serve any purpose and it isn't used," [Microsoft's] Caulton said.

    Which begs the obvious question of why put it in there in the first place.

    The end of the article takes an interesting twist:

    In a recent memo, Microsoft chairman Bill Gates ordered his company to check for privacy and security concerns before adding new features.

    "Users should be in control of how their data is used," Gates wrote. "Policies for information use should be clear to the user. Users should be in control of when and if they receive information to make best use of their time."


    He said the feature seems to conflict with Gates' directive.

    "You can really see the Microsoft culture coming through that Gates wants to change. These guys are digging in their heels," he said.

    Bill Gates is not a stupid person. Let us suppose for a few moments that he really has seen the writing on the wall and is sincere about this new direction for the company.

    Gates bred this culture that he is now trying to change. And the paradigm shift for his company is much sharper philosophically than the previous one of desktop- to network-centric computing.

    And then there is the very real argument that Microsoft's proprietary, closed-source code policy is antithetical, or at the very least sub-prime for dealing with privacy and security concerns.

    What's an ersatz-visionary computer mogul to do?

  • replied to this on another message board. I'm going to repeat here what I said there, for the main reason that I referenced this place in the original...

    Stuff and nonsense. The conclusion you have drawn is wrong; and the article is a typical example of the mainstream press cottoning on years too late and blowing something out of proportion.

    WMP is doing nothing more than a CDDB lookup, which is then stored locally. THERE ARE COUNTLESS PROGRAMS WHICH DO THIS; any good audio program or CD ripper does the same.

    WMP8 adds a DVD lookup to this, presumably for the purpose of adding a DVD entry to a playlist. I haven't heard of any program which does this before, but it's no more intrusive than the above CDDB lookup.

    The information is never sent to Microsoft after it has been collected. The article somehow leaps to this conclusion from the statement that the data is stored locally.

    The Washington Post is not the place to go for IT information. Nor are its conclusions to be immediately taken and used as propaganda. While MS are a not-nice company in general, this (10-year-late) online tabloid rant can hardly be taken as an example of their wrongdoings.

    This is the kind of thing which tends to get the Linux rabble-rousers on Slashdot worked up, until someone points out the facts of the case. Oh well, false alarm.


    Turns out I'm a prophet, it seems.

    Do carry on; I so love long debates about non-events and factual inaccuracies here.

    - Chris
  • by nemo ( 2417 ) <slashdot&nemo,house,cx> on Thursday February 21, 2002 @04:45AM (#3043289) Homepage
    Microsoft has this patent:
    System and methods for selecting music on the basis of subjective content [].

    I bet they'd love to get their hands on these logs/cache/whatever... if what people choose to listen to doesn't count as subjective, I dunno what does!

    Draw your own conclusions. I am merely presenting facts and opinions.
    • System and methods for selecting music on the basis of subjective content

      With the exception that it's TV, isn't TIVO prior art?

      • by nemo ( 2417 )
        The patent was granted in 1997... (April 1 in fact).

        The TiVo came out... when? (I honestly don't know? But I doubt its development started before 1997)

        Of course, who is to say what patents the TiVo uses...

        Not to mention that prior art is only an issue if the patent is challenged with it. You can have all the prior art in the world, and the patent will stand if it's not used.

  • It's clear from the design of all of Windows XP, not just WMP8, that Microsoft does not want you to have privacy. For example, consider how many holes Windows XP expects you to punch in your firewall.

    This anti-privacy attitude is similar to that of the U.S. government. U.S. government agencies are the biggest, most well-funded surveillance organizations in the history of the world. For support for that statement see What should be the Response to Violence? []

    At the bottom of the anti-privacy attitude is a feeling of superiority. Below that is an inability to make successful connections with other people. It's a kind of mild mental illness that has the characteristic that those who have it find it difficult to realize that they have it.
  • Technical Details (Score:3, Informative)

    by arnoroefs2000 ( 122990 ) on Thursday February 21, 2002 @05:54AM (#3043429) Homepage
    For a bunch of technical details about read this [] posting on Bugtraq.

    "WMP extracted movie information from this file and then added this information to a database file, named wmplibrary_v_0_12.db, which is located on my hard disk in the directory " C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index". I didn't see any method of removing movie information from this file, so it appears to me that the file keeps a complete record of all movies watched that have ever been watched on my computer."
  • by Gordonjcp ( 186804 ) on Thursday February 21, 2002 @06:44AM (#3043523) Homepage
    When a CD is played, the player downloads the disc name and titles for each song from a Web site licensed by Microsoft. That information is stored on a small file on each computer in the latest version of the software.

    This sounds to me very much like some sort of CDDB cache. XMMS has done this since the first line of code was written.
  • I personally dislike v7.x and v8.x. I still like 6.4 as a simple player. I avoid v7.x and v8.x as much as I can.

  • What total a**holes. Next time someone tells you they work for Microsoft, ask them incredulously why they haven't quit yet!

    Everyone knows that just as with mathematics, you can do anything in software. The point is, only the mentally damaged and egomaniacal build this kind of bloated, smirking, F***ED by Redmond again supercookie loggers into the monopoly operating system.


  • I'm sure I'm one of the few, but I don't think it's bad at all.

    When I first saw the /. article, I got scared. I use mediaplayer to keep track of my CD's. I also rip my CD's into wma format using mediaplayer (I'm sure at least half the people on /. hate me now). I use it because it's convenient, and I think the GUI is nice.

    However, after reading the article in the Washington Post, I don't think it's bad at all. I expected that the album and songnames downloaded to my computer would be stored in a file somewhere. Kinda hard to apply the names to the songs without storing them somewhere. I think this is another one of those Microsoft bashing stories. I mean, come on, if Microsoft says they are not using the information for marketing purposes, then I believe them.

    I have used Linux, I know how to program in Assembly and I still spend most of my time in a DOS box. I'm not a "new GUI user", but I don't think that Microsoft are bad and evil. I like some of their products, and I use the ones I like. Mediaplayer happens to be one of them.
  • by bero-rh ( 98815 ) <bero.redhat@com> on Thursday February 21, 2002 @07:55AM (#3043702) Homepage

    From: Microsoft Legal Department
    To: Valued Customer
    Subject: Windows Media Player Usage Report

    we have noticed you have played back pirated episodes
    of Star Trek Enterprise downloaded from the net.

    This is a violation of federal law.

    We charge you $10,000 for this information; if we do not receive this amount of money, your registration information (as well as the information you used to register on any websites, as tracked by Internet Explorer) will be forwarded to the MPAA.
  • Before I read the list of responses, I thought I knew more or less what spyware is.

    I thought it was something that delivered information about me without my permission.

    Much as my fingers burn typing anything kindly towards Microsoft (I still haven't used up all the anger from corrupted PowerPoint files working on a past job), I don't see that here.

    This stuff seems to be potential, not actual, spyware, although Microsoft's reaction would give me the heebie-jeebies if I used the stuff.

    True, the software generates information that could be very interesting to some people and that would royally piss me off if it were being sent out to anybody.

    But that's true of damned near everything I do or use on my computer (Linux, not Windows).

    The sending's the thing, not the collecting. As at least one poster points out, the cache actually improves your privacy by reducing the number of times you go to the original database.

    So long as the info stays on your machine, it ain't spyware.

    Check back tomorrow, though.
  • They'll find out all I watch on WMP is internet porno. Which is an interesting metric. Until now, Redmond's stayed out of the pr0nline gig, and I feel the industry has been waiting for a true killer app for a while.

    The time is now for Open Source porno to combat this future menace!
  • by foobar104 ( 206452 ) on Thursday February 21, 2002 @11:14AM (#3044582) Journal
    I just found out this morning that IE 6 on Windows 2000 keeps a record of all the web sites I've visited! Microsoft doesn't tell anybody about this, but you can see it for yourself if you click that mysterious button on the toolbar that looks kind of like a sundial. There it is, a list of all the sites you've visited, sorted by domain and by date!

    The worst part is, Microsoft doesn't deny that they could use this information for marketing!

    The only way these customer-hostile corporations will get the message is if we vote with our wallets. Don't use IE! Use only browsers that don't maintain this so-called "History" log! Power to the people!


    By now, everyone knows that this behavior inside WMP is just CDDB lookup caching. Every CD player I've ever seen has done the same thing. For that matter, so does every program that caches anything, from your web browser to your email program to... well, anything.

    You can all stand down from red alert now. Cancel the march on Washington.
  • How to defeat it (Score:5, Informative)

    by sllort ( 442574 ) on Thursday February 21, 2002 @11:37AM (#3044707) Homepage Journal
    How to disable this feature:

    The file, wmplibrary_v_0_12.db, contains in cleartext the name of every movie you've ever watched with media player. The names are in cleartext but each byte is spaced out with a pad byte, so you can't just grep for the names you're looking for.

    If you delete the file, WMP regenerates it on use.

    But, if you create the file as a zero-byte file, WMP does not fix it and does not store any information about what WMP is playing, ripping, burning, etc.

    Tested Today, 2/21/02, with Windows 2000 and WMP 7.1. Oh, they didn't mention it's not just XP? It's not just XP.

    You're Reading Managed Agreement []
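
An added illustration, not part of the comment above and not Microsoft's or the poster's code: the "pad byte" layout described there is what text looks like when stored as UTF-16LE, where each ASCII character is followed by a 0x00 byte. Assuming that encoding (the page does not confirm it, and the file's record structure is unknown), this Python sketch lists the readable titles in such a cache so you can audit what it holds; the sample blob and all function names are constructed for the example.

```python
"""Audit a local media-library cache for titles stored as 'padded' text.

Assumption (not confirmed by the page): the pad byte is the 0x00 high byte
of UTF-16LE, the usual wide-character encoding on Windows.
"""
import re
import sys

# Ordinary single-byte printable runs: what a plain strings/grep pass sees.
_NARROW_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def wide_strings(data, min_chars=4):
    """Return (offset, text) for each run of printable ASCII characters
    in which every character is followed by a 0x00 pad byte."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in pattern.finditer(data)]


def narrow_strings(data):
    """Return the single-byte printable runs, for comparison."""
    return [m.group().decode("ascii") for m in _NARROW_RUN.finditer(data)]


def find_title(data, title):
    """Case-insensitive search among the wide strings; returns offsets."""
    wanted = title.casefold()
    return [off for off, text in wide_strings(data)
            if wanted in text.casefold()]


def build_sample():
    """Constructed sample, NOT the real file layout: binary filler
    around two UTF-16LE titles, plus a short run that must be ignored."""
    filler = bytes([0x01, 0xFF, 0x10, 0x00, 0x9C, 0x03])
    return (filler
            + "Dr. Strangelove".encode("utf-16-le") + b"\x00\x00"
            + filler
            + "Example Album".encode("utf-16-le")
            + filler + b"ab\x00\x01")


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample()
    for offset, text in wide_strings(blob):
        print(f"0x{offset:08x}  {text}")
```

On the constructed sample a plain byte search for `Strangelove` finds nothing, while the wide-string pass recovers both titles with their offsets.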
  • by DaveWood ( 101146 ) on Thursday February 21, 2002 @01:34PM (#3045610) Homepage
    The reason your entire viewing habits are available to MS is because every time you insert a DVD, WMP8 contacts an MS website with your GUID and the DVD's TOC. This is in addition to keeping a log of DVD's on your computer. The ostensible purpose for the request is to get the DVD's "title and chapter information."

    This begs the question: what is a DVD's "title and chapter information," anyway?

    What possible purpose does having it serve?

    We all know that CD player programs call up CDDB because there's no track and album titles handy on the disc. That's fine and good: perfectly legitimate use of network callback. Note: there's no need at all for any personally identifying information (GUID, cookie, or whatever) in that transaction... but that's not my main point.

    Unlike a CD, a DVD has every piece of information you already need included, along with a custom interface, etc etc. And in all the coverage I've seen of this issue, no one seems to be catching on to the fact that, as far as anyone can tell:

    DVDs are not CDs. There is no justifiable need for any user to have a DVD's "title and chapter" info at all, let alone for them to give a unique identifier to MS while requesting it.

    So why go to all the trouble of building a scalable web application to service a non-feature?

    Sure, MS is rich, but I guess conservatively that this functionality was a low six figure outlay to start, and it creates a neverending and not inconsiderable ongoing support cost to maintain a database and a server farm. It has to be big: they're servicing every XP/WMP8 user in the world, after all.

    On a final note, let's consider the infamous Windows GUID. It's generated from a variety of sources: your PIII Processor Serial Number, if available, your ethernet MAC address, and I believe several other pieces of optional identifiable hardware are potentially tapped.

    Microsoft is the same company that silently attached GUID's to every Word document you produce, by the way.

    GUIDs don't contain your name or email themselves, but wait... m []

    "However, if a person signs up for the Windows Media newsletter, their email address will be associated with their cookie."

    It gets better.

    "Also when subscribing to the Windows Media newsletter, I was encouraged by an email message from the Microsoft newsletter department to create a Passport account based on my email address. In theory, yet more personal information from Passport could be matched with what DVD movies I have watched."

    If you are curious, the other shoe dropping will sound like this:

    MS "Passport" registration (which is required for customer support) also collects GUIDs directly.

  • by SimHacker ( 180785 ) on Thursday February 21, 2002 @04:48PM (#3047243) Homepage Journal
    There's a simple and effective way to defeat the Windows XP Media Player spyware, which records a list of all media files you've played. This also applies to older versions of Windows Media Player, as well.

    It's a trivial fix, really. Windows Media Player records the list in a file. Just make the file read-only! Problem solved.

    Here's the file name for Windows XP:
    C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db
    Here's the file name for Windows ME:
    c:\Windows\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db
    Here's the file name for Windows 98:

    The easiest way to find the file is to search your disk for "wmplibrary". Then right-click up the properties for that file and make it read-only.

    This spying behavior has been around for a long time. I noticed it a year or so ago, and made the log file read-only. It's been working fine ever since, without writing a log.

    You can see the log in the Windows Media Player by pressing the "Media Library" button and opening up the outlines. Just make sure to clear out the log first, before you make it read-only. When you delete an item from the log, it goes into "deleted items" folder. So make sure you finally clear out the "deleted items" section of the log.

    I found the log file by using Igor Arsenin's [] "taskinfo []" utility, that lets you see all the files any process has open. Taskinfo is a great tool for figuring out what logs any Windows programs are keeping. Solid Russian engineering. Use it to spy on the spyware!

