Windows Tracks CDs & DVDs You Watch 421
lcypher writes "The AP is reporting that there is spyware within Windows Media Player 8 (which ships with XP), which records the song titles and DVD titles that a user listens to or views in WMP8. Microsoft execs claim no marketing use right now, but they won't rule it out."
This looks like less of a big deal than the article makes it out to be, but it definitely could be used for evil.
Pr0n (Score:4, Funny)
file names so they can track them down on kazaa easier.
Those lazy bastards. (:
eak... (Score:2, Funny)
whatever.the.hell.mediaplayer.uses 127.0.0.1
in the hosts file, and maybe a quick webpage to return
Mlk and a vacuum cleaner
the spam-email from that could be veryyy interesting
Re:eak... (Score:5, Informative)
www.zonealarm.com has a great free firewall program that prevents mplayer (and others) from misbehaving.
Re:eak... (Score:2)
Yeah, but you give Media player access to download new codecs, and if it sends spyware data out at the same time, your data is still captured.
Playing right now: (Score:5, Insightful)
---
But anyway, fair enough. What I'd like to know is how easy it is to insert my own random data into that playlist before it goes off to Microsoft?
Seems the only way to fight this will be with dis-info
Re:Playing right now: (Score:2, Funny)
Re:Playing right now: (Score:5, Informative)
It doesn't go to Microsoft, it's just a cache of CDDB lookups you've done. AudioCatalyst does the same thing - but it's tracking not only what you play, but also what you rip to MP3. Surely, if you are looking for a conspiracy, that is where to look?
This cache is just a performance enhancement, like your web browser maintaining a cache of pages you've visited. If anything, it improves your privacy: it makes it much more difficult for CDDB to track how often you play a particular CD.
From the article:
unique id (Score:2)
--
Re:unique id (Score:3, Funny)
Re:Playing right now: (Score:5, Informative)
Check it out for yourself; the log can be located here:
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db
The "_v_0_12" part may vary on your PC, but this is the file mentioned in the article.
well duh (Score:5, Interesting)
Media Player will be used to extort money from users, media companies and advertisers. Microsoft wants to be the asshole in the middle and wants to use that position to make money. They have created their own media formats to break at will, a method to do it, and put it all in their EULA. What more can you ask for? Do you really think that they won't sell your information? Oh, I suppose you forgot how they sold "real estate" on your desktop.
The only way for them to keep themselves in that position is to eliminate every other option. If you continue to use M$, your internet will have three channels and you will never be able to contribute. Your money goes to those who would enslave you.
Let's see, M$ can write files to my computer that I can't delete and can access my computer in ways that I can not. They must be root, and I am not.
Re:Playing right now: (Score:2)
It won't be personally identifiable? (Score:4, Insightful)
Re:It won't be personally identifiable? (Score:3, Interesting)
Re:It won't be personally identifiable? (Score:2)
A few things that a quick Google search turned up: GuUID Explorer [bidali.com] and JunkBusters' [junkbusters.com] web page on GUID and MS' software. The History and Advisory are good reads here.
Microsoft's use isn't the issue... (Score:2, Interesting)
But what other 3rd parties could do with it is really disconcerting. Even assuming MS doesn't sell the information, the information is still being collected and deposited somewhere. Somewhere that maybe a detective or the FBI could trace you down. Or your system administrator, wife or mother-in-lawyer.
Just for innocently checking out that warez movie link...or borrowing a DVD that happened to be ripped..
Re:Microsoft's use isn't the issue... (Score:2, Funny)
Just more data for Carnivore to munch on (Score:2)
This is just a local CDDB mirror (Score:5, Insightful)
It appears they extended to DVDs as well as CDs (just a bigger database I suppose).
The article is a bunch of fluff for a functionality we've used for a long time with numerous programs such as XMCD, AudioCatalyst, etc etc. Microsoft adds it to media player and omg, privacy for getting the disc information for you. I'm pretty sure there's a button to turn it off.
(Gracenote is probably using the CD request data anyway for marketing purposes these days).
Re:This is just a local CDDB mirror (Score:5, Informative)
So no, it's a little more than just a mirror of a CDDB database. The traffic is bi-directional, and leaves a log trail.
-
I was so naive as a kid I used to sneak behind the barn and do nothing. - Johnny Carson
Re:This is just a local CDDB mirror (Score:2)
Read the advisory. Each time a new DVD/CD is put in, media player asks Microsoft for a title and track listing, gets the result and stores it in a local database file. It does not request again if you insert the same movie. So other than 'first use' there is no usage log.
I'm not clear on what the id-string is used on the request. Microsoft is no different than Gracenote who gets your IP, operating system, etc if you put a CD in when you're running XMCD and it's configured to ask CDDB/Gracenote for CD track listings.
I've been using CDDB for years. This is no different than before. It's a bunch of privacy concerns for an established method of CD title/track requests (extended to DVDs now apparently).
Re:This is just a local CDDB mirror (Score:5, Interesting)
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db
I also saw a file wmplibrary_v_0_12.lrd that had my hostname in it, and a file called WMPImage_AlbumArtLarge.
Actually I use FreeDB so I don't have to give any info out. M$ didn't even tell users they were being tracked till this article; at least they are going to let people know with an updated privacy statement. We really shouldn't have to wait for someone to point out privacy concerns that the vendor should disclose.
-
It seems to me, Golan, that the advance of civilization is nothing but an exercise in the limiting of privacy. - Janov Pelorat in Asimov's Foundation's Edge
Re:This is just a local CDDB mirror (Score:3, Insightful)
Re:This is just a local CDDB mirror (Score:2, Interesting)
I believe this should nip this problem in the bud. Another reason this is really a non-issue: simply block Media Player's access to the internet with some sort of firewall. Not the hardest thing to accomplish.
Re:This is just a local CDDB mirror (Score:4, Informative)
It basically stacks up CD details until you get on-line and then downloads the track listings for all the CDs in one go.
Whilst this doesn't sound much to your average connected American, here in the UK where broadband is stupidly expensive and the majority of us are on pay by the minute 56k modems it's an absolute godsend because we don't have to keep dialing up every single time we put a new CD in.
Re:This is just a local CDDB mirror (Score:3, Interesting)
Actually this was discovered by Richard M. Smith, who has a good record of finding bugs-by-design, security holes and privacy breaches in MS software. Here's his page on the topic [computerbytesman.com], and [slashdot.org] here's Microsoft's response - which is all in the first sentence, really, "we do not believe [this] represents a user privacy concern." All this was in my submission of the story, last night - heh, it's the first time I've submitted a story and someone else's post got there first. Or better.
In reply to those people saying "this is just the same as CDDB, what's the big deal?": this IS a bad thing, for the following reasons:
Think about it: Passport, web services, your company's servers, your corporate desktop, your own home PC, all your apps, your phone, set-top box, Palm ripoff, Psion rip-off... apart from washing machines and guided missiles, I can't think of anywhere that software runs which Microsoft doesn't aspire to own. Actually, come to think of it, NT4 at least can allegedly operate as a router; they've been trying to make headway in the embedded market for years, and I fear that "version 3 syndrome" will kick in on their efforts there soon... sheesh, they're even selling firewalls now. When the great day comes that Microsoft own all mass markets for software, they'll buy out some major consulting/services firm and start trying to put independent developers out of business, too. Pray that day never comes...
Microsoft have yet to learn that in privacy and security matters, the correct default is to trust no-one and nothing. If you prove to your customers or users that you're worthy of trust, you'll get it. Take it for granted, and assume that the user won't MIND if your software starts sending your personal data back to the vendor (or a third party) without telling you, and you start getting into people's shitlists. When you're Microsoft, you have to bend over backwards to ensure that not only are you doing the right thing, but that you're SEEN to be doing the right thing. If you give a flying one, that is; if you really are Microsoft, then you couldn't care less, because your Windows monopoly means 99% of users and customers haven't got any choice in the matter.
And what if you're a network security person and spot unauthorised traffic (which is what this is) on your network? You could spend a lot of time & energy investigating. For all I know, this could be a DDoS agent that some kiddie's planted on a cracked XP box, and is now starting to flood windowsmedia.com .
If you really think this is "just like CDDB", ask yourself: why are Microsoft going to the trouble and expense of providing this "service" - given that they don't even tell people they're doing it? What do they hope to gain from it? How does this increase their marketshare or mindshare? Follow the money...
Re:This is just a local CDDB mirror (Score:4, Informative)
The links:
Here's his page on the topic [computerbytesman.com];
Bugtraq post [securityfocus.com]
Microsoft's response [computerbytesman.com].
Re:The real kicker (Score:2, Interesting)
The deal is, Microsoft puts all of this crap on our 100GB hard drives that we can never figure out what it does. They also never give you decent controls over the inner workings of the machines. It's sad to think that Microsoft might be storing information that could come up in a lawsuit against me. The real kicker is that they haven't provided a decent way for me to view this information.
Re:This is just a local CDDB mirror (Score:2)
Anyone who collects "private data" and tries to disguise the fact is most certainly up to no good.
Always trust Microsoft?
Re:This is just a local CDDB mirror (Score:2)
Microsoft does what they do; don't like it, don't use it. No biggie, it's not rocket science.
This is basically CDDB (Score:2, Insightful)
If you look in your home directory on your Linux box, you'll probably find a similar cache.
Someone just noticed that you can reconstruct people's listening habits from their CDDB lookups - no big deal.
Re:This is basically CDDB (Score:5, Insightful)
We'd like to inform you (Score:5, Insightful)
Re:We'd like to inform you (Score:2, Insightful)
Is DVD chapter navigation a needed or useful feature? I'm sure if we ask MS, they will respond with their usual "our customers ASKED us for this feature" response the same way that ALLLL of those customers really, REALLY wanted Product Activation. Sorry, but given MS's track record, this little "feature" will probably be used for their continued little monopoly purposes. Remember, they are trying to become the center of your Home Entertainment because after all, that's where the REALLY big dollars are at. If they can show the MPAA and RIAA that they can control what you listen, watch and jack off to, then they put themselves in a very sweet position of becoming THE de facto OS for your next PVR, CD player, DVD player, etc. All it would take is one little service pack to enable that "only a local CDDB" to start being transmitted for complete tracking purposes. And no doubt, you will have given them the right to do it through one of those oh-so-readable click thru EULAs.
As a Winblows user... (Score:2)
Re:As a Winblows user... (Score:2)
That's painful. I stay as far away from 95/98/ME as I can. 2000 and XP, on the other hand, are pretty nice. If you're going to squat on one version of Windows, you ought to at least consider one that's not going to torture you for the rest of your life.
Winamp does this too (Score:3, Interesting)
You can also turn off WMP's unique identifier thing if you're worried about privacy.
Honestly though, set down your tinfoil hats for a second: Why do we really care?
Really?
Maybe it's just me but I honestly don't care if some site logs that I viewed porn from so and so site for so many minutes. Why should I?
I also have very serious doubts that MS would ever sell the information it'd collect from it. The money from that is absolutely tiny and the feedback from the public would be absolutely horrible. What I see instead is a more personalized music service, kind of like Launch.com, where it personalizes and gives you music and movie picks based upon what you watch. Amazon does this too when you're logged in, keeping track of recently viewed items, etc.
Re:Winamp does this too (Score:4, Insightful)
You don't. I do. I don't need a reason to want to keep people out of my personal life. Rather, they need a good reason to butt into it.
Max
Re:Winamp does this too (Score:2)
And they need a damned good reason to butt into it without my knowledge or consent.
I'm an old fart and don't much care who knows what about me, but nobody has a right to my personal information. That right belongs to me. Only.
Misleading titles (Score:2)
False: Windows Tracks CDs & DVDs You Watch
True: Windows Media Player 8 Tracks Media played.
And the most important piece of information in the article is: "If you're watching DVDs you don't want your wife to know about, you might not want to give her your password," said David Caulton, Microsoft's lead program manager for Windows Media."
Windows Media Player IS Windows (Score:2)
At least, according to Microsoft.
This has been going on for ages... (Score:2)
Quoth the article: "Microsoft said the program creates the log file so a user does not have to download repeatedly the same track, album or movie information. The company said the ID number was created simply to allow Media Players users to have a personal account on the Web site dealing with the software."
It's just a client side cache. That's all. The windows CD player has done this since at least windows 3.1 (although the user had to enter the track titles by hand.)
Odd Interpretation (Score:3, Interesting)
So, in other words, Microsoft (having engineered the world's most widely used operating system) still hasn't figured out how to pinpoint where data transfer is coming from. Because it seems to me, oddly, that if I'm sending someone data through a system they set up that I don't know about... they must know about it, and also must know how to analyze the results of all their data-grabbing. And see where the crap is coming from. And keep track of what I'm listening to.
I don't use Windows Media player, personally. But if it ever came down to the log files, I'm sure MS could say to someone who ripped the software: "Actually, you have an unauthorized copy of windowsXP, how else would you be transmitting data through our security loophole with the same key as those twenty thousand other people?"
Turn off Windows Media Player (Score:2)
Does Microsoft not learn? Do they not remember the stink over the tracking in Office documents? The stink over the UID with Intel Processors? Why would they think that collecting a list of CDs and DVDs that we've watched/listened to and then transmitting it back to Microsoft is a good idea? I mean seriously the OS has enough problems without having to worry about the damn thing spying on me.
What do we have to do to communicate to companies that we don't want to give them our information, unless we specifically opt-in? How hard is that? I haven't met many people that don't think it's a good idea to do it that way. Privacy is preserved, but you can choose to give away your privacy if they offer you a good enough deal. I always fill out the various opt out policies, but it's scary how often I have to go hunting in legalese to find out exactly where I need to send it.
Re:Turn off Windows Media Player (Score:2)
Not to sound like an open source bigot (actually, even if a program is open source, most people won't even bother looking at source code, dare you say actually compiling it) but there is a reason that this code was put in, you can be sure that placing a more or less unique code into an online database was a bitch to program, so it wasn't put in there without a reason.
What can I say, at least MS is changing their privacy policy, even though they aren't doing much else about it.
Arrogant companies piss me off, what can I say...
bah
Re:Turn off Windows Media Player (Score:2)
It's amazing how quickly an otherwise non-story can become a big story with such sensationalist responses simply because Microsoft's name is attached to it.
Re:Turn off Windows Media Player (Score:3, Insightful)
Well, yes. If I am seen boarding a plane headed for Washington DC, that's not news. If Osama Bin Ladin is seen boarding a plane headed for Washington DC, that's news.
No Worries (Score:2, Informative)
A Quote From The Statement: (Score:2)
Logging occurs when information is sent from the Player to a streaming media server. Logging informs the server of various pieces of information so that services can be improved. The information includes such details as: connection time, Internet protocol (IP) address of the computer that connected to the server, Player version, Player identification (ID) number, date, protocol, and so on. Most information is neither unique, nor traceable to your machine.
My god man! What else do they want to take? Not traceable to my static IP? The Player ID Number? Who the hell are they kidding when they say it isn't unique?
This is a load of horseshit, that's what it is. Microsoft is babbling at the general public with ridiculous lies. I *use* windowsXP because I think it's good software, and I mildly support microsoft in some things, but my lord, this "informative privacy statement" is crap.
I plan to submit a /. story soon: (Score:2, Funny)
I bet it gets 500+ comments.
S.
It's not a log, it's a cache (Score:5, Insightful)
Of course, mainstream media can spoonfeed the word/concept "log" (eg. history, audit, etc.) easier than it can "cache".
Re:It's not a log, it's a cache (Score:4, Informative)
Here [securityfocus.com] was the original BugTraq post that started this all. Read carefully.
Serious privacy problems in Windows Media Player for Windows XP by Richard M. Smith
http://www.ComputerBytesMan.com
February 20, 2002
Introduction
============
I found a number of serious privacy problems with Microsoft's Windows Media Player (WMP) for Windows XP. A number of design choices were made in WMP which allow Microsoft to individually track what DVD movies consumers are watching on their Windows PC. These problems were introduced in version 8 of WMP, which ships preinstalled on all Windows XP systems.
In particular, the privacy problems with WMP version 8 are:
- Each time a new DVD movie is played on a computer, the WMP software contacts a Microsoft Web server to get title and chapter information for the DVD. When this contact is made, the Microsoft Web server is given an electronic fingerprint which identifies the DVD movie being watched and a cookie which uniquely identifies a particular WMP player. With these two pieces of information Microsoft can track what DVD movies are being watched on a particular computer.
- The WMP software also builds a small database on the computer hard drive of all DVD movies that have been watched on the computer.
- As of Feb. 14, 2002, the Microsoft privacy policy for WMP version 8 does not disclose the fact that WMP "phones home" to get DVD title information, what kind of tracking Microsoft does of which movies consumers are watching, and how cookies are used by the WMP software and the Microsoft servers.
- There does not appear to be any option in WMP to stop it from phoning home when a DVD movie is viewed. In addition, there does not appear to be any easy method of clearing out the DVD movie database on the local hard drive.
Technical Details
=================
When a DVD movie is played by the WMP, one of the first things that WMP does is to query via the Internet a Microsoft server for information about the DVD. The query is made using the standard HTTP protocol that is also used by Web browsers like Internet Explorer or Netscape Navigator. Using a packet sniffer I was able to observe WMP making these queries to a Microsoft server each time a new DVD movie was played. The packet sniffer also showed the movie information which was returned to WMP by the Microsoft servers.
The first HTTP GET request sent by WMP identified the movie being played.
For example, an HTTP GET request is made for this URL for the "Dr. Strangelove" DVD: http://windowsmedia.com/redir/QueryTOC.asp?WMPFri
version=8.0.0.4477&
cd=1E
15812+16C5D+1A04F+1BF2D+1ECB7+212E1+
2D0E6+2F451+38367+3CF64+4A4D6+4C001+4
The hex numbers at the end of the URL are an electronic fingerprint for the DVD table of contents which uniquely identify the "Dr. Strangelove" DVD. This URL is sent to WindowsMedia.com, Microsoft's Web site dedicated to the WMP software. The HTTP GET request also included an ID number in a cookie which uniquely identifies my WMP player.
Here's what this cookie looks like: MC1=V=2&GUID=CA695830BB504D399B9958473C0FF086
By default, this cookie is anonymous. That is, no personal information is associated with the cookie value. However, if a person signs up for the Windows Media newsletter, their email address will be associated with their WindowsMedia.com cookie.
For example, when I signed for the Windows Media newsletter, the following URL was sent to Microsoft servers: http://windowsmedia.com/mg/Newsletter.asp?eNws=rm
format=HTM
The same windowsmedia.com cookie value will be sent back to Microsoft servers when signing up for the newsletter and when a DVD movie is played. In addition, using various well-known "cookie synch" tricks, an email address can be associated with a cookie value at any time.
Also when subscribing to the Windows Media newsletter, I was encouraged by an email message from the Microsoft newsletter department to create a Passport account based on my email address. In theory, yet more personal information from Passport could be matched with what DVD movies I have watched. There is no evidence however that Microsoft is making this connection.
The WindowsMedia.com cookie was assigned to my computer the first time I ran WMP. The lifetime of the cookie was set to about 18 months. This cookie gives Microsoft the ability to track the DVD movies that I watch on my computer.
After a series of redirects from the WindowsMedia.Com server, information about the "Dr. Strangelove" movie was returned in this XML file: http://services.windowsmedia.com/amgvideo_a/templ
TOC=90a1b0d1571524ea
WMP extracted movie information from this file and then added this information to a database file, named wmplibrary_v_0_12.db, which is located on my hard disk in the directory "C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index". I didn't see any method of removing movie information from this file, so it appears to me that the file keeps a complete record of all movies that have ever been watched on my computer.
Because as of Feb. 14, 2002 the Windows Media privacy policy is silent about what is done with DVD information sent to Microsoft servers by the WMP software, we can only speculate what Microsoft is doing with the information. Here are some possibilities:
- Microsoft can be using DVD title information for direct marketing purposes. For example, the WMP start-up screen or email offers can be customized to offer new movies to a WMP user based on previous movies they have watched.
- Microsoft can be keeping aggregate statistics about what DVD movies are the most popular. This information can be published as weekly or monthly "top ten" lists.
- Microsoft might be doing nothing with the DVD information. (In my discussions with Microsoft, I was told this option is their current practice.)
Note: The Video Privacy Protection Act of the United States prevents video rental stores from using movie titles for direct marketing purposes. The letter of this law does not apply to Microsoft because they are not a video rental store. However, clearly the spirit of the law is that companies should not be using movie title information for marketing purposes.
Recommendations
===============
I believe that Microsoft should remove the DVD movie information feature from WMP version 8 altogether. The value of the feature seems very small given that almost all DVD movies include a built-in chapter guide. In addition, the Microsoft movie information feature is not available when DVD movies are shown in full-screen, which is how DVDs are typically watched.
If Microsoft feels that this feature is important to leave in WMP, then I think it should be turned off by default. The feature can be made privacy-friendly very easily, by having WMP never send in cookie information with movie title requests. This change will prevent Microsoft from tracking individual movie viewing choices.
Vendor Response
===============
Response from the Windows Digital Media Division of Microsoft Corporation is available here: http://www.computerbytesman.com/privacy/wmp8respo
Acknowledgements
================
Thanks to Ian Hopper of the Associated Press for bringing this issue to the attention of the author.
Links
=====
Digital Media in Windows XP
http://www.microsoft.com/windows/windowsmedia/win
Media Player for Windows XP Privacy Statement
http://www.microsoft.com/windows/windowsmedia/sof
The RealJukeBox monitoring system
http://www.computerbytesman.com/privacy/realjb.ht
TiVo's Data Collection and Privacy Practices
http://www.privacyfoundation.org/priva
Internet Explorer SuperCookies bypass P3P and cookie controls
http://www.computerbytesman.com/privacy/supercook
http://www.accessreports.com/statutes/VIDEO1.htm
Bill Gates' memo on Trustworthy computing:
http://www.computerbytesman.com/security/billsm
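An added example, not part of the original post or the advisory it quotes: a defender-side audit that pulls WMP disc lookups out of a web-proxy log and groups them by the MC1 cookie GUID, showing how the cookie links lookups across IP changes while a cookie-less request stays unlinked. The tab-separated log layout, IP addresses, GUIDs and `cd=` values are constructed; only the host, path, `cd` parameter and `MC1=V=2&GUID=` cookie shape come from the advisory.

```python
"""Audit proxy logs for WMP 8 disc-lookup requests and their MC1 cookie."""
import re
from collections import defaultdict, namedtuple
from urllib.parse import parse_qs, urlsplit

LOOKUP_HOST = "windowsmedia.com"        # host named in the advisory
LOOKUP_PATH = "/redir/querytoc.asp"     # path named in the advisory, lower-cased
# MC1=V=2&GUID=<32 hex digits>, possibly among other cookies in the header.
MC1_GUID = re.compile(
    r"(?:^|;\s*)MC1=[^;]*?GUID=([0-9A-Fa-f]{32})(?![0-9A-Fa-f])")

Lookup = namedtuple("Lookup", "timestamp client fingerprint guid")

# Everything below is constructed sample data (hypothetical log layout:
# timestamp <TAB> client IP <TAB> URL <TAB> Cookie header, "-" if none).
GUID_A = "A1B2C3D4" * 4
GUID_B = "0F1E2D3C" * 4
BASE = "http://windowsmedia.com/redir/QueryTOC.asp?version=8.0.0.4477&cd="
SAMPLE_LOG = "\n".join([
    f"2002-02-20T19:02:11\t10.0.0.15\t{BASE}3+96+4A10+9C22\tMC1=V=2&GUID={GUID_A}",
    "2002-02-20T19:05:40\t10.0.0.15\thttp://example.com/index.html\tsession=abc",
    f"2002-02-21T20:15:03\t10.0.0.15\t{BASE}2+96+71F0\tMC1=V=2&GUID={GUID_A}",
    # Same player after an address change: the cookie still matches.
    f"2002-02-25T21:30:47\t10.0.0.77\t{BASE}4+96+3000+6000+9000"
    f"\tlang=en; MC1=V=2&GUID={GUID_A}",
    f"2002-02-25T22:01:19\t10.0.0.23\t{BASE}3+96+4A10+9C22\tMC1=V=2&GUID={GUID_B}",
    # Lookup sent without the cookie, as the advisory recommends.
    f"2002-02-26T18:44:52\t10.0.0.42\t{BASE}2+96+71F0\t-",
    "truncated line without enough fields",
])


def parse_record(line):
    """Return a Lookup for a disc-lookup request, or None for anything else."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 4:
        return None                      # malformed or truncated record
    timestamp, client, url, cookie = fields
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != LOOKUP_HOST and not host.endswith("." + LOOKUP_HOST):
        return None
    if parts.path.lower() != LOOKUP_PATH:
        return None
    cd_values = parse_qs(parts.query).get("cd")
    if not cd_values:
        return None
    # parse_qs decodes '+' as a space; restore the '+'-joined offset list.
    fingerprint = "+".join(cd_values[0].split())
    match = MC1_GUID.search(cookie)
    guid = match.group(1).upper() if match else None
    return Lookup(timestamp, client, fingerprint, guid)


def audit(log_text):
    """Split lookups into those linkable by GUID and those sent without one."""
    by_guid, anonymous = defaultdict(list), []
    for line in log_text.splitlines():
        record = parse_record(line)
        if record is None:
            continue
        if record.guid:
            by_guid[record.guid].append(record)
        else:
            anonymous.append(record)
    return dict(by_guid), anonymous


def summarise(by_guid):
    """Per GUID: the client addresses seen and the distinct discs, in order."""
    report = {}
    for guid, lookups in by_guid.items():
        discs = []
        for item in lookups:
            if item.fingerprint not in discs:
                discs.append(item.fingerprint)
        report[guid] = {
            "clients": sorted({item.client for item in lookups}),
            "discs": discs,
        }
    return report


if __name__ == "__main__":
    linked, unlinked = audit(SAMPLE_LOG)
    for guid, info in summarise(linked).items():
        print(guid, info["clients"], info["discs"])
    print("lookups without a player cookie:", len(unlinked))
```
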
Re:It's not a log, it's a cache (Score:2)
...yet. The important difference is that it's a Microsoft player on a Microsoft OS that's registered to you and identifies you uniquely (by default) to Microsoft when you make the queries. Note that Microsoft's answer to "Will you use this information" isn't "We can't", but rather "We're not planning to, but we won't rule it out".
Better questions to ask them would be:
This story raised a lot more questions than it answers.
CDDB does the same thing (Score:3, Informative)
Fortunately, their privacy policies [gracenote.com] state otherwise:
It doesn't now, but if an investor comes along with a big suitcase of cash, I wonder if their privacy policy would change overnight?
adam
Re:CDDB does the same thing (Score:2)
They collect information for a stated purpose.
The email address is probably to help weed out junk downloads which would poison the statistics.
They could gather information they shouldn't, but that would tend to interfere with their purpose of getting good aggregate data.
Since it requires conscious effort, and in the absence of other personal identifications, it shouldn't be a risk to anyone's privacy.
Reality Forces me Into Cynicism (Score:2, Insightful)
Technology permitted capture of more information about us, our habits, our preferences, our purchases, any activity; and a company or State passed on that opportunity.
Winamp does the same damn thing (Score:2, Insightful)
Billy Boy (Score:2, Funny)
<BillGates> Gee fellas, could you please help me download good pornographic films?
<@Antel> lol, get out of here you l0ser
<BillGates> But wait, I'm really desperate here. I gotta OC-48 and a 12TB IBM RAID storage tower.
*** Antel sets mode +b BGates@microsoft.com
*** BillGates was kicked from #pr0n by Antel (get lost you geek!)
not just CDDB (Score:4, Insightful)
The same company that assigns you a unique number for the downloads you make also has the database you were required to register with in order to activate your WindowsXP. Manipulated properly it would be a rather simple task to match a real name and address with what you watch on media player - especially if this 'unique number' and the registration number for XP were one and the same.
And note that Microsoft hasn't ruled out using the data for marketing purposes. Imagine the look on your spouse's face when you suddenly start getting free trial issues of Spanking Teen Cheerleaders! . Or the look on your face when the FBI comes crashing through the door because an 'anonymous tip' from a 'reputable source' claims that you were watching illegal porn videos.
Max
What could somebody do with this data? (Score:3, Interesting)
I'm a little concerned that MS might detect that I ripped a DVD so I could use a particular clip as reference footage for an animation I'm working on, perhaps use the DMCA to fine me for it. Other than that I don't really care if they know what I'm watching or not.
Is there a larger problem I should be aware of? Could somebody explain to me what MS or anybody else could do with data about what movies I watch, or what websites I visit, or whether I'm attracted to either T or A that would be bad?
Let me be a little clearer... (Score:2)
Real Player used to be worse (Score:3, Informative)
The big question is, will Microsoft respond in the same way and back down?
This IS a big deal (Score:2, Interesting)
But not in and of itself. The thing that is bugging me about windows is that there seems to be more and more spilled about spyware/spyware-type things in XP. Possible universal backdoors for encryption, for example. Nothing bad has ever come of any of it, but what bothers me is that as consumers we're getting used to hearing about this kind of shit regularly, and this is the stuff that Microsoft is willing to admit! I mean, let's be frank, if M$ wanted to lie about something evil in there, they'd be more than willing. The question on my mind is can we trust Microsoft (or for that matter any proprietary operating system manufacturer) to not spy on us? There are a lot of people out there, Government/Marketing/et al., who would be thrilled to get a piece of some secret evil.
Well, actually you can just make this stuff up... (Score:5, Insightful)
This article is mostly scare tactics, as ever since the beginning of time there's been a file named CDPLAYER.INI in the windows folder that stores CDDB info. A local cache should actually enhance your privacy as it will reduce calls to central servers when you play your CDs or whatever.
WMP 7+ however doesn't use this file. If you look in your Windows folder again, you'll notice a couple of files named WMSysPrx.prx and another one named similarly that actually stores the song database. That's how the 'media library' feature works, it's all stored in there -- you would expect a program that catalogues songs to store a list of media played somewhere, wouldn't you?
It's true WMP does track how many times you play a song. But discovering the fact isn't exactly a journalistic coup, it's listed in the program itself. Look in the 'Media Library', this is listed along with all the rest of the ID3 information (at least in WMP 7)... not exactly a huge secret. I have never heard of MS sending this info off to its site before... that sounds a lot like how Real got into trouble a few years back, and also a lot like a very inventive and paranoid reporter. If you're worried, delete those files mentioned above every so often.
The unique ID is more interesting. I really recommend turning this off in your WMP options, as it's only really useful if you're buying proprietary WMA files online... and somehow I don't think many slashdotters will be doing that.
The worst part is that it opens up the recently discovered SuperCookie [securitytracker.com] exploit in which websites can embed a player in a page and get its ID number. Since it's globally unique and installed on most computers, it's a great way of tracking users who are savvy enough to turn off cookies.
So nuke the ID feature quickly from your player options... even if you use *AMP to play your sounds, you could still be vulnerable to this.
Microsoft's Own Info on the Subject... (Score:2)
Seems kind of self explanatory... again this is the same with any software... if you don't like using it, then don't... I really couldn't care if Microsoft is keeping track of what music I listen to or DVDs... if in the end all it means is I get information on something I might like (like Amazon does) then... I suppose that's OK. I think I'd only have a problem with it if they used it for evil purposes... which I'm failing to see. Now if they somehow used this to help the RIAA, then I'd be pissed because that's none of their business as an Operating System provider. (IMHO of course)
Spyware beats the pants off of Nielsen ratings. (Score:2)
Whatcha think, sirs?
Re:Spyware beats the pants off of Nielsen ratings. (Score:2)
"Cancel it." -- FOX
Ouch (Score:2)
Re:it's a Biblical event (Score:2)
Proof of Microsoft's bad faith (Score:3, Insightful)
"This is essentially a case where it (the ID) doesn't serve any purpose and it isn't used," [Microsoft's] Caulton said.
Which begs the obvious question of why put it in there in the first place.
The end of the article takes an interesting twist:
In a recent memo, Microsoft chairman Bill Gates ordered his company to check for privacy and security concerns before adding new features.
"Users should be in control of how their data is used," Gates wrote. "Policies for information use should be clear to the user. Users should be in control of when and if they receive information to make best use of their time."
[...]
He said the feature seems to conflict with Gates' directive.
"You can really see the Microsoft culture coming through that Gates wants to change. These guys are digging in their heels," he said.
Bill Gates is not a stupid person. Let us suppose for a few moments that he really has seen the writing on the wall and is sincere about this new direction for the company.
Gates bred this culture that he is now trying to change. And the paradigm shift for his company is much sharper philosophically than the previous one of desktop- to network-centric computing.
And then there is the very real argument that Microsoft's proprietary, closed-source code policy is antithetical, or at the very least sub-prime for dealing with privacy and security concerns.
What's an ersatz-visionary computer mogul to do?
I'm stunned. I've just... (Score:2, Interesting)
*****
Stuff and nonsense. The conclusion you have drawn is wrong; and the article is a typical example of the mainstream press cottoning on years too late and blowing something out of proportion.
WMP is doing nothing more than a CDDB lookup, which is then stored locally. THERE ARE COUNTLESS PROGRAMS WHICH DO THIS; any good audio program or CD ripper does the same.
WMP8 adds a DVD lookup to this, presumably for the purpose of adding a DVD entry to a playlist. I haven't heard of any program which does this before, but it's no more intrusive than the above CDDB lookup.
The information is never sent to Microsoft after it has been collected. The article somehow leaps to this conclusion from the statement that the data is stored locally.
The Washington Post is not the place to go for IT information. Nor are its conclusions to be immediately taken and used as propaganda. While MS are a not-nice company in general, this (10-year-late) online tabloid rant can hardly be taken as an example of their wrongdoings.
This is the kind of thing which tends to get the Linux rabble-rousers on Slashdot worked up, until someone points out the facts of the case. Oh well, false alarm.
*****
Turns out I'm a prophet, it seems.
Do carry on; I so love long debates about non-events and factual inaccuracies here.
- Chris
This microsoft patent... (Score:5, Interesting)
Microsoft has this patent:
System and methods for selecting music on the basis of subjective content [uspto.gov].
OPINION:
I bet they'd love to get their hands on these logs/cache/whatever... if what people choose to listen to doesn't count as subjective, I dunno what does!
Draw your own conclusions. I am merely presenting facts and opinions.
Re:This microsoft patent... (Score:2)
With the exception that it's TV, isn't TIVO prior art?
Re:This microsoft patent... (Score:2, Informative)
The TiVo came out... when? (I honestly don't know? But I doubt its development started before 1997)
Of course, who is to say what patents the TiVo uses...
Not to mention that prior art is only an issue if the patent is challenged with it. You can have all the prior art in the world, and the patent will stand if it's not used.
Anti-privacy organizations: MS and the U.S. gov. (Score:2)
It's clear from the design of all of Windows XP, not just WMP8, that Microsoft does not want you to have privacy. For example, consider how many holes Windows XP expects you to punch in your firewall.
This anti-privacy attitude is similar to that of the U.S. government. U.S. government agencies are the biggest, most well-funded surveillance organizations in the history of the world. For support for that statement see What should be the Response to Violence? [hevanet.com]
At the bottom of the anti-privacy attitude is a feeling of superiority. Below that is an inability to make successful connections with other people. It's a kind of mild mental illness that has the characteristic that those who have it find it difficult to realize that they have it.
Technical Details (Score:3, Informative)
"WMP extracted movie information from this file and then added this information to a database file, named wmplibrary_v_0_12.db, which is located on my hard disk in the directory " C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index". I didn't see any method of removing movie information from this file, so it appears to me that the file keeps a complete record of all movies watched that have ever been watched on my computer."
Has anybody *read* the article? (Score:3, Interesting)
This sounds to me very much like some sort of CDDB cache. XMMS has done this since the first line of code was written.
Does Media Player v6.4 have this? (Score:2)
Microsofties Quit! (Score:2)
Everyone knows that just as with mathematics, you can do anything in software. The point is, only the mentally damaged and egomaniacal build this kind of bloated, smirking, F***ED by Redmond again supercookie loggers into the monopoly operating system.
CALL TO ARMS!
I don't think it's so bad! (Score:2)
When I first saw the
However, after reading the article in the Washington Post, I don't think it's bad at all. I expected that the album and songnames downloaded to my computer would be stored in a file somewhere. Kinda hard to apply the names to the songs without storing them somewhere. I think this is another one of those Microsoft bashing stories. I mean, come on, if Microsoft says they are not using the information for marketing purposes, then I believe them.
I have used linux, I know how to program in Assembly and I still spend most of my time in a DOS box. I'm not a "new GUI user", but I don't think that Microsoft are bad and evil. I like some of their products, and I use the ones I like. Mediaplayer happens to be one of them.
And they're using this for... (Score:4, Funny)
From: Microsoft Legal Department
To: Valued Customer
Subject: Windows Media Player Usage Report
Hello,
we have noticed you have played back pirated episodes
of Star Trek Enterprise downloaded from the net.
This is a violation of federal law.
We charge you $10,000 for this information; if we do not receive this amount of money, your registration information (as well as the information you used to register on any websites, as tracked by Internet Explorer) will be forwarded to the MPAA.
So, what the heck is spyware these days? (Score:2)
I thought it was something that delivered information about me without my permission.
Much as my fingers burn typing anything kindly towards Microsoft (I still haven't used up all the anger from corrupted PowerPoint files working on a past job), I don't see that here.
This stuff seems to be potential, not actual, spyware, although Microsoft's reaction would give me the heebie-jeebies if I used the stuff.
True, the software generates information that could be very interesting to some people and that would royally piss me off if it were being sent out to anybody.
But that's true of damned near everything I do or use on my computer (Linux, not Windows).
The sending's the thing, not the collecting. As at least one poster points out, the cache actually improves your privacy by reducing the number of times you go to the original database.
So long as the info stays on your machine, it ain't spyware.
Check back tomorrow, though.
Marketing use? (Score:2)
The time is now for Open Source porno to combat this future menace!
Even worse: IE tracks your browsing! (Score:3, Insightful)
The worst part is, Microsoft doesn't deny that they could use this information for marketing!
The only way these customer-hostile corporations will get the message is if we vote with our wallets. Don't use IE! Use only browsers that don't maintain this so-called "History" log! Power to the people!
</sarcasm>
By now, everyone knows that this behavior inside WMP is just CDDB lookup caching. Every CD player I've ever seen has done the same thing. For that matter, so does every program that caches anything, from your web browser to your email program to... well, anything.
You can all stand down from red alert now. Cancel the march on Washington.
How to defeat it (Score:5, Informative)
The file, wmplibrary_v_0_12.db, contains in cleartext the name of every movie you've ever watched with media player. The names are in cleartext but each byte is spaced out with a pad byte, so you can't just grep for the names you're looking for.
If you delete the file, WMP regenerates it on use.
But, if you create the file as a zero-byte file, WMP does not fix it and does not store any information about what WMP is playing, ripping, burning, etc.
Tested Today, 2/21/02, with Windows 2000 and WMP 7.1. Oh, they didn't mention it's not just XP? It's not just XP.
--
You're Reading Managed Agreement [slashdot.org]
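The padded storage described in the "How to defeat it" comment above, as an added example that is not part of the thread or of any Microsoft code: it shows why a plain byte search misses the titles and how to list them when auditing what such a file holds. It assumes the pad byte is 0x00 after each ASCII character (UTF-16LE style); the sample bytes, titles and function names are constructed for illustration.

```python
import re
import sys

# Assumption: the "pad byte" is 0x00 after each ASCII character, which is
# how UTF-16LE stores plain English text. The thread does not say this.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def build_sample():
    """Constructed bytes imitating a library file: noise around two titles."""
    blob = b"\x07\x00\x01\xff"
    for title in ("Example Movie One", "Another Sample Disc"):
        blob += title.encode("utf-16-le") + b"\x00\x00" + b"\xde\xad\xbe\xef"
    return blob


def plain_search(data, needle):
    """What grep effectively does: look for the contiguous ASCII bytes."""
    return data.find(needle.encode("ascii"))


def padded_search(data, needle):
    """Look for the same text with a 0x00 after every character."""
    return data.find(needle.encode("utf-16-le"))


def wide_strings(data):
    """Return (offset, text) for every run of 4+ padded printable chars."""
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in WIDE_RUN.finditer(data)]


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample()
    for offset, text in wide_strings(data):
        print(f"{offset:#010x}  {text}")
```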
"Title and Chapter Information"? (Score:3, Informative)
This begs the question: what is a DVD's "title and chapter information," anyway?
What possible purpose does having it serve?
We all know that CD player programs call up CDDB because there's no track and album titles handy on the disc. That's fine and good: perfectly legitimate use of network callback. Note: there's no need at all for any personally identifying information (GUID, cookie, or whatever) in that transaction... but that's not my main point.
Unlike a CD, a DVD has every piece of information you already need included, along with a custom interface, etc etc. And in all the coverage I've seen of this issue, no one seems to be catching on to the fact that, as far as anyone can tell:
DVDs are not CDs. There is no justifiable need for any user to have a DVD's "title and chapter" info at all, let alone for them to give a unique identifier to MS while requesting it.
So why go to all the trouble of building a scalable web application to service a non-feature?
Sure, MS is rich, but I guess conservatively that this functionality was a low six figure outlay to start, and it creates a neverending and not inconsiderable ongoing support cost to maintain a database and a server farm. It has to be big: they're servicing every XP/WMP8 user in the world, after all.
On a final note, let's consider the infamous Windows GUID. It's generated from a variety of sources: your PIII Processor Serial Number, if available, your ethernet MAC address, and I believe several other pieces of optional identifiable hardware are potentially tapped.
Microsoft is the same company that silently attached GUIDs to every Word document you produce, by the way.
GUIDs don't contain your name or email themselves, but wait...
http://www.computerbytesman.com/privacy/wmp8dvd.h
"However, if a person signs up for the Windows Media newsletter, their email address will be associated with their WindowsMedia.com cookie."
It gets better.
"Also when subscribing to the Windows Media newsletter, I was encouraged by an email message from the Microsoft newsletter department to create a Passport account based on my email address. In theory, yet more personal information from Passport could be matched with what DVD movies I have watched."
If you are curious, the other shoe dropping will sound like this:
MS "Passport" registration (which is required for customer support) also collects GUIDs directly.
-David
How to defeat Windows XP Media Player Spyware (Score:3, Informative)
It's a trivial fix, really. Windows Media Player records the list in a file. Just make the file read-only! Problem solved.
Here's the file name for Windows XP:
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db
Here's the file name for Windows ME:
c:\Windows\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db
Here's the file name for Windows 98:
c:\Windows\wmplibrary_v_0_12.db
The easiest way to find the file is to search your disk for "wmplibrary". Then right-click up the properties for that file and make it read-only.
This spying behavior has been around for a long time. I noticed it a year or so ago, and made the log file read-only. It's been working fine ever since, without writing a log.
You can see the log in the Windows Media Player by pressing the "Media Library" button and opening up the outlines. Just make sure to clear out the log first, before you make it read-only. When you delete an item from the log, it goes into "deleted items" folder. So make sure you finally clear out the "deleted items" section of the log.
I found the log file by using Igor Arsenin's [iarsn.com] "taskinfo [iarsn.com]" utility, that lets you see all the files any process has open. Taskinfo is a great tool for figuring out what logs any Windows programs are keeping. Solid Russian engineering. Use it to spy on the spyware!
-Don
Re:Exaggeration! (Score:2)
It's spyware when it sends the data back to Microsoft.
Re:marketing data? (Score:2, Interesting)
adam
Re:marketing data? (Score:5, Funny)
You laugh now but soon, all your popups will be for Jergens, Vaseline and inflatable girlfriends.
SD
Re:This is a ways off topic, but... (Score:2)
Re:I'm Flabbergasted! (Score:2)
I can't even play music on my computer any more! (Score:5, Insightful)
And when I use the Sony Media Bar software that came with my Vaio, to try to listen to a CD while browsing the web and performing another task (graphics or HTML editing, for example), the damn thing crashes!
The machine has a perfectly good DVD-ROM drive. If I could just run a headphone jack directly out of it, and play CDs with no stupid software layer involved, I'd be happy. But I can't.
So now, sadly, I have to listen to music on a portable CD player sitting on my desk. My perfectly usable computer has been handicapped by its software.
The worst part is, that when I see what's coming down the pipe -- region-coded everything, RIAA/MPAA copy "protection" lockdowns destroying fair use, the death of webcasting, even more media mega-mergers, and spyware in EVERYTHING -- I know that it's going to get a lot worse.
Re:I can't even play music on my computer any more (Score:2, Informative)
Huh? I'm a faithful winamp user -- have been since it was shareware. When you install, they clearly give you an option to "submit anonymous usage statistics", which you can very easily uncheck.
If you want the term 'spyware' to mean anything, try using it when warranted.
Sam
Re:I can't even play music on my computer any more (Score:2)
Re:I can't even play music on my computer any more (Score:5, Informative)
May I make a few [redhat.com] small [xmms.org] suggestions [sourceforge.net]?
I care. (Score:2)
Don't forget (Score:2)
Re:HA! I knew WMP8 was too good to be true (Score:2)
Damn straight. My biggest peeve with WMP--you can't launch multiple copies at once! I do graphics development, so I can't listen to a CD in WMP and then watch an MPEG at the same time. Yeah, I could use Winamp, but my install has "mysteriously" stopped working in XP. Guess it's time to figure it out...
Re:And yet the TIVO is A-OK... (Score:3, Informative)
Microsoft didn't tell anyone about this crap they put in WMP, and when 'caught,' simply amended their EULA to cover it. Additionally, Microsoft offers no option to opt out of it, and even if they did, anybody who tried to confirm this by the same methods the TiVoers used would probably get whacked by the DMCA.
~Philly