RealNetworks to Create Patch to Block Personal Data

Quite a number of people have sent us word that RealNetworks has apologized for not being clear about what data RealJukeBox was collecting and has updated its privacy statement. Additionally, they are making available a patch for RealJukeBox that will disable the data collection.
  • by Anonymous Coward
    RealNetworks is a known bad net.citizen: they've been unrepentantly spamming for a while now. As a result much of their IP space was in the RBL as of two months ago. RN's PR toadies tried shining on spamfighters with promises of better behaviour, but darned if that spam server out there didn't crank up the very next day! Don't take my word for it, hit dejanews and look up RealNetworks in news.admin.net-abuse.email. Bring lunch. I'm not surprised to see RN stoop to stealing information from people's computers; their next move was just a matter of how much further they could go beyond spamming.
  • I think we should get lawsuit-happy here -- if only because it's our only recourse. That is, everyone in Europe or Oregon who had this happen to them, who reads /., should see about suing Real.

    Bah.
  • Note that space between "A" and "nonymous" -- s/he's not a real AC. Here's his/her user info [slashdot.org].
  • It's why I don't shop at Amazon anymore.

    IMO, the right to privacy includes the right to privacy in aggregate. In other words, since I personally have an expectation of privacy, I don't see that I give up that right by being a member of a group.

    Consider the smallest possible group, 2 people. Should I be able to track all the purchases a group of two people makes? What is the fundamental difference between tracking a group of 2 people and of 20? Where is the line where it becomes okay to publish purchasing records? 200? 2 million? I don't think that line exists.

    We have the right to privacy in aggregate. We should be insistent on it. Programs like Purchase Circles at Amazon should absolutely be opt-in, not opt-out.

    It's nasty of Real to be collecting this data without prior permission. Claiming that it is somehow okay because the data was 'in aggregate' is specious and false.

    I'll never use their software again, personally. Even Microsoft has more respect for privacy than that.
  • This is nothing new. Go to CDDB's Top Ten [cddb.com] page. They've gathered the information that the most popular CD played by people in their computers is the Backstreet Boys.

    And I don't see any privacy policy. How do you know they're not tracking the IP addresses of every query, building up a tasty wee database of their own?

    Real's mistake was to include the GUID with every CD request. And the patch removes this. But their main task of building up a database of who's listening to what can carry on unabated.

    rOD.
    --

  • Besides that, with the advent of the new moderating system, that's not one of the rules, since almost everyone can at some point in time be a moderator.
  • Yes, it's nice that RealNetworks apologized, but they shouldn't have been collecting that kind of data to begin with. Of course you have to give them kudos for making the patch; kinda makes you wonder if they hadn't already had it developed? Like maybe they knew they were going to get caught sooner or later so they had a solution already made, ready to get it out, something of a PR move perhaps? Ah well, the fact remains they could have said, screw you, we're going to collect the data if we want to, pppttthhh, but they didn't. Any company that can admit they were wrong deserves a little respect.
  • Why not just use streaming mp3, ala Icecast? It does have patent problems, but at least there are open source players/encoders available. Besides, mp3 quality is generally better than Real anyway.
  • Personally, I prefer sales@real.com or support@real.com
  • Too often, I have found myself saying, "This is a minor infraction and the company should be commended for responding so quickly." Now, I am convinced that the only way people concerned about their privacy will be satisfied is if there is an informed consent law with respect to on-line registration and update of software.

    For instance, I have no idea what information is being exchanged between my Windows PC and the server when I use Symantec's or Netscape's Smart Update features. Shouldn't I be concerned about this as well?

    The difficulty I see in creating legislation about this sort of thing would be in differentiating between session tracking devices (like cookies) which often do not compromise user privacy, and more invasive data capture techniques like the one documented in the RealJukebox situation. We can also be sure that any bill would be loaded with all sorts of amendments which would attempt to cater to cyber-Luddites and busybodies who want to control what other people see and do with their computers.

    For the record, I am the president of a small Web integration firm. There is no doubt in my mind that calling for legislation of the kind I am suggesting puts us at the top of a slippery slope. But, I believe that this example is only the beginning of a long line of surreptitious personal data grabs.

  • This is not anything terribly new--RealNetworks has been hyper about gathering user info for a looooong time--back to RPlayer 2 at least. Not, admittedly, at this level, and it's been opt-out-able previously (I never downloaded Jukebox, so I don't know if there's an opt-out feature as usual).

    This is apparently a bit slimier than previous attempts, but hardly a change in fundamental tactics.

    I'd like to see a class-action lawsuit using the new marketing techniques (pay to surf style, etc) as a basis to force RN to pay its customers for the information they were forced to provide.
  • According to someone I know that works at Real, there were already murmurings last week of the impending PR disaster. I'm guessing they already had the patch ready.
  • Let us assume for the moment that Real Networks had decided to ignore the pleas from the Internet community to fix this privacy bug. What could the Internet community do? Boycott Real Networks? If that were to happen, people who needed to use streaming media for their livelihoods, etc, would be screwed. The only choice they'd have is going with Microsoft, which has not demonstrated any better tendencies to protect the privacy of users.

    Think about that for a moment. There are only two vendors who are really competing in this marketplace and they have incompatible products. So, if they decide to do something that is bad for people on the Internet there isn't a whole lot that can be done about it.

    This is why open standards are good (what can I say, I love preaching to the choir :). If we have open standards, then neither one of these companies can maintain monopolistic control of the technology. If Real Networks doesn't do it right, we go somewhere else that does meet our needs.

    So, any volunteers to make a streaming media distribution protocol standard???

    ---

  • Fool me once, shame on you, fool me twice, shame on me. -- Commander Scott, USS Enterprise
  • Disclaimer: I am not a lawyer, so basically, I don't know if this is relevant or not.

    Seems to me that this is a criminal activity vis a vis unauthorized use of a private computer system. Hypothetically speaking, of course, if someone visited my website (if I had one :), downloaded a program, ran it, and the program sent data back to my site, what then? I think it would at least earn me a visit from the FBI. I hope the DOJ is paying attention.

    How about theft of bandwidth? I don't recall them asking me if they could borrow a cup 'o bits.

    Anyone with some background in law care to shed some light?

  • This means nothing. They know damn well that 98% of their users will remain completely unaware of the whole issue, and of those who find out about it, few will bother to download and install a patch.

    This kind of thing has become Standard Operating Procedure for companies these days: worry about privacy only if you get caught, then throw a bone to all the "privacy freaks".

    There's tons of financial incentive to spy on users and have crappy privacy policies. There's pretty much zero incentive to worry about it. Their attitude is "just throw it in there, probably no one will ever find out about it, and if they do, we throw a patch to the weirdos and continue gathering our information from the vast majority of people who will never even be aware of the issue."

    Companies are never punished at all for privacy invasions, so why should they really care?
  • Sorry if this feels a little curt - I'd got a lovely reply written when I stopped concentrating for a moment and closed that window instead on another...

    This sounds suspiciously similar to the Cookie Problem [slashdot.org] and so suffers from the same potential problem [slashdot.org]* as that for us lucky Europeans :) in that you can't collect personal data in the EU and then export it to a less severe jurisdiction to try and bypass data protection legislation.

    If this is the case, which ZDNet UK News think it is - I promise I first hit reply to this article without having read their take on it [zdnet.co.uk], honest! - then this could get quite interesting. If the EU take this one to trial we could end up with this sort of practice made impractical for the whole net as it couldn't be legally used on a pretty large chunk of the users - I'm told we're currently predicted to be bigger than the USA on the net within 5 years, or something like that anyway. I haven't got the figures to hand, but that was the gist of it, OK? :)

    And yes, I know that this article's talking about them releasing the patch and upgrading the privacy statement - but if the software isn't legal without the patch then it gets even nicer as they have to make that the default!

    For those who are interested in the details, the UK law is here [hmso.gov.uk] - as I understand it, other EU countries have roughly the same rules by agreement.


    Greg

    * Sorry to quote myself. It's just that I know I explained it and I can remember that quicker than I can find if anyone else gave a better explanation...
  • Just a tiny little thing, but this was supposed to be a little more restrained - just didn't occur to me to check it...

    The ! in the subject is a typo, honest. I'm not getting all hysterical about it ;)

    Greg
  • Last time I looked, CDDB doesn't require an email address or your name for lookups. It has even fewer privacy issues than a web server without cookies or javascript.

    BTW, you give an awful lot of credit to a company that went to great lengths to hide the information being sent, and whose first reaction to the Smith article was a lie ("it's all CDDB's fault: they want an email address.")

    There was no mention of this tracking in their privacy statement. Guess what? Their privacy statement was wrong. So now they say that they don't store the info and they expect everyone to believe them?

  • Just remember, if there's a pile of Horse Shit there must be a (trojan) horse around somewhere

    Tag, you're it

    Charlie
  • I'd be a lot happier if they didn't have this crap in their software to begin with.
  • How many people complaining about Real's 'backdoor' have a listed telephone number?

    Er, is it National Non Sequitur Day in your country?

    It is completely hypocritical to complain about this one lapse of security when you let a much bigger and dangerous one slide by.

    Never mind; the answer to my question is clearly "Yes"....

    You have a choice whether or not to list your number, and you have a choice whether or not to use this product.

    Choice requires informed consent. Fraudulent misrepresentation of a product (e.g. wilful installation of hidden snoopware features) negates informed consent. That's why fraud is illegal in civilized countries.

    bkennedy99@Home.com

    You were saying something about being "completely hypocritical"...?
    /.

  • Anyone who installed the Real Jukebox had a choice not to.

    What part of the term "informed consent" is unclear?

    By your 'reasoning', if you pick up a word processing program and it secretly sends everything you type to the FBI, you have no complaint coming -- you had a choice not to install a word processor.

    Again, this is why fraud and misrepresentation are illegal in civilized countries.
    /.

  • It seems that a lot of people are kind of missing the technical point about what nefarious things Real Jukebox was really doing. When one understands the issues, the only thing that Real can be blamed for is bad marketing and documentation, not evil technology.

    The issue that people are up in arms about is that every time a CD was introduced into the CD-ROM of a PC, Real Jukebox sends this information back to Real. That in and of itself seems quite a strong violation of one's privacy on the face of it, no? When left just at that, I too would agree that I wouldn't want Real to know what CDs I'm playing. But I think focusing on this without any further context is missing the point. And for some reason, this is the point that Real doesn't seem to be making for themselves.

    In fact, I would argue that one of the best (value judgement) features of Real Jukebox is that when a new CD is introduced to a PC it "figures" out the artist and song titles. To me, this is a *good thing*. This has value. This means I can be lazy. I'd much rather not have to enter all this information by hand. Frankly, I'm quite content to give up a bit (*small*, *tiny*) of privacy to have all the CDs in my collection show up with full catalog information entered without any effort on my part.

    I can appreciate that at some point, I have to "pay" for this useful feature. When choosing CD apps for my PC, this is a *required* feature for me. I will not use a CD player app that doesn't support CDDB. It's just too annoying to not have the artist and song title of what is playing immediately available.

    But I also understand that some information about *MY* CD collection necessarily needs to be sent across the wire for this feature to work. Did the people who were using Real Jukebox, DiscPlay, xmcd, whatever think that these programs were somehow magically capable of intuiting artist and song information? This seems obvious but seems to have been lost in the discussion. If you want the artist name and song titles of a new CD you have to be able to look it up in a database. And this means that at some point, you're at a minimum telling someone your IP address (NAT and other proxies notwithstanding) and the CD you're looking for. Of course, the CDDB database also wants "an email address", which is what is making things so tense this week.

    What is quite striking about the current press and open source frenzy regarding this issue is how Real is getting lambasted for this feature. Why are they so special as to receive all this free publicity? What about all the others who were doing this long before Real?

    In fact, this is not a novel Jukebox feature at all; the CDDB format has been around the 'net a long, long time. Why hadn't the privacy advocates been blasting those other programs? Was it because for the most part, CDDB has been implemented by open-source programs and that open-source programs were somehow above that level of scrutiny? No, I don't think so. The problem is that Real didn't educate people well enough about their program and its features. The types of people who were using an open-source CD player tend to also be the kinds of people who will automatically "get it" that for the player to know the song titles of their CDs they're going to have to give up some privacy to do the CDDB lookup. The average person using Real Jukebox, on the other hand, might not appreciate this technical point. In fact, they're probably more likely to think that Real Jukebox has an on-disk database of all the CDs ever issued. Okay, they also prolly didn't think too hard about the new CDs they're buying either.

    Real can be dinged for bad documentation for not making this point better, but I do not think that Real set out to invade people's privacy. They've been on record about not storing information anywhere and there is no reason to doubt the veracity of their statement. And for those who are offended by this, I recommend that they stop using Real Jukebox or DiscPlay and go back to using the CD player app that ships with Windows, the one where you have to enter all the artist/title information by hand. I'll assume that the unix people understood the privacy trade-off before this was a "NY Times"-worthy issue.
  • How does that violate the rules? I mean, he's not moderating right now, and hasn't moderated this thread at all, so what's the big deal? I moderate every once in a while; heck, you can easily tell by how high a karma they would have. I know that someone that has a karma of 120 would moderate, but they can still participate in the threads when they are not moderating that story.

  • I knew many people would misunderstand this post. But if you do actually understand what I'm trying to say, then I COMPLETELY disagree with you. This is not about copy protection, it's about privacy. There's nothing wrong with copy protection. The problem here is that under ANY circumstance, I don't care what the reason is, if you're a rapist or a pirate, no data should EVER leave your machine without your knowledge. Period.

    In their case, a much more elegant solution would've been to simply make the online registration mandatory, then when you register, you send the serial number. If it's a serial number on their "black list" then they refuse the registration and log your IP. The way it is now, I believe, is that the software will work with the number (with their knowledge that you're using a stolen number), but at the same time it is sending data to realnetworks, without your knowledge. This kind of "sneakiness" really freaks me out and it should also scare anyone that has any regard for their privacy.

    I personally code for the palm OS, and have a piece of software that requires payment for a registration code. I could've made it such that with every update, I'd secretly embed a database of stolen codes in the app. If your code matches one of them, I could make my program randomly corrupt data. I thought about it for maybe a second...but it struck me as highly unethical, even though the user was using a stolen code to begin with, so I decided against it.

    -dr0ne


  • Realjukebox is only one of the few apps that realnetworks distributes. What about RealPlayer? Has anyone seen similar activity? Specifically (don't know if this is true or not, I don't use RealPlayer), I've heard that if you try to register RealPlayer with a serial # found on the net, it will work, but every time you run it, an update window will come up asking if you want to download their "latest update". It ends up that this is really a patch to disable the software if you get the "update".

    Now even though this is sneaky as hell, I can only wonder what _other_ kind of information gets sent to realnetworks about you, if you try to register with a number snatched off the net....

    -dr0ne

  • "Consider the smallest possible group, 2 people. Should I be able to track all the purchases a group of two people makes?"

    I agree that real sucks, always hated them, now I hate them more, will now go out of my way to tell
    others to avoid them. (they have made the dreaded list)

    BUT...
    I think ....

    "....What is the fundamental difference between tracking a group of 2 people and of 20?"

    Not 20, but I think it's ok to track the purchasing habits of a group of people that is so large that any one person's purchases are only of statistical significance (i.e. not tied to a name). And only if you are going to use the data for recommendations.. Since no company is ever not going to be totally evil and just generally screwed up, I think we can be safe to say that it is (in real life) never right to use Aggregate Data...

    I think this is a really big deal by the way, and I hope they get a lawsuit or two. Just to show them that they are not totally above the law..
    (and morality)
  • Actually, most companies automatically record your IP when you hit their site, ftp server etc... and do some sort of measurement and analysis based on it.

    CDDB is just sharing some of that info with the rest of the world, but as far as I know no one will be able to discern that you are a closet Backstreet Boys fan :)
  • That's awesome, dude !
  • If they force you to fill out those forms just give them garbage answers.

    I give them none@ofyourdamnbusiness.com as my email address all the time.
  • I hate to be paranoid (or actually, I might even enjoy it a little), but is there any independent way to verify that they have actually stopped collecting this data? I mean, how do we know that this patch is really going to fix the problem? Maybe they'll still be covertly collecting some information from our system and shipping it off to some dark and dusty room filled with cancer-prone government officials poring over our records in glee. I mean, it's scary to think they would even attempt this in the first place, and I don't exactly trust people who've tried to pull one over on me.

    This is just another reason to promote Open Source. If you have access to the source code, there's no way they can get away with something like this. I like to know EXACTLY what my programs are doing.

  • But the fact remains; they shouldn't have done it in the first place. I hope the response they've received from this has helped them learn, and it doesn't happen again.
  • Couldn't you just set up a packet filter to drop everything going out on a certain protocol or to a certain place? On a (hopefully) similar topic... if you have linux on a p3, couldn't you watch for your serial number going out in the data, and drop the packet if it is? What would be the chances that real data matches exactly that bit pattern? Anyone? Sorry, I don't know the details... these are just some ideas to protect privacy.
  • I only have to be burned once, before I understand that I should not touch a hot flame.
  • Yes. It's clear Real knew exactly what it was doing, took a calculated risk, had the patch prepared well in advance, and probably considers this episode a successful advance of its "learning ecosystem".

    If you've read about Rob Glaser (Real CEO), you've learned he's spawn from the M$ culture, and is eager to reproduce it on his own by a.)gaining ubiquity and b.)leveraging proprietary advantage. He's not to be trusted. But it's hard to trust many shareholder-owned corporate entities these days. And trust is the basis of loyalty, trade, and cooperative advantage.

    In the end, (and this may sound a little outrageous), any company that operates on an "us" (owners) vs. "them" (customers) basis, sneaking around, seeing what they can get away with, etc. is doomed. The corporation that can figure out how to include customers in the equity equation will thrive by generating the most trust (trade). (After all, customers provide attention, cash flow, preferences data, etc.) Sound crazy? Well, it's what Dee Hock envisioned for Visa.. He guessed Visa would be 4 times more powerful today if merchants and cardholders shared ownership..

    Also.. thank god the w3 is challenging the p3p patent.. the more we individuals can control our "own" privacy, the less we'll be under the thumb of big government and big money, the more accountability will free the flow of our info, and the more trust and trade there'll be online.
  • This kind of violation will occur over & over (and most people will never know it's happening) until operating systems provide a foolproof filesystem & network "sandbox"/jail where "untrusted" software is executed by default, and any attempts to escape the jail are either intercepted or decoyed.

    Then, when you catch a process trying to access something it shouldn't need, you'll at least have a clue as to where to start asking questions, before you let everything leak. This should also handle a lot of common Trojan horses.

    W/o such a capability, everybody will pretty much have to rely on the diligence & reports of hackers (used in the context of people who have a great deal of curiosity about their systems) to find out that something is up - and that it's already too late.

  • Operating systems really need to put any "untrusted" process into a filesystem & network "sandbox"/jail, where any attempt by the process to reach "outside" of its jail has to be certified by the user (or perhaps by a trusted privacy group?).
  • So they release software and publish an essentially dishonest privacy statement, collecting data they don't tell you they're collecting. When they get caught, they announce "Oh, okay, we'll stop. Here's a patch." Given that they've already demonstrated a desire and willingness to breach my privacy and lie about it, I see no reason to assume the patch does anything other than disguise the method by which they collect data. It is, after all, closed source.
  • If memory serves, there was a class action lawsuit a while ago against Prodigy. Prodigy was installing the custom "connect to us" software, similar to the contents of an AOL CD, and included, without mentioning it, a bit of code which scanned your hard drive for financial software such as Quicken, and if it found it, it sent your financial data to Prodigy. Prodigy's users eventually discovered this and sued, winning a token settlement (a few free hours of connect time, I think.) I could be wrong about this- does anybody else remember it? In any event, it seems the same idea as RealJukebox, and the fact that Prodigy didn't get slapped hard enough for it makes me think Real won't either.
  • That was fast. I was expecting a true PR meltdown of epic proportions.

    Uhm, now, should I be relieved that they did this so fast, or should I be disappointed that it happened in the first place?

    --
  • The thing is, in today's day and age, if you use the internet in any way other than as a passive surfer you and your personal life are out there.

    Very few of us have been so careful as to never let a name or tidbit of traceable information slip out. How many of us can actually honestly say that we have NEVER gotten a piece of spam? I don't know about you people, but I have a mailbox at hotmail *just for spam*. I use it whenever anything needs an email address.. and I actually care to receive it. Needless to say I get about 30-40 spam mails a day.

    If some company out there wants to know about you, they will find out about you. Where you live, what your phone number is, perhaps gather information about your interests (newsgroups people, newsgroups!). The only way to avoid this is to *not* be on the internet. For the large majority of us, that statement is not only fantasy, but also heresy.

    Personally, although I found this alarming, I did not find this particularly surprising. How many other companies out there do you believe are doing the same thing?

    --

  • Read _Barbarians led by Bill Gates_. Everyone at Microsoft hated Glaser.

    So if you think Microsoft is bad, where does that leave Real?

  • I don't know if we should trust a company that has to use the word "real" in all of its product names. Any company that needs that kind of self-vindication at every turn has some serious image problems, and we can only assume that the image problems are caused by an inferior product and they are over-compensating. "C'mon guys, this patch is really real. It's for a real program. Really!"
  • IMO, very few people seem to think that a violation of privacy is important until someone starts misusing gathered information.

    For example, few people in Europe batted an eyelid when citizens were required to carry ID cards containing, among other things, one's religious affiliations. This of course was an absolute bitch for the Jews after Hitler gained power, because all they had to do was check your ID card (compulsory by then), and bingo, off to the camps.

    Personal choice in music may seem unimportant. But wouldn't music choice be a way for morons to identify 'anti-government sentiment' (Rage Against the Machine), 'satanistic tendencies' (Marilyn Manson), 'suicidal tendencies' (Nirvana)?

    This may seem like a pathetic example, but just think of McCarthy and the communist witch-hunts. Belonged to a communist-sympathetic group in your youth? McCarthy used that kind of irrelevant 'information' to destroy many lives.

    My point is, any information gathered about you can be used against you by dictators, government forces, whatever. We must fight against this as hard as we can, and as loudly as we can.
  • One must wonder if the "patch" was created in the last twenty-four hours, or if they already had the "patch" ... just in case they got caught.
  • It's best to remember that Rob Glaser (CEO, RealNetworks) is an ex-Microsoft man. However much he whines about how they mistreat him now, he plays the game the same way they do, and is fundamentally no different from them.
  • This type of activity by companies seems to be more common now; Apple did that amazingly stupid thing with the G4s, and then responded to consumer backlash, and Real is doing it now. Seems like:
    1. Companies are becoming more bold with their plans, and
    2. Consumers are becoming angrier, faster
      _____________
  • Great--they've apologized. And they're issuing a patch so people can prevent data from being transmitted. And they've updated their privacy statement (presumably to "you have no privacy.")

    They've explained that they needed to know what CD you were playing in order to get playlist data from a third-party database. I don't seem to see any explanation of why the program scanned your hard drive for personal information, and the number and names of any MP3s you had.

    And consider how many users of RealJukebox don't read SlashDot (or don't read, period). How many people will install the patch? How many people will read the new privacy statement?

    RealNetworks did not say, "oops. We'll stop doing that, and we'll never do it again." What they said, instead, was:

    "Nonetheless the company will cease the collection of the type of data that led to the privacy concerns raised until such time as the company enhances how it provides for clear informed consent."

    Which is manifestly not the same thing.

    What they should do is build new server components that are not compatible with existing installs in the field. Serve a page indicating that "to download a version of RealJukebox that doesn't invade your privacy, click here", and ship a version that specifically warns the user of the privacy risks and requires the user to specifically opt IN--not out--in order to use the Trojan Horse features.

    Till then, this is still a Trojan Horse.
  • Just like WWII bombers used tinfoil to confuse enemy radar, I want a patch that will randomly pick titles from the CDDB and then submit them to Real. It can run any time my machine is idle. Then, Real can enlist the aid of SETI to see if they can find any sign of intelligent musical life in my "tin-eared foil", the random datastream.

    This patch would have the nice added feature of confusing the pricks at CDDB too, who've stamped a copyright on what once was shared, mutually created data.

    Would this policy annoy Real? I don't think so, it meets their own criteria. First, I would not be accumulating the data, I would submit it and forget it. Second, I would only release or sell aggregate statistics, stuff like "65536 records submitted to two music related websites". And, third, I can go them one better and apologize in advance: Sorry, Real, truly sorry... but, as you know, I was never on the board of the EFF, nor have I received a TRUSTe seal of approval so I can't be expected to be cognizant of on-line privacy issues. And you see, since they never published what the API they were running on my machine was for, who is to say it's not for sending random data to?

    So, is this deciphered data format published someplace?

  • As this is happening again and again I am wondering how users' privacy can be protected.

    First I wonder if there is any legal way to respond to this kind of intrusion.
    There are very clear laws about a hacker breaking in to Real Networks' computers and stealing data. What is the difference when they steal data from my computer and thousands of others?

    What do you think is going to happen to the illegally acquired data? Are they going to delete the whole database :)
    Even if they were legally required to delete all the data, is there anybody out there who is willing and able to force them to comply with the laws?

    Thanks for your comments

    Uli Luckas
  • ... and while I'm at it, I would like to apologize on behalf of all of us outraged netizens that we had the temerity to actually check on what you people at RealNetworks were doing. Why, if someone hadn't had the nerve to investigate what you'd been recording, and if that person hadn't been so crass as to let people know, and if the general user base hadn't had the audacity to complain about the retention of this information (and God only knows how much else was stored!), you would have been saved all this embarrassment! You wouldn't have been forced to shell out the money for public relations people to cover your assets! And you wouldn't have been required to hire your programmers to throw together a patch to disable what you had no right to take in the first place!

    So, yes, I accept your heartfelt and sincere apology, and wish you to know that I will see to it that it never happens again... by refusing to do any business with you. Maybe those who buy your assets after you go into receivership will learn a lesson from this.

  • Why is it that all of the companies that get caught integrating this type of capability always come up with the same line when they're caught?

    "We're sorry we weren't clear. We'll release a patch to disable it for those who wish their privacy respected"

    This has happened to SEVERAL companies in the last few years. Microsoft, Blizzard, Real Networks, and others. When are they going to understand that you CAN'T just start grepping through people's personal data without making it clear in the first place.

    If anyone reading is developing a product that may even provide the SLIGHTEST amount of feedback to an entity, do yourselves a favor. MAKE it VERY clear what is going on, or risk taking the wrath of your customers when they realize that their privacy has been compromised, and you know all about 'Customer Joe's' dirty web site habits.
  • What they did went far beyond simply collecting usage information, general performance issues, etc. It actually sent data back about things you had local that it recognized the extension for. It'd see all those wav files, etc, and report 'em back. It wasn't only usage data it was sending back, that, I could understand. It was complete sets of info regarding what you had on your HD..
  • Their action is illegal anywhere in Europe and in the state of Oregon in the US. In Europe, they break EU privacy laws. In Britain, they also break the Computer Misuse Act, by carrying out an unauthorised transaction on people's computers. In Oregon, similar computer misuse laws have been violated.

    Now, I'm =not= saying people should get lawsuit happy, here. What I =am= saying is that computer companies seem to be bowing to the forces of marketroids, putting profit above the law.

    Whether you believe in Government Intervention, the US legal system, or Santa Claus is irrelevant. Clearly, when you get into Might Makes Right, something is seriously wrong. That is NOT a healthy place to be.

    Look beyond this one issue, and see the bigger picture, where profit is all and the only god known is green.

  • I have only one question here: Did the company listen to the outrage of thousands of customers over the privacy violation or the 1-7/8 drop in their stock?

    And me without my moderator points. Ah well, such is the pain for posting in this discussion.

    Excellent observation.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  • You obviously work for RealNetworks or otherwise benefit from their largess, so why don't you stop polluting this thread with your corporate PR - /. is a forum for people, not corporations.

    Unfair. Corporations have every right to defend themselves, and there's no reason to believe that A Nonymous Coward is really a RealNetworks employee. (Yes, people can doubt me without having an ulterior motive.)

    His point is rational--the claim could be taken to mean that RealNetworks reports all MP3s encoded by them and nothing else. It's plausible, but I'd be quite pissed at the Times--Number of MP3s Encoded != Number of MP3s on the Hard Drive. (Still, there's a pretty reasonable amount of privacy violation even without the extra-software spying.)

    The only way to check is to rip out a copy of FileMon and see what RealNetworks is really up to. If I get some free time, I'll do this myself.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
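The check proposed above (run FileMon and see what the process actually touches) can be turned into a repeatable triage step. This is an added example, not code from the thread or from RealNetworks: it takes a file-access log in a constructed, simplified tab-separated form (sequence, process, operation, path, result; this is not FileMon's real column layout), filters to one process, and separates media files the player touches inside its own library directory from media files and directory enumerations elsewhere on the disk. The process name `RealJukebox.exe`, the library directory `C:\My Music`, and every log line are assumptions made up for the example; the point is that a player which only reports its own library never enumerates unrelated directories, while an inventory scan does.

```python
"""Triage a FileMon-style file-access log for signs that a media player
inventories the whole disk rather than only touching its own library.

Added example, not code from the thread or from RealNetworks. The log
format is a constructed, simplified one: seq, process, operation, path,
result, separated by tabs. All sample lines and names are made up.
"""
import ntpath

MEDIA_EXTENSIONS = {".mp3", ".wav", ".ra", ".rm", ".wma", ".mid"}

# Constructed sample log: the jukebox opens its own library, then walks
# unrelated directories; two other processes are present as noise.
SAMPLE_LOG = """\
1\tRealJukebox.exe\tOPEN\tC:\\My Music\\track01.mp3\tSUCCESS
2\tRealJukebox.exe\tREAD\tC:\\My Music\\track01.mp3\tSUCCESS
3\tRealJukebox.exe\tQUERY_INFO\tC:\\My Music\\track02.wav\tSUCCESS
4\tRealJukebox.exe\tDIRECTORY\tC:\\Downloads\tSUCCESS
5\tRealJukebox.exe\tQUERY_INFO\tC:\\Downloads\\bootleg.mp3\tSUCCESS
6\tRealJukebox.exe\tDIRECTORY\tC:\\Program Files\\Winamp\tSUCCESS
7\tRealJukebox.exe\tQUERY_INFO\tC:\\Program Files\\Winamp\\winamp.exe\tSUCCESS
8\tRealJukebox.exe\tDIRECTORY\tD:\\Backups\tSUCCESS
9\tRealJukebox.exe\tQUERY_INFO\tD:\\Backups\\mix.wav\tSUCCESS
10\texplorer.exe\tDIRECTORY\tC:\\Windows\tSUCCESS
11\tnotepad.exe\tOPEN\tC:\\notes.txt\tSUCCESS
"""


def parse_log(text):
    """Parse tab-separated lines into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # do not guess at a broken line
        seq, process, op, path, result = fields
        records.append({"seq": int(seq), "process": process,
                        "op": op.upper(), "path": path, "result": result})
    return records


def _under(path, root):
    """True if a Windows path lies inside root (case-insensitive)."""
    p = ntpath.normcase(path)
    r = ntpath.normcase(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def summarize(records, process, library_dirs):
    """Count distinct paths one process touched, split by library membership."""
    media_in, media_out, other_out, dirs_out = set(), set(), set(), set()
    for rec in records:
        if rec["process"].lower() != process.lower() or rec["result"] != "SUCCESS":
            continue
        path = rec["path"]
        key = ntpath.normcase(path)
        in_lib = any(_under(path, d) for d in library_dirs)
        if rec["op"] == "DIRECTORY":
            if not in_lib:
                dirs_out.add(key)      # enumeration outside the library
            continue
        ext = ntpath.splitext(path)[1].lower()
        if ext in MEDIA_EXTENSIONS:
            (media_in if in_lib else media_out).add(key)
        elif not in_lib:
            other_out.add(key)         # e.g. other players' binaries
    return {
        "media_in_library": len(media_in),
        "media_outside_library": len(media_out),
        "other_files_outside_library": len(other_out),
        "dirs_enumerated_outside": len(dirs_out),
        "outside_dirs": sorted(dirs_out),
    }


def looks_like_inventory_scan(summary, min_dirs=2):
    """Heuristic: several foreign directories enumerated and media found there."""
    return (summary["dirs_enumerated_outside"] >= min_dirs
            and summary["media_outside_library"] > 0)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    s = summarize(recs, "RealJukebox.exe", ["C:\\My Music"])
    for k, v in s.items():
        print(f"{k}: {v}")
    print("inventory scan:", looks_like_inventory_scan(s))
```

A player that only knows what it ripped or imported produces a summary with `dirs_enumerated_outside` at zero; any non-zero count of foreign directories together with media files found in them is the behaviour the two sides of the thread are arguing about, and the log, not the privacy statement, settles it.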

  • AC--

    (BTW: No reason to be anonymous. I prefer to respond to people, not "entities"--You Are Your Words. Own them.)

    Richard Smith, a Brookline, Massachusetts-based independent security consultant, said the numbers of songs stored on a user's hard drive, the kind of file formats in which the songs are stored, the user's preferred genre of music, and the type of portable music player, if any, the user has connected to the computer are sent to the company, the Times said.

    This is my evidence(and my first paragraph from the post you responded to). If it's wrong, I self-flagellate myself upon the battered journalistic integrity of the above. RealNetworks didn't particularly refute any of this, and I'm sure they'd be screaming bloody f*cking murder if they were accused of taking one iota of extra data.

    AC, I would be laughing myself to tears if this was all about mere listening patterns. That's NOT what the evidence suggests.

    Do you have any evidence we don't know about?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  • Yes I am not anonymous.

    I believe you are reading what you want into Richard Smith's quote, rather than coming to it with an open mind. He does not say it "scans" (your word) for anything. Any ordinary reading of his words discussing what is stored on a drive could just as easily take it as shorthand for the songs that RealJukebox has stored on the drive. In fact, I would bet that most people would take it that way, other than lawyers and wannabe lawyers. Only the paranoid would take it to mean it actually goes looking all over for songs.

    --
  • Go back and peruse the thread. Richard Smith said RealJukebox reports what is stored on the disk; I was responding to a paraphrase of that which claimed it scanned the disk.

    That was the interpretation I took exception to.

    I wonder what got you so fired up?

    --
  • This is a jukebox -- get it? It plays what you tell it to play. Has it got some way of loading up your MP3 player? Bet so. Therefore it knows what you have. Wakarimasuka? There's no more evidence of it scanning for MP3s or hardware than there is of it scanning for illegal copies of Word or Excel or insider trading or anything else.

    That's quite a rant you've got going on no evidence whatsoever.

    Don't get me wrong; their sneaky snoopy practice of sending this info off to HQ sets my teeth on edge. But the information itself is exactly what you'd expect a jukebox program to need. No disk snooping involved.

    --
  • One also wonders what the patch sends them.

    --
    It's October 6th. Where's W2K? Over the horizon again, eh?
  • I don't care if you know what I'm listening to or ripping. I think you make a good product. Don't let the black helicopter crowd worry you.

    "You have no privacy, get over it" -- Scott McNealy
  • What the hell are you talking about? If you purchase RealJukebox you get all rates up to 300kbps, and ultra cool VBR encoding to boot.
  • They were collecting the data for financial reasons. Perhaps not ones that could be used now, but they saw a market and tried to enter it. That market still exists. Companies *do* want to know what music you listen to, and how often.

    They should have 1) offered a complete opt-out (like the patch) and 2) offered to pay those who opted in.

    Most of the people in these threads were upset about the monitoring being secret, not that some company thought the information was worth something.

    They should have two levels. 1) opt out 2) opt in anonymously - get some free CDs or coupons 3) opt in completely - get a lot more stuff.

    The data is valuable to the music companies two ways. First, just knowing how much various CDs are played is valuable marketing data. Second, knowing WHO plays them, which demographic they're in, what else they bought, etc, is worth a LOT more.

    I bet they'd get a lot of kids opting in if at the end of the year they could get $50 worth of CDs or computer games from an online store...

    That would be the best of both worlds. Opt-out for the paranoid, or just plain annoyed, and opt-in for the greedy.
  • But after you install it, it scans to see what other patches you've installed and sends that info out to a patch database which will be used to create, "The best of Patches '99" CD-Rom.

  • I have only one question here: Did the company listen to the outrage of thousands of customers over the privacy violation or the 1-7/8 drop in their stock?

    I guess either way it resolves the problem. I hope many other internet enabled software manufacturers are listening too.

  • by satanel ( 34103 ) on Tuesday November 02, 1999 @07:45AM (#1570081)
    This is a VERY serious issue. We cannot accept a patch and let this blow over.

    This was a trojan horse that performed an unauthorized scan of your HD and sent the data back to Real. Let's turn the tables a moment and suppose that an individual had done this to one of Real's servers? They would be pursuing legal redress (as well they should). To let Real off the hook now that they've issued a patch is to forfeit the battle for privacy.

    Real has basically said "we're sorry we got caught". They are not sorry for what they did. If they were, the CEO would resign in disgrace.

    Boycott RealNetworks products permanently. If you owned their jukebox, contact a lawyer and file suit against them for "hacking" your system. File a complaint with the FBI.

    This is the first instance of this type of behavior of which I am aware, and we all need to make an example of it. Accepting an insincere apology and patch lets them off too easily and will implicitly encourage others to follow suit, since the penalty is something most companies can live with. Unless we cause RealNetworks true pain, then we have just lost a crucial battle.
  • by gad_zuki! ( 70830 ) on Tuesday November 02, 1999 @05:56AM (#1570082)
    This isn't some mistake that Real found out about and quickly resolved, but a deliberate plan to mislead its customers. What Real did was this:

    Knowing eventually they would be caught by someone checking out suspicious data packets sent out by their own machine, Real had only x amount of time before they were caught.

    They used this time to gather as much info as they needed to make a sweet music pref database that would have cost x amount to gather through legitimate means.

    They weighed 2 conditions: What costs more the PR flack from putting a trojan in our software or paying for a legitimate survey? You can guess which ones they picked.

    Now its all about saving face because they've saved the money.

    My doctor calls me, "Oh BTW I wanted to tell you that the medicine I gave you isn't just for syphilis, it's also a microcamera to identify girls you sleep with so we can better sell them the syphilis cure." "Umm, thanks Dr. R. Networks"

  • by Ledge Kindred ( 82988 ) on Tuesday November 02, 1999 @07:04AM (#1570083)
    This industry is the best. Especially in this country.

    Oh, you found out we've been scanning your hard drive and sending data on what music you listen to and what kind of files you have on your system without telling you we would be? Sorry, we'll stop! All better!

    Oh, you found out we're using your personal registration information to build mailing lists that we sell to SPAM and junk snail-mail companies without telling you we would be? Sorry, we'll stop! All better!

    Oh, you found out we've been embedding serial numbers in every document you create so we can track them as they travel across the computer systems of the world and we never let you know about it? Sorry, we'll stop! All better!

    Oh, you found out that we've purposely left back-doors into our security products so that gov't agents can come in and look at what you're doing any time they'd like? Well, we deny it therefore it never happened! All better!

    You'd think someone would actually get outraged enough to take some sort of counter-action at all this stupidity. I guess the sheep^H^H^H^H^H citizens of this country are so used to our government doing it that corporations can get away with it with nothing more than an apology and the statement that they'll "stop doing it" which of course, we must all believe is sincere since they were invading our privacy without telling us to begin with.

    -=-=-=-=-

  • by Effugas ( 2378 ) on Tuesday November 02, 1999 @05:02AM (#1570084) Homepage

    Richard Smith, a Brookline, Massachusetts-based independent security consultant, said the numbers of songs stored on a user's hard drive, the kind of file formats in which the songs are stored, the user's preferred genre of music, and the type of portable music player, if any, the user has connected to the computer are sent to the company, the Times said.


    People, this isn't just RealNetworks incidentally receiving information on what CDs you have by nature of that being the only way to send back the track titles.

    RealNetworks invasively scanned millions of Americans' computers for content that had nothing to do with the functioning behavior of RealNetworks software. We're talking about code that looked for MP3s, music applications, hardware interface tools, and who else knows--I wouldn't look for RealNetworks to tell.

    Open Source is many things, but I'd seriously rather it not degrade into the only way to trust that code isn't Trojan'd. I expect that kind of paranoia for my cryptology of choice, not to play some Garbage!

    This isn't an issue about a few missing lines from a privacy statement. Should RealNetworks be able to upload any interesting file on your hard drive to the corporate servers as long as they mention that "From time to time, RealNetworks may request feedback from your internal storage systems according to specific parameters to be determined according to your usage profile"? Maybe it'd be fine for them to tap into your computer's microphone, as long as they don't neglect to tack on "User agrees to indemnify RealNetworks from any liability in relation to any data flowing through said user's Sound Card"?

    This isn't about legality, at least, not yet. It's about trust, and RealNetworks is losing mine fast.

    The real question is, whether TrustE will follow.

    I'm no history expert, but there's an aspect of TrustE that just smacks of the ill-fated League of Nations from the first part of the century. Namely, the well-intentioned but utterly toothless, powerless, and secretly mocked nature of it. I think TrustE actually has enough Respect Capital(if there is such a thing) with the press to actually do something, this one time...

    Or never again, because nobody will listen anymore.

    TrustE needs to set up guidelines of what may be buried in the fine print and what needs explicit and large dialogs before the function is completed--yes, this includes specifications like "Default must be no, and the software must still run even if it isn't allowed to insert seven links to the audio playing software like RealPlayer G2 does--we counted." That's clear, from RealNetwork's rather shocking behavior.

    The bottom line is TrustE simply needs to file suit for breach of contract and reach a settlement where RealNetworks needs to contact all possible users, mass deploy a tremendous upgrade, and notify victims of the violations in both online and TV/Magazine forums.

    That, or some combination with what I'd like to call TrustEeth: Privacy Protected for x Days.

    If you think about it, it's really just a much more positive version of "This Site Accident Free for x Days" signs. The system encourages TrustE certification, since the longer one puts it off, the longer it will take to get to privacy levels respected by customers. It will make it progressively more expensive over time for large companies to allow their ego to overpower the rights of their customers--the CEO will be quite peeved at the middle manager who took the nationwide corporation down to one day of privacy protection.

    If not a system using literal days, then an accumulation of points, lowered by violations, maintained by fair and quick resolution of privacy concerns, and accelerated by respectful "voluntary" policies could also be functional.

    The key is, people need to have a gauge by which they can determine whether or not to trust a site and the code it asks them to download, and managers need to know they could get called on the carpet if they try a stunt like RealNetworks did.

    The irony is truly remarkable, if you ask me. The CEO of RealNetworks (then Progressive Networks, if I remember correctly) went and testified in front of The United States House Of Representatives, arguing that everybody's favorite monopolist, Microsoft, was making the playing field unfair.

    Meanwhile, here we are in November of 1999, and RealNetworks is repeating the sin that Microsoft did wayyyy back in the day with its overly nosy Registration Wizard that reported if software like Wordperfect was installed. Incidentally, the above dig at RealPlayer G2 for the seven links it litters all over your desktop(collect them all) is even more beautifully ironic considering the now strangely difficult to find position paper regarding asking the user before doing anything of import.

    On a plus note, I don't think the US Patent Office had anything to do with this one.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

