RealNetworks to Create Patch to Block Personal Data
Quite a number of people have sent us the word that RealNetworks has apologized for not being clear about what data RealJukeBox was collecting and has updated their privacy statement. Additionally, they are making available a patch for RealJukeBox that will disable the data-collection.
Business as usual for RealNetworks (Score:1)
Re:My 0.02 cents worth (Score:1)
Bah.
Off-topic (Score:1)
"Aggregate data" is not an excuse... (Score:1)
IMO, the right to privacy includes the right to privacy in aggregate. In other words, since I personally have an expectation of privacy, I don't see that I give up that right by being a member of a group.
Consider the smallest possible group, 2 people. Should I be able to track all the purchases a group of two people makes? What is the fundamental difference between tracking a group of 2 people and of 20? Where is the line where it becomes okay to publish purchasing records? 200? 2 million? I don't think that line exists.
We have the right to privacy in aggregate. We should be insistent on it. Programs like Purchase Circles at Amazon should absolutely be opt-in, not opt-out.
It's nasty of Real to be collecting this data without prior permission. Claiming that it is somehow okay because the data was 'in aggregate' is specious and false.
I'll never use their software again, personally. Even Microsoft has more respect for privacy than that.
Re:This is both good/bad to see.. (Score:1)
And I don't see any privacy policy. How do you know they're not tracking the IP addresses of every query, building up a tasty wee database of their own?
Real's mistake was to include the GUID with every CD request. And the patch removes this. But their main task of building up a database of who's listening to what can carry on unabated.
rOD.
Re:HEY LOOK A MODERATOR ID's HIMSELF AS A MODERATO (Score:1)
This is both good/bad to see.. (Score:1)
Re:The Lurking Danger of non-open standards (Score:1)
Re:Quick Answer (Score:1)
Federal Law Needed in the United States (Score:1)
For instance, I have no idea what information is being exchanged between my Windows PC and the server when I use Symantec's or Netscape's Smart Update features. Shouldn't I be concerned about this as well?
The difficulty I see in creating legislation about this sort of thing would be in differentiating between session tracking devices (like cookies) which often do not compromise user privacy, and more invasive data capture techniques like the one documented in the RealJukebox situation. We can also be sure that any bill would be loaded with all sorts of amendments which would attempt to cater to cyber-Luddites and busybodies who want to control what other people see and do with their computers.
For the record, I am the president of a small Web integration firm. There is no doubt in my mind that calling for legislation of the kind I am suggesting puts us at the top of a slippery slope. But, I believe that this example is only the beginning of a long line of surreptitious personal data grabs.
RA's been gathering info for a long time (Score:1)
This is apparently a bit slimier than previous attempts, but hardly a change in fundamental tactics.
I'd like to see a class-action lawsuit using the new marketing techniques (pay to surf style, etc) as a basis to force RN to pay its customers for the information they were forced to provide.
Re:The "patch" (Score:1)
The Lurking Danger of non-open standards (Score:1)
Think about that for a moment. There are only two vendors who are really competing in this marketplace and they have incompatible products. So, if they decide to do something that is bad for people on the Internet there isn't a whole lot that can be done about it.
This is why open standards are good (what can I say, I love preaching to the choir)
So, any volunteers to make a streaming media distribution protocol standard???
Re:Well, isn't that nice of them! (Score:1)
What about US Legality?, was - EU Legality?! (Score:1)
Seems to me that this is a criminal activity vis a vis unauthorized use of a private computer system. Hypothetically speaking, of course, if someone visited my website (if I had one :), downloaded a program, ran it, and the program sent data back to my site, what then? I think it would at least earn me a visit from the FBI. I hope the DOJ is paying attention.
How about theft of bandwidth? I don't recall them asking me if they could borrow a cup 'o bits.
Anyone with some background in law care to shed some light?
Big Freakin' Deal (Score:1)
This kind of thing has become Standard Operating Procedure for companies these days: worry about privacy only if you get caught, then throw a bone to all the "privacy freaks".
There's tons of financial incentive to spy on users and have crappy privacy policies. There's pretty much zero incentive to worry about it. Their attitude is "just throw it in there, probably no one will ever find out about it, and if they do, we throw a patch to the weirdos and continue gathering our information from the vast majority of people who will never even be aware of the issue."
Companies are never punished at all for privacy invasions, so why should they really care?
EU Legality?! (Score:1)
This sounds suspiciously similar to the Cookie Problem [slashdot.org] and so suffers from the same potential problem [slashdot.org]* as that for us lucky Europeans
If this is the case, which ZDNet UK News think it is - I promise I first hit reply to this article without having read their take on it [zdnet.co.uk], honest! - then this could get quite interesting. If the EU take this one to trial we could end up with this sort of practise made impractical for the whole net as it couldn't be legally used on a pretty large chunk of the users - I'm told we're currently predicted to be bigger than the USA on the net within 5 years, or something like that anyway. I haven't got the figures to hand, but that was the gist of it, OK?
And yes, I know that this article's talking about them releasing the patch and upgrading the privacy statement - but if the software isn't legal without the patch then it gets even nicer as they have to make that the default!
For those who are interested in the details, the UK law is here [hmso.gov.uk] - as I understand it, other EU countries have roughly the same rules by agreement.
Greg
* Sorry to quote myself. It's just that I know I explained it and I can remember that quicker than I can find if anyone else gave a better explanation...
Re:EU Legality?! (Score:1)
The ! in the subject is a typo, honest. I'm not getting all hysterical about it
Greg
Both.... (Score:1)
BTW, you give an awful lot of credit to a company that went to great lengths to hide the information being sent, and whose first reaction to the Smith article was a lie ("it's all CDDB's fault: they want an email address.")
There was no mention of this tracking in their privacy statement. Guess what? Their privacy statement was wrong. So now they say that they don't store the info and they expect everyone to believe them?
Re:Um, So What? (Score:1)
Tag, you're it
Charlie
Not good enough (Score:1)
Re:Lets get the bigger picture (Score:1)
Er, is it National Non Sequitur Day in your country?
It is completely hypocritical to complain about this one lapse of security when you let a much bigger and dangerous one slide by.
Never mind; the answer to my question is clearly "Yes"....
You have a choice whether or not to list your number, and you have a choice whether or not to use this product.
Choice requires informed consent. Fraudulent misrepresentation of a product (e.g. wilful installation of hidden snoopware features) negates informed consent. That's why fraud is illegal in civilized countries.
bkennedy99@Home.com
You were saying something about being "completely hypocritical"...?
/.
Re:Lets get the bigger picture (Score:1)
What part of the term "informed consent" is unclear?
By your 'reasoning', if you pick up a word processing program and it secretly sends everything you type to the FBI, you have no complaint coming -- you had a choice not to install a word processor.
Again, this is why fraud and misrepresentation are illegal in civilized countries.
/.
a marketing fiasco not an engineering one (Score:1)
about what nefarious things Real Jukebox was really doing. When one understands the issues the only thing that real can be blamed for is bad marketing and documentation not evil technology.
The issue that people are up in arms about is that every time a CD was introduced into the CDROM of a PC, Real Jukebox sends this information back to Real. That in and of itself seems quite a strong violation of one's privacy on the face of it, no? When left just at that, I too would agree that I wouldn't want Real to know what CDs I'm playing. But I think focusing on this without any further context is missing the point. And for some reason, this is the point that Real doesn't seem to be making for themselves.
In fact, I would argue that one of the best (value judgement) features of Real Jukebox is that when a new CD is introduced to a PC it "figures" out the artist and song titles. To me, this is a *good thing*. This has value. This means I can be lazy. I'd much rather not have to enter all this information by hand. Frankly, I'm quite content to give up a bit (*small*, *tiny*) of privacy to have all the CDs in my collection show up with full catalog information entered without any effort on my part.
I can appreciate that at some point, I have to "pay" for this useful feature. When choosing CD apps for my PC, this is a *required* feature for me. I will not use a CD player app that doesn't support CDDB. It's just too annoying to not have the artist and song title of what is playing immediately available.
But I also understand that unless some information necessarily needs to be sent across the wire about *MY* cd collection to have this feature to work.. Did the people who were using Real Jukebox, DiscPlay, xmcd, whatever think that these programs were somehow magically capable of intuiting artist and song information? This seems obvious but seems to have been lost in the discussion. If you want the artist name and song titles of a new CD you have to be able to look it up in a database. And this means that at some point, you're at a minimum telling someone your IP address (NAT and other proxies notwithstanding) and the CD you're looking for. Of course, the CDDB database also wants "an email address" which is what is making things so tense this week.
What is quite striking about the current press and open source frenzy regarding this issue is how Real is getting lambasted for this feature. Why are they so special as to receive all this free publicity? What about all the others who were doing this long before Real?
In fact, this is not a novel Jukebox feature at all; the CDDB format has been around the 'net a long, long time. Why hadn't the privacy advocates been blasting those other programs? Was it because for the most part, CDDB has been implemented by open-source programs and that open-source programs were somehow above that level of scrutiny? No, I don't think so. The problem is that Real didn't educate people well enough about their program and its features. The types of people who were using an open-source CD player tend to also be the kinds of people who will automatically "get it" that for the player to know the song titles of their CDs they're going to have to give up some privacy to do the CDDB lookup. The average person using Real Jukebox, on the other hand, might not appreciate this technical point. In fact, they're probably more likely to think that Real Jukebox has an on disk database of all the CDs ever issued. Okay, they also prolly didn't think too hard about the new CDs they're buying either.
Real can be dinged for bad documentation for not making this point better but I do not think that Real set out to invade people's privacy. They've been on record about not storing information anywhere and there is no reason to doubt the veracity of their statement. And for those who are offended by this, I recommend them to stop using Real Jukebox or DiscPlay and go back to using the CD player app that ships with windows, the one where you have to enter all the artist/title information by hand. I'll assume that the unix people understood the privacy trade off before this was a "NY Times"-worthy of an issue.
Re:HEY LOOK A MODERATOR ID's HIMSELF AS A MODERATO (Score:1)
Re:Other privacy issues in RealNetwork's software? (Score:1)
I knew many people would misunderstand this post. But if you do actually understand what I'm trying to say, then I COMPLETELY disagree with you. This is not about copy protection, it's about privacy. There's nothing wrong with copy protection. The problem here is that under ANY circumstance I don't care what the reason is, if you're a rapist or a pirate, no data should EVER leave your machine without your knowledge. Period.
In their case, a much more elegant solution would've been to simply make the online registration mandatory, then when you register, you send the serial number. If it's a serial number on their "black list" then they refuse the registration and log your IP. The way it is now, I believe is that the software will work with the number (with their knowledge that you're using a stolen number), but at the same time it is sending data to realnetworks, without your knowledge. This kind of "sneakiness" really freaks me out and it should also scare anyone that has any regard for their privacy.
I personally code for the palm OS, and have a piece of software that requires payment for a registration code. I could've made it such that with every update, I'd secretly embed a database of stolen codes in the app. If your code matches one of them, I could make my program randomly corrupt data. I thought about it for maybe a second...but it struck me as highly unethical, even though the user was using a stolen code to begin with, so I decided against it.
-dr0ne
Other privacy issues in RealNetwork's software? (Score:1)
Realjukebox is only one of the few apps that realnetworks distributes. What about RealPlayer? Has anyone seen similar activity? Specifically (don't know if this is true or not, I don't use RealPlayer), I've heard that if you try to register RealPlayer with a serial # found on the net, it will work, but every time you run it, an update window will come up asking if you want to download their "latest update". It ends up that this is really a patch to disable the software if you get the "update".
Now even though this is sneaky as hell, I can only wonder what _other_ kind of information gets sent to realnetworks about you, if you try to register with a number snatched off the net....
-dr0ne
Re:"Aggregate data" is not an excuse... (Score:1)
"Consider the smallest possible group, 2 people. Should I be able to track all the purchases a group of two people makes?"
I agree that real sucks, always hated them, now I hate them more, will now go out of my way to tell others to avoid them. (they have made the dreaded list)
BUT...
I think
"....What is the fundamental difference between tracking a group of 2 people and of 20?"
not 20 but I think it's ok to track the purchasing habits of a group of people that is so large that any one person's purchases are only of statistical significance. (ie not tied to a name) And only if you are going to use the data for recommendations.. Since no company is ever not going to be totally evil and just generally screwed up I think we can be safe to say that it is (in real life) never right to use Aggregate Data...
I think this is a really big deal by the way, and I hope they get a lawsuit or two. Just to show them that they are not totally above the law..
(and morality)
Re:This is both good/bad to see.. (Score:1)
CDDB is just sharing some of that info with the rest of the world, but as far as I know no one will be able to discern that you are a closet Backstreet Boys fan
Re:Quick Answer (Score:1)
Quick Answer (Score:1)
I give them none@ofyourdamnbusiness.com as my email address all the time.
Re:The Lurking Danger of non-open standards (Score:1)
This is just another reason to promote Open Source. If you have access to the source code, there's no way they can get away with something like this. I like to know EXACTLY what my programs are doing.
Good. (Score:1)
Re:The Lurking Danger of non-open standards (Score:1)
Too late... (Score:1)
REAL could sink in the waters they're testing (Score:1)
If you've read about Rob Glaser (Real CEO), you've learned he's spawn from the M$ culture, and is eager to reproduce it on his own by a.)gaining ubiquity and b.)leveraging proprietary advantage. He's not to be trusted. But it's hard to trust many shareholder-owned corporate entities these days. And trust is the basis of loyalty, trade, and cooperative advantage.
In the end, (and this may sound a little outrageous), any company that operates on an "us" (owners) vs. "them" (customers) basis, sneaking around, seeing what they can get away with, etc. is doomed. The corporation that can figure out how to include customers in the equity equation will thrive by generating the most trust (trade). (After all, customers provide attention, cash flow, preferences data, etc.) Sound crazy? Well, it's what Dee Hock envisioned for Visa.. He guessed Visa would be 4 times more powerful today if merchants and cardholders shared ownership..
Also.. thank god the w3 is challenging the p3p patent.. the more we individuals can control our "own" privacy, the less we'll be under the thumb of big government and big money, the more accountability will free the flow of our info, and the more trust and trade there'll be online.
Re:On A Scale Unimaginable... (Score:1)
This kind of violation will occur over & over (and most people will never know it's happening) until operating systems provide a foolproof filesystem & network "sandbox"/jail where "untrusted" software is executed by default, and any attempts to escape the jail are either intercepted or decoyed.
Then, when you catch a process trying to access something it shouldn't need, you'll at least have a clue as to where to start asking questions, before you let everything leak. This should also handle a lot of common Trojan horses.
W/o such a capability, everybody will pretty much have to rely on the diligence & reports of hackers (used in the context of people who have a great deal of curiosity about their systems) to find out that something is up - and that it's already too late.
Sandboxes for everyone (Score:1)
Why assume they've stopped? (Score:1)
Prodigy (Score:1)
Wow. (Score:1)
Uhm, now, should i be relieved that they did this so fast, or should I be disappointed that it happened in the first place.
The internet and YOU! (Score:1)
Very few of us have been so careful as to never let a name or tidbit of traceable information slip out. How many of us can actually honestly say that we have NEVER gotten a piece of spam? I don't know about you people, but i have a mailbox at hotmail *just for spam*. I use it whenever anything needs an email address.. and i actually care to receive it. Needless to say that i get about 30-40 spamails a day.
If some company out there wants to know about you, they will find out about you. Where you live, what your phone number is, perhaps gather information about your interests (newsgroups people, newsgroups!). The only way to avoid this is to *not* be on the internet. For the large majority of us, that statement is not only fantasy, but also heresy.
Personally, although i found this alarming, i did not find this particularly surprising. How many other companies out there do you believe are doing the same thing?
Re:REAL could sink in the waters they're testing (Score:1)
So if you think Microsoft is bad, where does that leave Real?
Really real? (Score:1)
Re:Over Reaction (Score:1)
For example, few people in Europe batted an eyelid when citizens were required to carry ID cards containing, among other things, one's religious affiliations. This of course was an absolute bitch for the Jews after Hitler gained power, because all they had to do was check your ID card (compulsory by then), and bingo, off to the camps.
Personal choice in music may seem unimportant. But wouldn't music choice be a way for morons to identify 'anti-government sentiment' (Rage Against the Machine), 'satanistic tendencies' (Marilyn Manson), 'suicidal tendencies' (Nirvana)?
This may seem like a pathetic example, but just think of McCarthy and the communist witch-hunts. Belonged to a communist-sympathetic group in your youth? McCarthy used that kind of irrelevant 'information' to destroy many lives.
My point is, any information gathered about you can be used against you by dictators, government forces, whatever. We must fight against this as hard as we can, and as loudly as we can.
The "patch" (Score:1)
Uninstall time (Score:1)
This seems to be trendy now... (Score:1)
Um, So What? (Score:1)
They've explained that they needed to know what CD you were playing in order to get playlist data from a third-party database. I don't seem to see any explanation of why the program scanned your hard drive for personal information, and the number and names of any MP3s you had.
And consider how many users of RealJukebox don't read SlashDot (or don't read, period). How many people will install the patch? How many people will read the new privacy statement?
RealNetworks did not say, "oops. We'll stop doing that, and we'll never do it again." What they said, instead, was:
Which is manifestly not the same thing.
What they should do is build new server components that are not compatible with existing installs in the field. Serve a page indicating that "to download a version of RealJukebox that doesn't invade your privacy, click here", and ship a version that specifically warns the user of the privacy risks and requires the user to specifically opt IN--not out--in order to use the Trojan Horse features.
Till then, this is still a Trojan Horse.
WWII bombers used tinfoil... (Score:1)
This patch would have the nice added feature of confusing the pricks at CDDB too, who've stamped a copyright on what once was shared, mutually created data.
Would this policy annoy Real? I don't think so, it meets their own criteria. First, I would not be accumulating the data, I would submit it and forget it. Second, I would only release or sell aggregate statistics, stuff like "65536 records submitted to two music related websites". And, third, I can go them one better and apologize in advance: Sorry, Real, truly sorry... but, as you know, I was never on the board of the EFF, nor have I received a TRUSTe seal of approval so I can't be expected to be cognizant of on-line privacy issues. And you see, since they never published what the API they were running on my machine was for, who is to say it's not for sending random data to?
So, is this deciphered data format published someplace?
How to avoid this in the future? (Score:1)
First I wonder if there is any legal way to respond to this kind of intrusion.
There are very clear laws about a hacker breaking in to Real Networks computers and stealing data. What is the difference to them stealing data from my and thousands of other computers?
What do you think is going to happen to the illegally acquired data? Are they going to delete the whole database?
Even if they were legally required to delete all the data, is there anybody out there who is willing and able to force them to comply with the laws?
Thanks for your comments
Uli Luckas
Apology accepted, RealNetworks... (Score:1)
So, yes, I accept your heartfelt and sincere apology, and wish you to know that I will see to it that it never happens again... by refusing to do any business with you. Maybe those who buy your assets after you go into receivership will learn a lesson from this.
Hand in the Cookie Jar (Score:2)
"We're sorry we weren't clear. We'll release a patch to disable it for those who wish their privacy respected"
This has happened to SEVERAL companies in the last few years. Microsoft, Blizzard, Real Networks, and others. When are they going to understand that you CAN'T just start grepping through people's personal data without making it clear in the first place.
If anyone reading is developing a product that may even provide the SLIGHTEST amount of feedback to an entity, do yourselves a favor. MAKE it VERY clear what is going on, or risk taking the wrath of your customers when they realize that their privacy has been compromised, and you know all about 'Customer Joe's' dirty web site habits.
Re:RA's been gathering info for a long time (Score:2)
My 0.02 cents worth (Score:2)
Now, I'm =not= saying people should get lawsuit happy, here. What I =am= saying is that computer companies seem to be bowing to the forces of marketroids, putting profit above the law.
Whether you believe in Government Intervention, the US legal system, or Santa Claus is irrelevant. Clearly, when you get into Might Makes Right, something is seriously wrong. That is NOT a healthy place to be.
Look beyond this one issue, and see the bigger picture, where profit is all and the only god known is green.
Re:A Company That Listens (Score:2)
And me without my moderator points. Ah well, such is the pain for posting in this discussion.
Excellent observation.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Re:Speaking of reading what you want to.... (Score:2)
Unfair. Corporations have every right to defend themselves, and there's no reason to believe that A Nonymous Coward is really a RealNetworks employee. (Yes, people can doubt me without having an ulterior motive.)
His point is rational--the claim could be taken to mean that RealNetworks reports all MP3s encoded by them and nothing else. It's plausible, but I'd be quite pissed at the Times--Number of MP3s Encoded != Number of MP3s on the Hard Drive. (Still, there's a pretty reasonable amount of privacy violation even without the extra-software spying.)
The only way to check is to rip out a copy of FileMon and see what RealNetworks is really up to. If I get some free time, I'll do this myself.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Re:You're speculating beyond reason (Score:2)
(BTW: No reason to be anonymous. I prefer to respond to people, not "entities"--You Are Your Words. Own them.)
Richard Smith, a Brookline, Massachusetts-based independent security consultant, said the numbers of songs stored on a user's hard drive, the kind of file formats in which the songs are stored, the user's preferred genre of music, and the type of portable music player, if any, the user has connected to the computer are sent to the company, the Times said.
This is my evidence (and my first paragraph from the post you responded to). If it's wrong, I self-flagellate myself upon the battered journalistic integrity of the above. RealNetworks didn't particularly refute any of this, and I'm sure they'd be screaming bloody f*cking murder if they were accused of taking one iota of extra data.
AC, I would be laughing myself to tears if this was all about mere listening patterns. That's NOT what the evidence suggests.
Do you have any evidence we don't know about?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Speaking of reading what you want to.... (Score:2)
I believe you are reading what you want into Richard Smith's quote, rather than coming to it with an open mind. He does not say it "scans" (your word) for anything. Any ordinary reading of his words discussing what is stored on a drive could just as easily take it as shorthand for the songs that RealJukebox has stored on the drive. In fact, I would bet that most people would take it that way, other than lawyers and wannabe lawyers. Only the paranoid would take it to mean it actually goes looking all over for songs.
Another clarification (Score:2)
That was the interpretation I took exception to.
I wonder what got you so fired up?
You're speculating beyond reason (Score:2)
That's quite a rant you've got going on no evidence whatsoever.
Don't get me wrong; their sneaky snoopy practice of sending this info off to HQ sets my teeth on edge. But the information itself is exactly what you'd expect a jukebox program to need. No disk snooping involved.
Re:The "patch" (Score:2)
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Hey Real folks... (Score:2)
"You have no privacy, get over it" -- Scott McNealy
Re:RealDopeBox cripples MP3 (Score:2)
A different solution... (Score:2)
They should have 1) offered a complete opt-out (like the patch) and 2) offered to pay those who opted in.
Most of the people in these threads were upset about the monitoring being secret, not that some company thought the information was worth something.
They should have two levels. 1) opt out 2) opt in anonymously - get some free CDs or coupons 3) opt in completely - get a lot more stuff.
The data is valuable to the music companies two ways. First, just knowing how much various CDs are played is valuable marketing data. Second, knowing WHO plays them, which demographic they're in, what else they bought, etc, is worth a LOT more.
I bet they'd get a lot of kids opting in if at the end of the year they could get $50 worth of CDs or computer games from an online store...
That would be the best of both worlds. Opt-out for the paranoid, or just plain annoyed, and opt-in for the greedy.
Oh, the patch works (Score:2)
A Company That Listens (Score:2)
I guess either way it resolves the problem. I hope many other internet enabled software manufacturers are listening too.
We're sorry we got caught! (Score:3)
This was a trojan horse that performed an unauthorized scan of your HD and sent the data back to Real. Let's turn the tables a moment and suppose that an individual had done this to one of Real's servers? They would be pursuing legal redress (as well they should). To let Real off the hook now that they've issued a patch is to forfeit the battle for privacy.
Real has basically said "we're sorry we got caught". They are not sorry for what they did. If they were, the CEO would resign in disgrace.
Boycott RealNetworks products permanently. If you owned their jukebox, contact a lawyer and file suit against them for "hacking" your system. File a complaint with the FBI.
This is the first instance of this type of behavior of which I am aware, and we all need to make an example of it. Accepting an insincere apology and patch lets them off too easily and will implicitly encourage others to follow suit, since the penalty is something most companies can live with. Unless we cause RealNetworks true pain, then we have just lost a crucial battle.
Be not so quick to forgive, kids (Score:3)
Knowing eventually they would be caught by someone checking out suspicious data packets sent out by their own machine, Real had only x amount of time before they were caught.
They used this time to gather as much info that they needed to make a sweet music pref database that would have cost x amount to gather through legitimate means.
They weighed 2 conditions: What costs more the PR flack from putting a trojan in our software or paying for a legitimate survey? You can guess which ones they picked.
Now it's all about saving face because they've saved the money.
My doctor calls me, "Oh BTW I wanted to tell you that the medicine I gave you isn't just for syphilis, it's also a microcamera to identify girls you sleep with so we can better sell them the syphilis cure." "Umm, thanks Dr. R. Networks"
Ya gotta love it (Score:3)
Oh, you found out we've been scanning your hard drive and sending data on what music you listen to and what kind of files you have on your system without telling you we would be? Sorry, we'll stop! All better!
Oh, you found out we're using your personal registration information to build mailing lists that we sell to SPAM and junk snail-mail companies without telling you we would be? Sorry, we'll stop! All better!
Oh, you found out we've been embedding serial numbers in every document you create so we can track them as they travel across the computer systems of the world and we never let you know about it? Sorry, we'll stop! All better!
Oh, you found out that we've purposely left back-doors into our security products so that gov't agents can come in and look at what you're doing any time they'd like? Well, we deny it therefore it never happened! All better!
You'd think someone would actually get outraged enough to take some sort of counter-action at all this stupidity. I guess the sheep^H^H^H^H^H citizens of this country are so used to our government doing it that corporations can get away with it with nothing more than an apology and the statement that they'll "stop doing it" which of course, we must all believe is sincere since they were invading our privacy without telling us to begin with.
-=-=-=-=-
On A Scale Unimaginable... (Score:4)
Richard Smith, a Brookline, Massachusetts-based independent security consultant, said the numbers of songs stored on a user's hard drive, the kind of file formats in which the songs are stored, the user's preferred genre of music, and the type of portable music player, if any, the user has connected to the computer are sent to the company, the Times said.
People, this isn't just RealNetworks incidentally receiving information on what CDs you have by nature of that being the only way to send back the track titles.
RealNetworks invasively scanned millions of Americans' computers for content that had nothing to do with the functioning behavior of RealNetworks software. We're talking about code that looked for MP3s, music applications, hardware interface tools, and who else knows--I wouldn't look for RealNetworks to tell.
Open Source is many things, but I'd seriously rather it not degrade into the only way to trust that code isn't Trojan'd. I expect that kind of paranoia for my cryptology of choice, not to play some Garbage!
This isn't an issue about a few missing lines from a privacy statement. Should RealNetworks be able to upload any interesting file on your hard drive to the corporate servers as long as they mention that "From time to time, RealNetworks may request feedback from your internal storage systems according to specific parameters to be determined according to your usage profile"? Maybe it'd be fine for them to tap into your computer's microphone, as long as they don't neglect to tack on "User agrees to indemnify RealNetworks from any liability in relation to any data flowing through said user's Sound Card"?
This isn't about legality, at least, not yet. It's about trust, and RealNetworks is losing mine fast.
The real question is, whether TrustE will follow.
I'm no history expert, but there's an aspect of TrustE that just smacks of the ill-fated League of Nations from the first part of the century. Namely, the well-intentioned but utterly toothless, powerless, and secretly mocked nature of it. I think TrustE actually has enough Respect Capital (if there is such a thing) with the press to actually do something, this one time...
Or never again, because nobody will listen anymore.
TrustE needs to set up guidelines of what may be buried in the fine print and what needs explicit and large dialogs before the function is completed--yes, this includes specifications like "Default must be no, and the software must still run even if it isn't allowed to insert seven links to the audio playing software like RealPlayer G2 does--we counted." That's clear, from RealNetworks' rather shocking behavior.
The bottom line is TrustE simply needs to file suit for breach of contract and reach a settlement where RealNetworks needs to contact all possible users, mass deploy a tremendous upgrade, and notify victims of the violations in both online and TV/Magazine forums.
That, or some combination with what I'd like to call TrustEeth: Privacy Protected for x Days.
If you think about it, it's really just a much more positive version of "This Site Accident Free for x Days" signs. The system encourages TrustE certification, since the longer one puts it off, the longer it will take to get to privacy levels respected by customers. It will make it progressively more expensive over time for large companies to allow their ego to overpower the rights of their customers--the CEO will be quite peeved at the middle manager who took the nationwide corporation down to one day of privacy protection.
If not a system using literal days, then an accumulation of points, lowered by violations, maintained by fair and quick resolution of privacy concerns, and accelerated by respectful "voluntary" policies could also be functional.
The key is, people need to have a gauge by which they can determine whether or not to trust a site and the code it asks them to download, and managers need to know they could get called on the carpet if they try a stunt like RealNetworks did.
The irony is truly remarkable, if you ask me. The CEO of RealNetworks (then Progressive Networks, if I remember correctly) went and testified in front of The United States House Of Representatives, arguing that everybody's favorite monopolist, Microsoft, was making the playing field unfair.
Meanwhile, here we are in November of 1999, and RealNetworks is repeating the sin that Microsoft did wayyyy back in the day with its overly nosy Registration Wizard that reported if software like WordPerfect was installed. Incidentally, the above dig at RealPlayer G2 for the seven links it litters all over your desktop (collect them all) is even more beautifully ironic considering the now strangely difficult to find position paper regarding asking the user before doing anything of import.
On a plus note, I don't think the US Patent Office had anything to do with this one.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com