iTunes or spyTunes?

[UPDATE: Apple has made a statement regarding the MiniStore data, stating with certainty that they do not collect the data.  It is sent to the iTMS to get the related links, and is discarded.  No information even identifying that data as coming from you is sent to them or Omniture.  They also created a Knowledge Base Article showing how to hide the MiniStore, and telling up front that when hidden that data is not transmitted.  Thanks, Apple!  Could have bypassed a lot of bad press if any of that had been in the iTunes 6.0.2 readme, but late is better than never.]

You may have caught this elsewhere, but iTunes has been updated to 6.02.  A new feature is an iTunes MiniStore panel below the main song browser.  It’s neat because without any work on your part, you’ll instantly have access to the album art for the song you’re playing, exposure to other albums by that artist that you may not have known existed, and a brief compilation of what other types of songs people purchased who bought the song you’re listening to.

Neat, huh?  Except...how are they doing it?  Obviously, it’s interacting with the iTMS.  It seems innocuous, but it meets all the requirements for the definition of spyware.  The main point of the definition, if you moused over it, is that the transmission of data is being done covertly.  The latter part of the definition in this case is met by Apple using your data to advertise other products that they sell, and by that data being sent to Omniture, a company that provides web analysis and statistics tracking.  This didn’t surprise me, as I did a little digging earlier today on the source code of Apple’s new web pages (trying to see how they did some of the swank things on said new web pages), and there is a JavaScript code snippet that reveals Omniture as helping them track their site usage patterns as well.

So: is spyware still bad if it’s being used in a non-nefarious way by a trusted company?  To me, yes.  All they had to do to not be identified as spyware was to transmit this data overtly instead of covertly.  A simple dialog explaining what’s happening, and giving the user an opt-out, would satisfy me.  It could even be a “sticky” dialog that comes up every time the issue arises unless the user checkmarks a “Do not ask me this again”.

Fortunately, some quick thinkers dumped their TCP output and discovered that no data is transmitted at all if you hide the MiniStore.  So if you’re like me, and perhaps don’t have a problem with the data transmitted but would rather not support Apple’s decision to not disclose exactly what is being sent and to whom, simply close / hide the MiniStore.  There’s a button on the bottom right to do so, or hit ↑⌘M (that’s ↑+ctrl+M to you Windows users).  The TCP dump verified that when the MiniStore is not visible, it doesn’t transmit any data.


Comments

Interesting. I’m definitely going to be disabling the mini-store.

Apple has made a statement, and created a KB article.  See the update on the original post.

> No information even identifying that data as coming from you is sent to them or Omniture.

Actually, that’s not true.  According to the research being done by various people, your “Apple ID” ("Apple ID’s are unique to every individual and are used for all of Apple’s services—iTunes, .Mac, Apple Care, OS X registration, pro application use, the online Apple Store, the Apple Developer Connection, and so on.") is sent along with the track information.

So, since the data transmitted apparently does contain personally-identifying information, why would that data even need to get sent if Apple and Omniture do, indeed, discard all of it?  I don’t think this story is over with yet.  I think more information’s going to be coming to light…

See the various updates to this Boing Boing post (and this earlier one) for details.

Edited at 11:38am - confirmed using this informative article.  I tried to use strikethrough tags, but it didn’t work, so my recanted statements are in grey.

I’m not thoroughly convinced that what’s being sent is your Apple ID.  The MiniStore still works when you’re signed out of iTunes, and without that key in your plist.  Further, whether I quit iTunes logged in, or logged out, that key is never generated in my plist, although the 5 cookie elements change, none of which contain any identifier to me or my machine.

That said, the MiniStore’s staying off on my machine until the dust settles, heh.
