Windows Tracks CDs & DVDs You Watch

lcypher writes "The AP is reporting that there is spyware within Windows Media Player 8(which ships with XP), which records the song titles and DVD titles that a user listens to or views in WMP8. Microsoft execs claim no marketing use right now, but they won't rule it out. " This looks like less of a big deal than the article makes it out to be, but it definitely could be used for evil.

Winamp does this too

[Glonk]

By default Winamp logs "anonymous usage statistics" unless you turn it off during the install.

You can also turn off WMP's unique identifier thing if you're worried about privacy.

Honestly though, set down your tinfoil hats for a second: Why do we really care?
Really?

Maybe it's just me but I honestly don't care if some site logs that I viewed porn from so and so site for so many minutes. Why should I?

I also have very serious doubts that MS would ever sell the information it'd collect from it. The money from that is absolutely tiny and the feedback from the public would be absolutely horrible. What I see instead is a more personalized music service, kind of like Launch.com, where it personalizes and gives you music and movie picks based upon what you watch. Amazon does this too when you're logged in, keeping track of recently viewed items, etc.

Odd Interpretation

[Ieshan]

"...no information is collected on Microsoft's servers that would be personally identifiable..."

So, in other words, Microsoft (having engineered the world's most widely used operating system) still hasn't figured out how to pinpoint where data transfer is coming from. Because it seems to me, oddly, that if I'm sending someone data through a system they set up that I don't know about... they must know about it, and also must know how to analyze the results of all their data-grabbing. And see where the crap is coming from. And keep track of what I'm listening to.

I don't use Windows Media player, personally. But if it ever came down to the log files, I'm sure MS could say to someone who ripped the software: "Actually, you have an unauthorized copy of windowsXP, how else would you be transmitting data through our security loophole with the same key as those twenty thousand other people?"

What could somebody do with this data?

[NanoGator]

Just curious. This issue's new to me and I'm curious what the privacy advocates are worried about.

I'm a little concerned that MS might detect that I ripped a DVD so I could use a particular clip as reference footage for an animation I'm working on, perhaps use the DMCA to fine me for it. Other than that I don't really care if they know what I'm watching or not.

Is there a larger problem I should be aware of? Could somebody explain to me what MS or anybody else could do with data about what movies I watch, or what websites I visit, or whether I'm attracted to either T or A that would be bad?

Re:This is just a local CDDB mirror

[BrookHarty]

The files are stored in
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db
I also saw a file wmplibrary_v_0_12.lrd that had my hostname in it, and a file called WMPImage_AlbumArtLarge.

Actually I use FreeDB so I dont have to give any info out. M$ Didnt even tell users they were being tracked till this article, at least they are going to let people know with an updated privacy statement. We really shouldnt have to wait for someone to point out privacy concerns that the vendor should disclose.
-
It seems to me, Golan, that the advance of civilization is nothing but an exercise in the limiting of privacy. - Janov Pelorat in Asimov's Foundation's Edge

Re:It won't be personally identifable?

[drdink]

Although I agree with you that static IP could possibly be used for tracking, I would consider it too much of a longshot. How would Microsoft know if you were static or dynamic? They would have to have a unique ID that they could assign you at XP registration time and then send back when playing a DVD in WMP8. All the analysis I've seen of this so far show that this is in fact not happening.

This microsoft patent...

[nemo]

FACT:
Microsoft has this patent:
System and methods for selecting music on the basis of subjective content.

OPINION:
I bet they'd love to get their hands on these logs/cache/whatever... if what people choose to listen to doesn't count as subjective, I dunno what does!

Draw your own conclusions. I am merely presenting facts and opinions.

Has anybody *read* the article?

[Gordonjcp]

When a CD is played, the player downloads the disc name and titles for each song from a Web site licensed by Microsoft. That information is stored on a small file on each computer in the latest version of the software.

This sounds to me very much like some sort of CDDB cache. XMMS has done this since the first line of code was written.

Re:This is just a local CDDB mirror

[Cally]

The AP is reporting that there is spyware within Windows Media Player 8(which ships with XP)

Actually this was discovered by Richard M. Smith, who has a good record of finding bugs-by-design, security holes and privacy breaches in MS software. Here's his page on the topic, on the topic, and here's Microsoft's response - which is all in the first sentence, really, "we do not believe [this] represents a user privacy concern." All this was in my submission of the story, last night - heh, it's the first time I've submitted a story and someone else's post got there first. Or better.

In reply to those people saying "this is just the same as CDDB, what's the big deal?": this IS a bad thing, for the following reasons:

• As with most of the rest of XP's phone home functionality, there's nothing to tell the end user what's happening here. As with previous incidents of unexpected traffic seen from XP machines, Smith had to break out a packet sniffer to discover what the traffic was and where it was going.
  
• You trust Microsoft NOT to start correlating this info to make some use of it further down the line? You trust them NOT to sell it to the MPAA so help them track evil pirates playing non-MPAA titles? As they don't even tell you they're doing it, there's no privacy policy involved - they give no categorical assurance that they won't give the info the CIA or the BSA, for that matter.
  
• Why the hell should Microsoft get to run CDDB as well as everything else? It's just another example of their greed and desire to own all your media.
  

Think about it: Passport, web services, yuor company's servers, your corporate desktop, your own home PC, all your apps, your phone, set-top box, Palm ripoff, Psion rip-off... apart from washing machines and guided missiles, I can't think of anywhere that software runs which Microsoft doesn't aspire to own. Actually, come to think of it, NT4 at least can allegedly operate as a router; they've been trying to make headway in the embedded market for years, and I fear that "version 3 syndrome" will kick in on their efforts there soon... sheesh, they're even selling firewalls now. When the great day comes that Microsoft own all mass markets for software, they'll buy out some major consulting/services firm and start trying to put independent developers out of business, too. Pray that day never comes...

Microsoft have yet to learn that in privacy and security matters, the correct default is to trsut no-one and nothing. If you prove to your customers or users that you're worthy of trust, you'll get it. Take it for granted, and assume that the user won't MIND if your software starts sending your personal data back to the vendor (or a thrid party) without telling you, and you start getting into people's shitlists. When you're Microsoft, you have to bend over backwards to ensure that not only are you doing the right thing, but that you're SEEN to be doing the right thing. If you give a flying one, that is; if you really are Microsoft, then you couldn't care less, because your Windows monopoly means 99% of users and customers haven't got any choice in the matter.

And what if you're a network security person and spot unauthorised traffic (which is what this is) on your network? You could spend a lot of time & energy investigating. For all I know, this could be a DDoS agent that some kiddie's planted on a cracked XP box, and is now starting to flood windowsmedia.com .

If you really think this is "just like CDDB", ask yourself: why are Microsoft going to the trouble and expense of providing this "service" - given that they don't even tell people they're doing it? What do they hope to gain from it? How does this increase their marketshare or mindshare? Follow the money...

well duh

[twitter]

How else is the Digital Rights Denial OS supposed to work? The terms of thier EULA alow them to scan the contents of your computer. Why bother to send it over the web when you have permision to take it at will? People downplaying this have obviously forgotten all M$ news of the last month. All the pieces fit so well.

Media Player will be used to extort money from users, media companies and advertisers. Microsoft wants to be the asshole in the middle and wants to use that position to make money. They have created their own media formats to break at will, a method to do it, and put it all in their EULA. What more can you ask for? Do you really think that they won't sell your information? Oh, I suppose you forgot how they sold "real estate" on your desktop.

The only way for them to keep themselves in that position is to eliminate every other option. If you continue to use M$, your internet will have three channels and you will never be able to contribute. Your money goes to those who would enslave you.

Let's see, M$ can write files to my computer that I can't delete and can access my computer in ways that I can not. They must be root, and I am not.