Slashdot Mirror


Windows Tracks CDs & DVDs You Watch

lcypher writes "The AP is reporting that there is spyware within Windows Media Player 8 (which ships with XP), which records the song titles and DVD titles that a user listens to or views in WMP8. Microsoft execs claim no marketing use right now, but they won't rule it out." This looks like less of a big deal than the article makes it out to be, but it definitely could be used for evil.

42 of 418 comments

  1. Pr0n by 68030 · · Score: 4, Funny

    Turns out they are just tracking all the pron
    file names so they can track them down on
    kazaa easier.

    Those lazy bastards. (:

  2. Playing right now: by torpor · · Score: 5, Insightful

    DVD: "1,000 ways to torture a Billionaire", widescreen format. No region encoding.
    ---

    But anyway, fair enough. What I'd like to know is how easy it is to insert my own random data into that playlist before it goes off to Microsoft?

    Seems the only way to fight this will be with dis-info ...

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
    1. Re:Playing right now: by sql*kitten · · Score: 5, Informative
      What I'd like to know is how easy it is to insert my own random data into that playlist before it goes off to Microsoft?

      It doesn't go to Microsoft, it's just a cache of CDDB lookups you've done. AudioCatalyst does the same thing - but it's tracking not only what you play, but also what you rip to MP3. Surely, if you are looking for a conspiracy, that is where to look?

      This cache is just a performance enhancement, like your web browser maintaining a cache of pages you've visited. If anything, it improves your privacy: it makes it much more difficult for CDDB to track how often you play a particular CD.

      From the article:
      When a CD is played, the player downloads the disc name and titles for each song from a Web site licensed by Microsoft. That information is stored on a small file on each computer in the latest version of the software.
    2. Re:Playing right now: by o0_kave_0o · · Score: 5, Informative

      Sorry, but it isn't just a CDDB cache at all. If you bothered to scan through the database, you will find every mp3 you have ever played in Media Player listed.

      Check it out for yourself; the log can be located here:

      C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db

      The "_v_0_12" part may vary on your PC, but this is the file mentioned in the article.

  3. It won't be personally identifiable? by Scoria · · Score: 4, Insightful

    If your IP address is static as opposed to dynamic, Microsoft may possess the ability to compare it to the one used to register Windows XP.

    --
    Do you like German cars?
    1. Re:It won't be personally identifiable? by drdink · · Score: 3, Interesting

      Although I agree with you that static IP could possibly be used for tracking, I would consider it too much of a longshot. How would Microsoft know if you were static or dynamic? They would have to have a unique ID that they could assign you at XP registration time and then send back when playing a DVD in WMP8. All the analysis I've seen of this so far shows that this is in fact not happening.

      --
      Beware, Nugget is watching... See?
  4. This is just a local CDDB mirror by Zoid · · Score: 5, Insightful

    If you read the article, all this "database" is a copy from the CDDB records (or whatever CDDB is called these days) used for caching. You stick a CD in, it generates a checksum and asks CDDB for the artist/track listing and stores it locally, so it doesn't have to ask again later. As far as I'm aware, there isn't any sending of this database.

    It appears they extended to DVDs as well as CDs (just a bigger database I suppose).

    The article is a bunch of fluff for a functionality we've used for a long time with numerous programs such as XMCD, AudioCatalyst, etc etc. Microsoft adds it to media player and omg, privacy for getting the disc information for you. I'm pretty sure there's a button to turn it off.

    (Gracenote is probably using the CD request data anyway for marketing purposes these days).

    --
    /// Zoid.
    1. Re:This is just a local CDDB mirror by BrookHarty · · Score: 5, Informative

      Yup, logs into a database, gives them an ID based on your computer, your IP, and the multimedia you're viewing, also leaves a nice log file on your PC of your activity.

      So no, it's a little more than just a mirror of a CDDB database. The traffic is bi-directional, and leaves a log trail.
      -
      I was so naive as a kid I used to sneak behind the barn and do nothing. - Johnny Carson

    2. Re:This is just a local CDDB mirror by BrookHarty · · Score: 5, Interesting

      The files are stored in
      C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db
      I also saw a file wmplibrary_v_0_12.lrd that had my hostname in it, and a file called WMPImage_AlbumArtLarge.

      Actually I use FreeDB so I don't have to give any info out. M$ didn't even tell users they were being tracked till this article, at least they are going to let people know with an updated privacy statement. We really shouldn't have to wait for someone to point out privacy concerns that the vendor should disclose.
      -
      It seems to me, Golan, that the advance of civilization is nothing but an exercise in the limiting of privacy. - Janov Pelorat in Asimov's Foundation's Edge

    3. Re:This is just a local CDDB mirror by Edmund+Blackadder · · Score: 3, Insightful

      (extended to DVDs now apparently). which doesn't seem weird to you, since any dvd that would be in a central database already has the title information on it.

    4. Re:This is just a local CDDB mirror by Mr_Silver · · Score: 4, Informative
      Another use for it is the neat feature that it has for when you aren't on a permanent dial-up connection.

      It basically stacks up CD details until you get on-line and then downloads the track listings for all the CDs in one go.

      Whilst this doesn't sound much to your average connected American, here in the UK where broadband is stupidly expensive and the majority of us are on pay by the minute 56k modems it's an absolute godsend because we don't have to keep dialing up every single time we put a new CD in.

      --
      Avantslash - View Slashdot cleanly on your mobile phone.
    5. Re:This is just a local CDDB mirror by Cally · · Score: 3, Interesting

      The AP is reporting that there is spyware within Windows Media Player 8 (which ships with XP)

      Actually this was discovered by Richard M. Smith, who has a good record of finding bugs-by-design, security holes and privacy breaches in MS software. Here's his page on the topic, on the topic, and here's Microsoft's response - which is all in the first sentence, really, "we do not believe [this] represents a user privacy concern." All this was in my submission of the story, last night - heh, it's the first time I've submitted a story and someone else's post got there first. Or better.


      In reply to those people saying "this is just the same as CDDB, what's the big deal?": this IS a bad thing, for the following reasons:

      • As with most of the rest of XP's phone home functionality, there's nothing to tell the end user what's happening here. As with previous incidents of unexpected traffic seen from XP machines, Smith had to break out a packet sniffer to discover what the traffic was and where it was going.
      • You trust Microsoft NOT to start correlating this info to make some use of it further down the line? You trust them NOT to sell it to the MPAA to help them track evil pirates playing non-MPAA titles? As they don't even tell you they're doing it, there's no privacy policy involved - they give no categorical assurance that they won't give the info to the CIA or the BSA, for that matter.
      • Why the hell should Microsoft get to run CDDB as well as everything else? It's just another example of their greed and desire to own all your media.


      Think about it: Passport, web services, your company's servers, your corporate desktop, your own home PC, all your apps, your phone, set-top box, Palm ripoff, Psion rip-off... apart from washing machines and guided missiles, I can't think of anywhere that software runs which Microsoft doesn't aspire to own. Actually, come to think of it, NT4 at least can allegedly operate as a router; they've been trying to make headway in the embedded market for years, and I fear that "version 3 syndrome" will kick in on their efforts there soon... sheesh, they're even selling firewalls now. When the great day comes that Microsoft own all mass markets for software, they'll buy out some major consulting/services firm and start trying to put independent developers out of business, too. Pray that day never comes...


      Microsoft have yet to learn that in privacy and security matters, the correct default is to trust no-one and nothing. If you prove to your customers or users that you're worthy of trust, you'll get it. Take it for granted, and assume that the user won't MIND if your software starts sending your personal data back to the vendor (or a third party) without telling you, and you start getting into people's shitlists. When you're Microsoft, you have to bend over backwards to ensure that not only are you doing the right thing, but that you're SEEN to be doing the right thing. If you give a flying one, that is; if you really are Microsoft, then you couldn't care less, because your Windows monopoly means 99% of users and customers haven't got any choice in the matter.

      And what if you're a network security person and spot unauthorised traffic (which is what this is) on your network? You could spend a lot of time & energy investigating. For all I know, this could be a DDoS agent that some kiddie's planted on a cracked XP box, and is now starting to flood windowsmedia.com.

      If you really think this is "just like CDDB", ask yourself: why are Microsoft going to the trouble and expense of providing this "service" - given that they don't even tell people they're doing it? What do they hope to gain from it? How does this increase their marketshare or mindshare? Follow the money...

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    6. Re:This is just a local CDDB mirror by Cally · · Score: 4, Informative

      Curse this Moz build... damn testing only binaries... :)

      The links:
      Here's his page on the topic;

      Bugtraq post

      Microsoft's response.

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  5. We'd like to inform you by Tremul · · Score: 5, Insightful

    Several weeks ago when you bought our webcam, we decided that for non-related marketing purposes that we would randomly start recording data and sending it back to the company. We don't intend to sell these pictures to anyone.

    --

    "Can't sleep. Clowns will eat me"
  6. Winamp does this too by Glonk · · Score: 3, Interesting

    By default Winamp logs "anonymous usage statistics" unless you turn it off during the install.

    You can also turn off WMP's unique identifier thing if you're worried about privacy.

    Honestly though, set down your tinfoil hats for a second: Why do we really care?
    Really?

    Maybe it's just me but I honestly don't care if some site logs that I viewed porn from so and so site for so many minutes. Why should I?

    I also have very serious doubts that MS would ever sell the information it'd collect from it. The money from that is absolutely tiny and the feedback from the public would be absolutely horrible. What I see instead is a more personalized music service, kind of like Launch.com, where it personalizes and gives you music and movie picks based upon what you watch. Amazon does this too when you're logged in, keeping track of recently viewed items, etc.

    1. Re:Winamp does this too by maxpublic · · Score: 4, Insightful

      Maybe it's just me but I honestly don't care if some site logs that I viewed porn from so and so site for so many minutes. Why should I?

      You don't. I do. I don't need a reason to want to keep people out of my personal life. Rather, they need a good reason to butt into it.

      Max

      --
      My god carries a hammer. Your god died nailed to a tree. Any questions?
  7. Odd Interpretation by Ieshan · · Score: 3, Interesting

    "...no information is collected on Microsoft's servers that would be personally identifiable..."

    So, in other words, Microsoft (having engineered the world's most widely used operating system) still hasn't figured out how to pinpoint where data transfer is coming from. Because it seems to me, oddly, that if I'm sending someone data through a system they set up that I don't know about... they must know about it, and also must know how to analyze the results of all their data-grabbing. And see where the crap is coming from. And keep track of what I'm listening to.

    I don't use Windows Media player, personally. But if it ever came down to the log files, I'm sure MS could say to someone who ripped the software: "Actually, you have an unauthorized copy of windowsXP, how else would you be transmitting data through our security loophole with the same key as those twenty thousand other people?"

  8. Re:eak... by phyta · · Score: 5, Informative

    Or .. get a firewall that detects and controls net-bound data.

    www.zonealarm.com has a great free firewall program that prevents mplayer (and others) from misbehaving.

  9. Re:This is basically CDDB by nrosier · · Score: 5, Insightful

    On the surface it might look like just a CDDB-a-like lookup, but why do they also send a WMP-unique ID? If it was just a lookup, there wouldn't be this much fuss about it. The use of the unique ID has only one purpose: collect user-specific data.

  10. It's not a log, it's a cache by dstone · · Score: 5, Insightful

    What MediaPlayer is doing is nothing new -- it's equivalent to nearly every other player out there with CDDB (or equiv) capabilities with client-side caching so you don't have to hit the internet database repeatedly for your collection of tunes. BFD. It's not uploading anything back to anyone.

    Of course, mainstream media can spoonfeed the word/concept "log" (eg. history, audit, etc.) easier than it can "cache".

    1. Re:It's not a log, it's a cache by Sarcazmo · · Score: 4, Informative

      You are wrong, Media Player is sending a globally unique ID to a MS server, along with a fingerprint of the DVD you are watching. This GUID is associated with an email address if you signed up for their newsletter, and also the newsletter encourages you to register for a Passport account.

      Here was the original BugTraq post that started this all. Read carefully.

      Serious privacy problems in Windows Media Player for Windows XP by Richard M. Smith

      http://www.ComputerBytesMan.com

      February 20, 2002

      Introduction
      ============
      I found a number of serious privacy problems with Microsoft's Windows Media Player (WMP) for Windows XP. A number of design choices were made in WMP which allow Microsoft to individually track what DVD movies consumers are watching on their Windows PC. These problems were introduced in version 8 of WMP which ships preinstalled on all Windows XP systems.

      In particular, the privacy problems with WMP version 8 are:

      - Each time a new DVD movie is played on a computer, the WMP software contacts a Microsoft Web server to get title and chapter information for the DVD. When this contact is made, the Microsoft Web server is given an electronic fingerprint which identifies the DVD movie being watched and a cookie which uniquely identifies a particular WMP player. With these two pieces of information Microsoft can track what DVD movies are being watched on a particular computer.
      - The WMP software also builds a small database on the computer hard drive of all DVD movies that have been watched on the computer.
      - As of Feb. 14, 2002, the Microsoft privacy policy for WMP version 8 does not disclose the fact that WMP "phones home" to get DVD title information, what kind of tracking Microsoft does of which movies consumers are watching, and how cookies are used by the WMP software and the Microsoft servers.
      - There does not appear to be any option in WMP to stop it from phoning home when a DVD movie is viewed. In addition, there does not appear to be any easy method of clearing out the DVD movie database on the local hard drive.

      Technical Details
      =================

      When a DVD movie is played by the WMP, one of the first things that WMP does is to query via the Internet a Microsoft server for information about the DVD. The query is made using the standard HTTP protocol that is also used by Web browsers like Internet Explorer or Netscape Navigator. Using a packet sniffer I was able to observe WMP making these queries to a Microsoft server each time a new DVD movie was played. The packet sniffer also showed the movie information which was returned to WMP by the Microsoft servers.

      The first HTTP GET request sent by WMP identified the movie being played.

      For example, an HTTP GET request is made for this URL for the "Dr. Strangelove" DVD:

      http://windowsmedia.com/redir/QueryTOC.asp?WMPFriendly=true&locale=409&
      version=8.0.0.4477&
      cd=1E+96+1B1E+30D9+42D8+5D61+783E+9083+C49C+F0C8+1151E+13CF9+
      15812+16C5D+1A04F+1BF2D+1ECB7+212E1+22E48+25724+27E9D+2A91A+
      2D0E6+2F451+38367+3CF64+4A4D6+4C001+4D517+4E51B+4FDBC+51F74

      The hex numbers at the end of the URL are an electronic fingerprint for the DVD table of contents which uniquely identify the "Dr. Strangelove" DVD. This URL is sent to WindowsMedia.com, Microsoft's Web site dedicated to the WMP software. The HTTP GET request also included an ID number in a cookie which uniquely identifies my WMP player.

      Here's what this cookie looks like:

      MC1=V=2&GUID=CA695830BB504D399B9958473C0FF086

      By default, this cookie is anonymous. That is, no personal information is associated with the cookie value. However, if a person signs up for the Windows Media newsletter, their email address will be associated with their WindowsMedia.com cookie.

      For example, when I signed for the Windows Media newsletter, the following URL was sent to Microsoft servers:

      http://windowsmedia.com/mg/Newsletter.asp?eNws=rms@computerbytesman.com&
      format=HTM

      The same windowsmedia.com cookie value will be sent back to Microsoft servers when signing up for the newsletter and when a DVD movie is played. In addition, using various well-known "cookie synch" tricks, an email address can be associated with a cookie value at any time.

      Also when subscribing to the Windows Media newsletter, I was encouraged by an email message from the Microsoft newsletter department to create a Passport account based on my email address. In theory, yet more personal information from Passport could be matched with what DVD movies I have watched. There is no evidence however that Microsoft is making this connection.

      The WindowsMedia.com cookie was assigned to my computer the first time I ran WMP. The lifetime of the cookie was set to about 18 months. This cookie gives Microsoft the ability to track the DVD movies that I watch on my computer.

      After a series of redirects from the WindowsMedia.Com server, information about the "Dr. Strangelove" movie was returned in this XML file:

      http://services.windowsmedia.com/amgvideo_a/template/QueryDVDTOC_v3.xml?
      TOC=90a1b0d1571524ea

      WMP extracted movie information from this file and then added this information to a database file, named wmplibrary_v_0_12.db, which is located on my hard disk in the directory "C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index". I didn't see any method of removing movie information from this file, so it appears to me that the file keeps a complete record of all movies watched that have ever been watched on my computer.

      Because as of Feb. 14, 2002 the Windows Media privacy policy is silent about what is done with DVD information sent to Microsoft servers by the WMP software, we can only speculate what Microsoft is doing with the information. Here are some possibilities:

      - Microsoft can be using DVD title information for direct marketing purposes. For example, the WMP start-up screen or email offers can be customized to offer new movies to a WMP user based on previous movies they have watched.
      - Microsoft can be keeping aggregate statistics about what DVD movies are the most popular. This information can be published as weekly or monthly "top ten" lists.
      - Microsoft might be doing nothing with the DVD information. (In my discussions with Microsoft, I was told this option is their current practice.)

      Note: The Video Privacy Protection Act of the United States prevents video rental stores from using movie titles for direct marketing purposes. The letter of this law does not apply to Microsoft because they are not a video rental store. However, clearly the spirit of the law is that companies should not be using movie title information for marketing purposes.

      Recommendations
      ===============

      I believe that Microsoft should remove the DVD movie information feature from WMP version 8 altogether. The value of the feature seems very small given that almost all DVD movies include a built-in chapter guide. In addition, the Microsoft movie information feature is not available when DVD movies are shown in full-screen which is how DVDs are typically watched.

      If Microsoft feels that this feature is important to leave in WMP, then I think it should be turned off by default. The feature can be made privacy-friendly very easily, by having WMP never send in cookie information with movie title requests. This change will prevent Microsoft from tracking individual movie viewing choices.

      Vendor Response
      ===============
      Response from the Windows Digital Media Division of Microsoft Corporation is available here:
      http://www.computerbytesman.com/privacy/wmp8response.htm

      Acknowledgements
      ================
      Thanks to Ian Hopper of the Associated Press for bringing this issue to the attention of the author.

      Links
      =====
      Digital Media in Windows XP
      http://www.microsoft.com/windows/windowsmedia/windowsxp.asp
      Media Player for Windows XP Privacy Statement
      http://www.microsoft.com/windows/windowsmedia/software/v8/privacy.asp
      The RealJukeBox monitoring system
      http://www.computerbytesman.com/privacy/realjb.htm
      TiVo's Data Collection and Privacy Practices
      http://www.privacyfoundation.org/privacywatch/report.asp?id=62&action=0
      Internet Explorer SuperCookies bypass P3P and cookie controls
      http://www.computerbytesman.com/privacy/supercookie.htm
      Video Privacy Protection Act
      http://www.accessreports.com/statutes/VIDEO1.htm
      Bill Gates' memo on Trustworthy computing:
      http://www.computerbytesman.com/security/billsmemo.htm
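
The linkage described in the advisory quoted above can be checked against your own proxy logs. This added example (not part of the thread or of the advisory) groups QueryTOC lookups by the MC1 cookie GUID and attaches a newsletter e-mail address when the same cookie carries one; the log tuple format, the second GUID, the shortened `cd` fingerprints and `user@example.com` are constructed for the demonstration.

```python
"""Audit proxy-log records for WMP 8 title lookups that carry the MC1 GUID."""
from collections import defaultdict
from urllib.parse import urlsplit

PAGE_GUID = "CA695830BB504D399B9958473C0FF086"   # cookie GUID quoted in the advisory
OTHER_GUID = "0123456789ABCDEF0123456789ABCDEF"  # constructed second player

# Host, path and parameter names are the ones shown in the advisory.
BASE = ("http://windowsmedia.com/redir/QueryTOC.asp"
        "?WMPFriendly=true&locale=409&version=8.0.0.4477&cd=")

# Constructed records: (requested URL, Cookie request header).
SAMPLE_LOG = [
    (BASE + "1E+96+1B1E+30D9", "MC1=V=2&GUID=" + PAGE_GUID),
    (BASE + "0C+96+2A10+4F22", "MC1=V=2&GUID=" + PAGE_GUID),
    (BASE + "1E+96+1B1E+30D9", "MC1=V=2&GUID=" + OTHER_GUID),
    (BASE + "08+96+1100+2200", ""),  # same lookup with the cookie stripped
    ("http://windowsmedia.com/mg/Newsletter.asp?eNws=user@example.com&format=HTM",
     "MC1=V=2&GUID=" + PAGE_GUID),
    ("http://example.com/redir/QueryTOC.asp?cd=FF", "MC1=V=2&GUID=" + PAGE_GUID),
]


def raw_query(url):
    """Return query parameters without decoding '+', which cd= uses as a separator."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[key.lower()] = value
    return params


def cookie_guid(cookie_header):
    """Extract the GUID field from an MC1 cookie, or None if it is absent."""
    for cookie in cookie_header.split(";"):
        name, _, value = cookie.strip().partition("=")
        if name == "MC1":
            for field in value.split("&"):
                key, _, val = field.partition("=")
                if key == "GUID" and val:
                    return val.upper()
    return None


def classify(url):
    """Label a URL as a 'toc' lookup, a 'newsletter' signup, or None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host != "windowsmedia.com" and not host.endswith(".windowsmedia.com"):
        return None
    path = parts.path.lower()
    if path == "/redir/querytoc.asp":
        return "toc"
    if path == "/mg/newsletter.asp":
        return "newsletter"
    return None


def audit(log):
    """Return (profiles keyed by GUID, disc fingerprints sent without a GUID)."""
    profiles = defaultdict(lambda: {"discs": [], "email": None})
    unlinked = []
    for url, cookie in log:
        kind = classify(url)
        if kind is None:
            continue
        guid = cookie_guid(cookie)
        params = raw_query(url)
        if kind == "toc":
            disc = params.get("cd")
            if disc is None:
                continue
            if guid:
                profiles[guid]["discs"].append(disc)
            else:
                unlinked.append(disc)
        elif kind == "newsletter" and guid:
            profiles[guid]["email"] = params.get("enws")
    return dict(profiles), unlinked


if __name__ == "__main__":
    found, anonymous = audit(SAMPLE_LOG)
    for guid, profile in found.items():
        print(guid, profile)
    print("lookups with no player identifier:", anonymous)
```

Requests that arrive without the cookie end up in `unlinked`, which is the effect of the advisory's recommendation that WMP never send cookie information with title requests.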

  11. CDDB does the same thing by a3d0a3m · · Score: 3, Informative
    Has anyone else noticed that CDDB [.com] does the same thing? Any program that gets CD information from CDDB, which includes Music Match Jukebox and older betas of Exact Audio Copy [a great program] would require an e-mail address before you could automatically download title and track information for CDs that you would insert? Someone should be checking out their privacy statements, because that would let them garner the same information.

    Fortunately, their privacy policies state otherwise:
    Data Aggregation. Gracenote CDDB collects aggregate statistics on which music and artists are most commonly identified by users with the Gracenote CDDB Service. ("Aggregate statistics" means "group statistics" such as the Gracenote Digital Top Ten, not individual statistics about your personal use of the service.) Besides posting these statistics for you and other fans to enjoy, Gracenote CDDB may publish or share this aggregate information with other companies. This aggregate data, by its nature, will not reveal the identity of our users. We also use aggregate data to help us improve our servers and other components of the Gracenote CDDB Service.
    It doesn't now, but if an investor comes along with a big suitcase of cash, I wonder if their privacy policy would change overnight?

    adam
  12. not just CDDB by maxpublic · · Score: 4, Insightful

    As part of downloading the information about songs and movies from the Web site, the program also transmits an identifier number unique to each user on the computer. That creates the possibility that user habits could be tracked and sold for marketing purposes.

    The same company that assigns you a unique number for the downloads you make also has the database you were required to register with in order to activate your WindowsXP. Manipulated properly it would be a rather simple task to match a real name and address with what you watch on media player - especially if this 'unique number' and the registration number for XP were one and the same.

    And note that Microsoft hasn't ruled out using the data for marketing purposes. Imagine the look on your spouse's face when you suddenly start getting free trial issues of Spanking Teen Cheerleaders! Or the look on your face when the FBI comes crashing through the door because an 'anonymous tip' from a 'reputable source' claims that you were watching illegal porn videos.

    Max

    --
    My god carries a hammer. Your god died nailed to a tree. Any questions?
  13. What could somebody do with this data? by NanoGator · · Score: 3, Interesting

    Just curious. This issue's new to me and I'm curious what the privacy advocates are worried about.

    I'm a little concerned that MS might detect that I ripped a DVD so I could use a particular clip as reference footage for an animation I'm working on, perhaps use the DMCA to fine me for it. Other than that I don't really care if they know what I'm watching or not.

    Is there a larger problem I should be aware of? Could somebody explain to me what MS or anybody else could do with data about what movies I watch, or what websites I visit, or whether I'm attracted to either T or A that would be bad?

    --
    "Derp de derp."
  14. I can't even play music on my computer any more! by Artifice_Eternity · · Score: 5, Insightful

    It's gotten ridiculous -- WinAmp is bloated spyware, RealPlayer is the same (plus it's a fscking virus that changes all your settings, sticks its shortcuts everywhere, and inserts itself into your Systray).

    And when I use the Sony Media Bar software that came with my Vaio, to try to listen to a CD while browsing the web and performing another task (graphics or HTML editing, for example), the damn thing crashes!

    The machine has a perfectly good DVD-ROM drive. If I could just run a headphone jack directly out of it, and play CDs with no stupid software layer involved, I'd be happy. But I can't.

    So now, sadly, I have to listen to music on a portable CD player sitting on my desk. My perfectly usable computer has been handicapped by its software.

    The worst part is, that when I see what's coming down the pipe -- region-coded everything, RIAA/MPAA copy "protection" lockdowns destroying fair use, the death of webcasting, even more media mega-mergers, and spyware in EVERYTHING -- I know that it's going to get a lot worse.

  15. Real Player used to be worse by young-earth · · Score: 3, Informative
    Remember when Maria Cantwell and Real got caught tracking all the music that was anywhere on your computer?

    The big question is, will Microsoft respond in the same way and back down?

  16. Well, actually you can just make this stuff up... by gusnz · · Score: 5, Insightful

    OK, yes WMP from version 7 onwards is a nasty beast.

    This article is mostly scare tactics, as ever since the beginning of time there's been a file named CDPLAYER.INI in the windows folder that stores CDDB info. A local cache should actually enhance your privacy as it will reduce calls to central servers when you play your CDs or whatever.

    WMP 7+ however doesn't use this file. If you look in your Windows folder again, you'll notice a couple of files named WMSysPrx.prx and another one named similarly that actually stores the song database. That's how the 'media library' feature works, it's all stored in there -- you would expect a program that catalogues songs to store a list of media played somewhere, wouldn't you?

    It's true WMP does track how many times you play a song. But discovering the fact isn't exactly a journalistic coup, it's listed in the program itself. Look in the 'Media Library', this is listed along with all the rest of the ID3 information (at least in WMP 7)... not exactly a huge secret. I have never heard of MS sending this info off to its site before... that sounds a lot like how Real got into trouble a few years back, and also a lot like a very inventive and paranoid reporter. If you're worried, delete those files mentioned above every so often.

    The unique ID is more interesting. I really recommend turning this off in your WMP options, as it's only really useful if you're buying proprietary WMA files online... and somehow I don't think many slashdotters will be doing that ;).

    The worst part is that it opens up the recently discovered SuperCookie exploit in which websites can embed a player in a page and get its ID number. Since it's globally unique and installed on most computers, it's a great way of tracking users who are savvy enough to turn off cookies.

    So nuke the ID feature quickly from your player options... even if you use *AMP to play your sounds, you could still be vulnerable to this.

  17. Re:I can't even play music on my computer any more by Chops · · Score: 5, Informative
    ... WinAmp is bloated spyware, RealPlayer is the same ...

    ... the damn thing crashes!

    ... My perfectly usable computer has been handicapped by its software.

    May I make a few small suggestions?
  18. Proof of Microsoft's bad faith by m_evanchik · · Score: 3, Insightful

    from the article:

    "This is essentially a case where it (the ID) doesn't serve any purpose and it isn't used," [Microsoft's] Caulton said.

    Which begs the obvious question of why put it in there in the first place.

    The end of the article takes an interesting twist:

    In a recent memo, Microsoft chairman Bill Gates ordered his company to check for privacy and security concerns before adding new features.

    "Users should be in control of how their data is used," Gates wrote. "Policies for information use should be clear to the user. Users should be in control of when and if they receive information to make best use of their time."

    [...]

    He said the feature seems to conflict with Gates' directive.

    "You can really see the Microsoft culture coming through that Gates wants to change. These guys are digging in their heels," he said.


    Bill Gates is not a stupid person. Let us suppose for a few moments that he really has seen the writing on the wall and is sincere about this new direction for the company.

    Gates bred this culture that he is now trying to change. And the paradigm shift for his company is much sharper philosophically than the previous one of desktop- to network-centric computing.

    And then there is the very real argument that Microsoft's proprietary, closed-source code policy is antithetical, or at the very least sub-prime for dealing with privacy and security concerns.

    What's an ersatz-visionary computer mogul to do?

  19. This microsoft patent... by nemo · · Score: 5, Interesting

    FACT:
    Microsoft has this patent:
    System and methods for selecting music on the basis of subjective content.

    OPINION:
    I bet they'd love to get their hands on these logs/cache/whatever... if what people choose to listen to doesn't count as subjective, I dunno what does!

    Draw your own conclusions. I am merely presenting facts and opinions.

  20. Re:Turn off Windows Media Player by Jeremi · · Score: 3, Insightful
    It's amazing how quickly an otherwise non-story can become a big story with such sensationalist responses simply because Microsoft's name is attached to it.


    Well, yes. If I am seen boarding a plane headed for Washington DC, that's not news. If Osama Bin Ladin is seen boarding a plane headed for Washington DC, that's news.

    --


    I don't care if it's 90,000 hectares. That lake was not my doing.
  21. Technical Details by arnoroefs2000 · · Score: 3, Informative

    For a bunch of technical details about this, read this posting on Bugtraq.

    "WMP extracted movie information from this file and then added this information to a database file, named wmplibrary_v_0_12.db, which is located on my hard disk in the directory "C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index". I didn't see any method of removing movie information from this file, so it appears to me that the file keeps a complete record of all movies watched that have ever been watched on my computer."

  22. Has anybody *read* the article? by Gordonjcp · · Score: 3, Interesting

    When a CD is played, the player downloads the disc name and titles for each song from a Web site licensed by Microsoft. That information is stored on a small file on each computer in the latest version of the software.

    This sounds to me very much like some sort of CDDB cache. XMMS has done this since the first line of code was written.

  23. And they're using this for... by bero-rh · · Score: 4, Funny


    From: Microsoft Legal Department
    To: Valued Customer
    Subject: Windows Media Player Usage Report

    Hello,
    we have noticed you have played back pirated episodes
    of Star Trek Enterprise downloaded from the net.

    This is a violation of federal law.

    We charge you $10,000 for this information; if we do not receive this amount of money, your registration information (as well as the information you used to register on any websites, as tracked by Internet Explorer) will be forwarded to the MPAA.

    --
    This message is provided under the terms outlined at http://www.bero.org/terms.html
  24. Re:marketing data? by stinkydog · · Score: 5, Funny

    What kind of marketing data are they going to get from "user 3453845 watches the hell out of 'tina3.wmv'"?

    You laugh now but soon, all your popups will be for Jergens, Vaseline and inflatable girlfriends.

    SD

    --
    “Who knew something as harmless as willful ignorance could end up having real consequences?”
  25. Even worse: IE tracks your browsing! by foobar104 · · Score: 3, Insightful

    I just found out this morning that IE 6 on Windows 2000 keeps a record of all the web sites I've visited! Microsoft doesn't tell anybody about this, but you can see it for yourself if you click that mysterious button on the toolbar that looks kind of like a sundial. There it is, a list of all the sites you've visited, sorted by domain and by date!

    The worst part is, Microsoft doesn't deny that they could use this information for marketing!

    The only way these customer-hostile corporations will get the message is if we vote with our wallets. Don't use IE! Use only browsers that don't maintain this so-called "History" log! Power to the people!

    </sarcasm>

    By now, everyone knows that this behavior inside WMP is just CDDB lookup caching. Every CD player I've ever seen has done the same thing. For that matter, so does every program that caches anything, from your web browser to your email program to... well, anything.

    You can all stand down from red alert now. Cancel the march on Washington.

  26. How to defeat it by sllort · · Score: 5, Informative

    How to disable this feature:

    The file, wmplibrary_v_0_12.db, contains in cleartext the name of every movie you've ever watched with media player. The names are in cleartext but each byte is spaced out with a pad byte, so you can't just grep for the names you're looking for.

    If you delete the file, WMP regenerates it on use.

    But, if you create the file as a zero-byte file, WMP does not fix it and does not store any information about what WMP is playing, ripping, burning, etc.

    Tested Today, 2/21/02, with Windows 2000 and WMP 7.1. Oh, they didn't mention it's not just XP? It's not just XP.

    --
    You're Reading Managed Agreement
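
The "pad byte" spacing described in the comment above is what UTF-16LE text looks like at the byte level (an assumption here; the page does not name the encoding). The following is an added example, not part of the original comment or any Microsoft tool, for auditing what such a file has recorded; the sample bytes are constructed and the function names are hypothetical.

```python
import re
import sys

# Constructed sample standing in for a fragment of wmplibrary_v_0_12.db.
# The real file layout is not documented on this page.
SAMPLE = (
    b"\x07\x00\x01\xff"
    + "Example Movie Title".encode("utf-16-le")
    + b"\x00\x00\x9c\x11\x03"
    + "D:\\VIDEO_TS".encode("utf-16-le")
    + b"\x00\x00\xfe"
    + "ab".encode("utf-16-le")  # shorter than min_len, so not reported
    + b"\x00\x00"
)

def naive_find(data, title):
    """Plain byte search, which is what grep does: misses padded text."""
    return data.find(title.encode("ascii"))

def utf16_find(data, title):
    """Search for the title with a zero byte after every character."""
    return data.find(title.encode("utf-16-le"))

def utf16le_strings(data, min_len=4):
    """Return (offset, text) for each run of printable ASCII characters
    stored as UTF-16LE (character byte followed by 0x00)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in pattern.finditer(data)]

if __name__ == "__main__":
    # Pass the path to the .db file, or run with no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE
    for offset, text in utf16le_strings(blob):
        print(f"{offset:#010x}  {text}")
```

Titles containing non-ASCII characters have a non-zero second byte and are not matched by this pattern.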

  27. well duh by twitter · · Score: 5, Interesting
    How else is the Digital Rights Denial OS supposed to work? The terms of their EULA allow them to scan the contents of your computer. Why bother to send it over the web when you have permission to take it at will? People downplaying this have obviously forgotten all M$ news of the last month. All the pieces fit so well.

    Media Player will be used to extort money from users, media companies and advertisers. Microsoft wants to be the asshole in the middle and wants to use that position to make money. They have created their own media formats to break at will, a method to do it, and put it all in their EULA. What more can you ask for? Do you really think that they won't sell your information? Oh, I suppose you forgot how they sold "real estate" on your desktop.

    The only way for them to keep themselves in that position is to eliminate every other option. If you continue to use M$, your internet will have three channels and you will never be able to contribute. Your money goes to those who would enslave you.

    Let's see, M$ can write files to my computer that I can't delete and can access my computer in ways that I can not. They must be root, and I am not.

    --

    Friends don't help friends install M$ junk.

  28. Re:unique id by mark_lybarger · · Score: 3, Funny

    what unique user id? is this derived from the os install key? if so, i'd say it's not that unique :).

  29. "Title and Chapter Information"? by DaveWood · · Score: 3, Informative

    The reason your entire viewing habits are available to MS is because every time you insert a DVD, WMP8 contacts an MS website with your GUID and the DVD's TOC. This is in addition to keeping a log of DVDs on your computer. The ostensible purpose for the request is to get the DVD's "title and chapter information."

    This begs the question: what is a DVD's "title and chapter information," anyway?

    What possible purpose does having it serve?

    We all know that CD player programs call up CDDB because there's no track and album titles handy on the disc. That's fine and good: perfectly legitimate use of network callback. Note: there's no need at all for any personally identifying information (GUID, cookie, or whatever) in that transaction... but that's not my main point.

    Unlike a CD, a DVD has every piece of information you already need included, along with a custom interface, etc etc. And in all the coverage I've seen of this issue, no one seems to be catching on to the fact that, as far as anyone can tell:

    DVDs are not CDs. There is no justifiable need for any user to have a DVD's "title and chapter" info at all, let alone for them to give a unique identifier to MS while requesting it.

    So why go to all the trouble of building a scalable web application to service a non-feature?

    Sure, MS is rich, but I guess conservatively that this functionality was a low six figure outlay to start, and it creates a neverending and not inconsiderable ongoing support cost to maintain a database and a server farm. It has to be big: they're servicing every XP/WMP8 user in the world, after all.

    On a final note, let's consider the infamous Windows GUID. It's generated from a variety of sources: your PIII Processor Serial Number, if available, your ethernet MAC address, and I believe several other pieces of optional identifiable hardware are potentially tapped.

    Microsoft is the same company that silently attached GUIDs to every Word document you produce, by the way.

    GUIDs don't contain your name or email themselves, but wait...

    http://www.computerbytesman.com/privacy/wmp8dvd.htm

    "However, if a person signs up for the Windows Media newsletter, their email address will be associated with their WindowsMedia.com cookie."

    It gets better.

    "Also when subscribing to the Windows Media newsletter, I was encouraged by an email message from the Microsoft newsletter department to create a Passport account based on my email address. In theory, yet more personal information from Passport could be matched with what DVD movies I have watched."

    If you are curious, the other shoe dropping will sound like this:

    MS "Passport" registration (which is required for customer support) also collects GUIDs directly.

    -David

  30. Re:And yet the TIVO is A-OK... by phillymjs · · Score: 3, Informative

    The difference being, TiVo was upfront about what they collected, and people sniffed the outgoing packets from their TiVos and confirmed that what they said was being sent, was all that was being sent. Furthermore, TiVo gives you the option of opting out, and people sniffed the outgoing packets again to confirm that once you opt out, the tracking data is no longer sent.

    Microsoft didn't tell anyone about this crap they put in WMP, and when 'caught,' simply amended their EULA to cover it. Additionally, Microsoft offers no option to opt out of it, and even if they did, anybody who tried to confirm this by the same methods the TiVoers used would probably get whacked by the DMCA.

    ~Philly

  31. How to defeat Windows XP Media Player Spyware by SimHacker · · Score: 3, Informative
    There's a simple and effective way to defeat the Windows XP Media Player spyware, which records a list of all media files you've played. This also applies to older versions of Windows Media Player, as well.

    It's a trivial fix, really. Windows Media Player records the list in a file. Just make the file read-only! Problem solved.

    Here's the file name for Windows XP:
    C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db
    Here's the file name for Windows ME:
    c:\Windows\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db
    Here's the file name for Windows 98:
    c:\Windows\wmplibrary_v_0_12.db

    The easiest way to find the file is to search your disk for "wmplibrary". Then right-click up the properties for that file and make it read-only.

    This spying behavior has been around for a long time. I noticed it a year or so ago, and made the log file read-only. It's been working fine ever since, without writing a log.

    You can see the log in the Windows Media Player by pressing the "Media Library" button and opening up the outlines. Just make sure to clear out the log first, before you make it read-only. When you delete an item from the log, it goes into "deleted items" folder. So make sure you finally clear out the "deleted items" section of the log.

    I found the log file by using Igor Arsenin's "taskinfo" utility, that lets you see all the files any process has open. Taskinfo is a great tool for figuring out what logs any Windows programs are keeping. Solid Russian engineering. Use it to spy on the spyware!

    -Don

    --
    Take a look and feel free: http://www.PieMenu.com