Windows Tracks CDs & DVDs You Watch

lcypher writes "The AP is reporting that there is spyware within Windows Media Player 8(which ships with XP), which records the song titles and DVD titles that a user listens to or views in WMP8. Microsoft execs claim no marketing use right now, but they won't rule it out. " This looks like less of a big deal than the article makes it out to be, but it definitely could be used for evil.

Pr0n

[68030]

Turns out they are just tracking all the pron
file names so they can track them down on
kazaa easier.

Those lazy bastards. (:

Playing right now:

[torpor]

DVD: "1,000 ways to torture a Billionaire", widescreen format. No region encoding.
---

But anyway, fair enough. What I'd like to know is how easy it is to insert my own random data into that playlist before it goes off to Microsoft?

Seems the only way to fight this will be with dis-info ...

Re:Playing right now:

[sql*kitten]

What I'd like to know is how easy it is to insert my own random data into that playlist before it goes off to Microsoft?

It doesn't go to Microsoft, it's just a cache of CDDB lookups you've done. AudioCatalyst does the same thing - but it's tracking not only what you play, but also what you rip to MP3. Surely, if you are looking for a conspiracy, that is where to look?

This cache is just a performance enhancement, like your web browser maintaining a cache of pages you've visited. If anything, it improves your privacy: it makes it much more difficult for CDDB to track how often you play a particular CD.

From the article:

When a CD is played, the player downloads the disc name and titles for each song from a Web site licensed by Microsoft. That information is stored on a small file on each computer in the latest version of the software.

Re:Playing right now:

[o0_kave_0o]

Sorry but it isn't just a CDDB cache at all if you bothered to scan through the database you will find every mp3 you have ever played in Media Player listed.

Check it out for yourself the log can be located here:

C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db

the "_v_0_12" part may vary on your PC but this is the file mentioned in the article.

It won't be personally identifable?

[Scoria]

If your IP address is static as opposed to dynamic, Microsoft may possess the ability to compare it to the one used to register Windows XP.

This is just a local CDDB mirror

[Zoid]

If you read the article all this "database" is a copy from the CDDB records (or whatever CDDB is called these days) used for caching. You stick a CD in, it generates a checksum and asks CDDB for the artist/track listing and stores it locally, so it doesn't have to ask again later. As far as I'm aware, there isn't any sending of this database.

It appears they extended to DVDs as well as CDs (just a bigger database I suppose).

The article is a bunch of fluff for a functionality we've used for a long time with numerous programs such as XMCD, AudioCatalyst, etc etc. Microsoft adds it to media player and omg, privacy for getting the disc information for you. I'm pretty sure there's a button to turn it off.

(Gracenote is probably using the CD request data anyway for marketting purposes these days).

Re:This is just a local CDDB mirror

[BrookHarty]

Yup, logs into a database, gives them an ID based on your computer, your IP, and the multimedia your viewing, also leaves a nice log file on your PC of your activity.

So no, its a little more than just a mirror of a CDDB database. The traffic is bi-directional, and leaves a log trail.
-
I was so naive as a kid I used to sneak behind the barn and do nothing. - Johnny Carson

Re:This is just a local CDDB mirror

[BrookHarty]

The files are stored in
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db
I also saw a file wmplibrary_v_0_12.lrd that had my hostname in it, and a file called WMPImage_AlbumArtLarge.

Actually I use FreeDB so I dont have to give any info out. M$ Didnt even tell users they were being tracked till this article, at least they are going to let people know with an updated privacy statement. We really shouldnt have to wait for someone to point out privacy concerns that the vendor should disclose.
-
It seems to me, Golan, that the advance of civilization is nothing but an exercise in the limiting of privacy. - Janov Pelorat in Asimov's Foundation's Edge

Re:This is just a local CDDB mirror

[Mr_Silver]

Another use for it is the neat feature that it has for when you aren't on a perminant dial-up connection.

It basically stacks up cd details until you get on-line and then downloads the track listings for all the CD's in one go.

Whilst this doesn't sound much to your average connected American, here in the UK where broadband is stupidly expensive and the majority of us are on pay by the minute 56k modems its an absolute godsend because we don't have to keep dialing up every single time we put a new CD in.

Re:This is just a local CDDB mirror

[Cally]

Curse this Moz build... damn testing only binaries... :)

The links:
Here's his page on the topic;

Bugtraq post

Microsoft's response.

We'd like to inform you

[Tremul]

Several weeks ago when you bought our webcam, we decided that for non-related marketing purposes that we would randomly start recording data and sending it back to the company. We don't intend to sell these pictures to anyone.

Re:eak...

[phyta]

Or .. get a firewall that detects and controls net-bound data.

www.zonealarm.com has a great free firewall program that prevents mplayer (and others) from misbehaving.

Re:This is basically CDDB

[nrosier]

On the surface it might look like just a CDDB-a-like lookup, but why do they also send a WMP-unique ID? If it was just a lookup, there wouldn't be this much fuss about it. The use of the unique ID has only one purpose: collect user-specific data.

Re:Winamp does this too

[maxpublic]

Maybe it's just me but I honestly don't care if some site logs that I viewed porn from so and so site for so many minutes. Why should I?

You don't. I do. I don't need a reason to want to keep people out of my personal life. Rather, they need a good reason to butt into it.

Max

It's not a log, it's a cache

[dstone]

What MediaPlayer is doing is nothing new -- it's equivalent to nearly every other player out there with CDDB (or equiv) capabilities with client-side caching so you don't have to hit the internet database repeatedly for your collection of tunes. BFD. It's not uploading anything back to anyone.

Of course, mainstream media can spoonfeed the word/concept "log" (eg. history, audit, etc.) easier than it can "cache".

Re:It's not a log, it's a cache

[Sarcazmo]

You are wrong, Media Player is sending a globally unique ID to a MS server, along with a fingerprint of the DVD you are watching. This GUID is associated with an email address if you signed up for their newsletter, and also the newsletter encourages you to register for a Passport account.

Here was the original BugTraq post that started this all. Read carefully.

Serious privacy problems in Windows Media Player for Windows XP by Richard M. Smith

http://www.ComputerBytesMan.com

February 20, 2002

Introduction
============
I found a number of serious privacy problems with Microsoft's Windows Media Player (WMP) for Windows XP. A number of design choices were made in WMP which allow Microsoft to individually track what DVD movies consumers are watching on their Windows PC. Thesep problems which introduced in version 8 of WMP which ships preinstalled on all Windows XP systems.

In particular, the privacy problems with WMP version 8 are: - Each time a new DVD movie is played on a computer, the WMP software contacts a Microsoft Web server to get title and chapter information for the DVD. When this contact is made, the Microsoft Web server is giving an electronic fingerprint which identifies the DVD movie being watched
and a cookie which uniquely identifies a particular WMP player. With this two pieces of information Microsoft can track what DVD movies are being watched on a particular computer. - The WMP software also builds a small database on the computer hard
drive of all DVD movies that have been watched on the computer. - As of Feb. 14, 2002, the Microsoft privacy policy for WMP version 8 does not disclose that the fact that WMP "phones home" to get DVD title
information, what kind of tracking Microsoft does of which movies consumers are watching, and how cookies are used by the WMP software and the Microsoft servers. - There does not appear to be any option in WMP to stop it from phoning home when a DVD movie is viewed. In addition, there does not appear any
easy method of clearing out the DVD movie database on the local hard drive.

Technical Details
=================

When a DVD movie is played by the WMP, one of the first thing that WMP does is to query via the Internet a Microsoft server for information about the DVD. The query is made using the standard HTTP protocol that is also used by Web browsers like Internet Explorer or Netscape Navigator. Using a packet sniffer I was able to observe WMP making these queries to a Microsoft server each time a new DVD movie was played. The packet sniffer also showed the movie information which was returned to WMP by the Microsoft servers.
The first HTTP GET request sent by WMP identified the movie being played.

For example, an HTTP GET request is made for this URL for the "Dr. Strangelove" DVD: http://windowsmedia.com/redir/QueryTOC.asp?WMPFrie ndly=true&locale=409&
version=8.0.0.4477&
cd=1E+ 96+1B1E+30D9+42D8+5D61+783E+9083+C49C+F0C8+1 151E+13CF9+
15812+16C5D+1A04F+1BF2D+1ECB7+212E1+2 2E48+25724+27 E9D+2A91A+
2D0E6+2F451+38367+3CF64+4A4D6+4C001+4D 517+4E51B+4F DBC+51F74
The hex numbers at the end of the URL are an electronic fingerprint for the DVD table of contents which uniquely identify the "Dr. Strangelove" DVD. This URL is sent to WindowsMedia.com, Microsoft's Web site dedicated to the WMP software. The HTTP GET request also included a ID number in cookie which uniquely identifies my WMP player.
Here's what this cookie looks like: MC1=V=2&GUID=CA695830BB504D399B9958473C0FF086
By default, this cookie is anonymous. That is, no personal information is associated with the cookie value. However, if a person signs up for the Windows Media newsletter, their email address will be associated
with their WindowsMedia.com cookie.

For example, when I signed for the Windows Media newsletter, the following URL was sent to Microsoft servers: http://windowsmedia.com/mg/Newsletter.asp?eNws=rms @computerbytesman.com&
format=HTM

The same windowsmedia.com cookie value will be sent back to Microsoft servers when signing up for the newsletter and when a DVD moive is played. In addition, using various well-known "cookie synch" tricks, an email address can be associated with a cookie value at any time. Also when subscribing to the Windows Media newsletter, I was encouraged
by an email message from the Microsoft newsletter department to create a Passport account based on my email address. In theory, yet more personal information from Passport could be matched with what DVD movies I have
watched. There is no evidence however that Microsoft is making this connection. The WindowsMedia.com cookie was assigned to my computer the first time I ran WMP. The lifetime of the cookie was set to about 18 months. This cookie gives Microsoft the ability to track the DVD movies that I watch
on my computer.

After a series of redirects from the WindowsMedia.Com server, information about the "Dr. Strangelove" movie was returned in this XML file: http://services.windowsmedia.com/amgvideo_a/templa te/QueryDVDTOC_v3.xml?
TOC=90a1b0d1571524ea

WMP extracted movie information from this file and then added this information to a database file, named wmplibrary_v_0_12.db, which is located on my hard disk in the directory " C:\Documents and Settings\All
Users\Application Data\Microsoft\Media Index". I didn't see any method
of removing movie information from this file, so it appears to me that the file keeps a complete record of all movies watched that have ever been watched on my computer. Because as of Feb. 14, 2002 the Windows Media privacy policy is silent about what is done with DVD information sent to Microsoft servers by the WMP software, we can only speculate what Microsoft is doing with the
information. Here are some possibilities: - Microsoft can be used DVD title information for direct marketing purposes. For example, the WMP start-up screen or email offers can be
customized to offer new movies to a WMP user based on previous movies they have watched. - Microsoft can be keeping aggregrate statistics about what DVD movies are the most popular. This information can be published as weekly or monthly "top ten" lists. - Microsoft might be doing nothing with the DVD information. (In my discussions with Microsoft, I was told this option is their current practice.) Note: The Video Privacy Protection Act of the United States prevents
video rental stores from using movie titles for direct marketing purposes. The letter of this law does not apply to Microsoft because
they are not a video rental store. However, clearly the spirit of the law is that companies should not be using movie title information for marketing purposes.
Recommendations
===============

I believe that the Microsoft should remove the DVD movie information feature from WMP version 8 altogether. The value of feature seems very small given that almost all DVD movies include a built-in chapter guide.
In addition, the Microsoft movie information feature is not available when DVD movies are shown in full-screen which is how DVD are typically watched. If Microsoft feels that this feature is important to leave in WMP, then I think it should be turned off by default. The feature can be made privacy-friendly very easily, by having WMP never send in cookie information with movie title requests. This change will prevent
Microsoft from tracking individual movie viewing choices.

Vendor Response
===============
Response from the Windows Digital Media Division of Microsoft Corporation is available here: http://www.computerbytesman.com/privacy/wmp8respon se.htm
Acknowledgements
================
Thanks to Ian Hopper of the Associated Press for bringing this issue to the attention of the author.

Links
=====
Digital Media in Windows XP
http://www.microsoft.com/windows/windowsmedia/wind owsxp.asp
Media Player for Windows XP Privacy Statement
http://www.microsoft.com/windows/windowsmedia/soft ware/v8/privacy.asp
The RealJukeBox monitoring system
http://www.computerbytesman.com/privacy/realjb.htm
TiVo's Data Collection and Privacy Practices
http://www.privacyfoundation.org/privac ywatch/repo rt.asp?id=62&action=0
Internet Explorer SuperCookies bypass P3P and cookie controls
http://www.computerbytesman.com/privacy/supercooki e.htm Video Privacy Protection Act
http://www.accessreports.com/statutes/VIDEO1.htm
Bill Gate's memo on Trustworthy computing:

http://www.computerbytesman.com/security/billsme mo .htm

not just CDDB

[maxpublic]

As part of downloading the information about songs and movies from the Web site, the program also transmits an identifier number unique to each user on the computer. That creates the possibility that user habits could be tracked and sold for marketing purposes.

The same company that assigns you a unique number for the downloads you make also has the database you were required to register with in order to activate your WindowsXP. Manipulated properly it would be a rather simple task to match a real name and address with what you watch on media player - especially if this 'unique number' and the registration number for XP were one and the same.

And note that Microsoft hasn't ruled out using the data for marketing purposes. Imagine the look on your spouse's face when you suddenly start getting free trial issues of Spanking Teen Cheerleaders! . Or the look on your face when the FBI comes crashing through the door because an 'anonymous tip' from a 'reputable source' claims that you were watching illegal porn videos.

Max

I can't even play music on my computer any more!

[Artifice_Eternity]

It's gotten ridiculous -- WinAmp is bloated spyware, RealPlayer is the same (plus it's a fscking virus that changes all your settings, sticks its shortcuts everywhere, and inserts itself into your Systray).

And when I use the Sony Media Bar software that came with my Vaio, to try to listen to a CD while browsing the web and performing another task (graphics or HTML editing, for example), the damn thing crashes!

The machine has a perfectly good DVD-ROM drive. If I could just run a headphone jack directly out of it, and play CDs with no stupid software layer involved, I'd be happy. But I can't.

So now, sadly, I have to listen to music on a portable CD player sitting on my desk. My perfectly usable computer has been handicapped by its software.

The worst part is, that when I see what's coming down the pipe -- region-coded everything, RIAA/MPAA copy "protection" lockdowns destroying fair use, the death of webcasting, even more media mega-mergers, and spyware in EVERYTHING -- I know that it's going to get a lot worse.

Well, actually you can just make this stuff up...

[gusnz]

OK, yes WMP from version 7 onwards is a nasty beast.

This article is mostly scare tactics, as ever since the beginning of time there's been a file named CDPLAYER.INI in the windows folder that stores CDDB info. A local cache should actually enhance your privacy as it will reduce calls to central servers when you play your CDs or whatever.

WMP 7+ however doesn't use this file. If you look in your Windows folder again, you'll notice a couple of files named WMSysPrx.prx and another one named similarly that actually stores the song database. That's how the 'media library' feature works, it's all stored in there -- you would expect a program that catalogues songs to store a list of media played somewhere, wouldn't you?

It's true WMP does track how many times you play a song. But discovering the fact isn't aexactly a journalistic coup, it's listed in the program itself. Look in the 'Media Library', this is listed along with all the rest of the ID3 information (at least in WMP 7)... not exactly a huge secret. I have never heard of MS sending this info off to its site before... that sounds a lot like how Real got into trouble a few years back, and also a lot like a very inventive and paranoid reporter. If you're worried, delete those files mentioned above every so often.

The unique ID is more interesting. I really recommend turning this off in your WMP options, as it's only really useful if you're buying proprietry WMA files online... and somehow I don't think many slashdotters will be doing that ;).

The worst part is that it opens up the recently discovered SuperCookie exploit in which websites can embed a player in a page and get it's ID number. Since it's globablly unique and installed on most computers, it's a great way of tracking users who are savvy enough to turn off cookies.

So nuke the ID feature quickly from your player options... even if you use *AMP to play your sounds, you could still be vulnerable to this.

Re:I can't even play music on my computer any more

[Chops]

... WinAmp is bloated spyware, RealPlayer is the same ...

... the damn thing crashes!

... My perfectly usable computer has been handicapped by its software.

May I make a few small suggestions?

This microsoft patent...

[nemo]

FACT:
Microsoft has this patent:
System and methods for selecting music on the basis of subjective content.

OPINION:
I bet they'd love to get their hands on these logs/cache/whatever... if what people choose to listen to doesn't count as subjective, I dunno what does!

Draw your own conclusions. I am merely presenting facts and opinions.

And they're using this for...

[bero-rh]

From: Microsoft Legal Department
To: Valued Customer
Subject: Windows Media Player Usage Report

Hello,
we have noticed you have played back pirated episodes
of Star Trek Enterprise downloaded from the net.

This is a violation of federal law.

We charge you $10,000 for this information; if we do not receive this amount of money, your registration information (as well as the information you used to register on any websites, as tracked by Internet Explorer) will be forwarded to the MPAA.

Re:marketing data?

[stinkydog]

What kind of marketing data are they going to get from "user 3453845 watches the hell out of 'tina3.wmv'"?

You laugh now but soon, all your popups will be for Jergens, Vasoline and inflatable girlfriends.

SD

How to defeat it

[sllort]

How to disable this feature:

The file, wmplibrary_v_0_12.db, contains in cleartext the name of every movie you've ever watched with media player. The names are in cleartext but each byte is spaced out with a pad byte, so you can't just grep for the names you're looking for.

If you delete the file, WMP regenerates it on use.

But, if you create the file as a zero-byte file, WMP does not fix it and does not store any information about what WMP is playing, ripping, burning, etc.

Tested Today, 2/21/02, with Windows 2000 and WMP 7.1. Oh, they didn't mention it's not just XP? It's not just XP.

--
You're Reading Managed Agreement

well duh

[twitter]

How else is the Digital Rights Denial OS supposed to work? The terms of thier EULA alow them to scan the contents of your computer. Why bother to send it over the web when you have permision to take it at will? People downplaying this have obviously forgotten all M$ news of the last month. All the pieces fit so well.

Media Player will be used to extort money from users, media companies and advertisers. Microsoft wants to be the asshole in the middle and wants to use that position to make money. They have created their own media formats to break at will, a method to do it, and put it all in their EULA. What more can you ask for? Do you really think that they won't sell your information? Oh, I suppose you forgot how they sold "real estate" on your desktop.

The only way for them to keep themselves in that position is to eliminate every other option. If you continue to use M$, your internet will have three channels and you will never be able to contribute. Your money goes to those who would enslave you.

Let's see, M$ can write files to my computer that I can't delete and can access my computer in ways that I can not. They must be root, and I am not.