iTunes DRM-Free Files Contain Personal Info
r2k writes "Apple's iTunes Plus files are DRM-free, but sharing the files on P2P networks may be an extremely bad idea. A report published by CNet highlights the fact that the account information and email address of the iTunes account holder is hidden inside each and every DRM-free download. I checked, and I found I couldn't access the information using an ID3 tag editor, but using Notepad I found my email address stored inside the audio file itself."
Exactly. My first thought on reading this was "sweet, somebody's finally gone about it the sensible way".
I mean seriously, I've been waiting for somebody to implement this for nearly 10 years now. It's an obvious way to combat piracy since you can identify the source of the leak, and it's a massive benefit that digital distribution offers the record labels. Users get cheaper tracks and can download them instantly from the comfort of their own home. Record labels get to discourage piracy and have an easy way to track down the source when it happens.
Honestly, it's such a simple solution I thought there must have been something I was missing for the record companies to not implement this. It's win-win as far as I can see.
Let me throw you a hypothetical here.
Suppose I hated you. I see you have a link to your homepage-- many users do. That page, being an expression of personal taste, might have information about music you like. Yours does. Now, yours is a "CD collection", but it could just as easily be a list of songs you bought off iTunes (as many other users do, in a list, in their blog, etc). So I pick something from your list, say A Perfect Circle - Emotive (good choice, BTW). Google tells me your real name is Zach Robinson. One of your email addresses is zachd at microsoft dot com (obfuscated for your benefit). So I whip up a batch of itunes encoded A Perfect Circle with your name and mail address in it. I throw them on all the P2P sites I can find, wait a couple weeks, then drop a dime to the RIAA. It's trivial moments of effort for me.
Now you have copyrighted music with a label that says "owned by Zach Robinson" floating around, and a group of lawyers looking to extort a couple grand out of you. Sure you could make up a fake name and a fake email address that you use exclusively for purchasing from iTunes-- but why should the onus of not being sued be on you? Or, why couldn't Apple instead have taken a secret internal customer id number, hashed it using the date/time of purchase as a salt, run it through a secret algorithm, and slapped that into the "owned by" field so that I couldn't reproduce it? (Until their method is cracked and we're back to square one, that is)
Really, it all comes down to normalization. What describes a song? The artist, the album, the year of release, the genre-- all that fun stuff. Does YOUR name and email address describe the song? No. Then it doesn't belong in a song file. It belongs in your iTunes account, along with a list of songs you "own".
So it only serves to harm the innocent, is a poor method of tracking ownership, and introduces unrelated data to a set. There is NO reason for it to be there.
UTF-8: There and Back Again
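The keyed ownership tag proposed in the comment above, as an added example that is not part of the original thread or Apple's code. It substitutes HMAC-SHA256 under a server-side key for the "secret algorithm", and the key, record layout and function names are hypothetical.

```python
import hashlib
import hmac

# Constructed demo key; a real store would keep this server-side only.
SERVER_KEY = b"constructed-demo-key"

def issue_tag(customer_id: int, purchased_at: str, track_id: str,
              key: bytes = SERVER_KEY) -> str:
    """Opaque ownership tag written into the file at purchase time."""
    # customer_id is an integer and purchased_at a fixed-format timestamp,
    # so the "|" separators cannot be shifted by a crafted track_id.
    msg = f"{customer_id}|{purchased_at}|{track_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def attribute(tag: str, track_id: str, purchases, key: bytes = SERVER_KEY):
    """Return the customer_id whose recorded purchase produced tag, else None."""
    for customer_id, purchased_at, tid in purchases:
        if tid != track_id:
            continue
        expected = issue_tag(customer_id, purchased_at, tid, key)
        if hmac.compare_digest(expected.encode(), tag.encode()):
            return customer_id
    return None

# Constructed purchase records: (customer_id, purchase time, track id).
PURCHASES = [
    (1001, "2007-05-30T18:04:11Z", "track-42"),
    (2002, "2007-06-01T09:15:00Z", "track-42"),
]

if __name__ == "__main__":
    genuine = issue_tag(1001, "2007-05-30T18:04:11Z", "track-42")
    print(attribute(genuine, "track-42", PURCHASES))
    # Without the key, a tag built from a guessed id and time does not verify.
    forged = issue_tag(1001, "2007-05-30T18:04:11Z", "track-42", key=b"guess")
    print(attribute(forged, "track-42", PURCHASES))
```

A tag that does not verify attributes the file to nobody, and the tag itself exposes no name or address to whoever holds the file.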
I've mentioned it elsewhere but songs are also encoded with the purchase timestamp. So if you've no access to someone's files then you've essentially zero chance of getting the purchase timestamp right, even if you get the songs they own right.
Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
"The owners are allowed to make copies only for private usage, with collective and lucrative uses not allowed."
It would be more correct to say that collective use is technically illegal, because it's most definitely allowed. A Spanish legal precedent was established for this at the end of 1996 by a judgement that exonerated an accused Internet file sharer on the grounds that non-commercial copying not only isn't a crime, but that it's a common social practice that should not therefore be criminalised. This stance on the part of the Spanish legal authorities was underlined at the end of 1997 when what amounts to their chief copyright cop said that not everything which is technically illegal is a crime, including non-commercial copying via the Internet or any other means, so they have no intention of pursuing anyone who isn't involved in commercial piracy.
The effect of the above has been to leave civil litigation as the only route open to representative bodies of copyright owners, but their efforts are severely hampered by the fact that ISPs refuse to disclose the identities of the people behind specific IP addresses on the grounds that Spanish law (which is based on EU data protection directives) only requires them to do so as part of a criminal investigation or where matters of public safety or national security are concerned. This eventually ended up at the European Court Of Justice subsequent to a request for a definitive ruling from the Spanish courts, and the ECJ found in favour of the ISP (Telefonica), thereby effectively making civil litigation against Internet file sharers almost impossible.
I'm not going to change your sheets again, Mr. Hastings.
If it were in AAC Lossless...then it would be easy I guess to convert it to FLAC with no degradation of signal...and in doing so, delete the identifying information?
Darn...if they'd just sell me CD or better quality, non-DRM music, I'd be in line with the rest of them to buy online.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
iTunes doesn't sell MP3s, though. They sell lossy AAC files in an MP4 container. So it's unlikely that they'd have ID3 frames in the first place.
I haven't purchased any DRM-free songs from iTunes, but I'd suspect that the information is stored as standard MP4 atoms, and that the iTunes editing interface just doesn't give you the ability to modify them. In which case you could presumably use a standard MP4 tool to remove the information, if you were so inclined.
That's just a guess, of course. It's obviously not clear from TFA.
Sean Daugherty "I have walked in Eternity -- and Eternity weeps."
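A privacy audit for the guess in the comment above, as an added example that is not part of the original thread: it walks the MP4 atom tree and reports which atom holds an e-mail address. The sample file is constructed, `xxID` is a hypothetical atom name, and `meta` is assumed to carry the 4-byte version/flags field used in ISO MP4 files.

```python
import re
import struct

CONTAINERS = {b"moov", b"udta", b"meta", b"ilst"}
EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def walk(buf, start=0, end=None, path=""):
    """Yield (path, payload) per leaf atom; stop quietly on a malformed size."""
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack(">I4s", buf[pos:pos + 8])
        header = 8
        if size == 1:                       # 64-bit size follows the type
            if pos + 16 > end:
                return
            size, header = struct.unpack(">Q", buf[pos + 8:pos + 16])[0], 16
        elif size == 0:                     # atom runs to the end of its parent
            size = end - pos
        if size < header or pos + size > end:
            return
        name = path + "/" + kind.decode("latin-1")
        body = pos + header
        if kind in CONTAINERS:
            if kind == b"meta":
                body += 4                   # skip version/flags
            yield from walk(buf, body, pos + size, name)
        else:
            # Items under ilst are reported whole, nested data atom included.
            yield name, buf[body:pos + size]
        pos += size

def find_emails(buf):
    """Return [(atom path, address)] for every address found in a leaf atom."""
    return [(p, m.decode()) for p, data in walk(buf) for m in EMAIL.findall(data)]

def atom(kind, payload):
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

# Constructed sample file; xxID is a hypothetical item name.
ITEMS = (atom(b"\xa9nam", atom(b"data", b"\0\0\0\x01\0\0\0\0Song")) +
         atom(b"xxID", atom(b"data", b"\0\0\0\x01\0\0\0\0buyer@example.com")))
SAMPLE = (atom(b"ftyp", b"M4A \0\0\0\0") +
          atom(b"moov", atom(b"udta", atom(b"meta", b"\0\0\0\0" + atom(b"ilst", ITEMS)))) +
          atom(b"mdat", b"\0" * 16))

if __name__ == "__main__":
    print(find_emails(SAMPLE))
```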
No, he (she) isn't. The first thing I did after reading the summary was to pick up my Mac Powerbook, cd into my Music/Itunes directory, find a couple of .m4p files, and run the strings command on them. Adding a few greps to filter out the printable binary junk, I quickly found my name and email address.
As for someone writing a tool to replace them, I found that I already had one. Years ago, I wrote a little command-line app that just does a simple string substitution and writes the result to stdout. It's quite handy, and I use it all the time. I told it to copy one of the .m4p files, with my email address replaced by a fake email address of the same length. I then told iTunes to load that file - and it played fine.
Then, of course, I did the same trick, replacing my name with a different name of the same length. As I expected, iTunes popped up a little window saying that it needed to check the tune's registration, showing me the name, and asking for a password. Presumably when DRM goes away, that little window will also go away, and I'll bet that the tunes will play.
I don't think I'll bother posting the program. Any semi-competent beginning C programmer should be able to type it in under a minute. Probably most perl and python programmers can do the same, a bit faster, as could any moderately experienced emacs user. 25 years ago, when I first picked up the C bible, I wouldn't have found it a challenge after my second day with the language.
Just make sure the replacement strings have the same byte count as the old name.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.