Slashdot Mirror

← Back to Stories (view on slashdot.org)

iTunes DRM-Free Files Contain Personal Info

Posted by kdawson on from the musical-steganography dept.

r2k writes "Apple's iTunes Plus files are DRM-free, but sharing the files on P2P networks may be an extremely bad idea. A report published by CNet highlights the fact that the account information and email address of the iTunes account holder is hidden inside each and every DRM-free download. I checked, and I found I couldn't access the information using an ID3 tag editor, but using Notepad I found my email address stored inside the audio file itself."

5 of 693 comments (clear)

  1. Re:Seriously... by myxiplx · · Score: 4, Interesting

    Exactly. My first thought on reading this was "sweet, somebody's finally gone about it the sensible way".

    I mean seriously, I've been waiting for somebody to implement this for nearly 10 years now. It's an obvious way to combat piracy since you can identify the source of the leak, and it's a massive benefit that digital distribution offers the record labels. Users get cheaper tracks and can download them instantly from the comfort of their own home. Record labels get to discourage piracy and have an easy way to track down the source when it happens.

    Honestly, it's such a simple solution I thought there must have been something I was missing for the record companies to not implement this. It's win win as far as I can see.

  2. Re:Seriously... by halcyon1234 · · Score: 5, Interesting

    Let me throw you a hypothetical here.

    Suppose I hated you. I see you have a link to your homepage-- many users do. That page, being an expression of personal taste, might have information about music you like. Yours does. Now, yours is a "CD collection", but it could just as easily be a list of songs you bought of iTunes (as many other users do, in a list, in their blog, etc). So I pick something from your list, say A Perfect Circle - Emotive (good choice, BTW). Google tells me your real name is Zach Robinson. One of your email addresses is zachd at microsoft dot com (obfuscated for your benefit). So I whip up a batch of itunes encoded A Perfect Circle with your name and mail address in it. I throw them on all the P2P sites I can find, wait a couple weeks, then drop a dime to the RIAA. It's trivial moments of effort for me.

    Now you have copyrighted music with a label that says "owned by Zach Robinson" floating around, and a group of lawyers looking to extort a couple grand out of you. Sure you could make up a fake name and a fake email address that you use exclusively for purchasing from iTunes-- but why should the onus of not being sued be on you? Or, why couldn't Apple instead have taken a secret internal customer id number, hashed it using the date/time of purchase as a salt, run it through a secret algorithm, and slapped that into the "owned by" field so that I couldn't reproduce it? (Until their method is cracked and we're back to square one, that is)

    Really, it all comes down to normalization. What describes a song? The artist, the album, the year of release, the genre-- all that fun stuff. Does YOUR name and email address describe the song? No. Then it doesn't belong in a song file. It belongs in your iTunes account, along with a list of songs you "own".

    So it only serves to harm the innocent, is a poor method of tracking ownership, and introduces unrelated data to a set. There is NO reason for it to be there.

    --
    UTF-8: There and Back Again
  3. Re:Seriously... by pdbaby · · Score: 5, Interesting

    I've mentioned it elsewhere but songs are also encoded with the purchase timestamp. So if you've no access to someone's files then you've essentially zero chance of getting the purchase timestamp right, even if you get the songs they own right.

    --
    Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
  4. Re:Reasonable compromise... by cayenne8 · · Score: 4, Interesting
    I'm guessing this is one reason they aren't going to DRM lossless (CD quality at least) versions.

    If it were in AAC Lossless...then it would be easy I guess to convert it to FLAC with no degradation of signal...and in doing so, delete the identifying information?

    Darn...if they'd just sell me CD or better quality, non-DRM music, I'd be in line with the rest of them to buy online.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  5. Re:Reasonable compromise... by Wildfire+Darkstar · · Score: 4, Interesting

    iTunes doesn't sell MP3s, though. They sell lossy AAC files in an MP4 container. So it's unlikely that they'd have ID3 frames in the first place.

    I haven't purchased any DRM-free songs from iTunes, but I'd suspect that the information is stored as standard MP4 atoms, and that the iTunes editing interface just doesn't give you the ability to modify them. In which case you could presumably use a standard MP4 tool to remove the information, if you were so inclined.

    That's just a guess, of course. It's obviously not clear from TFA.

    --
    Sean Daugherty "I have walked in Eternity -- and Eternity weeps."