RealNetworks to Create Patch to Block Personal Data
Quite a number of people have sent us word that RealNetworks has apologized for not being clear about what data RealJukeBox was collecting and has updated their privacy statement. Additionally, they are making available a patch for RealJukeBox that will disable the data collection.
What part of the term "informed consent" is unclear?
Who is doing the informing? I'm not going to blindly trust any piece of software I download, given the track record of many software companies.
By your 'reasoning', if you pick up a word processing program and it secretly sends everything you type to the FBI, you have no complaint coming -- you had a choice not to install a word processor.
Or you could install a word processor you compiled yourself from open source code, and not worry about the FBI reading your key strokes. This is taking responsibility for protecting yourself. Since there is a consistent pattern of software misrepresenting itself, then yes, it is your own fault if you decide to blindly trust a product that screws you, even a word processor.
Again, this is why fraud and misrepresentation are illegal in civilized countries.
Who cares about legality? I'm talking about taking responsibility for protecting yourself from both legal and illegal attempts to take advantage of you. Perhaps if people took more responsibility and did not blindly trust any random piece of software that claims to respect your privacy, fraud would be a lot less rampant.
I always use bgates@microsoft.com (and please sign me up for all of your updates and mailing lists).
Yah right.
"Oh, I'm sorry I made copies of everything in your wallet, credit reports, and medical records. Here's a fix so it doesn't happen again." Somehow I don't feel any safer. But the $64,000 question is:
WHAT WILL REAL DO WITH THE DATA THAT WAS ALREADY COLLECTED WHILE REAL WAS SELF-ADMITTEDLY "NOT BEING CLEAR ABOUT WHAT DATA REALJUKEBOX WAS COLLECTING".
This is the real test of Real's sincerity on the issue. Deleting the data is the only right answer.
Wouldn't destroying that data be the Right Thing to do since they admitted to collecting it surreptitiously and without the user's knowledge? Admitting mistakes is easy when the net abruptly brings your actions under world scrutiny. Righting them will demonstrate good character and takes a lot more guts.
(I don't want to encourage anyone to try a denial-of-service attack here, just asking)
If you wanted to stop this kind of thing, is there software you can install on NT or Linux that would require operator intervention (click OK) before connecting? Something like this might also be useful in the other direction for Netbus or BO, although presumably all Slashdot readers check their registries every day if they are unlucky enough to have to run Windoze.
The damage is done. I will never use another Real product. I don't care how malign the data is, they do it without asking and that's just rude.
Does anyone have any evidence that the "monitoring" going on here is anything more than the jukebox performing CDDB-style lookups?
Seems to me cddb.org has the ability to do the same kind of data collecting that everyone is screaming about with real networks... yet nobody's particularly worried about them.
seriously, how did you THINK the artist and title information showed up? Of course it has to send information about what you're doing to Real. And thus Real knows what files you've ripped, what music you play and how often, what your preferred genre is, etc.
I really don't think this is as evil as it sounds.
Let's hope that other manufacturers follow suit...
Ok, so now they've submitted a patch that will fix things - that's nice. All it does is close (we hope) the hole we know about.
With a closed source package like this, which is not subjected to peer review, we have no way of knowing what else is in there and what kind of data it is sending. All sorts of other interesting things could be hidden in there.
This is not to say that each customer is going to take the time to audit the code of every package they use and make sure that it doesn't infringe their privacy. But I for one feel a lot more comfortable knowing the code for software I am using is available and can be looked at.
Perhaps places like EPIC could start auditing open source packages and endorsing them as meeting certain privacy standards.
-Al
I know it's off-topic, and I know it's just your signature, but...
Windows NT was built from the ground-up 100% 32-bit code. I think what you were referring to would be Windows 95. And even then, I don't see where MS-DOS stole any code from (except CP/M).
Why are people so concerned that someone will find out what kind of music they like? I dunno. It just doesn't strike me as a very serious breach of privacy.
Umm.. I'd say if you steal their software and use a pirated code to register it, you have no room to bitch that their 'patch' disables it.
:P
Legally, if you steal something and by your own stupidity report your stolen product to the company that makes it, they should be able to have you arrested/fined for doing it..
Copy protection is one thing (not saying they would have the right to collect data in the name of copy protection.. simply disabling software, or logging your IP to report to the authorities, is well within what they should be allowed to do.)
Stealing their software and getting caught isn't the point here.
It does not surprise me that Real Networks did this.
Just look how deceitful they are when you try to download the program-- I cannot tell you how many times I have clicked on the Real Player G2 Plus and cursed the screen.
At least they issued a fix.
Trust me, had they not noticed their shares dropping and deduced what the cause of that was, they would not have done anything. Anyhow, I made a decision not to use Real Networks products. Not now, not ever.
:)
Even if it's not a big deal, it is up to me what kind of information I want or do not want to give to anyone. And I don't trust Trustee. Empty words are cheap, always.
This post is a proof of that
root@localhost kicks ass everywhere!
How many people complaining about Real's 'backdoor' have a listed telephone number?
Er, is it National Non Sequitur Day in your country?
It is completely hypocritical to complain about this one lapse of security when you let a much bigger and more dangerous one slide by.
Never mind; the answer to my question is clearly "Yes"....
You have a choice whether or not to list your number, and you have a choice whether or not to use this product.
Choice requires informed consent. Fraudulent misrepresentation of a product (e.g. wilful installation of hidden snoopware features) negates informed consent. That's why fraud is illegal in civilized countries.
bkennedy99@Home.com
You were saying something about being "completely hypocritical"...?
===
Clearly you have missed my point entirely. Anyone who installed the Real Jukebox had a choice not to. It is *your* responsibility to deal with the consequences. This is why I have little to no sympathy for people who infect themselves with Back Orifice. This is why I keep sensitive data somewhere that is not accessible to any idiot that figures out how to hack on to my box and away from other surreptitious attempts to read it (PGP encrypted drive). Is there any reason to trust Real Jukebox more than any cracked game file you download off the internet? Absolutely not. I think people are just angry because they feel like suckers... and they are. This is not the first time companies have tried something like this, and yet people continue to be outraged when it happens. I'm not trying to blame the victim here, but I am saying that if you act with a degree of apprehension and caution, you will not get suckered so easily.
This being said, there are elements of your privacy you have no control over. Some are public record, but some aspects (credit reports, social security number, etc) can be obtained by anyone from several large database companies. If you have a listed telephone number, nearly anyone can find out anything about you. For example, check out this sample search page from CDB-Infotek, one such company:
http://www.cdb.com/public/products/dpsample.htm
And why do these companies never make the front page of every online news site? Because they *don't* make you feel like a sucker when they obtain data about you, mainly because you never find out about it and because it gets 0 press. Many of these databases contain driving records, police records, places of residence since birth, etc on a vast majority of people in the US. It is only because people have an unwitting hand in supplying Real Networks with their music preferences that they are so outraged, when more egregious offenses occur every day over everybody in the country.
To conclude, people are more concerned with the fact that their computers have been violated than with privacy itself. If people were actually concerned about privacy, they would be more upset about the above CDB sample with their own name filled in than the fact that Real Networks knows they listen to the Wu Tang Clan.
-ben kennedy (bkennedy99@home.com)
And yes, I have no qualms about distributing my email address. spam is not the end of the world
You obviously work for RealNetworks or otherwise benefit from their largess, so why don't you stop polluting this thread with your corporate PR - /. is a forum for people, not corporations.
BTW - there is no interpretation here: the reports specifically state that the program reported what music is on your drive and what format it is in.
>>A different solution... (Score:2) by WNight (wnight@rocketmail.com) on Tuesday November 02, @09:53AM EST (#10)
>>They were collecting the data for financial reasons. Perhaps not ones that could be used now, but they saw a market and tried to enter it. That market still exists. Companies *do* want to know what music you listen to, and how often. They should have 1) offered a complete opt-out (like the patch) and 2) offered to pay those who opted in. That would be the best of both worlds. Opt-out for the paranoid, or just plain annoyed, and opt-in for the greedy.
Sorry, man, but opt-out is another word for cave-in. Opt-in is the ideal solution in every case, though I sometimes fear us antispammers and privacy advocates are fighting a losing battle. The solution to the problem? Don't patronize companies that use opt-out. Don't buy anything from them, and badmouth them to all your friends. My 0.02....
Uh... do you even know what Windows NT is?
So lemme get this straight -- you steal software and are upset when it doesn't work correctly? Hahahahaha.....
How many people complaining about Real's 'backdoor' have a listed telephone number? It is completely hypocritical to complain about this one lapse of security when you let a much bigger and more dangerous one slide by. You have a choice whether or not to list your number, and you have a choice whether or not to use this product. Privacy is the responsibility of the individual, not the company. People need to stop being naive and not be so shocked and angered when something like this happens.
This being said, there *are* companies out there who will sell your social security number to any 2-bit organization that claims to have a legitimate purpose. You can get bankruptcies, police records, credit reports, etc etc. For example, see: http://www.cdb.com/public/
Real audio is trying to collect statistical data to try to make their already free product even more appealing. They probably want to advertise things tailored to your music prefs, which is fine. Meanwhile, this is deflecting attention from the CDB Infoteks, Lexis-Nexis, and government sources that offer much more damaging and exposing information about individuals, and it's been going on for years. Furthermore, you are listed in these directories whether you like it or not. If you think your privacy is being violated by Real, well at least they apologized. But I think people should take a second and think about who the real enemies to your privacy are.
--ben kennedy (bkennedy99@Home.com)
Privacy is a myth.
And yes, I submitted the story to /., but it got dropped.
Let's see: If I ever distribute a program that monitors media access and sends that information back to me without user knowledge and consent, would it be in violation of the Computer Fraud and Abuse Act? I think it would. I think RN deserves some additional heat from law enforcement agencies.
Now for the $62,305.32 question: how can we be sure that the patch that RealNetworks has provided will actually prevent this scan? There's got to be a lot more done before I'll trust RealNetworks again!
John Gardner
Anger is often an expensive luxury. -- Italian proverb
I hope someone cracks RealAudio/Video/WhatEO so we can have an open player. Their player sucks anyway; too many weird controls and none of the options you want.
Watch your firewall. You have one, don't you?
RealNetworks is a known bad net.citizen: they've been unrepentantly spamming for a while now. As a result much of their IP space was in the RBL as of two months ago. RN's PR toadies tried shining on spamfighters with promises of better behaviour, but darned if that spam server out there didn't crank up the very next day! Don't take my word for it, hit dejanews and look up RealNetworks in news.admin.net-abuse.email. Bring lunch. I'm not surprised to see RN stoop to stealing information from people's computers; their next move was just a matter of how much further they could go beyond spamming.
I think we should get lawsuit-happy here -- if only because it's our only recourse. That is, everyone in Europe or Oregon who had this happen to them, who reads /., should see about suing Real.
Bah.
--Matthew
Note that space between "A" and "nonymous" -- s/he's not a real AC. Here's his/her user info.
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
It's why I don't shop at Amazon anymore.
IMO, the right to privacy includes the right to privacy in aggregate. In other words, since I personally have an expectation of privacy. I don't see that I give up that right by being a member of a group.
Consider the smallest possible group, 2 people. Should I be able to track all the purchases a group of two people makes? What is the fundamental difference between tracking a group of 2 people and of 20? Where is the line where it becomes okay to publish purchasing records? 200? 2 million? I don't think that line exists.
We have the right to privacy in aggregate. We should be insistent on it. Programs like Purchase Circles at Amazon should absolutely be opt-in, not opt-out.
It's nasty of Real to be collecting this data without prior permission. Claiming that it is somehow okay because the data was 'in aggregate' is specious and false.
I'll never use their software again, personally. Even Microsoft has more respect for privacy than that.
And I don't see any privacy policy. How do you know they're not tracking the IP addresses of every query, building up a tasty wee database of their own?
Real's mistake was to include the GUID with every CD request. And the patch removes this. But their main task of building up a database of who's listening to what can carry on unabated.
rOD.
--
Rod Begbie done this, and he's not
Besides that, with the advent of the new moderating system, that's not one of the rules, since almost everyone can at some point in time be a moderator.
Yes, it's nice that RealNetworks apologized, but they shouldn't have been collecting that kind of data to begin with. Of course you have to give them kudos for making the patch; kinda makes you wonder if they hadn't already had it developed? Like maybe they knew they were going to get caught sooner or later, so they had a solution already made, ready to get it out, something of a PR move perhaps? Ah well, the fact remains they could have said, screw you, we're going to collect the data if we want to, pppttthhh, but they didn't. Any company that can admit they were wrong deserves a little respect.
Why not just use streaming mp3, ala Icecast? It does have patent problems, but at least there are open source players/encoders available. Besides, mp3 quality is generally better than Real anyway.
Personally, I prefer sales@real.com or support@real.com
For instance, I have no idea what information is being exchanged between my Windows PC and the server when I use Symantec's or Netscape's Smart Update features. Shouldn't I be concerned about this as well?
The difficulty I see in creating legislation about this sort of thing would be in differentiating between session tracking devices (like cookies) which often do not compromise user privacy, and more invasive data capture techniques like the one documented in the RealJukebox situation. We can also be sure that any bill would be loaded with all sorts of amendments which would attempt to cater to cyber-Luddites and busybodies who want to control what other people see and do with their computers.
For the record, I am the president of a small Web integration firm. There is no doubt in my mind that calling for legislation of the kind I am suggesting puts us at the top of a slippery slope. But, I believe that this example is only the beginning of a long line of surreptitious personal data grabs.
-- Dave Aiello
This is not anything terribly new--RealNetworks has been hyper about gathering user info for a looooong time--back to RPlayer 2 at least. Not, admittedly, at this level, and it's been opt-out-able previously (I never downloaded Jukebox, so I don't know if there's an opt-out feature as usual).
This is apparently a bit slimier than previous attempts, but hardly a change in fundamental tactics.
I'd like to see a class-action lawsuit using the new marketing techniques (pay to surf style, etc) as a basis to force RN to pay its customers for the information they were forced to provide.
Returned Peace Corps IT Volunteer
According to someone I know that works at Real, there were already murmurings last week of the impending PR disaster. I'm guessing they already had the patch ready.
Think about that for a moment. There are only two vendors who are really competing in this marketplace and they have incompatible products. So, if they decide to do something that is bad for people on the Internet there isn't a whole lot that can be done about it.
This is why open standards are good (what can I say, I love preaching to the choir).
So, any volunteers to make a streaming media distribution protocol standard???
---
This sig has been temporarily disconnected or is no longer in service
Seems to me that this is a criminal activity vis a vis unauthorized use of a private computer system. Hypothetically speaking, of course, if someone visited my website (if I had one :), downloaded a program, ran it, and the program sent data back to my site, what then? I think it would at least earn me a visit from the FBI. I hope the DOJ is paying attention.
How about theft of bandwidth? I don't recall them asking me if they could borrow a cup 'o bits.
Anyone with some background in law care to shed some light?
This means nothing. They know damn well that 98% of their users will remain completely unaware of the whole issue, and of those who find out about it, few will bother to download and install a patch.
This kind of thing has become Standard Operating Procedure for companies these days: worry about privacy only if you get caught, then throw a bone to all the "privacy freaks".
There's tons of financial incentive to spy on users and have crappy privacy policies. There's pretty much zero incentive to worry about it. Their attitude is "just throw it in there, probably no one will ever find out about it, and if they do, we throw a patch to the weirdos and continue gathering our information from the vast majority of people who will never even be aware of the issue."
Companies are never punished at all for privacy invasions, so why should they really care?
Sorry if this feels a little curt - I'd got a lovely reply written when I stopped concentrating for a moment and closed that window instead on another...
:) in that you can't collect personal data in the EU and then export it to a less severe jurisdiction to try and bypass data protection legislation.
:)
This sounds suspiciously similar to the Cookie Problem and so suffers from the same potential problem* as that for us lucky Europeans
If this is the case, which ZDNet UK News think it is - I promise I first hit reply to this article without having read their take on it, honest! - then this could get quite interesting. If the EU take this one to trial we could end up with this sort of practice made impractical for the whole net, as it couldn't be legally used on a pretty large chunk of the users - I'm told we're currently predicted to be bigger than the USA on the net within 5 years, or something like that anyway. I haven't got the figures to hand, but that was the gist of it, OK?
And yes, I know that this article's talking about them releasing the patch and upgrading the privacy statement - but if the software isn't legal without the patch then it gets even nicer as they have to make that the default!
For those who are interested in the details, the UK law is here - as I understand it, other EU countries have roughly the same rules by agreement.
Greg
* Sorry to quote myself. It's just that I know I explained it and I can remember that quicker than I can find if anyone else gave a better explanation...
Greg
(Inside a nuclear plant)
Aaaarrrggh! Run! The canary has mutated!
Last time I looked, CDDB doesn't require an email address or your name for lookups. It has even fewer privacy issues than a web server without cookies or javascript.
BTW, you give an awful lot of credit to a company that went to great lengths to hide the information being sent, and whose first reaction to the Smith article was a lie ("it's all CDDB's fault: they want an email address.")
There was no mention of this tracking in their privacy statement. Guess what? Their privacy statement was wrong. So now they say that they don't store the info and they expect everyone to believe them?
Just remember, if there's a pile of Horse Shit there must be a (trojan) horse around somewhere
Tag, you're it
Charlie
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
I'd be a lot happier if they didn't have this crap in their software to begin with.
It seems that a lot of people are kind of missing the technical point about what nefarious things Real Jukebox was really doing. When one understands the issues, the only thing that Real can be blamed for is bad marketing and documentation, not evil technology.
The issue people are up in arms about is that every time a CD was introduced into the CDROM of a PC, Real Jukebox sends this information back to Real. That in and of itself seems quite a strong violation of one's privacy on the face of it, no? When left just at that, I too would agree that I wouldn't want Real to know what CDs I'm playing. But I think focusing on this without any further context is missing the point. And for some reason, this is the point that Real doesn't seem to be making for themselves.
In fact, I would argue that one of the best (value judgement) features of Real Jukebox is that when a new CD is introduced to a PC it "figures" out the artist and song titles. To me, this is a *good thing*. This has value. This means I can be lazy. I'd much rather not have to enter all this information by hand. Frankly, I'm quite content to give up a bit (*small*, *tiny*) of privacy to have all the CDs in my collection show up with full catalog information entered without any effort on my part.
I can appreciate that at some point, I have to "pay" for this useful feature. When choosing CD apps for my PC, this is a *required* feature for me. I will not use a CD player app that doesn't support CDDB. It's just too annoying to not have the artist and song title of what is playing immediately available.
But I also understand that some information about *MY* CD collection necessarily needs to be sent across the wire for this feature to work. Did the people who were using Real Jukebox, DiscPlay, xmcd, whatever think that these programs were somehow magically capable of intuiting artist and song information? This seems obvious but seems to have been lost in the discussion. If you want the artist name and song titles of a new CD you have to be able to look it up in a database. And this means that at some point, you're at a minimum telling someone your IP address (NAT and other proxies notwithstanding) and the CD you're looking for. Of course, the CDDB database also wants "an email address", which is what is making things so tense this week.
What is quite striking about the current press and open source frenzy regarding this issue is how Real is getting lambasted for this feature. Why are they so special as to receive all this free publicity? What about all the others who were doing this long before Real?
In fact, this is not a novel Jukebox feature at all; the CDDB format has been around the 'net a long, long time. Why hadn't the privacy advocates been blasting those other programs? Was it because for the most part, CDDB has been implemented by open-source programs and that open-source programs were somehow above that level of scrutiny? No, I don't think so. The problem is that Real didn't educate people well enough about their program and its features. The types of people who were using an open-source CD player tend to also be the kinds of people who will automatically "get it" that for the player to know the song titles of their CDs they're going to have to give up some privacy to do the CDDB lookup. The average person using Real Jukebox, on the other hand, might not appreciate this technical point. In fact, they're probably more likely to think that Real Jukebox has an on-disk database of all the CDs ever issued. Okay, they also prolly didn't think too hard about the new CDs they're buying either.
Real can be dinged for bad documentation for not making this point better, but I do not think that Real set out to invade people's privacy. They've been on record about not storing information anywhere and there is no reason to doubt the veracity of their statement. And for those who are offended by this, I recommend that they stop using Real Jukebox or DiscPlay and go back to using the CD player app that ships with Windows, the one where you have to enter all the artist/title information by hand. I'll assume that the Unix people understood the privacy trade-off before this was a "NY Times"-worthy issue.
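To make concrete what the post above says a CDDB lookup puts on the wire (the CD you are looking for, plus the user/host "hello" the protocol treats as an email address), here is an added Python example that is not code from the thread or from any CDDB client: it computes the classic CDDB disc ID from a constructed table of contents, builds the query and the HTTP request line of the protocol, and splits the result back into the fields that identify the disc and the fields that identify the user. The user, host and client names are placeholders.

```python
# Added example, not code from the thread or from xmcd/CDDB itself.
# It shows what a CDDB lookup sends: the disc ID and track layout (which
# identify the CD) and the "hello" fields (which identify the user; the
# protocol's user+host pair is what amounts to an email address).
# The table of contents at the bottom is constructed, not a real disc.

FRAMES_PER_SECOND = 75  # CD audio frames per second


def cddb_sum(n: int) -> int:
    """Sum of the decimal digits of n, the checksum helper of the classic CDDB disc ID."""
    total = 0
    while n > 0:
        total += n % 10
        n //= 10
    return total


def cddb_discid(track_offsets: list, leadout_offset: int) -> int:
    """Classic 32-bit CDDB disc ID.

    track_offsets: start of each track in frames as the TOC reports it,
    i.e. already including the 150-frame (2 second) lead-in.
    leadout_offset: start of the lead-out, same units.
    """
    n = sum(cddb_sum(off // FRAMES_PER_SECOND) for off in track_offsets)
    # playing time in seconds from the first track to the lead-out
    t = leadout_offset // FRAMES_PER_SECOND - track_offsets[0] // FRAMES_PER_SECOND
    return ((n % 0xFF) << 24) | (t << 8) | len(track_offsets)


def cddb_query_command(track_offsets: list, leadout_offset: int) -> str:
    """The 'cddb query' command a client sends: disc ID, track count, offsets, length."""
    disc_id = cddb_discid(track_offsets, leadout_offset)
    offsets = " ".join(str(off) for off in track_offsets)
    nsecs = leadout_offset // FRAMES_PER_SECOND
    return f"cddb query {disc_id:08x} {len(track_offsets)} {offsets} {nsecs}"


def cddb_http_request(track_offsets: list, leadout_offset: int,
                      user: str, host: str, client: str, version: str) -> str:
    """Request line in the HTTP form of the protocol (cddb.cgi); spaces become '+'.

    The hello parameter carries user, host, client name and client version,
    which is the part of the exchange that identifies the person, not the disc.
    """
    cmd = cddb_query_command(track_offsets, leadout_offset).replace(" ", "+")
    hello = f"{user}+{host}+{client}+{version}"
    return f"GET /~cddb/cddb.cgi?cmd={cmd}&hello={hello}&proto=1 HTTP/1.0"


def disclosed_fields(request_line: str) -> dict:
    """Split a request line back into what identifies the disc and what identifies the user."""
    query = request_line.split("?", 1)[1].split(" ", 1)[0]
    params = dict(part.split("=", 1) for part in query.split("&"))
    return {
        "disc": params["cmd"].split("+")[2:],  # disc id, track count, offsets, length
        "user": params["hello"].split("+"),    # user, host, client, version
    }


# Constructed three-track disc: tracks start at 0:02, 3:20 and 6:40; lead-out at 10:00.
SAMPLE_TOC = [150, 15000, 30000]
SAMPLE_LEADOUT = 45000

if __name__ == "__main__":
    line = cddb_http_request(SAMPLE_TOC, SAMPLE_LEADOUT,
                             "user", "example.invalid", "exampleclient", "1.0")
    print(line)
    for side, fields in disclosed_fields(line).items():
        print(f"{side}: {fields}")
```

The split into disc and user fields is the point for a privacy review: the disc fields are needed for the lookup to work at all, while the hello fields are what a client could leave generic or let the user choose.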
How does that violate the rules? I mean, he's not moderating right now, and hasn't moderated this thread at all, so what's the big deal? I moderate every once in a while; heck, you can easily tell by how high a karma they would have. I know that someone that has a karma of 120 would moderate, but they can still participate in the threads when they are not moderating that story.
I knew many people would misunderstand this post. But if you do actually understand what I'm trying to say, then I COMPLETELY disagree with you. This is not about copy protection, it's about privacy. There's nothing wrong with copy protection. The problem here is that under ANY circumstance, I don't care what the reason is, if you're a rapist or a pirate, no data should EVER leave your machine without your knowledge. Period.
In their case, a much more elegant solution would've been to simply make the online registration mandatory; then when you register, you send the serial number. If it's a serial number on their "black list" then they refuse the registration and log your IP. The way it is now, I believe, is that the software will work with the number (with their knowledge that you're using a stolen number), but at the same time it is sending data to RealNetworks, without your knowledge. This kind of "sneakiness" really freaks me out and it should also scare anyone that has any regard for their privacy.
I personally code for the palm OS, and have a piece of software that requires payment for a registration code. I could've made it such that with every update, I'd secretly embed a database of stolen codes in the app. If your code matches one of them, I could make my program randomly corrupt data. I thought about it for maybe a second...but it struck me as highly unethical, even though the user was using a stolen code to begin with, so I decided against it.
-dr0ne
RealJukebox is only one of the few apps that RealNetworks distributes. What about RealPlayer? Has anyone seen similar activity? Specifically (don't know if this is true or not, I don't use RealPlayer), I've heard that if you try to register RealPlayer with a serial # found on the net, it will work, but every time you run it, an update window will come up asking if you want to download their "latest update". It ends up that this is really a patch to disable the software if you get the "update".
Now even though this is sneaky as hell, I can only wonder what _other_ kind of information gets sent to realnetworks about you, if you try to register with a number snatched off the net....
-dr0ne
That's awesome, dude !
Hates people who have stupid little sigs
If they force you to fill out those forms just give them garbage answers.
I give them none@ofyourdamnbusiness.com as my email address all the time.
Hates people who have stupid little sigs
But the fact remains; they shouldn't have done it in the first place. I hope the response they've received from this has helped them learn, and it doesn't happen again.
Bad things often happen to good people,
It is up to them to see that they remain good.
I only have to be burned once, before I understand that I should not touch a hot flame.
Yes. It's clear Real knew exactly what it was doing, took a calculated risk, had the patch prepared well in advance, and probably considers this episode a successful advance of its "learning ecosystem".
If you've read about Rob Glaser (Real CEO), you've learned he's spawn from the M$ culture, and is eager to reproduce it on his own by a.)gaining ubiquity and b.)leveraging proprietary advantage. He's not to be trusted. But it's hard to trust many shareholder-owned corporate entities these days. And trust is the basis of loyalty, trade, and cooperative advantage.
In the end, (and this may sound a little outrageous), any company that operates on an "us" (owners) vs. "them" (customers) basis, sneaking around, seeing what they can get away with, etc. is doomed. The corporation that can figure out how to include customers in the equity equation will thrive by generating the most trust (trade). (After all, customers provide attention, cash flow, preferences data, etc.) Sound crazy? Well, it's what Dee Hock envisioned for Visa.. He guessed Visa would be 4 times more powerful today if merchants and cardholders shared ownership..
Also.. thank god the w3 is challenging the p3p patent.. the more we individuals can control our "own" privacy, the less we'll be under the thumb of big government and big money, the more accountability will free the flow of our info, and the more trust and trade there'll be online.
This kind of violation will occur over & over (and most people will never know it's happening) until operating systems provide a foolproof filesystem & network "sandbox"/jail where "untrusted" software is executed by default, and any attempts to escape the jail are either intercepted or decoyed.
Then, when you catch a process trying to access something it shouldn't need, you'll at least have a clue as to where to start asking questions, before you let everything leak. This should also handle a lot of common Trojan horses.
W/o such a capability, everybody will pretty much have to rely on the diligence & reports of hackers (used in the context of people who have a great deal of curiosity about their systems) to find out that something is up - and that it's already too late.
Operating systems really need to put any "untrusted" process into a filesystem & network "sandbox"/jail, where any attempt by the process to reach "outside" of its jail has to be certified by the user (or perhaps by a trusted privacy group?).
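A toy version of the jail-policy check this post asks for, added here as an example and not code from the thread: it runs constructed FileMon-style access records for a hypothetical "jukebox.exe" against a small allow-list (its install dir, the music library, the CD drive, one CD-database host), answers out-of-scope reads with a decoy and refuses writes and other connections, so the flagged entries are the "clue as to where to start asking questions". All paths, hosts and the log format are invented for the example.

```python
"""Toy 'sandbox/jail' policy check for an untrusted desktop app (constructed example).

It enforces nothing on a real system; it classifies access records against an
allow-list so that accesses a jukebox should never need stand out in an audit.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str          # process the jail applies to
    read_ok: tuple     # glob patterns the app may read
    write_ok: tuple    # glob patterns the app may write
    net_ok: frozenset  # (host, port) pairs it may connect to


# Hypothetical policy: install dir, the user's music folder, the CD drive,
# and the one host it legitimately needs for track titles. Everything else
# is outside the jail. Names and hosts are invented.
JUKEBOX = Policy(
    name="jukebox.exe",
    read_ok=(r"C:\Program Files\Jukebox\*", r"C:\Music\*", r"D:\*"),
    write_ok=(r"C:\Program Files\Jukebox\*", r"C:\Music\*"),
    net_ok=frozenset({("cddb.example.invalid", 80)}),
)


def decide(policy, op, target):
    """Return 'allow', 'decoy' or 'deny' for one access attempt.

    Reads outside the jail get a decoy (an empty answer) instead of an error,
    so a snooping program learns nothing and cannot tell it was caught;
    writes and unexpected network connections are refused outright.
    """
    if op == "READ":
        return "allow" if any(fnmatch.fnmatch(target, p) for p in policy.read_ok) else "decoy"
    if op == "WRITE":
        return "allow" if any(fnmatch.fnmatch(target, p) for p in policy.write_ok) else "deny"
    if op == "CONNECT":
        host, port = target.rsplit(":", 1)
        return "allow" if (host, int(port)) in policy.net_ok else "deny"
    return "deny"


def audit(policy, log_lines):
    """Run each 'process op target' record through the policy and return the
    (op, target, decision) triples that were not plain allows."""
    flagged = []
    for line in log_lines:
        proc, op, target = line.split(maxsplit=2)
        if proc != policy.name:      # other processes are not in this jail
            continue
        verdict = decide(policy, op, target)
        if verdict != "allow":
            flagged.append((op, target, verdict))
    return flagged


# Constructed trace of what a FileMon-style monitor might show the jailed app doing.
SAMPLE_TRACE = [
    r"jukebox.exe READ C:\Program Files\Jukebox\jukebox.exe",
    r"jukebox.exe READ C:\Music\album\track01.mp3",
    r"jukebox.exe CONNECT cddb.example.invalid:80",
    r"jukebox.exe READ C:\Quicken\data.qdf",            # nothing a jukebox needs
    r"jukebox.exe READ C:\My Documents\letter.doc",
    r"jukebox.exe WRITE C:\Windows\system\snoop.dll",
    r"jukebox.exe CONNECT stats.example.invalid:443",   # undisclosed reporting channel
    r"notepad.exe READ C:\My Documents\letter.doc",     # different process, not jailed
]

if __name__ == "__main__":
    for op, target, verdict in audit(JUKEBOX, SAMPLE_TRACE):
        print(f"{verdict:5}  {op:7} {target}")
```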
So they release software and publish an essentially dishonest privacy statement, collecting data they don't tell you they're collecting. When they get caught, they announce "Oh, okay, we'll stop. Here's a patch." Given that they've already demonstrated a desire and willingness to breach my privacy and lie about it, I see no reason to assume the patch does anything other than disguise the method by which they collect data. It is, after all, closed source.
If memory serves, there was a class action lawsuit a while ago against Prodigy. Prodigy was installing the custom "connect to us" software, similar to the contents of an AOL CD, and included, without mentioning it, a bit of code which scanned your hard drive for financial software such as Quicken, and if it found it, it sent your financial data to Prodigy. Prodigy's users eventually discovered this and sued, winning a token settlement (a few free hours of connect time, I think.) I could be wrong about this - does anybody else remember it? In any event, it seems the same idea as RealJukebox, and the fact that Prodigy didn't get slapped hard enough for it makes me think Real won't either.
That was fast. I was expecting a true PR meltdown of epic proportions.
Uhm, now, should I be relieved that they did this so fast, or should I be disappointed that it happened in the first place?
--
rJames.org - illustration
The thing is, in today's day and age, if you use the internet in any way other than as a passive surfer you and your personal life are out there.
Very few of us have been so careful as to never let a name or tidbit of traceable information slip out. How many of us can actually honestly say that we have NEVER gotten a piece of spam? I don't know about you people, but I have a mailbox at hotmail *just for spam*. I use it whenever anything needs an email address.. and I actually care to receive it. Needless to say, I get about 30-40 spamails a day.
If some company out there wants to know about you, they will find out about you. Where you live, what your phone number is, perhaps gather information about your interests (newsgroups people, newsgroups!). The only way to avoid this is to *not* be on the internet. For the large majority of us, that statement is not only fantasy, but also heresy.
Personally, although I found this alarming, I did not find this particularly surprising. How many other companies out there do you believe are doing the same thing?
--
rJames.org - illustration
I don't know if we should trust a company that has to use the word "real" in all of its product names. Any company that needs that kind of self-vindication at every turn has some serious image problems, and we can only assume that the image problems are caused by an inferior product and they are over-compensating. "C'mon guys, this patch is really real. It's for a real program. Really!"
One must wonder if the "patch" was created in the last twenty-four hours, or if they already had the "patch" ... just in case they got caught.
It's best to remember that Rob Glaser (CEO, RealNetworks) is an ex-Microsoft man. However much he whines about how they mistreat him now, he plays the game the same way they do, and is fundamentally no different from them.
_____________
They've explained that they needed to know what CD you were playing in order to get playlist data from a third-party database. I don't seem to see any explanation of why the program scanned your hard drive for personal information, and the number and names of any MP3s you had.
And consider how many users of RealJukebox don't read SlashDot (or don't read, period). How many people will install the patch? How many people will read the new privacy statement?
RealNetworks did not say, "oops. We'll stop doing that, and we'll never do it again." What they said, instead, was:
Which is manifestly not the same thing.
What they should do is build new server components that are not compatible with existing installs in the field. Serve a page indicating that "to download a version of RealJukebox that doesn't invade your privacy, click here", and ship a version that specifically warns the user of the privacy risks and requires the user to specifically opt IN--not out--in order to use the Trojan Horse features.
Till then, this is still a Trojan Horse.
This patch would have the nice added feature of confusing the pricks at CDDB too, who've stamped a copyright on what once was shared, mutually created data.
Would this policy annoy Real? I don't think so, it meets their own criteria. First, I would not be accumulating the data, I would submit it and forget it. Second, I would only release or sell aggregate statistics, stuff like "65536 records submitted to two music related websites". And, third, I can go them one better and apologize in advance: Sorry, Real, truly sorry... but, as you know, I was never on the board of the EFF, nor have I received a TRUSTe seal of approval so I can't be expected to be cognizant of on-line privacy issues. And you see, since they never published what the API they were running on my machine was for, who is to say it's not for sending random data to?
So, is this deciphered data format published someplace?
As this is happening again and again I am wondering how users' privacy can be protected.
:)
First I wonder if there is any legal way to respond to this kind of intrusion.
There are very clear laws about a hacker breaking in to Real Networks computers and stealing data. What is the difference to them stealing data from my and thousands of other computers?
What do you think is going to happen to the illegally acquired data? Are they going to delete the whole database?
Even if they were legally required to delete all the data, is there anybody out there who is willing and able to force them to comply with the laws?
Thanks for your comments
Uli Luckas
So, yes, I accept your heartfelt and sincere apology, and wish you to know that I will see to it that it never happens again... by refusing to do any business with you. Maybe those who buy your assets after you go into receivership will learn a lesson from this.
Strike while the irony is hot! -- The Freethinker
Why is it that all of the companies that get caught integrating this type of capability always come up with the same line when they're caught?
"We're sorry we weren't clear. We'll release a patch to disable it for those who wish their privacy respected"
This has happened to SEVERAL companies in the last few years. Microsoft, Blizzard, Real Networks, and others. When are they going to understand that you CAN'T just start grepping through people's personal data without making it clear in the first place.
If anyone reading is developing a product that may even provide the SLIGHTEST amount of feedback to an entity, do yourselves a favor. MAKE it VERY clear what is going on, or risk taking the wrath of your customers when they realize that their privacy has been compromised, and you know all about 'Customer Joe's' dirty web site habits.
-- I'm the root of all that's evil, but you can call me cookie..
Now, I'm =not= saying people should get lawsuit happy, here. What I =am= saying is that computer companies seem to be bowing to the forces of marketroids, putting profit above the law.
Whether you believe in Government Intervention, the US legal system, or Santa Claus is irrelevant. Clearly, when you get into Might Makes Right, something is seriously wrong. That is NOT a healthy place to be.
Look beyond this one issue, and see the bigger picture, where profit is all and the only god known is green.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I have only one question here: Did the company listen to the outrage of thousands of customers over the privacy violation or the 1-7/8 drop in their stock?
And me without my moderator points. Ah well, such is the pain for posting in this discussion.
Excellent observation.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
You obviously work for RealNetworks or otherwise benefit from their largess, so why don't you stop polluting this thread with your corporate PR - /. is a forum for people, not corporations.
Unfair. Corporations have every right to defend themselves, and there's no reason to believe that A Nonymous Coward is really a RealNetworks employee. (Yes, people can doubt me without having an ulterior motive.)
His point is rational--the claim could be taken to mean that RealNetworks reports all MP3s encoded by them and nothing else. It's plausible, but I'd be quite pissed at the Times--Number of MP3s Encoded != Number of MP3s on the Hard Drive. (Still, there's a pretty reasonable amount of privacy violation even without the extra-software spying.)
The only way to check is to rip out a copy of FileMon and see what RealNetworks is really up to. If I get some free time, I'll do this myself.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
AC--
(BTW: No reason to be anonymous. I prefer to respond to people, not "entities"--You Are Your Words. Own them.)
Richard Smith, a Brookline, Massachusetts-based independent security consultant, said the numbers of songs stored on a user's hard drive, the kind of file formats in which the songs are stored, the user's preferred genre of music, and the type of portable music player, if any, the user has connected to the computer are sent to the company, the Times said.
This is my evidence(and my first paragraph from the post you responded to). If it's wrong, I self-flagellate myself upon the battered journalistic integrity of the above. RealNetworks didn't particularly refute any of this, and I'm sure they'd be screaming bloody f*cking murder if they were accused of taking one iota of extra data.
AC, I would be laughing myself to tears if this was all about mere listening patterns. That's NOT what the evidence suggests.
Do you have any evidence we don't know about?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Yes I am not anonymous.
I believe you are reading what you want into Richard Smith's quote, rather than coming to it with an open mind. He does not say it "scans" (your word) for anything. Any ordinary reading of his words discussing what is stored on a drive could just as easily take it as shorthand for the songs that RealJukebox has stored on the drive. In fact, I would bet that most people would take it that way, other than lawyers and wannabe lawyers. Only the paranoid would take it to mean it actually goes looking all over for songs.
--
Infuriate left and right
Go back and peruse the thread. Richard Smith said RealJukebox reports what is stored on the disk; I was responding to a paraphrase of that which claimed it scanned the disk.
That was the interpretation I took exception to.
I wonder what got you so fired up?
--
Infuriate left and right
This is a jukebox -- get it? It plays what you tell it to play. Has it got some way of loading up your MP3 player? Bet so. Therefore it knows what you have. Wakarimasuka? There's no more evidence of it scanning for MP3s or hardware than there is of it scanning for illegal copies of Word or Excel or insider trading or anything else.
That's quite a rant you've got going on no evidence whatsoever.
Don't get me wrong; their sneaky snoopy practice of sending this info off to HQ sets my teeth on edge. But the information itself is exactly what you'd expect a jukebox program to need. No disk snooping involved.
--
Infuriate left and right
I don't care if you know what I'm listening to or ripping. I think you make a good product. Don't let the black helicopter crowd worry you.
"You have no privacy, get over it" -- Scott McNealy
DrLunch.com The site that tells you what's for lunch!
They were collecting the data for financial reasons. Perhaps not ones that could be used now, but they saw a market and tried to enter it. That market still exists. Companies *do* want to know what music you listen to, and how often.
They should have 1) offered a complete opt-out (like the patch) and 2) offered to pay those who opted in.
Most of the people in these threads were upset about the monitoring being secret, not that some company thought the information was worth something.
They should have two levels. 1) opt out 2) opt in anonymously - get some free CDs or coupons 3) opt in completely - get a lot more stuff.
The data is valuable to the music companies two ways. First, just knowing how much various CDs are played is valuable marketing data. Second, knowing WHO plays them, which demographic they're in, what else they bought, etc, is worth a LOT more.
I bet they'd get a lot of kids opting in if at the end of the year they could get $50 worth of CDs or computer games from an online store...
That would be the best of both worlds. Opt-out for the paranoid, or just plain annoyed, and opt-in for the greedy.
But after you install it, it scans to see what other patches you've installed and sends that info out to a patch database which will be used to create, "The best of Patches '99" CD-Rom.
I guess either way it resolves the problem. I hope many other internet enabled software manufacturers are listening too.
NT is based on the premise that anyone who can manipulate a mouse can administer a system. Huh?!?
This is a VERY serious issue. We cannot accept a patch and let this blow over.
This was a trojan horse that performed an unauthorized scan of your HD and sent the data back to Real. Let's turn the tables a moment and suppose that an individual had done this to one of Real's servers? They would be pursuing legal redress (as well they should). To let Real off the hook now that they've issued a patch is to forfeit the battle for privacy.
Real has basically said "we're sorry we got caught". They are not sorry for what they did. If they were, the CEO would resign in disgrace.
Boycott RealNetworks products permanently. If you owned their jukebox, contact a lawyer and file suit against them for "hacking" your system. File a complaint with the FBI.
This is the first instance of this type of behavior of which I am aware, and we all need to make an example of it. Accepting an insincere apology and patch lets them off too easily and will implicitly encourage others to follow suit, since the penalty is something most companies can live with. Unless we cause RealNetworks true pain, then we have just lost a crucial battle.
Knowing eventually they would be caught by someone checking out suspicious data packets sent out by their own machine, Real had only x amount of time before they were caught.
They used this time to gather as much info as they needed to make a sweet music pref database that would have cost x amount to gather through legitimate means.
They weighed 2 conditions: What costs more the PR flack from putting a trojan in our software or paying for a legitimate survey? You can guess which ones they picked.
Now it's all about saving face because they've saved the money.
My doctor calls me, "Oh BTW I wanted to tell you that the medicine I gave you isn't just for syphilis, it's also a microcamera to identify girls you sleep with so we can better sell them the syphilis cure." "Umm, thanks Dr. R. Networks"
Oh, you found out we've been scanning your hard drive and sending data on what music you listen to and what kind of files you have on your system without telling you we would be? Sorry, we'll stop! All better!
Oh, you found out we're using your personal registration information to build mailing lists that we sell to SPAM and junk snail-mail companies without telling you we would be? Sorry, we'll stop! All better!
Oh, you found out we've been embedding serial numbers in every document you create so we can track them as they travel across the computer systems of the world and we never let you know about it? Sorry, we'll stop! All better!
Oh, you found out that we've purposely left back-doors into our security products so that gov't agents can come in and look at what you're doing any time they'd like? Well, we deny it therefore it never happened! All better!
You'd think someone would actually get outraged enough to take some sort of counter-action at all this stupidity. I guess the sheep^H^H^H^H^H citizens of this country are so used to our government doing it that corporations can get away with it with nothing more than an apology and the statement that they'll "stop doing it" which of course, we must all believe is sincere since they were invading our privacy without telling us to begin with.
-=-=-=-=-
My mom's going to kick you in the face!
Richard Smith, a Brookline, Massachusetts-based independent security consultant, said the numbers of songs stored on a user's hard drive, the kind of file formats in which the songs are stored, the user's preferred genre of music, and the type of portable music player, if any, the user has connected to the computer are sent to the company, the Times said.
People, this isn't just RealNetworks incidentally receiving information on what CDs you have by nature of that being the only way to send back the track titles.
RealNetworks invasively scanned millions of Americans' computers for content that had nothing to do with the functioning behavior of RealNetworks software. We're talking about code that looked for MP3s, music applications, hardware interface tools, and who else knows--I wouldn't look for RealNetworks to tell.
Open Source is many things, but I'd seriously rather it not degrade into the only way to trust that code isn't Trojan'd. I expect that kind of paranoia for my cryptology of choice, not to play some Garbage!
This isn't an issue about a few missing lines from a privacy statement. Should RealNetworks be able to upload any interesting file on your hard drive to the corporate servers as long as they mention that "From time to time, RealNetworks may request feedback from your internal storage systems according to specific parameters to be determined according to your usage profile"? Maybe it'd be fine for them to tap into your computer's microphone, as long as they don't neglect to tack on "User agrees to indemnify RealNetworks from any liability in relation to any data flowing through said user's Sound Card"?
This isn't about legality, at least, not yet. It's about trust, and RealNetworks is losing mine fast.
The real question is, whether TrustE will follow.
I'm no history expert, but there's an aspect of TrustE that just smacks of the ill-fated League of Nations from the first part of the century. Namely, the well-intentioned but utterly toothless, powerless, and secretly mocked nature of it. I think TrustE actually has enough Respect Capital(if there is such a thing) with the press to actually do something, this one time...
Or never again, because nobody will listen anymore.
TrustE needs to set up guidelines of what may be buried in the fine print and what needs explicit and large dialogs before the function is completed--yes, this includes specifications like "Default must be no, and the software must still run even if it isn't allowed to insert seven links to the audio playing software like RealPlayer G2 does--we counted." That's clear, from RealNetworks' rather shocking behavior.
The bottom line is TrustE simply needs to file suit for breach of contract and reach a settlement where RealNetworks needs to contact all possible users, mass deploy a tremendous upgrade, and notify victims of the violations in both online and TV/Magazine forums.
That, or some combination with what I'd like to call TrustEeth: Privacy Protected for x Days.
If you think about it, it's really just a much more positive version of "This Site Accident Free for x Days" signs. The system encourages TrustE certification, since the longer one puts it off, the longer it will take to get to privacy levels respected by customers. It will make it progressively more expensive over time for large companies to allow their ego to overpower the rights of their customers--the CEO will be quite peeved at the middle manager who took the nationwide corporation down to one day of privacy protection.
If not a system using literal days, then an accumulation of points, lowered by violations, maintained by fair and quick resolution of privacy concerns, and accelerated by respectful "voluntary" policies could also be functional.
The key is, people need to have a gauge by which they can determine whether or not to trust a site and the code it asks them to download, and managers need to know they could get called on the carpet if they try a stunt like RealNetworks did.
The irony is truly remarkable, if you ask me. The CEO of RealNetworks (then Progressive Networks, if I remember correctly) went and testified in front of The United States House Of Representatives, arguing that everybody's favorite monopolist, Microsoft, was making the playing field unfair.
Meanwhile, here we are in November of 1999, and RealNetworks is repeating the sin that Microsoft did wayyyy back in the day with its overly nosy Registration Wizard that reported if software like Wordperfect was installed. Incidentally, the above dig at RealPlayer G2 for the seven links it litters all over your desktop(collect them all) is even more beautifully ironic considering the now strangely difficult to find position paper regarding asking the user before doing anything of import.
On a plus note, I don't think the US Patent Office had anything to do with this one.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com