Slashdot Mirror


RealNetworks to Create Patch to Block Personal Data

Quite a number of people have sent us the word that RealNetworks has apologized for not being clear about what data RealJukeBox was collecting and has updated their privacy statement. Additionally, they are making available a patch for RealJukeBox that will disable the data-collection.

19 of 98 comments

  1. Hand in the Cookie Jar by Thomas+Charron · · Score: 2

    Why is it that all of the companies that get caught integrating this type of capability always come up with the same line when they're caught?

    "We're sorry we weren't clear. We'll release a patch to disable it for those who wish their privacy respected"

    This has happened to SEVERAL companies in the last few years. Microsoft, Blizzard, Real Networks, and others. When are they going to understand that you CAN'T just start grepping through people's personal data without making it clear in the first place.

    If anyone reading is developing a product that may even provide the SLIGHTEST amount of feedback to an entity, do yourselves a favor. MAKE it VERY clear what is going on, or risk taking the wrath of your customers when they realize that their privacy has been compromised, and you know all about 'Customer Joe's' dirty web site habits.

    --
    -- I'm the root of all that's evil, but you can call me cookie..
  2. Re:RA's been gathering info for a long time by Thomas+Charron · · Score: 2

    What they did went far beyond simply collecting usage information, general performance issues, etc. It actually sent data back about things you had local that it recognized the extension for. It'd see all those wav files, etc, and report 'em back. It wasn't only usage data it was sending back, that, I could understand. It was complete sets of info regarding what you had on your HD..

    --
    -- I'm the root of all that's evil, but you can call me cookie..
  3. My 0.02 cents worth by jd · · Score: 2
    Their action is illegal anywhere in Europe and in the state of Oregon in the US. In Europe, they break EU privacy laws. In Britain, they also break the Computer Misuse Act, by carrying out an unauthorised transaction on people's computers. In Oregon, similar computer misuse laws have been violated.

    Now, I'm =not= saying people should get lawsuit happy, here. What I =am= saying is that computer companies seem to be bowing to the forces of marketroids, putting profit above the law.

    Whether you believe in Government Intervention, the US legal system, or Santa Claus is irrelevant. Clearly, when you get into Might Makes Right, something is seriously wrong. That is NOT a healthy place to be.

    Look beyond this one issue, and see the bigger picture, where profit is all and the only god known is green.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  4. Re:A Company That Listens by Effugas · · Score: 2

    I have only one question here: Did the company listen to the outrage of thousands of customers over the privacy violation or the 1-7/8 drop in their stock?

    And me without my moderator points. Ah well, such is the pain for posting in this discussion.

    Excellent observation.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  5. Re:Speaking of reading what you want to.... by Effugas · · Score: 2

    You obviously work for RealNetworks or otherwise benefit from their largess, so why don't you stop polluting this thread with your corporate PR - /. is a forum for people, not corporations.

    Unfair. Corporations have every right to defend themselves, and there's no reason to believe that A Nonymous Coward is really a RealNetworks employee. (Yes, people can doubt me without having an ulterior motive.)

    His point is rational--the claim could be taken to mean that RealNetworks reports all MP3s encoded by them and nothing else. It's plausible, but I'd be quite pissed at the Times--Number of MP3s Encoded != Number of MP3s on the Hard Drive. (Still, there's a pretty reasonable amount of privacy violation even without the extra-software spying.)

    The only way to check is to rip out a copy of FileMon and see what RealNetworks is really up to. If I get some free time, I'll do this myself.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  6. Re:You're speculating beyond reason by Effugas · · Score: 2

    AC--

    (BTW: No reason to be anonymous. I prefer to respond to people, not "entities"--You Are Your Words. Own them.)

    Richard Smith, a Brookline, Massachusetts-based independent security consultant, said the numbers of songs stored on a user's hard drive, the kind of file formats in which the songs are stored, the user's preferred genre of music, and the type of portable music player, if any, the user has connected to the computer are sent to the company, the Times said.

    This is my evidence (and my first paragraph from the post you responded to). If it's wrong, I self-flagellate myself upon the battered journalistic integrity of the above. RealNetworks didn't particularly refute any of this, and I'm sure they'd be screaming bloody f*cking murder if they were accused of taking one iota of extra data.

    AC, I would be laughing myself to tears if this was all about mere listening patterns. That's NOT what the evidence suggests.

    Do you have any evidence we don't know about?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  7. Speaking of reading what you want to.... by A+nonymous+Coward · · Score: 2

    Yes I am not anonymous.

    I believe you are reading what you want into Richard Smith's quote, rather than coming to it with an open mind. He does not say it "scans" (your word) for anything. Any ordinary reading of his words discussing what is stored on a drive could just as easily take it as shorthand for the songs that RealJukebox has stored on the drive. In fact, I would bet that most people would take it that way, other than lawyers and wannabe lawyers. Only the paranoid would take it to mean it actually goes looking all over for songs.

    --

  8. Another clarification by A+nonymous+Coward · · Score: 2

    Go back and peruse the thread. Richard Smith said RealJukebox reports what is stored on the disk; I was responding to a paraphrase of that which claimed it scanned the disk.

    That was the interpretation I took exception to.

    I wonder what got you so fired up?

    --

  9. You're speculating beyond reason by A+nonymous+Coward · · Score: 2

    This is a jukebox -- get it? It plays what you tell it to play. Has it got some way of loading up your MP3 player? Bet so. Therefore it knows what you have. Wakarimasuka? There's no more evidence of it scanning for MP3s or hardware than there is of it scanning for illegal copies of Word or Excel or insider trading or anything else.

    That's quite a rant you've got going on no evidence whatsoever.

    Don't get me wrong; their sneaky snoopy practice of sending this info off to HQ sets my teeth on edge. But the information itself is exactly what you'd expect a jukebox program to need. No disk snooping involved.

    --

  10. Re:The "patch" by Black+Parrot · · Score: 2

    One also wonders what the patch sends them.

    --
    It's October 6th. Where's W2K? Over the horizon again, eh?

    --
    Sheesh, evil *and* a jerk. -- Jade
  11. Hey Real folks... by Rombuu · · Score: 2

    I don't care if you know what I'm listening to or ripping. I think you make a good product. Don't let the black helicopter crowd worry you.

    "You have no privacy, get over it" -- Scott McNealy

    --

    DrLunch.com The site that tells you what's for lunch!
  12. Re:RealDopeBox cripples MP3 by Rombuu · · Score: 2

    What the hell are you talking about? If you purchase RealJukebox you get all rates up to 300kbps, and ultra cool VBR encoding to boot.

    --

    DrLunch.com The site that tells you what's for lunch!
  13. A different solution... by WNight · · Score: 2

    They were collecting the data for financial reasons. Perhaps not ones that could be used now, but they saw a market and tried to enter it. That market still exists. Companies *do* want to know what music you listen to, and how often.

    They should have 1) offered a complete opt-out (like the patch) and 2) offered to pay those who opted in.

    Most of the people in these threads were upset about the monitoring being secret, not that some company thought the information was worth something.

    They should have two levels. 1) opt out 2) opt in anonymously - get some free CDs or coupons 3) opt in completely - get a lot more stuff.

    The data is valuable to the music companies two ways. First, just knowing how much various CDs are played is valuable marketing data. Second, knowing WHO plays them, which demographic they're in, what else they bought, etc, is worth a LOT more.

    I bet they'd get a lot of kids opting in if at the end of the year they could get $50 worth of CDs or computer games from an online store...

    That would be the best of both worlds. Opt-out for the paranoid, or just plain annoyed, and opt-in for the greedy.

  14. Oh, the patch works by gad_zuki! · · Score: 2

    But after you install it, it scans to see what other patches you've installed and sends that info out to a patch database which will be used to create, "The best of Patches '99" CD-Rom.

  15. A Company That Listens by mudnux · · Score: 2
    I have only one question here: Did the company listen to the outrage of thousands of customers over the privacy violation or the 1-7/8 drop in their stock?

    I guess either way it resolves the problem. I hope many other internet enabled software manufacturers are listening too.

    --
    NT is based on the premise that anyone who can manipulate a mouse can administer a system. Huh?!?
  16. We're sorry we got caught! by satanel · · Score: 3

    This is a VERY serious issue. We cannot accept a patch and let this blow over.

    This was a trojan horse that performed an unauthorized scan of your HD and sent the data back to Real. Let's turn the tables a moment and suppose that an individual had done this to one of Real's servers? They would be pursuing legal redress (as well they should). To let Real off the hook now that they've issued a patch is to forfeit the battle for privacy.

    Real has basically said "we're sorry we got caught". They are not sorry for what they did. If they were, the CEO would resign in disgrace.

    Boycott RealNetworks products permanently. If you owned their jukebox, contact a lawyer and file suit against them for "hacking" your system. File a complaint with the FBI.

    This is the first instance of this type of behavior of which I am aware, and we all need to make an example of it. Accepting an insincere apology and patch lets them off too easily and will implicitly encourage others to follow suit, since the penalty is something most companies can live with. Unless we cause RealNetworks true pain, then we have just lost a crucial battle.

  17. Be not so quick to forgive, kids by gad_zuki! · · Score: 3
    This isn't some mistake that Real found out about and quickly resolved, but a deliberate plan to mislead its customers. What Real did was this:

    Knowing eventually they would be caught by someone checking out suspicious data packets sent out by their own machine, Real had only x amount of time before they were caught.

    They used this time to gather as much info that they needed to make a sweet music pref database that would have cost x amount to gather through legitimate means.

    They weighed 2 conditions: What costs more, the PR flak from putting a trojan in our software or paying for a legitimate survey? You can guess which ones they picked.

    Now it's all about saving face because they've saved the money.

    My doctor calls me, "Oh BTW I wanted to tell you that the medicine I gave you isn't just for syphilis, it's also a microcamera to identify girls you sleep with so we can better sell them the syphilis cure." "Umm, thanks Dr. R. Networks"

  18. Ya gotta love it by Ledge+Kindred · · Score: 3
    This industry is the best. Especially in this country.

    Oh, you found out we've been scanning your hard drive and sending data on what music you listen to and what kind of files you have on your system without telling you we would be? Sorry, we'll stop! All better!

    Oh, you found out we're using your personal registration information to build mailing lists that we sell to SPAM and junk snail-mail companies without telling you we would be? Sorry, we'll stop! All better!

    Oh, you found out we've been embedding serial numbers in every document you create so we can track them as they travel across the computer systems of the world and we never let you know about it? Sorry, we'll stop! All better!

    Oh, you found out that we've purposely left back-doors into our security products so that gov't agents can come in and look at what you're doing any time they'd like? Well, we deny it therefore it never happened! All better!

    You'd think someone would actually get outraged enough to take some sort of counter-action at all this stupidity. I guess the sheep^H^H^H^H^H citizens of this country are so used to our government doing it that corporations can get away with it with nothing more than an apology and the statement that they'll "stop doing it" which of course, we must all believe is sincere since they were invading our privacy without telling us to begin with.

    -=-=-=-=-

    --

    -=-=-=-=-
    My mom's going to kick you in the face!

  19. On A Scale Unimaginable... by Effugas · · Score: 4


    Richard Smith, a Brookline, Massachusetts-based independent security consultant, said the numbers of songs stored on a user's hard drive, the kind of file formats in which the songs are stored, the user's preferred genre of music, and the type of portable music player, if any, the user has connected to the computer are sent to the company, the Times said.


    People, this isn't just RealNetworks incidentally receiving information on what CDs you have by nature of that being the only way to send back the track titles.

    RealNetworks invasively scanned millions of Americans' computers for content that had nothing to do with the functioning behavior of RealNetworks software. We're talking about code that looked for MP3s, music applications, hardware interface tools, and who else knows--I wouldn't look for RealNetworks to tell.

    Open Source is many things, but I'd seriously rather it not degrade into the only way to trust that code isn't Trojan'd. I expect that kind of paranoia for my cryptology of choice, not to play some Garbage!

    This isn't an issue about a few missing lines from a privacy statement. Should RealNetworks be able to upload any interesting file on your hard drive to the corporate servers as long as they mention that "From time to time, RealNetworks may request feedback from your internal storage systems according to specific parameters to be determined according to your usage profile"? Maybe it'd be fine for them to tap into your computer's microphone, as long as they don't neglect to tack on "User agrees to indemnify RealNetworks from any liability in relation to any data flowing through said user's Sound Card"?

    This isn't about legality, at least, not yet. It's about trust, and RealNetworks is losing mine fast.

    The real question is, whether TrustE will follow.

    I'm no history expert, but there's an aspect of TrustE that just smacks of the ill-fated League of Nations from the first part of the century. Namely, the well-intentioned but utterly toothless, powerless, and secretly mocked nature of it. I think TrustE actually has enough Respect Capital (if there is such a thing) with the press to actually do something, this one time...

    Or never again, because nobody will listen anymore.

    TrustE needs to set up guidelines of what may be buried in the fine print and what needs explicit and large dialogs before the function is completed--yes, this includes specifications like "Default must be no, and the software must still run even if it isn't allowed to insert seven links to the audio playing software like RealPlayer G2 does--we counted." That's clear, from RealNetworks' rather shocking behavior.

    The bottom line is TrustE simply needs to file suit for breach of contract and reach a settlement where RealNetworks needs to contact all possible users, mass deploy a tremendous upgrade, and notify victims of the violations in both online and TV/Magazine forums.

    That, or some combination with what I'd like to call TrustEeth: Privacy Protected for x Days.

    If you think about it, it's really just a much more positive version of "This Site Accident Free for x Days" signs. The system encourages TrustE certification, since the longer one puts it off, the longer it will take to get to privacy levels respected by customers. It will make it progressively more expensive over time for large companies to allow their ego to overpower the rights of their customers--the CEO will be quite peeved at the middle manager who took the nationwide corporation down to one day of privacy protection.

    If not a system using literal days, then an accumulation of points, lowered by violations, maintained by fair and quick resolution of privacy concerns, and accelerated by respectful "voluntary" policies could also be functional.

    The key is, people need to have a gauge by which they can determine whether or not to trust a site and the code it asks them to download, and managers need to know they could get called on the carpet if they try a stunt like RealNetworks did.

    The irony is truly remarkable, if you ask me. The CEO of RealNetworks (then Progressive Networks, if I remember correctly) went and testified in front of The United States House Of Representatives, arguing that everybody's favorite monopolist, Microsoft, was making the playing field unfair.

    Meanwhile, here we are in November of 1999, and RealNetworks is repeating the sin that Microsoft did wayyyy back in the day with its overly nosy Registration Wizard that reported if software like WordPerfect was installed. Incidentally, the above dig at RealPlayer G2 for the seven links it litters all over your desktop (collect them all) is even more beautifully ironic considering the now strangely difficult to find position paper regarding asking the user before doing anything of import.

    On a plus note, I don't think the US Patent Office had anything to do with this one.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com