Slashdot Mirror


RealPlayer Uploads Your ID Too

Wired revealed this morning a "New Privacy Glitch" which may actually be years old. Real Networks' RealJukebox isn't its only software to send a Globally Unique Identifier (GUID): RealPlayer does too. The free RealPlayer has 69 million users of all its versions; Real isn't saying which versions send the GUID. It's sad when the "good news" is that RealPlayer doesn't scan your hard drive. Oh - and by the way - Windows Media Player sends one too but it's OK because registration is not required. Are we living in cuckooland? Update: 11/08 08:44 by J : On the just-launched real.com site, their Software Privacy Statement says: "the Globally Unique Identifier - GUID has been disabled for electronic registration so it cannot be used to identify you." This is for RealPlayer 7: still, apparently, no word on earlier versions.

9 of 166 comments

  1. Only criminals want privacy. by Anonymous Coward · · Score: 3
    Anyone who complains about this is obviously a child molester or a drug dealer or a DVD encryption cracker or other horrible deviant. Next thing you know people will be complaining when the police start installing cameras in people's houses to catch burglars.

    Face it people, government and big business is your friend. They only want what's best for you. Now stop resisting, go back to work, and buy some of those fine products you see advertised on TV and the web.

  2. Is this helped by proxying? by Christopher B. Brown · · Score: 3
    It's not evident whether this is helped or hindered by having proxy servers in between you and remote sites...

    There most certainly are cases where it is very nice to have something like Junkbuster and/or Squid in between me and remote places, as both can help keep things a bit more anonymous.

    I'm looking forward to cable modems being more ubiquitous; this will mandate having personal firewall machines, and this will encourage the development of little easily-managed boxes to help with such.

    Little Linux boxes would be perfect candidates for this sort of thing; a minimal distribution that has some proxying software, and something like Linuxconf or COAS that can be configured remotely through a secure connection (e.g. SSL) would be a killer app.

    --
    If you're not part of the solution, you're part of the precipitate.
  3. Privacy never has existed by Uruk · · Score: 3

    What do you expect companies to do? Pass up an opportunity to gather important marketing information?

    Privacy hasn't been really possible ever since the real marketing sharks started to hit the internet. Remember, even though companies aren't ethical for the most part, they're not stupid. They wouldn't bother getting their codejockeys to put this stuff into the software if it wasn't making them big bucks in one way or another. It doesn't give companies a stiffy to have power over you and use your information, it's just that they're making money off of it, and that's why they do it.

    Public companies are a real bitch, because of the diffusion of responsibility. Even if they have people inside the organization that realize something is legal, yet unethical, it still gets done, because there really isn't a big boss that can say "We're doing this, and not that". There is to a point, in the CEO/CFO, but at the same time, they owe their jobs to the board and the stockholders. Failure to be ruthless and relentless in the name of corporate profits for the shareholders results in losing your job if you live in CEO land.

    Privacy hasn't existed for years and years. My first internet experience was when AOL was brand new, and I got connected with my state-of-the-art 14.4 modem. Wow was that fast. Even back then I remember getting UCE, and having marketing things tossed at me that were quite strange in their approach. (i.e. why is it that when I started, I saw ads for generic things, but the more I go along, the more specifically computer targeted ads I see? Does that have anything to do with the bulk of information I'm after?)

    The only way you can really have privacy is to use other people's networks, never sign up for an ISP or give out your name, address, email, phone, or other information, and keep changing computers so as to dodge cookies, and other "features" of the software that we don't know about yet.

    Has it ever occurred to anybody that every once in a while, people will discover one of these privacy violating features and everybody will be shocked and outraged about it - ever wonder how many of them are out there that we don't know about?

    --
    -- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
  4. No, it doesn't... by Otto · · Score: 3

    A long time ago I was writing a simple CD player program for myself, mainly to do Auto-DJing with. I never finished it, but one of the things I did look at very hard was the CDDB protocol.

    When you send an update to the database, you are sending an e-mail with a special format.

    However, when you QUERY for info, all you send is data about the CD so it can return the cd data. NO EMAIL ADDRESS IS SENT in the query.

    Now, they have a new protocol, called cddb2 (cddb-squared, actually), and I haven't looked at it. So I don't know about it. But the standard CDDB protocol does NOT gather personal info in this way.

    They do gather info on number of queries as a whole done to their database, of course. This is a handy way to determine popular playing choices. But they have no way to determine an individual's popular playing choices.



    ---

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  5. privacy and the registration requirement by ottffssent · · Score: 3

    I don't know about the rest of you, but 'back in the day' when I had no better place to put a webpage than on Geocities, I too was required to register. I'm sure they kept every scrap of information I gave them, and I'd like them to know that it was all bullshit.

    According to geocities, my name is John A. Doe. I live at 1234 main street, LA California. I make over $150,000 per year, am married, and am female.

    Though I'm not going to tell you the truth either, I will say that I'm male, live far far away from LA california, make a small fraction of the listed income, am not married, and don't even know anyone whose initials are JAD.

    The USPS is happy to provide the zip+4 address that many registration programs require to verify that you really do live there. Go to http://www.usps.gov/ncsc/lookups/lookup_zip+4.html and give them an address. Many sites also require you to enter an area code for similar reasons. This is also easily spoofed. Go to http://www.555-1212.com/area_codes.html and list the place you've decided to tell them you live at. Some places (LA, for example) have several area codes. All will be listed, and you'll have to try them until they work. For example, LA has 323, 213, 310, and 424 so you'll be shooting in the dark. Fortunately, not many places are as big as LA, and if it's only got 4 area codes, your favorite burg likely has only 1.

    In short, while I'm distressed by the business practice of grabbing what info they can however they can so you don't know about it, I've developed ways to give them verifiable but totally useless information to satisfy registration requirements. As a matter of course, I provide such bogus information even to reputable institutions like the new york times, where I have over a half-dozen registrations for myself and various friends.

    But wait! you say. What about scams where I have to provide an email address so I can get a registration key? That brings us back to geocities. Or hotmail. Or any one of a hundred different similar services. Hotmail and their ilk are probably the best in this instance because they're webmail (as opposed to geocities' pop server, which while slow is very nice if it's your main email address) and don't require any re-configuring of your mail settings to get at. Send the key there. Then ignore all the mail you get. If you don't use the service anymore, it'll delete you. If you do keep using it, just ignore the junk mail that piles up and grab the keys you need.

  6. RealPlayer IDs by chown · · Score: 3

    All versions of RealPlayer G2 send it, and I believe all versions of 5.0 did as well. They look like this:

    22a7cc46-7962-11d2-8612-006097a1ae04

    It gets logged by RealServer G2, which is sort of funny, since it doesn't really do RealServer admins a whole lot of good, I guess you could get accurate numbers of how many REALLY unique hits you got, on a per-player basis, but I usually just do it by IPs and nobody seems to care. So one would assume that RBN is tracking this in some fashion for their own use.
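
The identifier quoted in the comment above parses as a version 1 (time-based) UUID under RFC 4122, a layout that carries a creation timestamp and a 48-bit node field that is normally the machine's network-card MAC address. The following is an added example, not part of the original comment and not RealNetworks code; `decode_guid` and `same_machine` are hypothetical helper names, and it assumes the value was generated as a standard version 1 UUID.

```python
import uuid
from datetime import datetime, timedelta, timezone

# The identifier quoted in the comment above.
SAMPLE_GUID = "22a7cc46-7962-11d2-8612-006097a1ae04"

# Version-1 timestamps count 100 ns ticks from the Gregorian reform date.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def decode_guid(text):
    """Return the fields a server-side log reader could recover from a GUID."""
    u = uuid.UUID(text)
    info = {"version": u.version, "rfc4122": u.variant == uuid.RFC_4122}
    if info["rfc4122"] and u.version == 1:
        node = u.node.to_bytes(6, "big")
        info["created_utc"] = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
        info["clock_seq"] = u.clock_seq
        info["node"] = ":".join(f"{b:02x}" for b in node)
        # RFC 4122: a node that is NOT a real MAC must set the multicast bit.
        info["node_is_hardware_mac"] = (node[0] & 0x01) == 0
    return info


def same_machine(a, b):
    """True when two version-1 GUIDs carry the same node field."""
    da, db = decode_guid(a), decode_guid(b)
    return "node" in da and da.get("node") == db.get("node")


if __name__ == "__main__":
    for key, value in decode_guid(SAMPLE_GUID).items():
        print(f"{key:22} {value}")
    # A random (version 4) UUID, generated here for contrast, has no such fields.
    print(decode_guid(str(uuid.uuid4())))
```

Because the node field stays constant across every version 1 GUID a machine generates, regenerating the identifier does not unlink the installs; a random (version 4) identifier carries no such field.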

  7. Privacy Panda by gad_zuki! · · Score: 4
    Now that privacy issues are getting more and more press, the time is ripe for a cartoony privacy mascot. Companies can attach his picture to their products if their software doesn't reveal or track any user info. I'm gonna suggest 'Peter, the Privacy Panda.' Maybe he can hang out with Smokey the Bear and McGruff.

    If we're lucky some guy in a Panda suit will follow the fed's new anti-hacking mascot around to all the gradeschools.

    If we're really lucky he'll pick a fight with the anti-hack gerbil as he tries to get converts for the CIA kids program. "No kids, snitching is bad, take that you filthy gerbil!"

  8. Win98 does it too by spectro · · Score: 3

    I was updating from win95 to win98 and have a small home network with a linux machine as a dial-on-demand router to the internet. I remember when the win98 installation was almost finished the linux machine started calling the internet. The trigger was a DNS query I couldn't log at that moment, but I unplugged the net connection to the win98 box. It was hanging for about two minutes before it continued and finished the win98 install.

    --
    HTML is obsolete. It's time for a new, simpler and richer markup language.
  9. A few concerns by Raindeer · · Score: 3

    When hearing this story, it sounds like I am hearing the same story that I have heard way too often in the last 5 years, but now with Real's name in the subject header. I really start to wonder the following things.

    1. Why does everything have to be recorded with a GUID embedded in the program? If anything, use cookies that are only sent back to the site they originate from. This way it will be a bit harder to cross-reference, but they are still useful for the purpose of figuring out what certain groups like.

    2. Why does it seem that these things are always found by the same people? It doesn't sound too difficult to me to monitor what is going in and out of your machine. (but I am not a techie, so shoot if I am wrong) Basically, why is there no group that is occupied with this? A concerted action might make certain companies think twice before doing it.

    3. Why do these things always get called bugs and glitches? I have seen some pretty stupid coding in my life, but I have the faint idea that you don't get this by letting your cat walk over the keyboard. (Again, correct me if I am wrong). Somebody put them there for a reason and I get the idea that there are a lot more than we know...

    Well those are my two cents. I am waiting for the day my teachers call me and tell me that their data shows, that my reading of Slashdot is negatively affecting my grades :-)

    -----------------