iSpy: Still More on the iTunes MiniStore and Privacy

Some things just go on getting worse. If it wasn’t enough that iTunes 6.0.2 contains spyware and adware, now it turns out that the program not only sends information about the song you have selected to Apple’s servers, but also sends your Apple ID, or, at least, its numerical equivalent. (If you’ve missed an installment, the story begins with the link just above, then continues here.) Michael Griffin first noticed this, as reported on Boing Boing, and I had trouble reproducing it at first. But I quickly found out that he was right, with the exception that his Apple ID is six digits and mine is eight. (See the updates to the Boing Boing story for more on how I discovered this.)

So, after Apple claimed that they were not “collecting” information, it now turns out that the information they send is directly linked to a user’s account identifier, if, of course, the user has an Apple ID. If you have never logged into your iTunes Music Store account, you won’t have this ID, and Apple can’t track you. But if you have, even once, this ID is stored in a preference file on your computer, and sent with each iTunes MiniStore request.

Here is an example of the raw data that is sent, taken from tcpdump output. What is being transmitted is, first of all, song info: the name of the song, the artist and the genre. Then it sends the Apple ID, shown as ######## below. (Note: I’ve inserted line breaks for readability.)


....GET./WebObjects/MZSearch.woa/wa/ministoreMatch?an=Brian%20Eno&gn=Alternative
&kind=song&pn=Another%20Day%20On%20Earth.HTTP/1.1..X-Dsid:.########..
X-Apple-Tz:.3600..X-Apple-Store-Front:.143441..Referer:.http://
ax.phobos.apple.com.edgesuite.net/WebObjects/MZStore.woa/wa/ministore?
a=38124&kind=song&p=21770107..User-Agent:.iTunes/6.0.2.
(Macintosh;.U;.PPC.Mac.OS.X.10.4.4)..Accept-Language:.en-us,.en;q=0.50..X-Apple-
Validation:.2EE9F6C3-D8415CAF7FE49AF74A1B7CF92DDDC842..
Accept-Encoding:.gzip,.x-aes-cbc..Connection:.close..
Host:.ax.phobos.apple.com.edgesuite.net....

You can also see such things as the version of iTunes, the language, and some other cookie-related values (after X-Apple-Validation).

It then sends this, which is more of the same (without the Apple ID), but with some more values from the iTunes cookie files:



c6..HTTP/1.1.200.OK..Last-Modified:.Thu,.12.Jan.2006.12:46:27.GMT..Content-
Type:.text/xml;.charset=UTF-8..x-apple-lok-response-date:.Thu.Jan.12.04:46:27.PST.2006..
Vary:.Accept-Encoding..x-webobjects-loadaverage:.0..x-apple-lok-filelastmodified-date:.
Tue.Jan.10.21:14:37.PST.2006..x-apple-lok-path:./opt/itms_lokamai/Lokamai/MZSearch/
ministore/12/57/wa_ministoreMatch?an=Brian%20Eno&gn=Alternative&
kind=song&pn=Another%20Day%20On%20Earth-143441-Ak..x-apple-date-
generated:.Wed,.11.Jan.2006.05:14:36.GMT..x-apple-request-store-front:.
143441..x-apple-max-age:.3600..x-apple-max-age:.64800..x-apple-application-instance:.
150..x-apple-asset-version:.14571..x-apple-lok-filesize:.1693..x-apple-lok-current-
storefront:.143441..Content-Encoding:.gzip..Expires:.Thu,.12.Jan.
2006.12:46:27.GMT..Cache-Control:.max-age=0,.no-cache..Pragma:.no-cache..Date:.Thu,.
12.Jan.2006.12:46:27.GMT..Content-Length:.551..Connection:.close

Here’s more (with my Apple ID hidden again):



HTTP/1.1..X-Dsid:.########..X-Apple-Tz:.
3600..Cookie:.asbid=sKUKC49DKFC7T4CHC;.s_vi=
[CS]v1|53C501E3-85ACC277[CE];.s_vi_jx7Bx7Bgnbx7Ffxxej=
[CS]v4|53C58647-6EC2D232|0[CE];.s_vi_jx7Bx7Bgnbx7Ffxxx7Exx=
[CS]v4|53C58647-6EC2D232|0[CE];.s_vi_ox7Ex7Ebkx7Bx7Dyyygzcx7D=
[CS]v4|53C58647-6EC2D232|0[CE]

Most of what is in this part I have found in my iTunes cookies (in the com.apple.itunes.plist file).
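As an added example (my code, not anything from the post or from Apple), here is a small Python parser that takes a reconstruction of the MiniStore request shown above, with real CRLF line endings in place of tcpdump’s dots, and reports what the request discloses: the song being looked up, and every header that ties the lookup to an account or session, including the X-Dsid value and the cookie pairs from the fragment just above. The request bytes are constructed from the capture in the post, with the Apple ID left as the post’s ######## placeholder. That X-Dsid is the numeric Apple ID is what the post states; treating X-Apple-Validation and Cookie as further correlation tokens is my own assumption.

```python
"""Report the account-linked fields in a captured iTunes MiniStore request.

Added example, not code from the original post. SAMPLE_REQUEST is a
constructed reconstruction of the tcpdump output in the post, with CRLF line
endings in place of tcpdump's dots and the post's ######## placeholder for
the Apple ID.
"""
from urllib.parse import parse_qs, urlsplit

# X-Dsid carries the numeric Apple ID (as the post describes). Treating the
# validation token and the cookies as session identifiers that can also
# correlate requests is an assumption made for this example.
ACCOUNT_LINKED_HEADERS = {"x-dsid", "x-apple-validation", "cookie"}

# Constructed sample modelled on the capture shown in the post.
SAMPLE_REQUEST = (
    b"GET /WebObjects/MZSearch.woa/wa/ministoreMatch?an=Brian%20Eno&gn=Alternative"
    b"&kind=song&pn=Another%20Day%20On%20Earth HTTP/1.1\r\n"
    b"X-Dsid: ########\r\n"
    b"X-Apple-Tz: 3600\r\n"
    b"X-Apple-Store-Front: 143441\r\n"
    b"User-Agent: iTunes/6.0.2 (Macintosh; U; PPC Mac OS X 10.4.4)\r\n"
    b"X-Apple-Validation: 2EE9F6C3-D8415CAF7FE49AF74A1B7CF92DDDC842\r\n"
    b"Cookie: asbid=sKUKC49DKFC7T4CHC; s_vi=[CS]v1|53C501E3-85ACC277[CE]\r\n"
    b"Host: ax.phobos.apple.com.edgesuite.net\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target, version and headers.

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    requires; the body (if any) is ignored, since a GET carries none.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def parse_cookie(value: str) -> dict:
    """Split a Cookie header into name/value pairs.

    Only the first '=' separates name from value, so values such as
    '[CS]v1|53C501E3-85ACC277[CE]' come through intact.
    """
    pairs = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        pairs[name.strip()] = val.strip()
    return pairs


def ministore_disclosure(raw: bytes) -> dict:
    """Describe what a MiniStore request tells the server.

    Returns the song lookup (decoded query parameters) and every header that
    links the lookup to an account or session. 'tracked' is True exactly
    when an X-Dsid header is present, which, per the post, happens once the
    user has logged into the store at least once.
    """
    req = parse_request(raw)
    query = parse_qs(urlsplit(req["target"]).query)
    song = {name: values[0] for name, values in query.items()}
    linked = {}
    for name, value in req["headers"].items():
        if name in ACCOUNT_LINKED_HEADERS:
            linked[name] = parse_cookie(value) if name == "cookie" else value
    return {"song": song, "account_linked": linked, "tracked": "x-dsid" in linked}


if __name__ == "__main__":
    report = ministore_disclosure(SAMPLE_REQUEST)
    print("Song lookup:", report["song"])
    print("Account-linked fields:", report["account_linked"])
    print("Tied to an Apple ID:", report["tracked"])
```

Removing the X-Dsid line from the sample and running `ministore_disclosure` again gives `tracked == False`, which is the situation the post describes for a user who has never logged into the store: the song lookup still goes out, but nothing in the request names the account.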

And for a minute, I was thinking that this would all blow over quickly…


See other articles about the iTunes MiniStore:

iTunes: Apple’s New Spyware and Adware Application?

The iTunes MiniStore Debacle: What Apple Did Wrong

iSpy: Still More on the iTunes MiniStore and Privacy

The iTunes MiniStore: Fact and Fiction

6 thoughts on “iSpy: Still More on the iTunes MiniStore and Privacy”

  1. I passed yesterday on commenting, but today you make it far too easy to comment. If you haven’t figured it out yet, it’s called marketing. Everyone does it. Why does Radio Shack ask for your phone number when buying batteries? Why does Best Cuts or Great Clips ask for your phone number when you get your hair cut? Ever use the customer cards at grocery stores (such as Topps or Giant Eagle)? What do you think they do with the data? Toss it?? I don’t recall seeing an EULA agreement along those lines. If anything, at least the data is being used to highlight items I might like based on past purchases. Otherwise then it would be a problem, for now it becomes unwanted spam about music I wouldn’t purchase. Wake up… you’re living in the digital age.

    • About your “phone numbers” marketing theory… When a Radio Shack salesperson asks you for a phone number, you have the liberty of asking: “Why do you want my phone number?” and then refusing to give it to them if marketing is the purpose and you wish not to participate. Also, when you give them your phone number, you don’t automatically entitle them to trace your calls, to track what your calling habits are, to learn about who you are and what you do.
      Yes, marketing practices are getting out of hand, and our laws somehow aren’t keeping up with the fast pace of technology and new ways of solicitation. No matter how you slice it, two wrongs don’t make a right. We need to draw the line where our privacy is being violated.
      If you feel comfortable with giving away your personal information without questioning its purpose, that is your right. I wish not to, and I demand a clear explanation.

  2. Aren’t you guys making a volcano out of a zit? Apple owns the only store that sells iTunes. They already know which tunes you have bought.

    D’oh! On second thought, I can see where this could be a problem for some people. Never mind.
