As more pixels are being spilled about the potential spyware and adware in the latest version of Apple’s iTunes, a great deal of misunderstanding about this issue is prevalent. I’ve written about this issue several times, beginning with this article, which outlined what the iTunes MiniStore does , followed up by this examination of what Apple did wrong, and how apologists seem to want to forgive every mistake that Apple makes, and, finally, a presentation of the actual data that iTunes sends to the iTunes Music Store, including a unique use ID.
In this article, I would like to examine some of the claims that have been made about what the iTunes Mini Store actually does, and explain what is fact and what is fiction. There is a bit of both in some of the articles on the web, especially in the comments on sites like Slashdot. So read on for a reality check.
- The iTunes MiniStore sends personal information to Apple’s servers. True, in part. It also sends information to a company called Omniture. The since1968 blog has a great article explaining more about Omniture.
- The iTunes MiniStore sends personal information to Apple’s servers, and other servers, for every song you play, the contents of your entire library, etc. False. The iTunes MiniStore only sends this information when you click a song. If you double-click a song from an album or playlist, for example, the first song’s information is sent to Apple’s servers, but subsequent songs are not. iTunes also sends information for CDs that you insert into your computer (if iTunes is running) to either play or rip. iTunes also does not send the contents of your entire library or anything else to Apple’s servers.
- The iTunes MiniStore sends a personal ID to these servers. True. As I explain in this article, the iTunes MiniStore sends your Apple ID (or at least its numerical equivalent) with each request for information. It also sends song information (name, artist, and genre) for music you have ripped yourself, or a unique identifier for songs you have purchased from the iTunes Music Store (iTMS). The Apple ID is used for the iTunes Music Store, for .Mac (if you have a subscription), for Apple’s developer program and other Apple services, including purchase you make from the Apple Store. The Apple ID can therefore be linked to your credit card, your address, and your purchasing habits with Apple.
- The iTunes MiniStore does not send any information to the iTunes Music store or other servers when it is hidden. True. If you want to be sure that your personal information is protected, just hide the iTunes MiniStore by clicking the fourth button from the right at the bottom of the iTunes window, or by selecting Edit > Hide MiniStore.
- The iTunes MiniStore sends a personal ID to these servers even if you are not signed in to your iTunes Music Store account. False. If you sign out of your iTunes Music Store account, or if you have never created one, no personal ID is sent.
- The iTunes MiniStore sends other cookie information to these servers. True. And I have no idea what these cookies contain.
- The information sent to the iTunes Music Store is used for the Just For You feature (a recommendation section on the iTMS main page). False. Just For You seems to only use either your iTMS purchases, or other albums that you have told the recommendation engine that you own.
- The iTunes MiniStore display is no different from the Just For You recommendations. False. In my case, it displays albums that I have purchased from the iTMS, so, while information is being sent to the iTMS with a personal ID, it is clearly not (yet) being used to check on your purchases.
- The iTunes MiniStore display is no different from clicking the arrows in iTunes that take you to the iTMS and show you similar music. False. Clicking an arrow is active; the iTunes MiniStore is passive (it requires you to click a song, but you may be doing this simply to play the song). There is a difference, in my opinion.
- The iTunes license does not mention anything about personal information being shared via iTunes. True. But…
- The iTunes license refers back to Apple’s generic privacy license. True. It links to the Apple Customer Privacy Policy. However, this document does not seem to cover the type of information that the iTunes MiniStore is sending to the iTMS. It first discusses information obtained during service calls, when you register your computer, and then says, “We also collect information regarding customer activities on our website, .Mac, the iTunes Music Store, and on related websites.” It is hard to imagine that the use of iTunes on your personal computer fits into the definition of “our website, .Mac, the iTunes Music Store, and on related websites.” Perhaps Apple is stretching it by considering that the iTunes MiniStore is part of the iTunes Music Store, but, in most users’ eyes, this is not the case–users “enter” the iTMS when clicking on the Music Store icon, not when they simply click on a song in their library.
- Apple has said that they are not collecting any information from the iTunes MiniStore. As of now, Apple has made no official statement regarding this. The author of an article on Macworld was contacted by “an Apple official” who “told Macworld that the iTunes MiniStore feature does not collect any information from users.” However, at the time this article was written, it was not known that users’ unique IDs were being sent. While Apple may not be collecting any information now, this does not mean that they will not do so in the future.
- Apple’s approach to collecting information is illegal. That’s for the courts to decide, should it get to that point. It is interesting to point out that Real Networks was sued in 1999 for a very similar usage of unique identifiers in its music player software. Note that European privacy laws, more stringent than those in the United States, might see things differently. Since iTunes is available around the world, it has to comply with the laws of the country in which it is provided.
- If Apple can connect song information to unique user IDs, the RIAA might be able to subpeona this information to track down people who have illegally copied music. Um, maybe. This is stretching things a bit, but let’s look at a hypothetical. Before U2 released their last album, a master was stolen then found its way onto file sharing sites on the Internet. Assuming that this were to occur to another band, the iTunes MiniStore could potentially track users who 1) have the MiniStore displayed, 2) have such songs that are not yet officially released, and 3) click them in iTunes. Even if Apple were to collect song information and link it to user IDs, could a court force them to release this information? I’m not a lawyer, and don’t want to speculate. But the technology clearly exists for such tracking to occur.
- Apple should have realized that there would be a privacy issue surrounding the introduction of the iTunes MiniStore. True. It astonishes me that, given the number of people involved in a product such as iTunes, from programmers to marketing people, that a red flag did not go up at some point. Or, if it did, that it was ignored. Apple should have been proactive and explained this feature from the get-go, rather than wait for users to sniff packets and find out what it is doing.
- Apple clearly indicates this new feature on its web page. True. The iTunes web page and download page mention this feature. However, Mac users who used Software Update to update iTunes saw no information regarding this feature, but only this: “iTunes 6.0.2 includes stability and performance improvements over iTunes 6.0.1.” So Mac users were not aware of this feature, unless they went to the iTunes download page to get the update.
See other articles about the iTunes MiniStore:
iTunes: Apple’s New Spyware and Adware Application?
The iTunes MiniStore Debacle: What Apple Did Wrong