iTunes DRM-Free Files Contain Personal Info
Posted by kdawson on Tue Jan 13, 2009 02:39 AM
from the musical-steganography dept.
r2k writes "Apple's iTunes Plus files are DRM-free, but sharing the files on P2P networks may be an extremely bad idea. A report published by CNet highlights the fact that the account information and email address of the iTunes account holder is hidden inside each and every DRM-free download. I checked, and I found I couldn't access the information using an ID3 tag editor, but using Notepad I found my email address stored inside the audio file itself."
Related Stories
News: Apple Hides Account Info in DRM-Free Music 669 comments
Alvis Dark writes "Apple launched iTunes Plus earlier today, the fruit of its agreement with EMI to sell DRM-free music. What they didn't say is that all DRM-free tracks have the user's full name and account e-mail embedded in them. Is this to discourage people from throwing the tracks up on their favorite P2P platform? 'It would be trivial for iTunes to report back to Apple, indicating that "Joe User" has M4As on this hard drive belonging to "Jane Userette," or even "two other users." This is not to say that Apple is going to get into the copyright enforcement business. What Apple and indeed the record labels want to watch closely is, will one user buy music for his five close friends?'"
Submission: Personal info discovered inside iTunes Plus files by Anonymous Coward
This discussion has been archived.
No new comments can be posted.
Seriously... (Score:5, Insightful)
I don't see the problem. I didn't want them to remove DRM so I could ignore the copyright on the music, I wanted them to remove it so I could use it on any device I wanted to listen to it on. They did that; now I can, as far as I'm concerned, we're all good now.
If you interpret the lack of DRM as permission to ignore copyright, and you end up in trouble because you did so...
Nope, don't see the problem.
Good grief. "Sharing" copyrighted music files on a P2P network was always an extremely bad idea. If you ever had any fraction of an excuse for doing it (and frankly, I don't really think you did, but...) it is gone now, at least as far as iTunes purchases go. What has changed is it is now reasonable to purchase music, because you'll actually get to own it, use it on *all* your gear, back it up, etc.
The only thing I can think of that is really affected by this is your ability to legitimately resell a recording of a tune you own, because you bought it. And for that issue, I give it.... maybe an hour before someone comes up with a tool to ZOT that name and email address right out of there. Maybe it'll even put the new one in. Pride of ownership and all that.
Re:Seriously... (Score:5, Insightful)
Parent
Reasonable compromise... (Score:4, Insightful)
Sure, so long as they make it abundantly clear that this is what they're up to.
Is this the case? I assume it isn't, because Slashdot and others are acting all surprised about it.
Parent
Re:Reasonable compromise... (Score:5, Informative)
Parent
Re:Reasonable compromise... (Score:5, Informative)
This is the second or third article about Apple putting said info into their music files over the years. It isn't surprising. Apple even states it somewhere in the fine print of the EULAs.
Slashdot suffers from ADD and forgets what it duped yesterday.
Parent
Re:Reasonable compromise... (Score:5, Interesting)
If it were in AAC Lossless...then it would be easy I guess to convert it to FLAC with no degradation of signal...and in doing so, delete the identifying information?
Darn...if they'd just sell me CD or better quality, non-DRM music, I'd be in line with the rest of them to buy online.
Parent
Re:Reasonable compromise... (Score:5, Interesting)
iTunes doesn't sell MP3s, though. They sell lossy AAC files in an MP4 container. So it's unlikely that they'd have ID3 frames in the first place.
I haven't purchased any DRM-free songs from iTunes, but I'd suspect that the information is stored as standard MP4 atoms, and that the iTunes editing interface just doesn't give you the ability to modify them. In which case you could presumably use a standard MP4 tool to remove the information, if you were so inclined.
That's just a guess, of course. It's obviously not clear from TFA.
Parent
Re:Reasonable compromise... (Score:5, Informative)
Sure, so long as they make it abundantly clear that this is what they're up to.
Choose any iTunes plus song, and select "get info" from the main menu. On the left side of the "Summary" pane, you'll see "Purchased By", "Account Name", and "Purchase Date". IIRC, those were there on the DRM versions too.
-jcr
Parent
Re:Reasonable compromise... (Score:5, Informative)
This has always been the case since the iTunes store opened! It's not news, it's several years old. Heck, when Hymn was available (removed FairPlay from purchased music, and this was 5+ years ago), it kept the personal information to prevent people from P2P'ing the newly unlocked music.
So the very first time you used the iTunes store years ago, personal information was attached - it wouldn't have shown up with change bars because that part has not changed. You can probably find the news articles about it from years ago, and again from a couple of years ago when iTunesPlus was started about how the AppleID of the purchaser was embedded in the file.
People are acting like this is completely new, when it's been happening for years now.
Parent
Re:Seriously... (Score:5, Insightful)
Apple wants DRM free stuff and RIAA doesn't. Apple stuffs personal info in there so there will be some accountability should the file get P2P'd. Sounds like compromise to me.
As far as reasonableness? Your scenarios sound pretty darn unlikely. Almost as unlikely as someone stealing my iPod with my contact info in it, then deliberately leaving it at the scene of a murder in order to frame me. Or maybe space aliens will steal the music on my iPod and accidentally broadcast it back to Earth. NASA will pick it up, magically determine the email address associated with it, send spooks to pick me up and perform experiments on me for the rest of my life.
Parent
Re:Seriously... (Score:5, Insightful)
1) Apple does negotiate with the RIAA [slashdot.org] about the terms of the DRM service [slashdot.org] that Apple has to maintain and run. I'm far from an Apple fanboy, but there have been stories over the years going off on how the DRM wasn't Apple's idea and so forth. There are even quotes of Steve Jobs saying that DRM is bad [apple.com], and that guy sure as hell isn't the type to just take it. I seem to remember a Slashdot story telling of how they were forcing the RIAA to accept their terms, but over the years the opposite [slashdot.org] I admit has been more likely.
Of course, the actual music execs have been saying [slashdot.org] for years that DRM is bad [slashdot.org] but the lawyers at the RIAA seem to be running their companies into the ground for them.
2) The private info consists of the email address related to the account that purchased it. I do not believe it actually contains a lot of 'personal information' such as your name, or social security number, or bank account numbers. I don't personally buy DRM'd music (which means I've yet to buy an iTunes track) so I can't be 100% positive, but I'm fairly sure there would have been an article on Slashdot before given this is nothing new to iTunes.
By the way, how is it any different than leaving a card or sticker with your name and phone number on an item in case you lose it so a good Samaritan (in the unlikely event your stuff is found by one) can return it to you? Honestly I think this is a non-argument.
3) You're the kind of person that would put a kid in a bubble to keep him from getting hurt, but not think of how to feed him, aren't you? The 'private info' consists of an e-mail address. Your pedophile argument is no better than the morons who scream "think of the children" in politics, equally pointless and used as an exaggeration of a problem to prove your point.
A pedophile isn't going to go track down someone by their bloody email address when they can just watch the school and pick their target in person. They wouldn't even know it's a kid's iPod until they found out who owned the email address, it could be a teacher's. Never mind the difficulties in actually associating a face to an email address when all you have to go by is the address itself and the fact they have an iPod.
The scams are equally as bad. Worst case, you have someone use the email address on a few porn sites so they get some XXX spam mail. If you are a mature parent, you can deal with that easy enough and if you are a tech savvy parent it shouldn't be a problem anyways unless you don't supervise your kid's online experience (which means ALL online aspects, not just browsing and IRC).
So tell me. What would you do with my email address? How will you track me down with mine if I don't use it on Myspace? What if it's only used on iTunes?
I think people are knee-jerking a bit much.
Parent
Re:Seriously... (Score:5, Insightful)
I think the concern is the following scenario: 1. Download from iTunes onto an iPod, 2. The iPod is stolen, 3. The tunes on the iPod are uploaded to file sharing networks, 4. I get sued by the RIAA. Of course, I think the CYA thing to do is just make sure you file a report whenever your iPod is stolen, and that should make short work of any lawsuit defense.
Parent
Re:Seriously... (Score:5, Insightful)
This sort of thing has been a risk for a while. For instance, your car might be stolen, then used as a getaway car for an armed bank robbery. Witnesses make note of the license plate, and the police come to your door.
This doesn't make license plates a bad idea.
Parent
Re:Seriously... (Score:5, Insightful)
"3) Imagine how many iPods are lost at schools. How many scams can you think of that take advantage of the owner's desire to get their iPod back. Worst of all, show me a pedophile that wouldn't love to pretend to be some kid's classmate wanting to return their beloved iPod in order to lure them somewhere private. Lost iPod + email address of owner = "Meet me by the white van with tinted windows""
Yes, won't somebody please think of the children?
Pirates: "No good music is available online! I'll stop pirating when the record labels wake up and embrace online distribution."
Record industry: "Okay, our entire catalogs are online now."
Pirates: "But now it's too expensive! Good god, do you think we're rich? I'll stop pirating when music is less than a buck a track. That's a fortune!"
Record industry: "Okay, you win. Now by shopping around, you can find lots of music for $0.80 a track or less."
Pirates: "But you still have that DRM which impedes my fair use rights! I'll stop pirating when DRM is dead. Until then, it's off to TPB for me."
Record industry: "Hey, you know, you were right all along. It took us a while to realize it, but you're right. We've removed the DRM."
Pirates: "PEDOPHILES! PEDOPHILES! YOU'RE ENCOURAGING AND ASSISTING THE KIDNAPPING OF CHILDREN! Because of this despicable act, I'm going to pirate TWICE as much music now!"
Parent
Re:Seriously... (Score:5, Insightful)
The email addresses have always been in clear-text. Even in the encrypted song files.
Seriously, am I the only person in the entire world who runs strings or emacs on binary files just to see what might be in them?
Parent
Re:Seriously... (Score:5, Funny)
Parent
Re:Seriously... (Score:5, Insightful)
While I agree with you, here is the problem I have with it:
Person A is the target
Person B is the attacker
RIAA is the litigious group of assholes
Person B decides to harm Person A. Person B knows Person A's email address. Person B modifies a bunch of MP3s to contain Person A's email address and then posts them to every torrent site imaginable. RIAA is famous for ignoring what "reasonable doubt" might suggest or imply and immediately goes into litigation. Even if it is later revealed that Person A was a victim in this scenario and is completely innocent of wrongdoing, Person A just spent a LOT of money in the process. (It can be reasonably assumed that Person A spent a lot of money because without having spent money, a defendant most likely will lose.)
Parent
Re:Seriously... (Score:5, Insightful)
Couldn't you correlate your purchase record, or lack thereof, to validate or disprove the claims against you in that scenario?
It seems like a quick comparative analysis there would pretty quickly mitigate *most* of that concern.
Parent
Re:Seriously... (Score:5, Interesting)
Let me throw you a hypothetical here.
Suppose I hated you. I see you have a link to your homepage-- many users do. That page, being an expression of personal taste, might have information about music you like. Yours does. Now, yours is a "CD collection", but it could just as easily be a list of songs you bought off iTunes (as many other users do, in a list, in their blog, etc). So I pick something from your list, say A Perfect Circle - Emotive (good choice, BTW). Google tells me your real name is Zach Robinson. One of your email addresses is zachd at microsoft dot com (obfuscated for your benefit). So I whip up a batch of iTunes-encoded A Perfect Circle with your name and mail address in it. I throw them on all the P2P sites I can find, wait a couple weeks, then drop a dime to the RIAA. It's trivial moments of effort for me.
Now you have copyrighted music with a label that says "owned by Zach Robinson" floating around, and a group of lawyers looking to extort a couple grand out of you. Sure you could make up a fake name and a fake email address that you use exclusively for purchasing from iTunes-- but why should the onus of not being sued be on you? Or, why couldn't Apple instead have taken a secret internal customer id number, hashed it using the date/time of purchase as a salt, run it through a secret algorithm, and slapped that into the "owned by" field so that I couldn't reproduce it? (Until their method is cracked and we're back to square one, that is)
Really, it all comes down to normalization. What describes a song? The artist, the album, the year of release, the genre-- all that fun stuff. Does YOUR name and email address describe the song? No. Then it doesn't belong in a song file. It belongs in your iTunes account, along with a list of songs you "own".
So it only serves to harm the innocent, is a poor method of tracking ownership, and introduces unrelated data to a set. There is NO reason for it to be there.
Parent
Re:Seriously... (Score:5, Interesting)
Parent
Not everywhere in the world has the same laws (Score:5, Informative)
Parent
Re:Seriously... (Score:5, Interesting)
Exactly. My first thought on reading this was "sweet, somebody's finally gone about it the sensible way".
I mean seriously, I've been waiting for somebody to implement this for nearly 10 years now. It's an obvious way to combat piracy since you can identify the source of the leak, and it's a massive benefit that digital distribution offers the record labels. Users get cheaper tracks and can download them instantly from the comfort of their own home. Record labels get to discourage piracy and have an easy way to track down the source when it happens.
Honestly, it's such a simple solution I thought there must have been something I was missing for the record companies to not implement this. It's win win as far as I can see.
Parent
Re:Seriously... (Score:4, Insightful)
I mean, seriously, if you want to implement digital right protection, you either do it completely (hint: you can't) or not at all. Partial implementations like this one are completely useless.
Parent
Re:Seriously... (Score:5, Insightful)
Well, Apple could sign the file with their private key after adding your user ID. It wouldn't stop people from blanking it out, but it would securely prevent impersonation.
Parent
Re:Seriously... (Score:5, Insightful)
Parent
Re:Seriously... (Score:5, Insightful)
Oh please, if you're the copyright holder are you really paying Apple and downloading it off itunes?
No. You're not.
GP is correct.
--Q
Parent
Re:Seriously... (Score:5, Informative)
AAC ( http://en.wikipedia.org/wiki/Advanced_Audio_Coding [wikipedia.org] ) is an industry standard, and even if it weren't, iTunes helpfully provides a "Convert to MP3" item in the context menu of non-DRM'd AAC files that does exactly what it says.
Parent
Re:Seriously... (Score:5, Informative)
Parent
Re:Seriously... (Score:5, Informative)
Converting to MP3 is lossy, regardless of the source format.
Parent
Re:Seriously... (Score:5, Insightful)
Listening to music on headphones while on the train is lossy but people still do it. We can't all sit in silent rooms with reference quality speakers 6 ft in front of us and £1000 amplifiers. The quality loss is totally irrelevant as it cannot be heard under normal listening conditions by the vast majority of people.
Parent
Re:Seriously... (Score:5, Insightful)
Of course there's loss, but to imply a lack of transcoding loss is a prerequisite before anyone can use it anywhere is absolute madness.
No one who lives outside of their mum's basement cares. Really. Your average MP3 player is not hifi, and your average consumer doesn't give two shits about the quality loss.
Also, last I checked, Steve Jobs didn't repeatedly smash your face into a MacBook keyboard whilst pointing a shotgun at your head with his free hand until you bought music from iTunes. If you don't want it, don't buy it.
Parent
Re:Seriously... (Score:5, Funny)
Parent
Re:Seriously... (Score:5, Insightful)
Please... We've done blind tests with orchestra and studio musicians, and the detection rate of MP3 vs. CD on $500 studio headphones was not statistically significant. Get over it already.
Parent
Re:Seriously... (Score:5, Insightful)
If you think $500 headphones are high quality, you're sorely mistaken.
If you think the intended audience for things like iTunes and the Amazon MP3 store DON'T think $500 are high quality, you might be the mistaken one.
Parent
Re:Seriously... (Score:5, Funny)
If you think $500 headphones are high quality, you're sorely mistaken. http://www.stax.co.jp/ [stax.co.jp]
I only have one question regarding those $5,000 headphones: Can I get them with a white wire? ;)
Parent
Re:Seriously... (Score:4, Informative)
AAC in a run-of-the-mill MPEG-4 container, with ID3-formatted tags stored in a separate atom (permissible in the MPEG-4 standard).
Anything that uses libavcodec/libavformat as a base (ffmpeg, VLC, mplayer, etc) can read these files. They may not have the code to extract the ID3 tags from the atom and feed the data blob to something like libid3... but as long as the player software can read standard MPEG-4 files with basic AAC... it can play these suckers.
The format just isn't as prevalent as MP3, but that doesn't automatically make it proprietary.
Parent
Re:Seriously... (Score:5, Insightful)
I seriously doubt that an email which can be easily changed in a file can be used as the sole grounds for pressing charges. It may however bolster a case where a user has been tracked by IP and the files have his email too.
As we're talking about purchased music, all Apple would have to do is lookup the record of the credit card used to purchase the song.
So unless you always use iTunes redeemable gift cards, it's probably fairly easy to track a user definitively.
Parent
Re:Seriously... (Score:5, Informative)
The English is fine, just not the information!
Like many places, Spanish law has exemptions for private use, which probably makes removing DRM completely legal. However the owners are allowed to make copies only for private usage, with collective and lucrative uses not allowed. Sharing on P2P would definitely constitute a collective use.
Although as with almost everywhere else, P2P itself is not illegal.
Parent
hmmm (Score:5, Insightful)
Re:hmmm (Score:5, Funny)
As a member of the iTunes Police, I take strong exception to this. Firearms safety has always been a core tenet of iTP training. An iTP officer will only open fire if a copyright violation is in progress, or the officer has reasonable belief that lethal force is the only way to prevent a copyright violation.
iTunes Police would never "come crashing through a window with guns blazing". The very thought of it!
Parent
Re:hmmm (Score:4, Insightful)
What if the disk also contained word processed documents? Or a backup of your emails? Or you lost your MP3 player and it had your calendar and address book on? Or even your mobile phone with its list of phone numbers? We put lots of personal data on devices that can be lost, some of which is worse from an identity standpoint than an email address.
Besides, I'd expect most people who pick up a disk and don't hand it in to the police are likely to either a) nuke it and use it or b) look for bank details and other things they can sell, rather than music that they need to use their own bandwidth to share for no profit.
Parent
No worries (Score:5, Insightful)
Never again buy anything related to music and you'll be safe.
Alternatively, you can buy music in small stores, in cash. In that case, it's better to wear sunglasses and a hat. You wouldn't want anyone to discover you're one of those people who actually are paying clients of the music industry.
You can see the info in iTunes (Score:5, Informative)
You can see the info within iTunes.
Get Info on the Song/Video/Etc
Then go to the Summary Tab, Second column.
Old news (Score:5, Informative)
http://business.timesonline.co.uk/tol/business/industry_sectors/media/article1871173.ece [timesonline.co.uk]
Or at least for about a year and a half, I think slashdot reported on it then, too.
Re:Old news (Score:4, Insightful)
That'd be
Note to editors: even if it's nearly two years old, it's still a dupe
Parent
Hidden? (Score:5, Informative)
the account information and email address of the iTunes account holder is hidden inside each and every DRM-free download
How is this "hidden"? If you select an audio file purchased from the iTunes Store (with or without DRM), and go to File->Get Info, you'll see the following fields in the summary:
Purchased by:
Account Name:
Purchase Date:
Apple's not trying to hide anything here.
Old News (Score:5, Insightful)
http://yro.slashdot.org/article.pl?sid=07/05/30/2014222 [slashdot.org]
I think it's OK. Even if I really buy from iTunes to burn a cd as gift, at that point the account info will be gone, so what's the matter?
Old story (Score:5, Insightful)
This is an almost 2 year old story: Apple's DRM Whack-a-Mole [slashdot.org] (Posted by CmdrTaco on 10.06.2007 17:08)
If it bothers you to have an identifying tag in your music files, well remove it or overwrite it.
As far as I understand, it's stored in a standard MP4 atom.
And if you don't know how to do it, ask Google [google.com], or try this suggestion [tech-recipes.com] which explains how to use AtomicParsley for windows [sourceforge.net] or mac [sourceforge.net].
Old news (Score:5, Informative)
This came up when they introduced iTunes plus ages ago. It's been discussed back then. Yes, the info is there. You can simply look it up, no problem. Your ID3-Tag-Editor might not be able to change it since we're not talking MP3 here. That's it.
Just use a different editor, clean out the information and start the copyright-infringement frenzy you seem to have been waiting for for so long. Oh no, you already do that, I guess.
Or, if you don't like finding an editor that can delete the info, just go to a record store and steal the CD.
Keep your private stuff private: keep your privacy (Score:5, Insightful)
So... if I keep the music I purchased for private use private, I have no privacy violation? Right?
Also, despite the summary's between the lines implication that Apple is hiding the info from ID3 tag editors, the audio files are MPEG4. This means they don't contain ID3 tags. Since MPEG4 is based on QuickTime, a QuickTime atom editor will happily show you the tags and let you remove them.
You could also have guessed the purchaser info was in these files based on the fact that iTunes shows it to you if you get info on a song.
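Several comments above guess that the purchaser details sit in ordinary MP4 atoms and note that running strings over the file reveals them. As an added example (not from the thread, Apple, or any tool named in it), this Python script walks the atom tree of a constructed sample and reports which atom path holds an email-like string, the kind of check you would run before handing a file to someone else. The sample layout, the `apID` atom name and the address are assumptions made for illustration.

```python
import re
import struct

# Atoms whose payload is itself a list of child atoms.
CONTAINERS = {b"moov", b"udta", b"ilst", b"trak", b"mdia", b"minf", b"stbl"}
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def walk_leaves(buf, start=0, end=None, path=""):
    """Yield (atom_path, payload_bytes) for every leaf atom in buf[start:end]."""
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack(">I4s", buf[pos:pos + 8])
        header = 8
        if size == 1:                      # 64-bit size follows the type
            if pos + 16 > end:
                break
            size = struct.unpack(">Q", buf[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:                    # atom runs to the end of its parent
            size = end - pos
        if size < header or pos + size > end:
            break                          # truncated or malformed: stop here
        here = (path + "." if path else "") + kind.decode("latin-1")
        body, stop = pos + header, pos + size
        if kind == b"meta":                # full atom: skip version/flags
            yield from walk_leaves(buf, body + 4, stop, here)
        elif kind in CONTAINERS or path.endswith("ilst"):
            yield from walk_leaves(buf, body, stop, here)
        else:
            yield here, buf[body:stop]
        pos = stop


def find_identifiers(buf):
    """Return [(atom_path, email)] for each email-like string in a leaf atom."""
    hits = []
    for path, payload in walk_leaves(buf):
        for match in EMAIL_RE.finditer(payload):
            hits.append((path, match.group().decode("ascii")))
    return hits


def atom(kind, payload):
    """Serialise one atom: 32-bit big-endian size, 4-byte type, payload."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


def build_sample():
    """Constructed MP4-like file; atom layout and address are assumptions."""
    text = struct.pack(">II", 1, 0)        # 'data' prefix: type 1 (text), locale 0
    title = atom(b"\xa9nam", atom(b"data", text + b"Constructed Song"))
    owner = atom(b"apID", atom(b"data", text + b"jane.doe@example.com"))
    meta = atom(b"meta", b"\x00" * 4 + atom(b"ilst", title + owner))
    moov = atom(b"moov", atom(b"udta", meta))
    return atom(b"ftyp", b"M4A \x00\x00\x00\x00") + moov + atom(b"mdat", b"\x00" * 32)


if __name__ == "__main__":
    for path, email in find_identifiers(build_sample()):
        print(f"{path}: {email}")
```

Because the scan reports a path rather than a bare string, it also shows whether an address is in tag metadata or somewhere a tag editor would not look.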