
iTunes DRM-Free Files Contain Personal Info

Posted by kdawson
from the musical-steganography dept.
r2k writes "Apple's iTunes Plus files are DRM-free, but sharing the files on P2P networks may be an extremely bad idea. A report published by CNet highlights the fact that the account information and email address of the iTunes account holder is hidden inside each and every DRM-free download. I checked, and I found I couldn't access the information using an ID3 tag editor, but using Notepad I found my email address stored inside the audio file itself."

  • Re:Seriously... (Score:3, Interesting)

    by dynamo52 (890601) on Tuesday January 13, 2009 @02:59AM (#26429393)
    Fair enough so long as there is no additional lossiness in the conversion.
  • Re:hmmm (Score:2, Interesting)

    by ani23 (899493) on Tuesday January 13, 2009 @03:08AM (#26429467)
    I agree. Instead of storing the user's name or email, why couldn't they store an encrypted string which they can map back to if needed? It's the least they can do in protecting the user's identity from strangers.
  • Re:Seriously... (Score:5, Interesting)

    by myxiplx (906307) on Tuesday January 13, 2009 @03:36AM (#26429665)

    Exactly. My first thought on reading this was "sweet, somebody's finally gone about it the sensible way".

    I mean seriously, I've been waiting for somebody to implement this for nearly 10 years now. It's an obvious way to combat piracy since you can identify the source of the leak, and it's a massive benefit that digital distribution offers the record labels. Users get cheaper tracks and can download them instantly from the comfort of their own home. Record labels get to discourage piracy and have an easy way to track down the source when it happens.

    Honestly, it's such a simple solution I thought there must have been something I was missing for the record companies to not implement this. It's win win as far as I can see.

  • by Dieppe (668614) on Tuesday January 13, 2009 @03:57AM (#26429765) Homepage

    I don't see a problem with this. Apple is providing a file without DRM, and you can then load it on any of your personal devices. Heck, you could even share it with a friend.

    But, it might make you a little more careful NOT to put music files you purchase from Apple on a P2P network. Sheesh. It might add a little value to those files you downloaded at a buck a piece. It'll be worth it to you to keep those files safe.

    And why not? People should be safeguarding their personal data.

    And think about it.. if your iPod were stolen, and all of your files had an email address on it. It could help with the recovery of stolen property, hm?

  • Re:Seriously... (Score:0, Interesting)

    by Anonymous Coward on Tuesday January 13, 2009 @04:30AM (#26429945)
    I'm not against the identifying information being put in the audio files but just to respond to one point,

    I seriously doubt that an email which can be easily changed in a file can be used as the sole grounds for pressing charges. It may however bolster a case where a user has been tracked by IP and the files have his email too.

    In New Zealand there are Guilt Upon Accusation [creativefreedom.org.nz] laws that punish before any trial, and now in the UK they are pushing for Guilt Upon Accusation laws [bcs.org].

    So this isn't a major point really, I just mean to respond to the idea that it will get to the stage of pressing charges before punishment.

  • by jabuzz (182671) on Tuesday January 13, 2009 @04:36AM (#26429987) Homepage

    Or someone steals your iPod. How many iPods get stolen every year? You can bet your bottom dollar that this is a non-zero number. Someone willing to steal an iPod is likely to have no compunctions about sharing the songs they find on them with others.

  • Take some, it's free (Score:2, Interesting)

    by Slashdotgirl (912338) on Tuesday January 13, 2009 @05:05AM (#26430199)
    When will anybody learn on this forum that:
    1. You do not need iTunes.
    2. You do not need ' Music Stores ' per se.

    and you can get rid of:

    1. DRM
    2. RIAA
    3. MPAA
    4. Watermarks

    Simply by saying; "We made some music, would you like some? take it, it's free" Eben Moglen [youtube.com]

    Oh Brother, "When will they ever learn? When will they ever learn?" (Song) [arlo.net]

    Regards Slasdotgirl

  • Re:Seriously... (Score:5, Interesting)

    by halcyon1234 (834388) <halcyon1234@hotmail.com> on Tuesday January 13, 2009 @05:18AM (#26430315) Journal

    Let me throw you a hypothetical here.

    Suppose I hated you. I see you have a link to your homepage-- many users do. That page, being an expression of personal taste, might have information about music you like. Yours does. Now, yours is a "CD collection", but it could just as easily be a list of songs you bought off iTunes (as many other users do, in a list, in their blog, etc). So I pick something from your list, say A Perfect Circle - Emotive (good choice, BTW). Google tells me your real name is Zach Robinson. One of your email addresses is zachd at microsoft dot com (obfuscated for your benefit). So I whip up a batch of iTunes-encoded A Perfect Circle with your name and mail address in it. I throw them on all the P2P sites I can find, wait a couple weeks, then drop a dime to the RIAA. It's trivial moments of effort for me.

    Now you have copyrighted music with a label that says "owned by Zach Robinson" floating around, and a group of lawyers looking to extort a couple grand out of you. Sure you could make up a fake name and a fake email address that you use exclusively for purchasing from iTunes-- but why should the onus of not being sued be on you? Or, why couldn't Apple instead have taken a secret internal customer id number, hashed it using the date/time of purchase as a salt, run it through a secret algorithm, and slapped that into the "owned by" field so that I couldn't reproduce it? (Until their method is cracked and we're back to square one, that is)

    Really, it all comes down to normalization. What describes a song? The artist, the album, the year of release, the genre-- all that fun stuff. Does YOUR name and email address describe the song? No. Then it doesn't belong in a song file. It belongs in your iTunes account, along with a list of songs you "own".

    So it only serves to harm the innocent, is a poor method of tracking ownership, and introduces unrelated data to a set. There is NO reason for it to be there.
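An added sketch (not from the thread, and not Apple's scheme) of the opaque identifier that ani23 and halcyon1234 propose above, using a standard keyed HMAC in place of a "secret algorithm". The key, the ledger rows and all function names are assumptions made up for the example.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: a key that lives only on the store's servers, never in a file.
STORE_KEY = secrets.token_bytes(32)

# Constructed purchase ledger: (customer_id, track_id, purchase_time).
LEDGER = [
    (1001, "track-42", "2009-01-13T05:18:00Z"),
    (1002, "track-42", "2009-01-13T06:40:00Z"),
]

def make_tag(key, customer_id, track_id, purchase_time):
    """Opaque per-purchase tag: HMAC-SHA256 over the purchase record.

    JSON encoding keeps the three fields unambiguous, so two different
    records can never serialise to the same message.
    """
    msg = json.dumps([customer_id, track_id, purchase_time]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def resolve_tag(key, tag, ledger):
    """Store-side lookup: the ledger row this tag was issued for, or None
    when the tag matches no real purchase (it was not issued by the store)."""
    for row in ledger:
        if hmac.compare_digest(make_tag(key, *row), tag):
            return row
    return None

def tag_without_key(customer_id, track_id, purchase_time):
    """What someone outside the store can compute: the right inputs, even
    the right timestamp, but only a guessed key."""
    return make_tag(b"guessed-key", customer_id, track_id, purchase_time)

if __name__ == "__main__":
    tag = make_tag(STORE_KEY, *LEDGER[0])
    print("embedded in file:", tag)           # no name or email to read
    print("store resolves to:", resolve_tag(STORE_KEY, tag, LEDGER))
    print("tag made without the key resolves to:",
          resolve_tag(STORE_KEY, tag_without_key(*LEDGER[0]), LEDGER))
```

A tag like this tells a stranger nothing about the buyer, and a file carrying a tag the store never issued fails the lookup, which addresses the framing scenario described in the comment.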

  • Re:I see a problem. (Score:3, Interesting)

    by SeaFox (739806) on Tuesday January 13, 2009 @05:24AM (#26430357)

    A big part of the problem is that you are not getting the product you ordered. You are getting a product that has been altered in a significant way.

    What you ordered was a music file at higher quality than Apple's standard fare without any DRM, paying a premium for it. That's exactly what Apple gave you. Having your name on the file does not degrade the quality or prevent it from playing on your Zune or HTPC.

    By the way, I'm pretty sure this name tagging is covered somewhere in the iTMS terms of usage. So yeah, when you clicked "I Agree", you did give them permission.

  • Re:Seriously... (Score:3, Interesting)

    by dargaud (518470) <slashdot2NO@SPAMgdargaud.net> on Tuesday January 13, 2009 @05:44AM (#26430481) Homepage
    There is certainly more than one place where the owner's info is inserted: once in plain text, once watermarked through the music stream, once using steganography inside the music stream, once encrypted in a precise spot that in itself gives info about the source, etc... And only Apple and selected **AA will know about those. Still, it's progress.
  • Re:Seriously... (Score:5, Interesting)

    by pdbaby (609052) on Tuesday January 13, 2009 @06:40AM (#26430849)
    I've mentioned it elsewhere but songs are also encoded with the purchase timestamp. So if you've no access to someone's files then you've essentially zero chance of getting the purchase timestamp right, even if you get the songs they own right.
  • Re:Seriously... (Score:4, Interesting)

    by Weedlekin (836313) on Tuesday January 13, 2009 @06:44AM (#26430865)

    "The owners are allowed to make copies only for private usage, with collective and lucrative uses not allowed."

    It would be more correct to say that collective use is technically illegal, because it's most definitely allowed. A Spanish legal precedent was established for this at the end of 1996 by a judgement that exonerated an accused Internet file sharer on the grounds that non-commercial copying not only isn't a crime, but that it's a common social practice that should not therefore be criminalised. This stance on the part of the Spanish legal authorities was underlined at the end of 1997 when what amounts to their chief copyright cop said that not everything which is technically illegal is a crime, including non-commercial copying via the Internet or any other means, so they have no intention of pursuing anyone who isn't involved in commercial piracy.

    The effect of the above has been to leave civil litigation as the only route open to representative bodies of copyright owners, but their efforts are severely hampered by the fact that ISPs refuse to disclose the identities of the people behind specific IP addresses on the grounds that Spanish law (which is based on EU data protection directives) only requires them to do so as part of a criminal investigation or where matters of public safety or national security are concerned. This eventually ended up at the European Court Of Justice subsequent to a request for a definitive ruling from the Spanish courts, and the ECJ found in favour of the ISP (Telefonica), thereby effectively making civil litigation against Internet file sharers almost impossible.

  • Re:Seriously... (Score:1, Interesting)

    by Anonymous Coward on Tuesday January 13, 2009 @07:06AM (#26430995)

    Actually, you could convert a sound consisting of a simple sine wave to MP3 in a lossless fashion.

    It's a pointless boundary case, but an interesting by-product of the way mp3 works.

  • Re:Seriously... (Score:2, Interesting)

    by TyFoN (12980) on Tuesday January 13, 2009 @07:28AM (#26431139)

    And still, some people like me can't hear the difference on FLAC or 128 kbps MP3 ;)
    But I don't have audiophile golden ears that's for sure...
    Still I got maximum score in the military when they tested my hearing.

  • by sdo1 (213835) on Tuesday January 13, 2009 @07:56AM (#26431329) Journal

    The reason I don't like this is because of First Sale Doctrine. I should be able to sell these files the same way I'd sell a CD (ie, not keeping a copy). So if I sell them, and delete them, and the person I sell them to decides it's a good idea to Pirate Bay them, now what? My email address is all over the place and I did nothing illegal. Great.

    So while I support Apple for going DRM free, for the time being I'll continue to buy from Amazon because they do none of this nonsense. See http://blog.wired.com/music/2007/09/some-of-amazons.html [wired.com] "there is no information on the tracks that identifies the customer".

    So until I have a very quick and easy way of removing that info from the iTunes tracks, I won't be buying from there.

    -S

  • by cayenne8 (626475) on Tuesday January 13, 2009 @10:13AM (#26433311) Homepage Journal
    I'm guessing this is one reason they aren't going to DRM lossless (CD quality at least) versions.

    If it were in AAC Lossless...then it would be easy I guess to convert it to FLAC with no degradation of signal...and in doing so, delete the identifying information?

    Darn...if they'd just sell me CD or better quality, non-DRM music, I'd be in line with the rest of them to buy online.

  • Re:Seriously... (Score:3, Interesting)

    by penguinbrat (711309) on Tuesday January 13, 2009 @11:01AM (#26434173)

    You normally will report the given vehicle stolen or what not, and that likewise will give you the out. The local PD will give a rat's ass if you lost your $100 iPod, I'm sure they will either hang up on you outright, or follow up with "What do you want us to do about it?" - I wouldn't be surprised if they would feel the same about the $100 toy being supposedly stolen either.

    Now that the RIAA/Apple has allowed this to happen, they need to also set up some kind of system where you can report a loss and/or theft of the golden nugget(s). My concern is that now the RIAA lawyers don't have to contend with the IP address mysteries and all - they have your email address buried in the illegal song file, proving without a doubt that it was yours and it has now been distributed in the wild. If you have a brain at all, your first defence will be that you lost it, or it was stolen whether legit or not...

  • Social DRM (Score:3, Interesting)

    by Dragoness Eclectic (244826) on Tuesday January 13, 2009 @11:02AM (#26434193)

    Cool! Apple is using Social DRM [teleread.org] on their music files.

  • by Wildfire Darkstar (208356) on Tuesday January 13, 2009 @01:39PM (#26437005)

    iTunes doesn't sell MP3s, though. They sell lossy AAC files in an MP4 container. So it's unlikely that they'd have ID3 frames in the first place.

    I haven't purchased any DRM-free songs from iTunes, but I'd suspect that the information is stored as standard MP4 atoms, and that the iTunes editing interface just doesn't give you the ability to modify them. In which case you could presumably use a standard MP4 tool to remove the information, if you were so inclined.

    That's just a guess, of course. It's obviously not clear from TFA.
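The guess in the comment above can be checked on your own files with a small box walker. This is an added example, not code from the thread: it parses the MP4 box tree and reports which box holds any email-like string. The sample file is constructed, and placing the address in an `apID` item is an assumption for illustration.

```python
import re
import struct

# Boxes that only hold child boxes; "meta" also carries 4 version/flags bytes.
CONTAINERS = {b"moov", b"udta", b"meta", b"ilst", b"trak", b"mdia", b"minf", b"stbl"}
EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def walk(buf, start=0, end=None, path=()):
    """Yield (path, payload_offset, payload) for every leaf box in buf."""
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack(">I4s", buf[pos:pos + 8])
        header = 8
        if size == 1 and pos + 16 <= end:   # 64-bit size follows the type
            size = struct.unpack(">Q", buf[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:                     # box runs to the end of its parent
            size = end - pos
        if size < header or pos + size > end:
            return                          # truncated or corrupt: stop here
        body = pos + header
        here = path + (kind.decode("latin-1"),)
        # Every child of "ilst" is itself a container of "data" boxes.
        if kind in CONTAINERS or (path and path[-1] == "ilst"):
            skip = 4 if kind == b"meta" else 0
            yield from walk(buf, body + skip, pos + size, here)
        else:
            yield here, body, buf[body:pos + size]
        pos += size

def find_identifiers(buf):
    """Return [(box path, file offset, address)] for email-like strings."""
    hits = []
    for path, off, payload in walk(buf):
        for m in EMAIL.finditer(payload):
            hits.append(("/".join(path), off + m.start(), m.group().decode()))
    return hits

def box(kind, payload):
    """Serialise one box: 32-bit big-endian size, 4-byte type, payload."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

def sample_file():
    """Constructed sample, not a real purchase: title and account items."""
    data = lambda text: box(b"data", struct.pack(">II", 1, 0) + text)
    ilst = box(b"ilst", box(b"\xa9nam", data(b"Example Song"))
                        + box(b"apID", data(b"buyer@example.com")))
    meta = box(b"meta", b"\x00" * 4 + ilst)
    return (box(b"ftyp", b"M4A \x00\x00\x00\x00")
            + box(b"moov", box(b"udta", meta)) + box(b"mdat", b"\x00" * 32))

if __name__ == "__main__":
    for hit in find_identifiers(sample_file()):
        print(hit)
```

Reporting the box path rather than just the string shows whether the address sits in ordinary metadata or somewhere a tag editor does not look.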

  • Only one issue I see (Score:2, Interesting)

    by huzur79 (1441705) on Tuesday January 13, 2009 @02:36PM (#26437981)
    I only see one issue in this. First, it's not new; it's always been that way. With music that is DRM'ed, even if it was shared on a P2P network it couldn't be played without the password. The issue I see coming up one day, soon perhaps, is a lost iPod of an older generation (like the one I own) that has its songs ripped off of it using one of the many tools out there to do so. The person finding the iPod and ripping the songs off of it could share it out, and the original owner would look like he shared it out. This is a valid issue because now the songs can be played by whoever downloads it. Recently, about 6 months ago, I found an iPod Nano and the library was pretty good, so I picked a few songs off of it with a utility. Those songs are now in my library and none of them were ever bought in iTunes. I suspect they were all downloaded songs to begin with, but had they been from iTunes the user's info would be in the songs too, and anyone I shared it with would have the songs with the info, and sooner or later it might have ended up on a P2P. That said, I posted a note outside my door saying lost iPod found, email me if it's yours. Please include a few songs on it and the color and type of iPod it is so I know it's yours. I never got any emails with that up for a week. The good thing about having the info in the songs is if an honest person finds a lost iPod it will make it easier to contact the person to give it back. Because I already have 4 iPods I had no need for an extra iPod and would have been glad to give it back to the poor kid who lost it. So the RIAA will still need to prove in the future a person intentionally made their songs available to the online community in order to get any conviction. Just because a song has an email address or other info does not automatically mean a crime was committed by that person, as there has to be intent or proof they did it.

    Other methods of losing songs:
    - MP3/AAC CD stolen from car, or lost
    - Unauthorized access and copying from computer hard drive. A pesky brother could do that and share with friends.
    - Replaced hard drive with the old one not being erased right
    - Sold used computer and a recovery program used to restore files (I've done this too)
    - Stolen computer that didn't have a password on it
  • Re:Seriously... (Score:4, Interesting)

    by jc42 (318812) on Tuesday January 13, 2009 @11:04PM (#26443809) Homepage Journal

    Seriously, am I the only person in the entire world who runs strings or emacs on binary files just to see what might be in them?

    Yes. Yes you are.

    No, he (she) isn't. The first thing I did after reading the summary was to pick up my Mac Powerbook, cd into my Music/Itunes directory, find a couple of .m4p files, and run the strings command on them. Adding a few greps to filter out the printable binary junk, I quickly found my name and email address.

    As for someone writing a tool to replace them, I found that I already had one. Years ago, I wrote a little command-line app that just does a simple string substitution and writes the result to stdout. It's quite handy, and I use it all the time. I told it to copy one of the .m4p files, with my email address replaced by a fake email address of the same length. I then told iTunes to load that file - and it played fine.

    Then, of course, I did the same trick, replacing my name with a different name of the same length. As I expected, iTunes popped up a little window saying that it needed to check the tune's registration, showing me the name, and asking for a password. Presumably when DRM goes away, that little window will also go away, and I'll bet that the tunes will play.

    I don't think I'll bother posting the program. Any semi-competent beginning C programmer should be able to type it in under a minute. Probably most perl and python programmers can do the same, a bit faster, as could any moderately experienced emacs user. 25 years ago, when I first picked up the C bible, I wouldn't have found it a challenge after my second day with the language.

    Just make sure the replacement strings have the same byte count as the old name.
