
iTunes DRM-Free Files Contain Personal Info 693

Posted by kdawson
from the musical-steganography dept.
r2k writes "Apple's iTunes Plus files are DRM-free, but sharing the files on P2P networks may be an extremely bad idea. A report published by CNet highlights the fact that the account information and email address of the iTunes account holder is hidden inside each and every DRM-free download. I checked, and I found I couldn't access the information using an ID3 tag editor, but using Notepad I found my email address stored inside the audio file itself."
This discussion has been archived. No new comments can be posted.

  • Seriously... (Score:5, Insightful)

    by fyngyrz (762201) * on Tuesday January 13, 2009 @03:39AM (#26429241) Homepage Journal

    I don't see the problem. I didn't want them to remove DRM so I could ignore the copyright on the music, I wanted them to remove it so I could use it on any device I wanted to listen to it on. They did that; now I can, as far as I'm concerned, we're all good now.

    If you interpret the lack of DRM as permission to ignore copyright, and you end up in trouble because you did so...

    Nope, don't see the problem.

    ....sharing the files on P2P networks may be an extremely bad idea

    Good grief. "Sharing" copyrighted music files on a P2P network was always an extremely bad idea. If you ever had any fraction of an excuse for doing it (and frankly, I don't really think you did, but...) it is gone now, at least as far as iTunes purchases go. What has changed is it is now reasonable to purchase music, because you'll actually get to own it, use it on *all* your gear, back it up, etc.

    The only thing I can think of that is really affected by this is your ability to legitimately resell recording of a tune you own, because you bought it. And for that issue, I give it.... maybe an hour before someone comes up with a tool to ZOT that name and email address right out of there. Maybe it'll even put the new one in. Pride of ownership and all that.

    • Re:Seriously... (Score:5, Insightful)

      by Tubal-Cain (1289912) * on Tuesday January 13, 2009 @03:42AM (#26429251) Journal
      Agreed. This is a fairly reasonable compromise on Apple's part.
      • by Joce640k (829181) on Tuesday January 13, 2009 @05:00AM (#26429785) Homepage

        Sure, so long as they make it abundantly clear that this is what they're up to.

        Is this the case? I assume it isn't, because Slashdot and others are acting all surprised about it.

        • by Naturalis Philosopho (1160697) on Tuesday January 13, 2009 @06:45AM (#26430489)
          It's clear. A certain percentage of slashdotters act all surprised every time it's repeated though. Of course, most /.'ers also act all surprised every time some wack-job blames video games for violence too. At least some people are pointing out that the account information has been part of iTunes files for forever and isn't news to most people who know how to do a Google search.
        • by peragrin (659227) on Tuesday January 13, 2009 @07:59AM (#26430953)

          this is the second or third article about apple putting said info into their music files over the years. It isn't surprising. Apple even states it somewhere in the fine print of the EULA's.

          Slashdot suffers from ADD and forgets what it duped yesterday.

          • by cayenne8 (626475) on Tuesday January 13, 2009 @11:13AM (#26433311) Homepage Journal
            I'm guessing this is one reason they aren't going to DRM lossless (CD quality at least) versions.

            If it were in AAC Lossless...then it would be easy I guess to convert it to FLAC with no degradation of signal...and in doing so, delete the identifying information?

            Darn...if they'd just sell me CD or better quality, non-DRM music, I'd be in line with the rest of them to buy online.

            • Re: (Score:3, Insightful)

              by Fluffeh (1273756)
              This is high quality non-DRM music. It's just like buying a CD with your name on it - If you are really buying it for yourself, what do you care that it's got a name sticker on it?
          • Re: (Score:3, Informative)

            by againjj (1132651)
        • by jcr (53032) <jcr@NOsPAM.mac.com> on Tuesday January 13, 2009 @08:12AM (#26431045) Journal

          Sure, so long as they make it abundantly clear that this is what they're up to.

          Choose any iTunes plus song, and select "get info" from the main menu. On the left side of the "Summary" pane, you'll see "Purchased By", "Account Name", and "Purchase Date". IIRC, those were there on the DRM versions too.

          -jcr

      • Re:Seriously... (Score:4, Informative)

        by Silas is back (765580) on Tuesday January 13, 2009 @05:57AM (#26430135) Homepage Journal
        Just to note, the email address has always been part of iTunes Plus files. This is nothing new.
    • Re: (Score:3, Insightful)

      by Thanshin (1188877)

      So if tomorrow a file with your personal information is shared on the web and you simply don't know how is it possible, so you're fined a couple thousand bucks, I guess you won't mind?

      Or you're so sure of the infallibility of Apple's system that you're willing to bet a couple thousand bucks, in exchange for... Nothing?

      Great odds.

      P.S.: Avoid casinos.

      • Re: (Score:2, Insightful)

        by ani23 (899493)
        i seriously doubt that an email which can be easily changed in a file can be used as the sole grounds for pressing charges. It may however bolster a case where a user has been tracked by IP and the files have his email too.
        • Re:Seriously... (Score:5, Insightful)

          by DA-MAN (17442) on Tuesday January 13, 2009 @04:23AM (#26429581) Homepage

          i seriously doubt that an email which can be easily changed in a file can be used as the sole grounds for pressing charges. It may however bolster a case where a user has been tracked by IP and the files have his email too.

          As we're talking about purchased music, all Apple would have to do is lookup the record of the credit card used to purchase the song.

          So unless you always use iTunes redeemable gift cards, it's probably fairly easy to track a user definitively.

      • Re: (Score:3, Informative)

        by sumdumass (711423)

        Why would you think that you would get fined just because your name is in something?

        Nothing is going to happen until it goes to court. The guberment can't give you a fine for this like a speeding ticket or anything. They would have to collect enough evidence and present it and then either hope that the government picks it up or sue you directly. Even then, your lawyer will probably get you off before it costs any money because you won't be the first person it happened to. All it will take is one Virus going

      • Re: (Score:3, Insightful)

        by yttrstein (891553)
        It's not a nefarious move. It's how iTunes (and therefore Apple) recognize purchased music. This is necessary for a number of benevolent reasons, including a strong layer of insurance against selling you the same track twice.

        If you really don't like it, write the two-liner (one line if you know sed and awk) that blows your personal info out of every purchased track automatically.

        I fail to see the issue.
    • Re:Seriously... (Score:5, Insightful)

      by erroneus (253617) on Tuesday January 13, 2009 @03:52AM (#26429329) Homepage

      While I agree with you, here is the problem I have with it:

      Person A is the target
      Person B is the attacker
      RIAA is the litigious groups of assholes

      Person B decides to harm Person A. Person B knows Person A's email address. Person B modifies a bunch of MP3s to contain Person A's email address and then posts them to every torrent site imaginable. RIAA is famous for ignoring what "reasonable doubt" might suggest or imply and immediately goes into litigation. Even if it is later revealed that Person A was a victim in this scenario and is completely innocent of wrongdoing, Person A just spent a LOT of money in the process. (It can be reasonably assumed that Person A spent a lot of money because without having spent money, a defendant most likely will lose.)

      • Re:Seriously... (Score:5, Insightful)

        by zachdms (265636) on Tuesday January 13, 2009 @04:09AM (#26429483) Homepage

        Couldn't you correlate your purchase record, or lack thereof, to validate or disprove the claims against you in that scenario?

        It seems like a quick comparative analysis there would pretty quickly mitigate *most* of that concern.

        • Re:Seriously... (Score:5, Interesting)

          by halcyon1234 (834388) <halcyon1234@hotmail.com> on Tuesday January 13, 2009 @06:18AM (#26430315) Journal

          Let me throw you a hypothetical here.

          Suppose I hated you. I see you have a link to your homepage-- many users do. That page, being an expression of personal taste, might have information about music you like. Yours does. Now, yours is a "CD collection", but it could just as easily be a list of songs you bought off iTunes (as many other users do, in a list, in their blog, etc). So I pick something from your list, say A Perfect Circle - Emotive (good choice, BTW). Google tells me your real name is Zach Robinson. One of your email addresses is zachd at microsoft dot com (obfuscated for your benefit). So I whip up a batch of iTunes-encoded A Perfect Circle with your name and mail address in it. I throw them on all the P2P sites I can find, wait a couple weeks, then drop a dime to the RIAA. It's trivial moments of effort for me.

          Now you have copyrighted music with a label that says "owned by Zach Robinson" floating around, and a group of lawyers looking to extort a couple grand out of you. Sure you could make up a fake name and a fake email address that you use exclusively for purchasing from iTunes-- but why should the onus of not being sued be on you? Or, why couldn't Apple instead have taken a secret internal customer id number, hashed it using the date/time of purchase as a salt, run it through a secret algorithm, and slapped that into the "owned by" field so that I couldn't reproduce it? (Until their method is cracked and we're back to square one, that is)

          Really, it all comes down to normalization. What describes a song? The artist, the album, the year of release, the genre-- all that fun stuff. Does YOUR name and email address describe the song? No. Then it doesn't belong in a song file. It belongs in your iTunes account, along with a list of songs you "own".

          So it only serves to harm the innocent, is a poor method of tracking ownership, and introduces unrelated data to a set. There is NO reason for it to be there.

          • Re:Seriously... (Score:4, Insightful)

            by zachdms (265636) on Tuesday January 13, 2009 @06:37AM (#26430427) Homepage

            Right, we both saw those possibilities. And then I point out that there's no record of me purchasing those tracks and it's kind of game over and I'm sad that that's an effective use of your time.

            As long as there's an actual correlation between those embedded email addresses and the purchase logs at Apple, it should be child's play to disprove "plants" like that.

            Granted you have a window of malice here, but I believe it's a lot smaller than is being suggested. Those plants could be checked by Apple without me ever having to know. Your narrow window of malice (hoping to hit a subset and NOT a superset of what I've purchased) would be even further mitigated by them simply setting "Bar For Kicking In Your Door" to some non-tiny number. So you don't even necessarily get to waste my time. Just your own. ;)

            You might with your project succeed with redistributing music files around the net ... but that's kind of where things are now.

          • Re:Seriously... (Score:5, Interesting)

            by pdbaby (609052) on Tuesday January 13, 2009 @07:40AM (#26430849)
            I've mentioned it elsewhere but songs are also encoded with the purchase timestamp. So if you've no access to someone's files then you've essentially zero chance of getting the purchase timestamp right, even if you get the songs they own right.
    • by Rix (54095) on Tuesday January 13, 2009 @03:59AM (#26429397)
      In many places, it's perfectly legal to share your music collection. Here in Canada we pay a tax on recordable media for that right.
      • Re: (Score:3, Informative)

        by Synchis (191050)

        I'm going to raise a red light on this...

        1. We pay a *levy*, not a tax, on recordable media.

        2. This levy does not allow you to distribute your collection online. Distributing copyrighted works online is still infringing activity.

        3. The levy *does* cover you borrowing a CD from the library and making a *personal* copy of it to blank media. But, if you are recording the copyrighted work to a media that the levy is not applied to, it is still infringing activity.

        4. The Canadian gov't has repeatedly made promis

    • Re:Seriously... (Score:5, Interesting)

      by myxiplx (906307) on Tuesday January 13, 2009 @04:36AM (#26429665)

      Exactly. My first thought on reading this was "sweet, somebody's finally gone about it the sensible way".

      I mean seriously, I've been waiting for somebody to implement this for nearly 10 years now. It's an obvious way to combat piracy since you can identify the source of the leak, and it's a massive benefit that digital distribution offers the record labels. Users get cheaper tracks and can download them instantly from the comfort of their own home. Record labels get to discourage piracy and have an easy way to track down the source when it happens.

      Honestly, it's such a simple solution I thought there must have been something I was missing for the record companies to not implement this. It's win win as far as I can see.

      • Re:Seriously... (Score:4, Insightful)

        by Yvanhoe (564877) on Tuesday January 13, 2009 @05:41AM (#26430021) Journal
        And this is doubly great : now if someone shares a file by putting myxiplx@slashdot.org instead of their own address, they will immediately be able to track the pirate.

        I mean, seriously, if you want to implement digital rights protection, you either do it completely (hint: you can't) or not at all. Partial implementations like this one are completely useless.
        • Re:Seriously... (Score:5, Insightful)

          by paul248 (536459) on Tuesday January 13, 2009 @06:04AM (#26430195) Homepage

          Well, Apple could sign the file with their private key after adding your user ID. It wouldn't stop people from blanking it out, but it would securely prevent impersonation.
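The binding proposed in the comment above, combined with the purchase-record and timestamp checks raised earlier in the thread, as an added example that is not from the thread or from Apple. It uses an HMAC as a stand-in for a public-key signature (Python's standard library has no asymmetric signing), so only the key holder can verify; the key, field names and sample values are all constructed.

```python
import hashlib
import hmac


def _field(value: bytes) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    return len(value).to_bytes(4, "big") + value


def purchase_tag(store_key: bytes, account: str, purchased_at: str, audio: bytes) -> str:
    """Tag binding the buyer, the purchase time and the exact audio bytes."""
    msg = (_field(account.encode("utf-8"))
           + _field(purchased_at.encode("utf-8"))
           + _field(hashlib.sha256(audio).digest()))
    return hmac.new(store_key, msg, hashlib.sha256).hexdigest()


def check_file(store_key, purchases, account, purchased_at, audio, tag) -> str:
    """Classify a file found in the wild from its embedded metadata."""
    if not account:
        return "unattributed"            # blanking is still possible
    expected = purchase_tag(store_key, account, purchased_at, audio)
    if not hmac.compare_digest(expected, tag):
        return "forged"                  # metadata was edited after sale
    if (account, purchased_at) not in purchases:
        return "no-purchase-record"      # tag valid but the sale is unknown
    return "genuine"


# Constructed sample data (hypothetical store key, accounts and audio bytes).
STORE_KEY = b"constructed-demo-key"
AUDIO = b"\x00\x01constructed audio payload"
PURCHASES = {("buyer@example.com", "2009-01-10T12:34:56Z")}
GOOD_TAG = purchase_tag(STORE_KEY, "buyer@example.com", "2009-01-10T12:34:56Z", AUDIO)


def demo():
    return {
        # File exactly as sold.
        "as_sold": check_file(STORE_KEY, PURCHASES, "buyer@example.com",
                              "2009-01-10T12:34:56Z", AUDIO, GOOD_TAG),
        # Someone rewrote the e-mail field to frame another person, reusing the old tag.
        "planted": check_file(STORE_KEY, PURCHASES, "victim@example.org",
                              "2009-01-10T12:34:56Z", AUDIO, GOOD_TAG),
        # Right e-mail, guessed timestamp.
        "guessed_time": check_file(STORE_KEY, PURCHASES, "buyer@example.com",
                                   "2009-01-11T00:00:00Z", AUDIO, GOOD_TAG),
        # Identifying fields stripped entirely.
        "blanked": check_file(STORE_KEY, PURCHASES, "", "", AUDIO, ""),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```
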

  • hmmm (Score:5, Insightful)

    by JimboFBX (1097277) on Tuesday January 13, 2009 @03:43AM (#26429261)
    so what happens when you send it to someone else in a "hey check out this song" kind of way, then that person is stupid and sticks it in their lime wire folder?
    • The idea is to discourage such exchanges in the first place. At the very least, since it is DRM-free you can strip out the personal data re-encoding it to another format.
  • No worries (Score:5, Insightful)

    by Thanshin (1188877) on Tuesday January 13, 2009 @03:44AM (#26429265)

    Never again buy anything related to music and you'll be safe.

    Alternatively, you can buy music in small stores, in cash. In that case, it's better to wear sunglasses and a hat. You wouldn't want anyone to discover you're one of those people who actually are paying clients of the music industry.

  • by barius (1224526)

    Just so long as the music industry doesn't come back in 10 years with new lawsuits targeting little-old-lady-X because 10 mil. people somehow ended up with 'pirated' copies of music with her name in it.

    Since this watermark must be fairly easy to modify, I can't really see how useful it would be in tracking piracy. It could probably have some uses for marketing research. Though, honestly, I can't think of any myself...

    • Since this watermark must be fairly easy to modify, I can't really see how useful it would be in tracking piracy.

      It'll slow it down for a while. Much easier to insert a user's name in the data than to write a program removing it.

  • by Anonymous Coward on Tuesday January 13, 2009 @03:50AM (#26429309)

    You can see the info within iTunes.

    Get Info on the Song/Video/Etc

    Then go to the Summary Tab, Second column.

  • I've bought a few songs and checked them. My personal information is only on the itunes files. I converted the m4a files to mp3's using itune's built in file converter and I do not see any of my personal information in them, at least in plain text.
  • Old news (Score:5, Informative)

    by AmaranthineNight (1005185) <amaranthinenight ... com minus distro> on Tuesday January 13, 2009 @03:53AM (#26429339)
    This has been the case for AGES

    http://business.timesonline.co.uk/tol/business/industry_sectors/media/article1871173.ece [timesonline.co.uk]

    Or at least for about a year and a half, I think slashdot reported on it then, too.
  • Hidden? (Score:5, Informative)

    by 1729 (581437) <slashdot1729@[ ]il.com ['gma' in gap]> on Tuesday January 13, 2009 @03:53AM (#26429345)

    the account information and email address of the iTunes account holder is hidden inside each and every DRM-free download

    How is this "hidden"? If you select an audio file purchased from the iTunes Store (with or without DRM), and go to File->Get Info, you'll see the following fields in the summary:

    Purchased by:
    Account Name:
    Purchase Date:

    Apple's not trying to hide anything here.

    • by JimboFBX (1097277)
      I was going to say, I don't think this is a watermark as it is just part of the file format.
  • Old News (Score:5, Insightful)

    by Star_Gazer (25473) on Tuesday January 13, 2009 @03:55AM (#26429363)

    http://yro.slashdot.org/article.pl?sid=07/05/30/2014222 [slashdot.org]

    I think it's OK. Even if I really buy from iTunes to burn a cd as gift, at that point the account info will be gone, so what's the matter?

  • If some form of steganography is used to alter a file, then somewhere and in some way the quality of that file will be compromised. Bitmaps lose sharpness, audio files lose certain audio data.

    A big part of the problem is that you are not getting the product you ordered. You are getting a product that has been altered in a significant way.

    There are people who were pissed enough at Microsoft for embedding personal information in their .doc and .xl and other files, that they were willing to hack the soft
    • Re: (Score:3, Interesting)

      by SeaFox (739806)

      A big part of the problem is that you are not getting the product you ordered. You are getting a product that has been altered in a significant way.

      What you ordered was a music file at higher quality than Apple's standard fare without any DRM, paying a premium for it. That's exactly what Apple gave you. Having your name on the file does not degrade the quality or prevent it from playing on your Zune or HTPC.

      By the way, I'm pretty sure this name tagging is covered somewhere in the iTMS terms of usage. So yea

  • by Facegarden (967477) on Tuesday January 13, 2009 @04:09AM (#26429473)

    I suppose it's pertinent again and all, but seriously, I already know this guys, why are we pretending like this is new?

    On some level, I'm not sure why i care if it's repeat news. I mean really, repeat it all you want i guess, my life still goes on, but i dunno, journalistic integrity and all that, i feel like we should at least mention that this is a complete copy of an older story....
    -Taylor

  • Old story (Score:5, Insightful)

    by rduke15 (721841) <rduke15@ g m a i l .com> on Tuesday January 13, 2009 @04:22AM (#26429571)

    This is an almost 2 year old story: Apple's DRM Whack-a-Mole [slashdot.org] (Posted by CmdrTaco on 10.06.2007 17:08)

    If it bothers you to have an identifying tag in your music files, well remove it or overwrite it.
    As far as I understand, it's stored in a standard MP4 atom.

    And if you don't know how to do it, ask Google [google.com], or try this suggestion [tech-recipes.com] which explains how to use AtomicParsley for windows [sourceforge.net] or mac [sourceforge.net].

  • Old news (Score:5, Informative)

    by phooka.de (302970) on Tuesday January 13, 2009 @04:27AM (#26429607)

    This came up when they introduced iTunes plus ages ago. It's been discussed back then. Yes, the info is there. You can simply look it up, no problem. Your ID3-Tag-Editor might not be able to change it since we're not talking MP3 here. That's it.

    Just use a different editor, clean out the information and start the copyright-infringement frenzy you seem to have been waiting for for so long. Oh no, you already do that, I guess.

    Or, if you don't like finding an editor that can delete the info, just go to a record store and steal the CD.

  • by HumanEmulator (1062440) on Tuesday January 13, 2009 @04:39AM (#26429687)

    So... if I keep the music I purchased for private use private, I have no privacy violation? Right?

    Also, despite the summary's between the lines implication that Apple is hiding the info from ID3 tag editors, the audio files are MPEG4. This means they don't contain ID3 tags. Since MPEG4 is based on QuickTime, a QuickTime atom editor will happily show you the tags and let you remove them.

    You could also have guessed the purchaser info was in these files based on the fact that iTunes shows it to you if you get info on a song.
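For checking what personal data a purchased file carries before it leaves your machine, the atom structure described in the comment above can be walked directly. This is an added example, not code from the thread: it assumes the usual MP4 box layout (4-byte big-endian size, 4-byte type) and an iTunes-style `moov/udta/meta/ilst` tag tree, and the sample file and its `pers` item name are constructed placeholders.

```python
import re
import struct

# Boxes whose payload is a sequence of child boxes (enough for the tag tree).
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta", b"meta", b"ilst"}
EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def walk(buf, start=0, end=None, path=()):
    """Yield (path_tuple, payload) for every leaf atom in buf[start:end]."""
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1:                       # 64-bit size follows the type
            if pos + 16 > end:
                return
            size = struct.unpack_from(">Q", buf, pos + 8)[0]
            header = 16
        elif size == 0:                     # atom runs to the end of its parent
            size = end - pos
        if size < header or pos + size > end:
            return                          # malformed or truncated: stop here
        body = pos + header
        here = path + (kind.decode("latin-1"),)
        inside_ilst = bool(path) and path[-1] == "ilst"
        if kind in CONTAINERS or inside_ilst:
            if kind == b"meta":
                body += 4                   # assumed full box: skip version/flags
            yield from walk(buf, body, pos + size, here)
        else:
            yield here, buf[body:pos + size]
        pos += size


def find_identifiers(buf):
    """Return [(atom_path, email)] for e-mail-like strings outside the audio data."""
    hits = []
    for path, payload in walk(buf):
        if path[-1] == "mdat":              # compressed audio, not metadata
            continue
        for match in EMAIL.finditer(payload):
            hits.append(("/".join(path), match.group().decode("ascii")))
    return hits


def box(kind, payload):
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


def text_item(name, value):
    # Tag item holding one 'data' atom: type 1 (UTF-8 text), locale 0, then value.
    return box(name, box(b"data", struct.pack(">II", 1, 0) + value))


# Constructed sample: a minimal tagged file with one title and one account item.
ILST = box(b"ilst", text_item(b"\xa9nam", b"Some Song")
           + text_item(b"pers", b"buyer@example.com"))
SAMPLE = (box(b"ftyp", b"M4A \x00\x00\x00\x00")
          + box(b"moov", box(b"udta", box(b"meta", b"\x00\x00\x00\x00" + ILST)))
          + box(b"mdat", b"\x00\x11constructed-audio-bytes"))

if __name__ == "__main__":
    for where, email in find_identifiers(SAMPLE):
        print(f"{where}: {email}")
```
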

  • by Dieppe (668614) on Tuesday January 13, 2009 @04:57AM (#26429765) Homepage

    I don't see a problem with this. Apple is providing a file without DRM, and you can then load it on any of your personal devices. Heck, you could even share it with a friend.

    But, it might make you a little more careful NOT to put music files you purchase from Apple on a P2P network. Sheesh. It might add a little value to those files you downloaded at a buck a piece. It'll be worth it to you to keep those files safe.

    And why not? People should be safeguarding their personal data.

    And think about it.. if your iPod were stolen, and all of your files had an email address on it. It could help with the recovery of stolen property, hm?

  • by Renderer of Evil (604742) on Tuesday January 13, 2009 @05:37AM (#26429991) Homepage

    Way to sensationalize something which has been known for years. Everything that is purchased on iTunes is stamped with user account and a unique transaction ID. Apps, videos, movies, rentals, etc.

    It doesn't bother me because I don't share my music on p2p networks and I'm not paranoid like some people. I dislike DRM because I want to easily play my music on whatever device I want, not because of some ideological drive to stick it to THE MAN.

    This is a non-issue.

  • Social DRM (Score:3, Interesting)

    by Dragoness Eclectic (244826) on Tuesday January 13, 2009 @12:02PM (#26434193)

    Cool! Apple is using Social DRM [teleread.org] on their music files.

  • Really old news? (Score:3, Informative)

    by Nabeel_co (1045054) on Tuesday January 13, 2009 @12:03PM (#26434203) Homepage

    Correct me if I'm wrong, but didn't this issue come up back when Apple first released DRM-Free songs?

    To add to that, the post is misleading, it's not actually hidden unless you are a complete and utter tool. In the info window of iTunes, it clearly shows the information they have "hidden" in the file...
