iTunes DRM-Free Files Contain Personal Info 693
r2k writes "Apple's iTunes Plus files are DRM-free, but sharing the files on P2P networks may be an extremely bad idea. A report published by CNet highlights the fact that the account information and email address of the iTunes account holder is hidden inside each and every DRM-free download. I checked, and I found I couldn't access the information using an ID3 tag editor, but using Notepad I found my email address stored inside the audio file itself."
Re:Seriously... (Score:3, Interesting)
Re:hmmm (Score:2, Interesting)
Re:Seriously... (Score:5, Interesting)
Exactly. My first thought on reading this was "sweet, somebody's finally gone about it the sensible way".
I mean seriously, I've been waiting for somebody to implement this for nearly 10 years now. It's an obvious way to combat piracy since you can identify the source of the leak, and it's a massive benefit that digital distribution offers the record labels. Users get cheaper tracks and can download them instantly from the comfort of their own home. Record labels get to discourage piracy and have an easy way to track down the source when it happens.
Honestly, it's such a simple solution I thought there must have been something I was missing for the record companies to not implement this. It's win win as far as I can see.
Well.... Be more protective of your tunes then! (Score:3, Interesting)
I don't see a problem with this. Apple is providing a file without DRM, and you can then load it on any of your personal devices. Heck, you could even share it with a friend.
But, it might make you a little more careful NOT to put music files you purchase from Apple on a P2P network. Sheesh. It might add a little value to those files you downloaded at a buck a piece. It'll be worth it to you to keep those files safe.
And why not? People should be safeguarding their personal data.
And think about it.. if your iPod were stolen, and all of your files had an email address on it. It could help with the recovery of stolen property, hm?
Re:Seriously... (Score:0, Interesting)
In New Zealand there are Guilt Upon Accusation [creativefreedom.org.nz] laws that punish before any trial, and now in the UK they are pushing for Guilt Upon Accusation laws [bcs.org].
So this isn't a major point really, I just mean to respond to the idea that it will get to the stage of pressing charges before punishment.
Re:Seriously... (really?) (Score:3, Interesting)
Or someone steals your iPod. How many iPod's get stolen every year? You can get your bottom dollar that this is a none zero number. Someone willing to steal a iPod is likely to have no compunctions about sharing the songs they find on them with others.
Take some, its free (Score:2, Interesting)
and you can get rid of:
Simply by saying; "We made some music, would you like some? take it, it's free" Eben Moglen [youtube.com]
Oh Brother, "When will they ever learn? When will they ever learn?" (Song) [arlo.net]
Regards Slasdotgirl
Re:Seriously... (Score:5, Interesting)
Let me throw you a hypothetical here.
Suppose I hated you. I see you have a link to your homepage-- many users do. That page, being an expression of personal taste, might have information about music you like. Yours does. Now, yours is a "CD collection", but it could just as easily be a list of songs you bought of iTunes (as many other users do, in a list, in their blog, etc). So I pick something from your list, say A Perfect Circle - Emotive (good choice, BTW). Google tells me your real name is Zach Robinson. One of your email addresses is zachd at microsoft dot com (obfuscated for your benefit). So I whip up a batch of itunes encoded A Perfect Circle with your name and mail address in it. I throw them on all the P2P sites I can find, wait a couple weeks, then drop a dime to the RIAA. It's trivial moments of effort for me.
Now you have copyrighted music with a label that says "owned by Zach Robinson" floating around, and a group of lawyers looking to extort a couple grand out of you. Sure you could make up a fake name and a fake email address that you use exclusively for purchasing from iTunes-- but why should the onus of not being sued be on you? Or, why couldn't Apple instead have taken a secret internal customer id number, hashed it using the date/time of purchase as a salt, run it through a secret algorithm, and slapped that into the "owned by" field so that I couldn't reproduce it? (Until their method is cracked and we're back to square one, that is)
Really, it all comes down to normalization. What describes a song? The artist, the album, the year of release, the genre-- all that fun stuff. Does YOUR name and email address describe the song? No. Then it doesn't belong in a song file. It belongs in your iTunes account, along with a list of songs you "own".
So it only serves to harm the innocent, is a poor method of tracking ownership, and introduces unrelated data to a set. There is NO reason for it to be there.
Re:I see a problem. (Score:3, Interesting)
What you ordered was a music file at higher quality than Apple's standard fare without any DRM, paying a premium for it. That's exactly what Apple gave you. Having you name on the file does not degrade the quality or prevent it from playing on your Zune or HTPC.
By the way, I'm pretty sure this name tagging is covered somewhere in the iTMS terms of usage. So yeah, when you clicked "I Agree", you did give them permission.
Re:Seriously... (Score:3, Interesting)
Re:Seriously... (Score:5, Interesting)
Re:Seriously... (Score:4, Interesting)
"The owners are allowed to make copies only for private usage, with collective and lucrative uses not allowed."
It would be more correct to say that collective use is technically illegal, because it's most definitely allowed. A Spanish legal precedent was established for this at the end of 1996 by a judgement that exonerated an accused Internet file sharer on the grounds that non-commercial copying not only isn't a crime, but that it's a common social practice that should not therefore to be criminalised. This stance on the part of the Spanish legal authorities was underlined at the end of 1997 when what amounts to their chief copyright cop said that not everything which is technically illegal is a crime, including non-commercial copying via the Internet or any other means, so they have no intention of pursuing anyone who isn't involved in commercial piracy.
The effect of the above has been to leave civil litigation as the only route open to representative bodies of copyright owners, but their efforts are severely hampered by the fact that ISPs refuse to disclose the identities of the people behind specific IP addresses on the grounds that Spanish law (which is based on EU data protection directives) only requires them to do so as part of a criminal investigation or where matters of public safety or national security are concerned. This eventually ended up at the European Court Of Justice subsequent to a request for a definitive ruling from the Spanish courts, and the ECJ found in favour of the ISP (Telefonica), thereby effectively making civil litigation against Internet file sharers almost impossible.
Re:Seriously... (Score:1, Interesting)
Actually, you could convert a sound consisting of a simple sine wave to MP3 in a lossless fashion.
It's a pointless boundary case, but an interesting by-product of the way mp3 works.
Re:Seriously... (Score:2, Interesting)
And still, some people like me can't hear the diffrence on FLAC or 128 kbps MP3 ;)
But I don't have audiophile golden ears that's for sure...
Still I got maximum score in the military when they tested my hearing.
What about First Sale Doctrine? (Score:2, Interesting)
The reason I don't like this is because of First Sale Doctrine. I should be able to sell these files the same way I'd sell a CD (ie, not keeping a copy). So if I sell them, and delete them, and the person I sell them to decides it's a good idea to Pirate Bay them, now what? My email address is all over the place and I did nothing illegal. Great.
So while I support Apple for going DRM free, for the time being I'll continue to buy from Amazon because they do none of this nonsense. See http://blog.wired.com/music/2007/09/some-of-amazons.html [wired.com] "there is no information on the tracks that identifies the customer".
So until I have a very quick and easy way of removing that info from the iTunes tracks, I won't be buying from there.
-S
Re:Reasonable compromise... (Score:5, Interesting)
If it were in AAC Lossless...then it would be easy I guess to convert it to FLAC with no degradation of signal...and in doing so, delete the identifying information?
Darn...if they'd just sell me CD or better quality, non-DRM music, I'd be in line with the rest of them to buy online.
Re:Seriously... (Score:3, Interesting)
You normally will report the given vehicle stolen or what not, and that likewise will give you the out. The local PD will give a rats ass if you lost your $100 IPod, I'm sure they will either hangup on you out right, or follow up with "What do you want us to about it?" - I wouldn't be surprised if they would feel the same about the $100 toy being supposedly stolen either.
Now that the RIAA/Apple has allowed this to happen, they need to also setup some kind of system where you can report a loss and or theft of the golden nugget(s). My concern is that now the RIAA lawyers don't have to contend with the IP address mysteries and all - they have your email address buried in the illegal song file, proving with out a doubt that it was yours and it has now been distributed in the wild. If you have a brain at all, your first defence will be that you lost it, or it was stolen whether legit or not...
Social DRM (Score:3, Interesting)
Cool! Apple is using Social DRM [teleread.org] on their music files.
Re:Reasonable compromise... (Score:5, Interesting)
iTunes doesn't sell MP3s, though. They sell lossy AAC files in an MP4 container. So it's unlikely that they'd have ID3 frames in the first place.
I haven't purchased any DRM-free songs from iTunes, but I'd suspect that the information is stored as standard MP4 atoms, and that the iTunes editing interface just doesn't give you the ability to modify them. In which case you could presumably use a standard MP4 tool to remove the information, if you were so inclined.
That's just a guess, of course. It's obviously not clear from TFA.
Only one issue I see (Score:2, Interesting)
Re:Seriously... (Score:4, Interesting)
No, he (she) isn't. The first thing I did after reading the summary was to pick up my Mac Powerbook, cd into my Music/Itunes directory, find a couple of .m4p files, and run the strings command on them. Adding a few greps to filter out the printable binary junk, I quickly found my name and email address.
As for someone writing a tool to replace them, I found that I already had one. Years ago, I wrote a little command-line app that just does a simple string substitution and writes the result to stdout. It's quite handy, and I use it all the time. I told it to copy one of the .m4p files, with my email address replaced by a fake email address of the same length. I then told iTunes to load that file - and it played fine.
Then, of course, I did the same trick, replacing my name with a different name of the same length. As I expected, iTunes popped up a little window saying that it needed to check the tune's registration, showing me the name, and asking for a password. Presumably when DRM goes away, that little window will also go away, and I'll bet that the tunes will play.
I don't think I'll bother posting the program. Any semi-competent beginning C programmer should be able to type it in under a minute. Probably most perl and python programmers can do the same, a bit faster, as could any moderately experienced emacs user. 25 years ago, when I first picked up the C bible, I wouldn't have found it a challenge after my second day with the language.
Just make sure the replacement strings have the same byte count as the old name.