funsec mailing list archives

iTunes: Apple's New Spyware and Adware Application?


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Wed, 11 Jan 2006 13:08:14 -0500

http://www.mcelhearn.com/article.php?story=20060111150127268

iTunes: Apple's New Spyware and Adware Application?

Yesterday's update to iTunes 6.0.2 comes with a surprise: it's spyware and
adware. 

Since Apple launched the iTunes Music Store, iTunes has been a compromise:
both a music management program and sales portal, it clearly separated the
two, offering separate icons for your Library and the Music Store in its
Source list. But the latest update adds something new that I find invading:
when you go to your library, you see a "MiniStore" at the bottom of the
window. This is easily removed (either by clicking the MiniStore button in
the bottom-right section of the iTunes window, or by selecting Edit > Hide
MiniStore), but it's not just its presence that's a problem.

Cory Doctorow, writing on BoingBoing today, pointed out that this MiniStore
displays songs that are similar to those you are playing, if you listen to
music with iTunes. (If not, you see a generic display with New Releases, Top
Songs and Top Albums.) Cory's comments are very clear: 

I love iTunes because it's a clean music player. But no amount of clean UI
is worth surrendering my privacy for -- I wouldn't buy a stereo that phoned
home to Panasonic and told it what I was listening to; I wouldn't buy a
shower radio that delivered my tuning preferences to Blaupunkt. I certainly
am not comfortable with Apple shoulder-surfing me while I listen to digital
music, particularly if they're doing so without my meaningful, informed
consent and without disclosing what they intend on doing with that data. 

I stand firmly beside Cory's comments. Apple has overstepped its limits, and
this spyware (because it sends information to a server) and adware (because
it displays information to attempt to sell you products) is a very serious
breach of the trust I have long had in Apple's products. 

In order to examine this further, I used the trusty tcpdump command (a
Terminal command that examines every packet of data that leaves a computer),
and checked its output while playing music both with the MiniStore visible
and with it hidden. In the former case, when the MiniStore is displayed,
iTunes sends queries to the iTunes Music Store (this domain:
ax.phobos.apple.com.edgesuite.net/WebObjects/MZStore.woa/wa/ministore) and
to an Apple metrics server (metrics.apple.com). It also sends some cookie
information, which I have not yet been able to decipher. (And this is not
limited to music--when I started playing an audiobook, the MiniStore changed
accordingly as well.) 

However, when the MiniStore is hidden, iTunes does not send these requests.
You can therefore protect yourself from Apple's prying eyes by simply hiding
the MiniStore. Nevertheless, the fact that Apple is both sending information
from your copy of iTunes, along with cookie information that may identify
you, as well as sending song information to a metrics server, seems to be a
serious breach of trust. (And their end-user license agreement, or EULA,
contains no language that suggests they will do so.) Also, playing music via
the Party Shuffle does not display the MiniStore, nor does it cause the
MiniStore's display to change when you shift to your Library. 

[Edit: after more analysis, this does not send info to Apple when you are
playing music, but rather when you click on a song. So if you start playing
a song by double-clicking, it will send info to the iTunes Music Store and
retrieve suggestions. But if the song is in a playlist, the MiniStore
display will not change when the next song begins.] 

So, for now, if you don't want iTunes phoning home--and you may not want
Apple to record the music you listen to--you can simply hide the MiniStore.
I find Apple remiss for not being forthright about this feature, both in its
EULA and other information in iTunes. But I have a feeling that this issue
will be making some waves in the immediate future. 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
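The visible-versus-hidden tcpdump comparison the forwarded article describes, written out as an added Python example that is not part of the original post. The capture lines are constructed, `macbook.local` is an assumed local hostname, and the two Apple hosts are the ones the article names; the script counts outbound destinations in each capture and reports the hosts reached only while the MiniStore is shown.

```python
import re
from collections import Counter

# The two destinations the article names as the MiniStore's phone-home hosts.
MINISTORE_HOSTS = {"ax.phobos.apple.com.edgesuite.net", "metrics.apple.com"}

# One tcpdump line (run without -n, so names are resolved), e.g.
# 13:08:14.101234 IP macbook.local.49152 > metrics.apple.com.http: Flags [S], ...
TCPDUMP_RE = re.compile(r"^\S+ IP (?P<src>[^\s:]+) > (?P<dst>[^\s:]+):")

def destination_host(line):
    """Return the destination host of a tcpdump line, or None if it is not one."""
    m = TCPDUMP_RE.match(line)
    if not m:
        return None
    # tcpdump appends the port or service name as a final label: host.http -> host
    return m.group("dst").rsplit(".", 1)[0]

def contacted_hosts(capture_text, local_host="macbook.local"):
    """Count outbound packets per destination host, ignoring replies sent to us."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m and m.group("src").startswith(local_host + "."):
            counts[destination_host(line)] += 1
    return counts

def ministore_delta(shown_capture, hidden_capture):
    """Hosts reached more often with the MiniStore shown than hidden (the article's comparison)."""
    shown = contacted_hosts(shown_capture)
    hidden = contacted_hosts(hidden_capture)
    return {h for h in shown if shown[h] > hidden.get(h, 0)}

# Constructed captures, not real traffic: a song double-clicked with the MiniStore shown, then hidden.
SHOWN_CAPTURE = """\
13:08:14.101234 IP macbook.local.49152 > ax.phobos.apple.com.edgesuite.net.http: Flags [S], seq 0, win 65535, length 0
13:08:14.130001 IP ax.phobos.apple.com.edgesuite.net.http > macbook.local.49152: Flags [S.], seq 0, ack 1, win 65535, length 0
13:08:14.250987 IP macbook.local.49153 > metrics.apple.com.http: Flags [S], seq 0, win 65535, length 0
13:08:20.000123 IP macbook.local.123 > time.apple.com.ntp: NTPv4, Client, length 48
"""
HIDDEN_CAPTURE = """\
13:12:02.000456 IP macbook.local.123 > time.apple.com.ntp: NTPv4, Client, length 48
"""

if __name__ == "__main__":
    extra = ministore_delta(SHOWN_CAPTURE, HIDDEN_CAPTURE)
    print("hosts contacted only with the MiniStore shown:", sorted(extra))
    print("of which named in the article:", sorted(extra & MINISTORE_HOSTS))
```

Hosts that appear in both captures (the constructed NTP traffic here) drop out of the delta, which is what separates the MiniStore's requests from the machine's ordinary background traffic.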

