Company hit new low in snooping

November 15, 1999|By Mike Himowitz

Some people think I'm paranoid about Internet privacy, and occasionally I agree. But often enough, something outrageous happens to convince me that I shouldn't stop looking over my shoulder.

The latest incident was sponsored by RealNetworks -- the Internet company that popularized streaming audio broadcasts. It seems that RealNetworks slipped some code into its RealJukebox music player that surreptitiously transmitted all kinds of information about the individual listening habits of its 13.5 million users to the company's servers.

The program secretly searched the users' hard drives for every type of music file and even worse, it made a note of every music disc they played in their CD-ROM drives. And naturally, RealNetworks made no mention of this little intrusion in the privacy statement posted on the company's Web site.

This clandestine snooping went on for months until Richard Smith, a Massachusetts Internet consultant who likes to expose Internet privacy threats, discovered it and blew the whistle. Not surprisingly, users of the software were outraged. RealNetworks hurriedly amended its privacy statement, issued a patch to disable the transmission of information and promised to eliminate the "feature" from future versions of the software.

Shortly afterward, in a backhanded announcement, RealNetworks confirmed that its even more popular RealPlayer software -- which plays music and video broadcast directly over the Internet -- has also been transmitting a unique user identifier. The company said the latest release of the program, RealPlayer 7, doesn't do that.

Rob Glaser, RealNetworks' chief executive, took the presidential denial route and said he wasn't aware that the information was being gathered by RealJukebox. This guy is a former Microsoft executive who more or less invented the Internet broadcasting business and runs one of the Web's most popular sites. And he doesn't know what his people are doing? Right.

In any case, the company said it would hire an outside auditor to make sure that RealNetworks lived up to the terms of its privacy statement in the future. Which is about all you can do when you get caught with your hand in the cookie jar.

Why collect this information at all? RealNetworks said it was trying to tailor the service to users' individual tastes, which is nice if you believe it. The fact is that this kind of information is priceless to businesses who want to sell you things and, in the case of music files, to recording industry snoops looking for illegal digital copies of album tracks.

By now, of course, it's well known that the movements of almost everyone who uses the Internet can be tracked in one way or another. Privacy advocates have warned about this danger for years, but the government has taken a hands-off approach, other than requiring parents' consent for the gathering of information directly from children.

Last week, the Federal Trade Commission held a conference on Internet privacy where critics predictably called for government regulation and the industry predictably said it could regulate itself by posting privacy policies on Web sites andving consumers an opportunity to opt out.

Trying to head off regulation, nine of the biggest gatherers of consumer information on the Web announced the creation of a Web site where consumers can get information on how to maintain their privacy (

How well has self-regulation worked so far? Well, in the RealNetworks case, an outfit called TrustE that the industry set up to monitor privacy -- its model of self regulation -- said it didn't have jurisdiction because RealNetworks technically wasn't using its Web site to gather information. In other words, a cop-out. It's not surprising. Despite numerous complaints, TrustE hasn't yet revoked a single certificate of approval from any of its clients.

What's particularly troubling about the RealJukebox case is that it takes snooping to a new level. While you can reasonably expect a company to track your interactions with its Web site, RealNetworks used its software to root around users' hard disks and secretly develop a profile of their musical tastes. In doing so, it not only checked out songs downloaded over the Internet, but kept track of what CDs users played.

How would you feel if your VCR secretly recorded the title of every videotape you played, hijacked your phone and sent the information to people you don't know and never heard of? It's the same thing.

The RealJukebox case also raises this chilling question: Can we trust our software anymore?

Sure, sure, we've never really trusted our software. It crashes our computers and mangles our data. But that happens in the open. Even viruses, nasty as they are, announce themselves at some point -- that's how their creators get their kicks. But RealJukebox is more insidious because it was designed to work in the shadows, forever.

Baltimore Sun Articles
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.