
Privacy Bloopers
April 2000 • Vol.8 Issue 4

Real Software’s Privacy Gaffe
Learn More About The Finding That Made Privacy Groups Reel
Within the span of a few days, RealNetworks (http://www.real.com) went from basking in the glow of Best of 1999 awards for its RealJukeBox software to fielding stiff accusations of invading the privacy of the software's estimated 14 million users. RealJukeBox is a program that allows users to play and record CDs as well as MP3 files. It was enjoying good market share and buzz in 1999. Then in October, Internet consultant Richard Smith decided to include RealJukeBox in a privacy review of five music software programs.

He was surprised at what he found. "It's a very talkative program," Smith said of RealJukeBox at the time. "It was much more talkative than anything else out there." The problem was, Smith said, that the program was talking about his usage patterns without getting his consent. He alerted the company to what he considered privacy violations.

On October 31, the New York Times picked up the story. On November 1, the company was responding to accusations of privacy invasion while revising its privacy policy and releasing a patch to disable the functions in question. By December, class action lawsuits were filed against the company and by 2000, RealNetworks had initiated litigation of its own.

While company officials scrambled to downplay the blunder, Internet privacy specialists screamed loudly for the need for change and legislation. "This RealNetworks violation is huge," said Jason Catlett, president of Junkbusters (http://www.Junkbusters.com). "It's a spectacular example of the failure of self-regulation."

Andrew Shen, policy analyst with the Electronic Privacy Information Center (http://www.epic.org), agreed. "You just see the serious breakdown of a company that wasn't taking seriously the privacy of their users," he said.

The company appears anything but broken down after responding swiftly to the event. Keela Robison, acting privacy compliance officer, insisted that allegations ranged from misleading to blatantly false. "There was never a time in which individual privacy was jeopardized," she said.

Despite privacy advocates calling for legislation and a number of RealJukeBox users filling bulletin boards with complaints, even more users appeared unaware or unconcerned. "We haven't seen a very significant effect on our download rate," Robison said.



What Happened.

Smith, who specializes in Internet security issues, decided to review five different music programs for privacy in the fall of 1999. RealJukeBox happened to be the first Smith reviewed, and in the end, seemingly the most intrusive. "It took me less than a half hour to figure out there was a problem," he said. Using what's called a packet sniffer, Smith detected a Globally Unique Identifier (GUID) being used by the software. This string of random numbers and letters identifies a unique installation of software. The company's privacy statement did not mention the use of GUIDs, so Smith invested 30 to 40 hours over a two-week span to find out exactly what the GUID was doing, even enlisting help from an Australian colleague when he found he couldn't decrypt the company's coding himself.


[Figure: The daily status report included music genre, number of tracks played, and any portable devices used.]

He didn't like what he found. The GUID was attached to both Smith's registration information and to his every request to play a CD. He surmised that, in theory, RealNetworks could keep track of exactly what CDs he was listening to, which could be valuable marketing information for any music software company.

He also found that a daily status report was being sent to RealNetworks from his PC, using the same GUID. This status report included such fields as Genre Preference, Portable Devices, Total Tracks and Encoded Tracks. In theory that again meant that RealNetworks could detect if Smith was using an MP3 player or a different portable device, as well as how much and what kinds of music he selected to play.
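
How a privacy review can spot such an identifier in captured traffic, as an added example that is not part of the original article or Smith's report. The hosts, parameter names and GUID value are constructed for illustration, are not RealJukeBox's actual protocol, and assume the traffic is readable in the clear.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of outbound requests (hypothetical hosts and parameters).
GUID = "3f2a9c1e-5b7d-4e8a-9c0f-1a2b3c4d5e6f"
CAPTURED = [
    "http://reg.example.test/register?email=user%40example.test&id=" + GUID,
    "http://cd.example.test/lookup?toc=150+22500+41000&id=" + GUID,
    "http://stats.example.test/daily?genre=New+Music&devices=1&tracks=42&id=" + GUID,
    "http://cd.example.test/lookup?toc=150+18000+39000&session=7781",
]

# Canonical GUID text form, with or without surrounding braces.
GUID_RE = re.compile(r"^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$")


def _norm(value):
    """Normalize a GUID-like value for comparison."""
    return value.lower().strip("{}")


def find_persistent_ids(urls, min_endpoints=2):
    """Map each GUID-shaped value to the endpoints it was sent to,
    keeping only values seen on at least min_endpoints distinct endpoints."""
    seen = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        for _name, value in parse_qsl(parts.query):
            if GUID_RE.match(value):
                seen[_norm(value)].add(parts.netloc + parts.path)
    return {g: sorted(e) for g, e in seen.items() if len(e) >= min_endpoints}


def linked_fields(urls, guid):
    """List every other parameter sent alongside the identifier:
    the data that the identifier could tie together."""
    fields = set()
    for url in urls:
        params = parse_qsl(urlsplit(url).query)
        if any(_norm(v) == guid for _n, v in params):
            fields.update(n for n, v in params if _norm(v) != guid)
    return sorted(fields)


if __name__ == "__main__":
    for guid, endpoints in find_persistent_ids(CAPTURED).items():
        print(guid, "->", endpoints, "links", linked_fields(CAPTURED, guid))
```

An identifier that recurs across registration, lookup and reporting endpoints is what allows otherwise separate requests to be joined into one profile.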

The problem wasn't so much what RealNetworks was doing, but that it was doing this without informing him. Still, Smith said, "Any snooping that goes on is a bad thing in my mind." Smith contacted the company to question their practices. He then spoke with a New York Times reporter, whose story prompted immediate public reaction, especially among Internet privacy advocates. "It was a pretty gross violation if you think about it," said Shen.



RealNetworks Responds.

Within hours of the New York Times story, RealNetworks was changing the privacy policy detailed on their Web site, releasing a patch and fielding intense media questioning. "I don't know if we could have reacted more positively and more swiftly than we did," said Robison.

RealNetworks' privacy statement was expanded to include a statement on GUIDs. In part, it said, "RealNetworks uses GUIDs for statistical purposes and to personalize the services that are offered within our products." The same day, November 1, RealNetworks released a patch to allow its users to block transmission of personal data and disable the GUID. Robison insisted that the company never actually stored personal data, but that the software simply appeared to include that functionality. To cool down the controversy, that functionality had to be removed. "That's why we released the patch," Robison said.

TRUSTe, an independent organization that provides a seal of approval to sites that comply with their privacy guidelines, at first ordered an investigation of RealNetworks, which it had endorsed, but then backed off with the statement that its seal didn't apply to the software, only to the actual Web site.

RealNetworks has since begun putting together a privacy committee including members outside the company and has submitted to a privacy audit, though Robison declined to name committee members or the company performing the audit. The emphasis now, she said, is on overcommunicating about privacy to their users.



And The Media.

Robison contends that some of Smith's findings were blown out of proportion. She blamed the ensuing controversy on theoretical possibilities. "People were speculating very wildly about what might be possible," she said. Robison went on to question the validity of Smith's findings. "There were things in his report [found at http://www.tiac.net/users/smiths/privacy/realjb.htm] that were at best misleading and, at times, false," she said.

For example, Robison said, the Genre Preference field in the daily report was misleading because it was always set to a New Music default. That means the company was not building listener profiles based on music choice. "We can clearly state that we've never monitored the listening habits of our users," she said.


[Figure: RealNetworks now has two privacy statements, one for the Web site and one for downloadable software.]

However, Robison does concede that another field in the daily report was actively used, the one identifying the Portable Device being used, such as an MP3 player. "Yes, that field was being transmitted…but we never stored the GUID," she said, "We never stored anything that would link back to that individual. We never stored the GUID."



Smith Responds.

Smith said he would happily go over the details of his findings with the company. He has spoken to its product managers many times already. He was also bemused at the company's insistence that it never stored the GUIDs. "That's the 'do not inhale' excuse," Smith said. "It's very suspicious when a piece of software sends out information and then drops it on the floor."

What matters, Smith said, is that the data collection was going on without notification by the company and consent by the user. "It doesn't matter what you do with it," he said. Smith likened failing to store collected data to invading a person's house without stealing anything. "There's this sort of credibility problem," he said of the company.



Litigation Ensues.

In November, a class-action suit filed in Pennsylvania charged that RealNetworks misrepresented their collection and use of personal data. Plaintiffs contend this violates federal and state law. That suit came on the heels of another filed in California, which contends RealNetworks violated state business statutes by failing to pay its users the market value of the information it supposedly captured.

While similar, the two suits differ widely in requested damages. The California plaintiffs want market value for the data, an estimated $500 per user. The Pennsylvania suit requests only software refunds, an estimated $30 per user.

RealNetworks initiated their own suit in December. Filed in a state court in Seattle, the suit contends that any disputes against RealNetworks must be settled through arbitration, as stated in the company's software licensing agreement. JunkBusters' Catlett was specifically dismayed at RealNetworks' contention that all complainants be forced into arbitration. "That's deplorable that they're trying to deprive people of their right to redress by that clause," he said.

No criminal charges have been filed against RealNetworks, though Catlett cited the Computer Fraud and Abuse Act of 1986. This act makes criminal "exceeding authorized access" to consumer information. "Plainly I think what RealNetworks has done has exceeded the authorized access," Catlett said.


[Figure: Before downloading RealJukeBox Basic, the user receives assurance that no GUIDs are used to "theoretically" track listening habits.]


Industry-Wide Issues.

It's the dollar value of user profiles that puts a spotlight on any unauthorized data collection, industry experts say. "Information is probably the most valuable commodity on the Internet right now," says Shen. That commodity enjoys scant protection while the medium works out regulatory issues. "Privacy cases like this show that the whole self-regulatory system is not working." Companies are not bound by enforceable laws without legislation. "It is the Wild Wild West. There are no rules."

Smith sees the tide turning as more consumers become aware of their vulnerability. "Surely there's going to be more legislation around privacy," said Smith. "Here your video rental titles are protected but other things are not."

Catlett concurred. "We need laws in this country that protect the data, not the medium."

According to Smith, individual users should hold their personal privacy as their most valuable commodity. "If we allow companies to start snooping on us in ways without telling us, we're on a very slippery slope."

Right now, consumers uninterested in litigation have little recourse. "All they can do is stop using their products," says Shen.

by Sonja Carberry




