Is that Steganography? More adventures in iTunes Plus tagging

by Erica Sadun

Let me start this story at the punchline with a quick abstract: after removing all atom metadata from my iTunes Plus purchases, the music files still retain distinguishable trace differences that could be used to track the data if it were loaded illegally onto peer-to-peer networks. Now that you've heard the punchline, let's rewind to the beginning and see how I ended up at this conclusion.

Update: it looks like MacRumors has discovered that the metadata "enema" (stripping the atoms with AtomicParsley) is not as thorough as I thought it was. Read their analysis: http://www.macrumors.com/2007/06/01/apple-using-steganography-in-itunes-plus-songs/


27 Comments

domo
2007-06-01 10:06:32
As a matter of interest, does the difference go away if you transcode the stripped files to AIFF or WAV? The EFF's on the case too, and their findings are that it does. If so, and if it's a watermark, it's a very washable one. Thanks for the pointer to Atomic Parsley, BTW: saves me hacking up Perl one-liners using Image::ExifTool. Well, for .m4a's at least.
David
2007-06-01 10:08:37
Try this: 'man cmp'
Erica Sadun
2007-06-01 10:08:42
I haven't tried transcoding. I'll give that a try and report back.
Erica Sadun
2007-06-01 10:19:40
David: Thanks. I usually use diff. Sometimes the blindingly obvious just passes us by.
Erica Sadun
2007-06-01 10:20:42
Domo: Transcoding the stripped files to AIFF produces identical results. I added an update above.
Stewart Walker
2007-06-01 10:24:54
If I buy tracks, I don't mind if they've got a "sticker" on them indicating I own them.

2007-06-01 10:31:20
The watermark might be innocuous. It could be a timestamp or something like that. Or it could signify which of Apple's servers actually did the encoding.


I can think of other things that aren't nefarious or traceable.


But there's no way of knowing what the real cause is without lots more digging. And since AIFF "rinses out" the watermark, I doubt the digging is worthwhile, except intellectually.


2007-06-01 11:30:30
It's too bad you can't buy The Planets' "A one minute silence" (on Classical Graffiti), or John Cage's 4'33" on iTunes.


It seems like that would simplify cryptanalysis.

Brianary
2007-06-01 11:34:09
I'd take "bookplates" over DRM any day.
Nate
2007-06-01 16:30:39
> Update: Converting both files to AIFF produced identical output:


So why don't you say what this means? That it totally contradicts your findings, that "No, that isn't steganography," that metadata left behind by AtomicParsley explains the difference, and that you jumped the gun on this? That explanation should go at the top, right by your "punchline."

red
2007-06-01 17:23:47
Agreed. The "Update" at the bottom is almost hidden past the point anyone would get to...almost as if there was a watermark of shock value on the article itself.
gnasher
2007-06-01 18:11:03
The first sets of differences (groups of three bytes) are in the movie header, track header and media header atoms, and there within the modification date. If you look at the numbers, old = 0x84d67f, new = 0x858d2e, the difference is about 46000 (seconds), that is about 13 hours, and that is exactly the difference in time between your two downloads; one at 19:46 and one at 08:45 the next day. So no steganography there, the server has just truthfully filled out the time when the file was modified.
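The check gnasher describes (which atom and which field each differing byte falls in) is what a plain `cmp` or `strings`/`diff` pass cannot tell you, and the transcoding test from earlier in the thread is really a question about whether the coded audio in the `mdat` atom differs at all. The script below is an added example, not code from the post, from AtomicParsley or from MacRumors: it walks the MP4 atom tree, maps every differing offset between two files to an atom path and field, decodes the 32-bit modification_time of the version-0 mvhd/tkhd/mdhd headers (seconds since 1904-01-01), and compares the raw `mdat` payloads. The two files it compares are constructed inline (minimal ftyp/moov/mdat skeletons with the same "master" creation time, the same audio bytes, and modification times 12 h 59 min apart); the download times are the ones quoted in the comment, the creation time and audio bytes are assumptions. Real files carry many more atoms (stsd, stbl, ilst and so on), and the byte-offset attribution only works when both files have the same atom layout; if AtomicParsley left the two files with different lengths, compare the atom lists first.

```python
"""Attribute byte-by-byte differences between two MP4/M4A files to the atom
and field they fall in.  Added example; sample files are constructed below."""
import struct
from datetime import datetime, timedelta, timezone

MP4_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)  # MP4 times count from here
CONTAINERS = {b"moov", b"trak", b"mdia"}               # payload is a list of child atoms
TIMED_HEADERS = {b"mvhd", b"tkhd", b"mdhd"}            # version 0: ver/flags, ctime, mtime


def walk(data, start, end, prefix, out):
    """Pre-order list of (path, atom_start, payload_start, atom_end) for every atom."""
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1:                                  # 64-bit "largesize" follows
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:                                # atom runs to end of enclosing range
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError("corrupt atom size at offset %d" % pos)
        path = prefix + kind.decode("latin-1")
        out.append((path, pos, pos + header, pos + size))
        if kind in CONTAINERS:
            walk(data, pos + header, pos + size, path + "/", out)
        pos += size
    return out


def field_name(kind, payload_offset, version):
    """Name the field a payload offset lands in, for the three timed header atoms."""
    if kind in TIMED_HEADERS and version == 0:
        if 4 <= payload_offset < 8:
            return "creation_time"
        if 8 <= payload_offset < 12:
            return "modification_time"
    return "other"


def attribute_differences(a, b):
    """Map (atom path, field) -> file offsets where a and b differ.
    Requires identical atom layouts (only fixed-size field values may differ)."""
    atoms_a = walk(a, 0, len(a), "", [])
    if atoms_a != walk(b, 0, len(b), "", []):
        raise ValueError("atom layouts differ; compare the atom lists, not bytes")
    result = {}
    for off in range(len(a)):
        if a[off] == b[off]:
            continue
        owner = None
        for path, start, payload, end in atoms_a:  # pre-order: last hit is innermost
            if start <= off < end:
                owner = (path, payload)
        if owner is None:
            key = ("<no atom>", "other")
        elif off < owner[1]:
            key = (owner[0], "atom_header")
        else:
            kind = owner[0].rsplit("/", 1)[-1].encode("latin-1")
            key = (owner[0], field_name(kind, off - owner[1], a[owner[1]]))
        result.setdefault(key, []).append(off)
    return result


def modification_time(data, path):
    """Decode the 32-bit modification_time of a version-0 mvhd/tkhd/mdhd atom."""
    for p, _start, payload, _end in walk(data, 0, len(data), "", []):
        if p == path:
            if data[payload] != 0:
                raise NotImplementedError("version-1 (64-bit time) header")
            secs = struct.unpack(">I", data[payload + 8:payload + 12])[0]
            return MP4_EPOCH + timedelta(seconds=secs)
    raise KeyError(path)


def mdat_payload(data):
    """Raw coded audio (mdat payload): the bytes a transcode to AIFF/WAV decodes."""
    for p, _start, payload, end in walk(data, 0, len(data), "", []):
        if p == "mdat":
            return data[payload:end]
    raise KeyError("mdat")


# ---- constructed sample files (not real iTunes Plus downloads) ----
def atom(kind, payload):
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


def timed_atom(kind, created, modified, tail):
    """version 0, three flag bytes, then 32-bit creation and modification times."""
    return atom(kind, b"\x00\x00\x00\x00" + struct.pack(">II", created, modified) + tail)


def mp4_seconds(dt):
    return int((dt - MP4_EPOCH).total_seconds())


def build_m4a(modified, audio):
    """Minimal ftyp/moov/mdat skeleton; fields after the times are zeroed (assumption)."""
    created = mp4_seconds(datetime(2007, 5, 29, 12, 0, tzinfo=timezone.utc))  # same master
    mvhd = timed_atom(b"mvhd", created, modified, b"\x00" * 88)  # timescale .. next_track_ID
    tkhd = timed_atom(b"tkhd", created, modified, b"\x00" * 72)  # track_ID .. height
    mdhd = timed_atom(b"mdhd", created, modified, b"\x00" * 12)  # timescale .. language
    ftyp = atom(b"ftyp", b"M4A \x00\x00\x00\x00M4A mp42isom")
    moov = atom(b"moov", mvhd + atom(b"trak", tkhd + atom(b"mdia", mdhd)))
    return ftyp + moov + atom(b"mdat", audio)


AUDIO = bytes(range(256)) * 4  # constructed stand-in for identical AAC frames
FIRST = build_m4a(mp4_seconds(datetime(2007, 5, 31, 19, 46, tzinfo=timezone.utc)), AUDIO)
SECOND = build_m4a(mp4_seconds(datetime(2007, 6, 1, 8, 45, tzinfo=timezone.utc)), AUDIO)

if __name__ == "__main__":
    for (path, field), offsets in sorted(attribute_differences(FIRST, SECOND).items()):
        print("%-22s %-18s offsets %s" % (path, field, offsets))
    delta = modification_time(SECOND, "moov/mvhd") - modification_time(FIRST, "moov/mvhd")
    print("mvhd modification_time differs by", delta)
    print("mdat payloads identical:", mdat_payload(FIRST) == mdat_payload(SECOND))
```

Run against the two constructed files, every differing offset lands in the modification_time field of mvhd, tkhd and mdhd, the decoded times are 12 h 59 min apart, and the mdat payloads are byte-identical, which is exactly the situation in which transcoding both files to AIFF produces identical output. On real downloads, a difference that the script attributes to "other" inside mdat, or to an atom you did not expect, is the thing worth digging into; a difference confined to timestamps is not.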
Jeff Longo
2007-06-01 20:20:38
Erica-


MacRumors furthered the research you did, and has found that it looks like Steganography is NOT taking place.


http://www.macrumors.com/2007/06/01/apple-using-steganography-in-itunes-plus-songs/

Erica Sadun
2007-06-01 20:27:55
Nate: Relax, dude.


Everyone else: Added the Mac Rumors link up to the front. I still don't find things conclusive one way or the other but Mac Rumors looks like it's definitely taking things in the right direction.

Ben Jamieson
2007-06-01 21:26:40
I don't get why there's so much static about this.


Your email address and itunes account name are stored on your computer in files you buy?


So what? Your iTunes account name and email are stored on your computer in iTunes. Your email address probably occurs quite often on your computer (i.e. every email you've sent or received). Clearly not a privacy issue - it's *your* computer, after all.


So, this only matters in any way if you intend to distribute these purchased tracks and don't wish to be linked to them.


And if you're doing that, you're lower than whale sh*t anyway, so who cares?



2007-06-02 17:09:57
Why didn't you get your facts straight before you published the story instead of sending everyone into an uproar for nothing? If you don't know one way or the other, why even write the story? Maybe you should write for the tabloids. Journalists that print inaccurate garbage shouldn't be working at reputable news sources.
Erica Sadun
2007-06-02 17:19:29
Hey Anonymous, good points there to respond to. First, this is not journalism. It's an informal web log. Second, although my initial conclusion (that it might be steganography or fingerprinting of some kind) looks more and more like it is probably wrong, putting out the method and the data encouraged exploration and peer review.

2007-06-02 17:47:03
Undoubtedly this ain't journalism.


The way you handled the "update"... burying it after a hex dump, merely crossing out your totally wrong innuendo, and not even speaking in plain English... reeks of unprofessionalism.


2007-06-02 21:43:03
Why so complicated?


strings file1 > x
strings file2 > y
diff x y


2007-06-03 05:33:16
Erica: First, this is not journalism. It's an informal web log.


You, of all people, should realise that such a distinction is increasingly blurred these days. This weblog is self-promotion for you in order to increase your reputation within the community and hence influence future sales of your books and/or to encourage publishers to use your articles etc. Doesn't sound too different to modern mainstream technology journalism to me.



Erica: Second, although my initial conclusion (that it might be steganography or fingerprinting of some kind) looks more and more like it is probably wrong,


Your initial conclusion is not "probably wrong". Other, more thorough, researchers, using the same data, have categorically *proven* it wrong. At least have the decency to recognise your mistake and the moral fibre to accept it instead of trying to weasel out of it.


Erica:... by putting out the method and the data encouraged exploration and peer review.
You did not offer your method out for peer review. Your peers, not trusting your method and the conclusion you had arrived at, took it upon themselves to investigate and debunk your theory. Your article bears little resemblance to scientific method; while the title seems like a question you had already jumped to the conclusion before all the facts were in: " the music files still retain distinguishable trace differences that could be used to track the data if loaded illegally to peer-to-peer networks. Now that you've heard the punchline, let's rewind to the beginning and see how I ended up at this conclusion."


If you'd framed it as a question, and asked for people to review your method and come to their own conclusions instead of the sensationalist headline you used, not nearly as many people would have visited your site. So it's obviously not your way of asking for peer review, but clearly yet more self-promotion. In this case, it does appear to have backfired (one can only hope).


2007-06-03 07:04:20
Hey Erica, why don't you spend less time censoring comments on this page and more time cleaning up the mess you've made? All you've done up to this point is punish Apple by dragging its name through the mud when, by all indications, they were only trying to do the right thing. The least you could do now is issue a retraction (please note, a cryptic statement buried two paragraphs deep in your original article, otherwise unedited, is NOT a retraction).

2007-06-03 07:23:02
Anonymous: Hey Erica, why don't you spend less time censoring comments on this page and more time cleaning up the mess you've made?


Seconded. I've had two comments axed now because I dared to suggest that the person at fault here was Ms Sadun, not Apple Inc.


Think it might be time to write a letter of complaint to O'Reilly about this silent moderation of critical voices.

Joe
2007-06-03 11:14:55
Erica, it might be appropriate for you to use your favorite online dictionary to look up the phrase "jumping the gun".


gnasher
2007-06-03 13:59:14
Erica, you wrote in a comment "Second, although my initial conclusion (that it might be steganography or fingerprinting of some kind) looks more and more like it is probably wrong.. "


Your original conclusion wasn't that it might be steganography. Your conclusion was "Clearly some sort of fingerprinting/steganography is going on in the data itself". That was what you wrote in your blog, and it was completely unjustified. There is not only no evidence, I can't see a reasonable explanation why you would have come to that conclusion at all.


I wonder why no one has asked the obvious question: Why on earth would Apple want to include hidden information about a customer in a music file? There is open information clearly visible: Geeks find it by searching for strings, normal people click on "Get Info" in iTunes. But why would Apple include hidden information? How would Apple benefit from this? You can get all paranoid about this and come up with some weird big brother theories, but please tell us just one scenario describing how Apple could benefit from this.

pauldwaite
2007-06-04 11:56:28
> "Think it might be time to write a letter of complaint to O'Reilly about this silent moderation of critical voices."


I'm sure you must be looking forward to receiving their reply. Should they send it to anonymous@anonymous.com?


Pointing out inaccuracies and mistakes is fine, but there's no need to be nasty. I think Apple's good name, and Erica's, will be just fine.

Havelock
2007-06-04 13:55:44
Anonymous excoriation for a mistake owned-up to with grace and honesty is reprehensible. Perhaps Anonymous could have simply provided an ID or a link to his/her own site with a discussion of the mistake and a correction, as LongoFest did on the MacRumors forum. Then again, perhaps not, because Anonymous is just a garden variety heckler. Thanks to Erica Sadun for working through the steganography question, publicly and professionally.
Ben
2007-06-21 05:28:24
Wow, this article is misleading. If one only reads the abstract, one draws a conclusion (steganography) that is contradicted by an update at the bottom. Immediately after the abstract, there is a sentence about 'enemas' which, I think is an update, but is not labelled as such. Many people (myself included) will have no idea what an 'enema' is in this context without reading the whole article. What a misleading mess.