Update: EFF on iTunes Plus data

by Erica Sadun

More on iTunes Plus data and possible privacy issues: EFF has found two fields ("a 1024 bit variant field labeled sign and a 630 byte variant field labeled chtb") that seem to be unique for each combination of user and track. Beyond that, the data difference between files may be due to cover art duplication (two copies rather than one copy). Read all about it here.

4 Comments

Mike ES
2007-06-07 03:09:45
Frankly, the EFF has cried wolf so many times, this being perhaps the most egregious example--


http://arstechnica.com/journals/apple.ars/2007/06/03/itunes-7-2-bug-may-prevent-ipods-from-syncing


--that I'm beginning to get a little tired of them.


They also announced at one point that their "tests" had shown that removing the account name from an iTunes Plus file caused it not to play. I suspect what the "test" actually showed was that audio files don't mix well with a hex editor operated by someone who doesn't know what he's doing.


But this post is mildly interesting, although hardly evidence that Apple is a wolf.


I see neither of those fields is in the metadata, as shown by AtomicParsley, nor is either visible in the Atom tree.


Interestingly, if you give an iTunes Plus file a metaEnema, then import it into iTunes, then do a GetInfo, iTunes still knows it is a "Purchased AAC file" and who the purchaser is.

Mike ES
2007-06-07 04:35:37
Here's another thought. One could imagine EMI's saying to Apple, "OK, we'll go for removing copy-protection, but these files must still be trackable." However, EMI also said that online stores could sell the downloads in any format they wished, and it's not clear to me that older formats are as extensible in the same way. Did anyone look at the Good, the Bad, and Queen download, anyway?


http://www.paidcontent.org/entry/419-emi-releases-first-album-with-drm-free-option-artists-selling-direct-fr


That suggests to me that whatever is in the file is more likely to do with Apple's own administration needs than anything else. It would feel more comfortable if these fields were normal MP4 atoms, but there's no evidence that panic is a good idea.

John J
2007-06-07 08:08:03
"They also announced at one point that their "tests" had shown that removing the account name from an iTunes Plus file caused it not to play. I suspect what the "test" actually showed was that audio files don't mix well with a hex editor operated by someone who doesn't know what he's doing."


If this most recent finding is true, that other unique field could be being used as a checksum, which, if it doesn't pass after the user ID change, keeps the file from loading. EFF probably isn't crying wolf here, but it may be acting a bit too paranoid. In general however, I would prefer for there to be organizations out there that are overly paranoid about privacy issues rather than only have organizations that don't worry about privacy.

Mike ES
2007-06-07 11:02:23
"I would prefer for there to be organizations out there that are overly paranoid about privacy issues rather than only have organizations that don't worry about privacy."


That's a false dichotomy. We don't have to make a choice between those two options.


"If this most recent finding is true, that other unique field could be being used as a checksum, which, if it doesn't pass after the user ID change, keeps the file from loading."


An entirely spurious claim, since Erica, and others, have removed the ID field and that *doesn't* happen. I've done it myself.


Let's all invent non-existent scenarios, eh?


FWIW, I feel the EFF deserves a certain amount of contempt, because it accuses first and does its research afterwards -- see the linked Ars Technica article.


As for "paranoia", I'm not a medical doctor, but I don't think paranoia is at work here. These are simpler emotions at work. The EFF people would like us to look up to them -- that's a pervasive human motive. It's probably why people join the EFF (and any number of other human organizations and groups) in the first place, and it's almost certainly why they didn't check their facts before throwing mud at others. They were looking for approbation for doing so.


I don't have to play along.