Apple Accused of Privacy Violations With iTunes - InformationWeek
06:39 PM

Apple Accused of Privacy Violations With iTunes

Apple doesn't disclose that iTunes reports back to a third-party marketing agency with lists of what songs a user is listening to. That's led bloggers to start calling the software "SpyTunes."

Apple on Tuesday released iTunes 6.02, an update that’s quickly earned the derisive nickname "Spytunes" among bloggers.

The new version of iTunes offers Intel compatibility, improved stability and performance, and a new, controversial feature, the MiniStore.

The MiniStore is a closeable frame in the iTunes application window that recommends songs the user can buy with a bit of cash—and privacy.

The MiniStore bases its song recommendations on music played by the user. Because these songs are stored locally on the user's computer, iTunes has to transmit information to other computers in order to generate a related suggested purchase. Since the software does this without user notice or consent, it's arguably a privacy violation.

On Wednesday in his blog, legal and technical writer Marc A. Garrett was among the first to note the undocumented way that the iTunes MiniStore collects information.

In an E-mail message Garrett explains, "When the MiniStore is open, iTunes 6.0.2 sends two bursts of data each time the user selects a new song: one to Apple itself, and the second to a third party site called, a site owned by the marketing firm Omniture. The problem with this is that it's done surreptitiously: Apple doesn't mention Omniture in the iTunes license, or in the iTMS Terms of Service, or in its Customer Privacy Statement. You don't even know this is happening unless you're running a program like Little Snitch which alerts you when your software attempts to connect to external sites."

Garrett points out that Apple can implement such features properly, as it does with GraceNote, the music database that provides iTunes with song data. The iTunes End User License Agreement (EULA) spells out the information Apple shares with GraceNote.

"The core issues are trust and transparency," Garrett continues. "I want to do business with companies that respect my privacy; I want them to tell me clearly when they’re collecting my data; and I’d prefer to opt-in to data collection programs rather than opt-out. Is that so much to ask?"

Apple is not known for its transparency. Indeed, under Steve Jobs, it has nurtured a culture of secrecy and has aggressively litigated against online news sites that have revealed upcoming products in order to protect what it considers to be trade secrets.

At Macworld on Wednesday and several more times thereafter via phone and E-mail, Apple's iTunes and iPod publicity manager was asked for comment. He said he would try to provide one. Yet at the time this story was filed on Thursday at noon Pacific Time, Apple had not responded with an explanation.

An Apple spokesman said the company would comment on the issue, but, more than a day later, the company still had no comment.

Whether Apple's privacy policy spells out its actions and intentions in sufficient detail to meet its contractual obligations is a question best left to lawyers.

Apple's reluctance to address the issue may be because it's possibly in violation of its contract with Omniture. As Gail Ennis, VP of marketing at Web analytics company Omniture, explains, "We have a pretty rigorous privacy policy in that we contractually require our customers to inform their Web site visitors what kind of data they're collecting and how it's going to be used."

According to Ennis, Omniture acts as an agent for its customers, collecting whatever data the customer requests and hosting it in a secure data center. That data is made available only to the customer, not to third-party marketers.

As for, Ennis explains it's a legacy domain used by the company's application as a result of corporate name changes. She says the company's customers are in the process of migrating to a scheme that utilizes a domain name identified with the customer rather than the service provider. "They don't want their customers to think there's something nefarious going on, so they just want to keep their own domain name," she says.

Many bloggers said the issue was much ado about nothing, particularly since the MiniStore frame can be closed at will, ending any data transmission.

Richard Forno, a computer security author and consultant, suggests that Apple clarify its actions and intentions in the iTunes EULA and ship the program with the MiniStore turned off by default. While he notes that he has not tested this latest version of iTunes, he writes in an E-mail that "it does feel like something Microsoft did during the 90s with many new product 'features' in Windows and other products. As a security professional, I'm concerned with such practices by a mainstream OS vendor."
