Apple Accused of Privacy Violations With iTunes

Apple doesn't disclose that iTunes reports back to a third-party marketing agency with lists of what songs a user is listening to. That's led bloggers to start calling the software "SpyTunes."
Apple on Tuesday released iTunes 6.02, an update that’s quickly earned the derisive nickname "Spytunes" among bloggers.

The new version of iTunes offers Intel compatibility, improved stability and performance, and a new, controversial feature, the MiniStore.

The MiniStore is a closeable frame in the iTunes application window that recommends songs the user can buy with a bit of cash—and privacy.

The MiniStore bases its song recommendations on music played by the user. Because these songs are stored locally on the user's computer, iTunes has to transmit information to other computers in order to generate a related suggested purchase. Since the software does this without user notice or consent, it's arguably a privacy violation.

On Wednesday, in his blog, legal and technical writer Marc A. Garrett was among the first to note the undocumented way that the iTunes MiniStore collects information.

In an E-mail message Garrett explains, "When the MiniStore is open, iTunes 6.0.2 sends two bursts of data each time the user selects a new song: one to Apple itself, and the second to a third party site called, a site owned by the marketing firm Omniture. The problem with this is that it's done surreptitiously: Apple doesn't mention Omniture in the iTunes license, or in the iTMS Terms of Service, or in its Customer Privacy Statement. You don't even know this is happening unless you're running a program like Little Snitch which alerts you when your software attempts to connect to external sites."

Garrett points out that Apple can implement such features properly, as it does with GraceNote, the music database that provides iTunes with song data. The iTunes End User License Agreement (EULA) spells out the information Apple shares with GraceNote.

"The core issues are trust and transparency," Garrett continues. "I want to do business with companies that respect my privacy; I want them to tell me clearly when they’re collecting my data; and I’d prefer to opt-in to data collection programs rather than opt-out. Is that so much to ask?"

Apple is not known for its transparency. Indeed, under Steve Jobs, it has nurtured a culture of secrecy and has aggressively litigated against online news sites that have revealed upcoming products in order to protect what it considers to be trade secrets.

At Macworld on Wednesday and several more times thereafter via phone and E-mail, Apple's iTunes and iPod publicity manager was asked for comment. He said he would try to provide one. Yet at the time this story was filed on Thursday at noon Pacific Time, Apple had not responded with an explanation.

An Apple spokesman said the company would comment on the issue, but, more than a day later, the company still had no comment.

Whether Apple's privacy policy spells out its actions and intentions in sufficient detail to meet its contractual obligations is a question best left to lawyers.

Apple's reluctance to address the issue may stem from a possible violation of its contract with Omniture. As Gail Ennis, VP of marketing at Web analytics company Omniture, explains, "We have a pretty rigorous privacy policy in that we contractually require our customers to inform their Web site visitors what kind of data they're collecting and how it's going to be used."

According to Ennis, Omniture acts as an agent for its customers, collecting whatever data the customer requests and hosting it in a secure data center. That data is made available only to the customer, not to third-party marketers.

As for, Ennis explains it's a legacy domain used by the company's application as a result of corporate name changes. She says the company's customers are in the process of migrating to a scheme that utilizes a domain name identified with the customer rather than the service provider. "They don't want their customers to think there's something nefarious going on, so they just want to keep their own domain name," she says.

Many bloggers said the issue was much ado about nothing, particularly since the MiniStore frame can be closed at will, ending any data transmission.

Richard Forno, a computer security author and consultant, suggests that Apple clarify its actions and intentions in the iTunes EULA and ship the program with the MiniStore turned off by default. While he notes that he has not tested this latest version of iTunes, he writes in an E-mail that "it does feel like something Microsoft did during the 90s with many new product 'features' in Windows and other products. As a security professional, I'm concerned with such practices by a mainstream OS vendor."
