ITunes Data Trail: How Much Personal Info Do You Give Up With Your Downloads?

DRM-free tracks embed personal information, but iTunes is not the only site that records your data.

With freedom comes responsibility.

While fans and some critics cheered iTunes’ Friday roll-out of iTunes Plus — which offers songs from the EMI catalog sans digital rights management but at a premium price — you can bet that Apple wouldn’t give up DRM without getting something in return, and that something is information about you.

Just days after the new downloads became available on iTunes, tech bloggers began furiously jumping on what seemed like a security system that embeds the customer’s name and Apple I.D./e-mail address in the purchased tracks. While Apple deferred comment on the matter, experts downplayed the seriousness of the issue, and other leading digital stores assured MTV News that their tracks don’t contain any widely accessible personal information.

Before the DRM-free iTunes Plus store opened, you could only legally play songs downloaded from iTunes on authorized computers, so having that same personal information embedded (as it already was on the earlier DRM tracks, by the way) was not as big a deal, because you couldn’t legally share those songs on peer-to-peer systems.

But what if you decide, let’s say, to share that DRM-free version of Lily Allen’s “Alright, Still” on a peer-to-peer system? Will the track be easily traced back to you?

“People jumped to the conclusion that this is about an anti-piracy thing, and I’m not entirely sure that’s true,” said Fred von Lohmann, a senior staff attorney at the consumer watchdog group Electronic Frontier Foundation, of the iTunes Plus “fingerprint.” For one thing, if Apple were going to design something that would allow them to trace a track back to a consumer, this is a “pretty weak and pathetic” attempt to do that, von Lohmann said, since it is relatively simple to convert the iTunes files to MP3 and eliminate that information.

“It’s different from an audio watermark, and off the record Apple is saying that it’s more of a proof-of-purchase thing so that when you do an album upgrade, they know you’re the person who originally bought the track,” he said.

A spokesperson for iTunes declined to comment directly on the matter, instead pointing MTV News to a blog posting from Jupiter Research’s Michael Gartenberg, who wrote that the proof-of-purchase embed is pretty standard practice for online stores and besides, “it’s hard to garner sympathy for folks concerned about uploading music to file-sharing sites and being able to be found. I think the fact that you’re concerned about being found might tell you that you’re doing something wrong, so don’t do that.”

A spokesperson for EMI deferred comment to Apple on the matter, but a major-label executive who requested anonymity said, “Labels don’t require that personal information be included in files from any download retailers.”

EFF staff technologist Peter Eckersley offered another take on the Apple flap. While you can go in and change the code or rip the iTunes Plus songs to MP3 to erase the code, the fact is that a lot of people won’t do that. That means if you forward a song to a friend and they pass it along and it ends up on a P2P site, the track could be easily traceable back to you. “I believe this is the first time an effective way of tracing the way music is circulated in terms of people giving a few songs to friends in their network,” said Eckersley.

All of which raises the question: What other information is embedded in songs we download from popular digital stores?

eMusic: Has more than 2 million DRM-free tracks from hundreds of indie labels, making it the only major service to currently offer its entire catalog without DRM restrictions. According to spokesperson Cathy Halgas Nevins, eMusic’s tracks have “no identifying information at all.” Nevins said because the service’s average user is in their mid-30s and not likely to be trolling P2P networks, very few eMusic files have ended up on illegal file-sharing sites. But when eMusic does a deal with a label like Yep Roc, for instance, which is releasing a solo album from X’s John Doe, eMusic can send out an e-mail to its user database to all the people who bought the last John Doe record to alert them about the new one using the company’s internal database (which is not linked to any personal information on individual downloads).

Napster: All songs streamed or licensed using Napster’s subscription service have a customer I.D. number attached to them, but no personal I.D., according to spokesperson Becky Farina, who added that the customer I.D. is attached to the user’s personal information only in the company’s protected data warehouse. “If you send a track to someone else, there is no way to track it,” Farina said. Additionally, none of the tracks downloaded permanently from the service have any personal information in them, either.

Rhapsody: Like most major services, Rhapsody uses DRM to protect its files. According to spokesperson Matt Graves, neither the subscription nor download services the company offers contain any personal information that might identify the user. “There are metadata fields that are not visible to the consumer that have a Rhapsody song I.D. so we can tell the song came from us,” he said. “But even if you pick it apart, you would not find a name, address, e-mail or anything else.”

URGE: MTV’s subscription-based download service has DRM protection that allows users to play songs on a computer and/or any MP3 player. Spokesperson Mariana Agathoklis said because they are DRM-protected, the downloads “do not embed any unique information in each downloaded track related to either the user or the specific transaction.”

Yahoo! Music: “Because we use Windows Media DRM, there is no way for anyone to extract any knowledge out of those files,” said Yahoo! Music General Manager Ian Rogers. “The file identifies you as the purchaser and says it was licensed to you, but the file works separately from the license, so the number we record is more like a proof of purchase.” The fact is, Rogers said, Yahoo! would love for customers to upload their purchased tracks to P2P services because anyone who tries to play them will get a message inviting them to become a member of Yahoo! Music if they want to hear the track. “It’s the beauty and the nuisance of DRM.”

A spokesperson for Zune could not be reached for comment at press time.

For complete digital music coverage, check out the Digital Music Reports.

Can't stop, won't stop.