Popular software secretly sends music preferences

November 1, 1999

WASHINGTON (AP) -- One of the most popular software programs for listening to music on computers is secretly sending details back to a Seattle company about customers' music preferences, including the CDs each listens to and how many songs he copies, a security expert found.

The company, RealNetworks Inc., acknowledged that information from its free "RealJukebox" software, used by more than 12 million people, is sent over the Internet to its headquarters. But it said records are not kept about consumers.

Privacy groups expressed outrage that RealNetworks never disclosed the practices in the privacy statement on its Web site or in the software's license.

Online discussion groups were filled Monday with blistering comments about the company, including one from a person who called it "something else entirely when you entice that user to install (software) on their system which then surreptitiously monitors their activities."

Some experts went so far as to call the company's software a "Trojan horse," malicious computer code that promises to perform one function but secretly commits nefarious digital deeds.

In response, RealNetworks updated its privacy promise on its Web site this weekend, saying its tracking technology is intended "to understand the interests and needs of our users so that we can offer valuable personalized services."

A security expert, Richard M. Smith of Brookline, Mass., discovered the practices by monitoring data sent over the Internet by the music software, including scrambled information that contained his e-mail address and other details about his computer.

"It just seems like it crosses the line to do this kind of monitoring," Smith said. "It looked odd to me. There was a little hands-in-the-cookie jar aspect to this."

Jason Catlett, a nationally known privacy advocate, wrote in a letter Monday to RealNetworks that its practices were "unacceptable violations of consumer privacy."

Catlett and others suggested the software's surreptitious surveillance may even violate the Computer Fraud and Abuse Act or other federal and state laws.

A spokesman for RealNetworks, Jay Wampold, said details about music CDs playing on its software need to be sent to activate one of the program's niftiest features: When a CD is played, the software automatically shows its title, artist and list of songs -- based on data retrieved through a third company, Berkeley, Calif.-based CDDB Inc.

But Wampold said personal details, such as a customer's name or e-mail address, were stripped before information was forwarded through RealNetworks computers to CDDB for matching against its huge database of albums and artists. And Wampold said information about each customer's tastes was never logged by RealNetworks.

The company's decision to suddenly change its Internet privacy policy drew concern Monday from Truste, the nonprofit group that monitors and enforces corporate privacy policies of its members. Truste was formed to stem calls for new federal privacy laws over the online industry.

"We're really concerned about what's going on," said Dave Steer, a spokesman for Truste. "We're aware that RealNetworks changed the privacy statement over the weekend and didn't call us about it, (even though) Truste certifies the privacy statement."

Steer said Truste will investigate whether RealNetworks violated its privacy promises and whether its previous statement had been adequate. "We're not going to knee-jerk on this," he said.
