iSpy: Still More on the iTunes MiniStore and Privacy

01/12/2006

Some things just go on getting worse. If it wasn’t enough that iTunes 6.0.2 contains spyware and adware, now it turns out that the program not only sends information about the song you have selected to Apple’s servers, but also sends your Apple ID, or, at least, its numerical equivalent. (If you’ve missed an installment, the story begins with the link just above, then continues here.) Michael Griffin first noticed this, as reported on Boing Boing, and I had trouble reproducing it at first. But I quickly found out that he was right, with the exception that his Apple ID is six digits and mine is eight. (See the updates to the Boing Boing story for more on how I discovered this.)

So, after Apple claimed that they were not “collecting” information, it now turns out that the information they send is directly linked to a user’s account identifier, if, of course, the user has an Apple ID. If you have never logged into your iTunes Music Store account, you won’t have this ID, and Apple can’t track you. But if you have, even once, this ID is stored in a preference file on your computer, and sent with each iTunes MiniStore request.

Here is an example of the raw data that is sent, taken from tcpdump output. What is being transmitted is, first of all, song info: the name of the song, the artist and the genre. Then it sends the Apple ID, shown as ######## below. (Note: I’ve inserted line breaks for readability.)


....GET./WebObjects/MZSearch.woa/wa/ministoreMatch?an=Brian%20Eno&gn=Alternative
&kind=song&pn=Another%20Day%20On%20Earth.HTTP/1.1..X-Dsid:.########..
X-Apple-Tz:.3600..X-Apple-Store-Front:.143441..Referer:.http://
ax.phobos.apple.com.edgesuite.net/WebObjects/MZStore.woa/wa/ministore?
a=38124&kind=song&p=21770107..User-Agent:.iTunes/6.0.2.
(Macintosh;.U;.PPC.Mac.OS.X.10.4.4)..Accept-Language:.en-us,.en;q=0.50..X-Apple-
Validation:.2EE9F6C3-D8415CAF7FE49AF74A1B7CF92DDDC842..
Accept-Encoding:.gzip,.x-aes-cbc..Connection:.close..
Host:.ax.phobos.apple.com.edgesuite.net....

You can also see such things as the version of iTunes, the language, and some other cookie stuff (after Apple-Validation).

It then sends this, which is more of the same (without the Apple ID), but with some more stuff from the iTunes cookies files:



c6..HTTP/1.1.200.OK..Last-Modified:.Thu,.12.Jan.2006.12:46:27.GMT..Content-
Type:.text/xml;.charset=UTF-8..x-apple-lok-response-date:.Thu.Jan.12.04:46:27.PST.2006..
Vary:.Accept-Encoding..x-webobjects-loadaverage:.0..x-apple-lok-filelastmodified-date:.
Tue.Jan.10.21:14:37.PST.2006..x-apple-lok-path:./opt/itms_lokamai/Lokamai/MZSearch/
ministore/12/57/wa_ministoreMatch?an=Brian%20Eno&gn=Alternative&
kind=song&pn=Another%20Day%20On%20Earth-143441-Ak..x-apple-date-
generated:.Wed,.11.Jan.2006.05:14:36.GMT..x-apple-request-store-front:.
143441..x-apple-max-age:.3600..x-apple-max-age:.64800..x-apple-application-instance:.
150..x-apple-asset-version:.14571..x-apple-lok-filesize:.1693..x-apple-lok-current-
storefront:.143441..Content-Encoding:.gzip..Expires:.Thu,.12.Jan.
2006.12:46:27.GMT..Cache-Control:.max-age=0,.no-cache..Pragma:.no-cache..Date:.Thu,.
12.Jan.2006.12:46:27.GMT..Content-Length:.551..Connection:.close

Here’s more (with my Apple ID hidden again):



HTTP/1.1..X-Dsid:.########..X-Apple-Tz:.
3600..Cookie:.asbid=sKUKC49DKFC7T4CHC;.s_vi=
[CS]v1|53C501E3-85ACC277[CE];.s_vi_jx7Bx7Bgnbx7Ffxxej=
[CS]v4|53C58647-6EC2D232|0[CE];.s_vi_jx7Bx7Bgnbx7Ffxxx7Exx=
[CS]v4|53C58647-6EC2D232|0[CE];.s_vi_ox7Ex7Ebkx7Bx7Dyyygzcx7D=
[CS]v4|53C58647-6EC2D232|0[CE]

Most of what is in this part I have found in my iTunes cookies (in the com.apple.itunes.plist file).
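
As an added example (not from the original article and not Apple's code), this Python sketch parses a request shaped like the capture above and reports which fields describe the selected track and which tie the request to an account. The sample request is constructed, the X-Dsid and cookie values are placeholders, and the mapping of an/gn/pn to artist/genre/name is an assumption based on the description above.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the capture above; X-Dsid and cookie values are placeholders.
SAMPLE_REQUEST = (
    "GET /WebObjects/MZSearch.woa/wa/ministoreMatch"
    "?an=Brian%20Eno&gn=Alternative&kind=song&pn=Another%20Day%20On%20Earth HTTP/1.1\r\n"
    "X-Dsid: 00000000\r\n"
    "X-Apple-Tz: 3600\r\n"
    "X-Apple-Store-Front: 143441\r\n"
    "User-Agent: iTunes/6.0.2 (Macintosh; U; PPC Mac OS X 10.4.4)\r\n"
    "Cookie: asbid=PLACEHOLDER; s_vi=PLACEHOLDER\r\n"
    "Host: ax.phobos.apple.com.edgesuite.net\r\n"
    "\r\n"
)

# Assumed classification: headers that identify an account or installation, and track-describing keys.
ACCOUNT_HEADERS = {"x-dsid", "cookie"}
CONTENT_PARAMS = {"an": "artist", "gn": "genre", "pn": "name", "kind": "kind"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, params, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    url = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url.path, params, headers


def audit(raw):
    """Report what the request reveals and whether it is linkable to an account."""
    _method, path, params, headers = parse_request(raw)
    content = {label: params[k] for k, label in CONTENT_PARAMS.items() if k in params}
    identifiers = sorted(h for h in headers if h in ACCOUNT_HEADERS)
    return {
        "endpoint": path,
        "content": content,
        "identifiers": identifiers,
        # Linkable means track details and an account identifier travel together.
        "linkable": bool(content) and bool(identifiers),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_REQUEST))
```

Run against a request with no X-Dsid or Cookie header, as would be sent by a user who has never signed in to the store, the same audit reports the track details but no account identifier.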

And for a minute, I was thinking that this would all blow over quickly…

