As reported here yesterday (an article that got picked up on Slashdot which, of course, killed my web server–sorry Nico), Apple introduced a new feature in the latest version of iTunes: the MiniStore. Several articles have been making waves about this, beginning with a post on since1968, then Boing Boing, and this editorial on the Macworld web site by Rob Griffiths, and the comments to this and other stories have been quite vehement. After Rob Griffiths posted his article, he was contacted by a high-level Apple official who stated that “the iTunes MiniStore feature does not collect any information from users”. Also, Apple yesterday published a knowledge base article explaining how to disable the MiniStore (which I reported in my article as well).
In this article, I would like to examine why this hit the fan, what Apple did wrong, but also address some of the most frequently made comments to this story that have appeared on various web sites. I think that there was a failure of adequate communication by Apple, and a misunderstanding of some of the issues by many users. First, Apple is remiss in not providing appropriate information about this new feature to users. While the iTunes download page includes this grammatically ambiguous sentence, “Discover new music as you enjoy your collection or import new CDs with MiniStore–right from your iTunes library,” Mac users who used Software Update to get the latest version of iTunes saw only this uninformative information: “iTunes 6.0.2 includes stability and performance improvements over iTunes 6.0.1.” Therefore, they did not see the presentation of this new function on the Apple web site. (Windows users don’t have the same functionality, and, when iTunes detects a new version of the software, they click a button to go to the web site where they would have read the above description of this feature.) Apple should therefore have required users to opt in (that is, approve this feature by clicking a button or checking a box) rather than requiring them to opt out (hide the pane) to turn it off.
Apple should have been more forthcoming about what this feature does, and how it works. For those who missed the first episode, here’s what the MiniStore does. By default, the MiniStore displays at the bottom of the iTunes window when you look at your Library or a playlist. (It does not display when you click the Party Shuffle icon, your iPod, the Radio icon, or others.) If you click a song–and if you have an active Internet connection–iTunes sends the song name, along with some other data, to the iTunes Music Store to provide “recommendations” for music that you can buy.
Now, some people have criticized the use of the terms “spyware” and “adware”. Spyware, by definition, harvests data from your computer and sends it to another server. QED. Adware displays ads (recommendations?) on your computer. QED.
So the problem here is two-fold: first, Apple added a feature (which many people may appreciate) designed to increase their revenue stream. However, they did not tell users what type of information is being sent and where (at least the song name and artist are being sent when you click on a song, but there is also a cookie being sent, and no one has yet explained the purpose and content of this cookie). A simple warning dialog at first launch might have resolved this problem. (And, since the license does not even grant Apple the right to “obtain” this information from users’ computers, there may be legal issues that should have been addressed.)
Second, this information is being processed by another company, Omniture, which is a marketing company, and no one knows what they do with it. While Apple claims to not “collect” any information, what does Omniture do with this information, and why is some information sent to metrics.apple.com?
Perhaps this is all benign, and the song information is simply being processed then tossed in the bit bucket. But perhaps not. Apple should have been more forthright and explained this–if not in the iTunes help, where there is no mention of the MiniStore, at least in its knowledge base article–so users would not have to worry. (I find it astounding that, of all the people at Apple who are involved in a product like iTunes, that the question of privacy was not raised; or, if it was, remained ignored.)
Again, there may be nothing nefarious about this, but in a time when much software tracks users’ habits with impunity, when librarians are asked to record and report readers’ book selections, when the US government wire-taps people without court orders, and when cellphone records are available for sale on the Internet, it is no surprise that some people get worried about tiny encroachments to privacy.
Yet the comments to articles on various web sites mention some things that surprise me. While many people feel Apple was remiss in not being up-front about this feature, many people have posted comments such as the following (and I paraphrase, rather than directly quote anyone):
- But every computer company does this or all the media players do this. Well, is that any reason for Apple to do so? Does the fact that other companies harvest personal data mean that it is legal and moral to do so?
- This happens all the time on Windows. Well, get a Mac.
- It’s the same thing as the Just For You section of the iTunes Music Store. This is incorrect. The Just For You section of the iTMS is based on your purchases, not the contents of your music library and the songs you click. I think many people did not understand the difference between the MiniStore and the Music Store itself. (More about that below.)
- It’s the same thing as using your web browser and clicking links, since web sites can record your browsing history. No, that’s not true. When you use a web browser, you know you are clicking on a link to go to another page. Here, you don’t know that clicking on a song (that you own; that is on your computer) is sending information to a server.
- But Amazon makes recommendations to me too. What’s the difference? The difference is very important. When you go to the Amazon web site, you are entering a (virtual) store, with the full knowledge that you are on a company’s web site. iTunes, with this new feature, has blurred the lines between the part of the software that acts as a portal to the iTunes Music Store and the part that you use to manage your music library. And, again, these suggestions are not made according to your previous purchases, but rather the result of just clicking on a song in your library.
- What about the Gracenote CDDB that looks up your CDs when you rip them? This is clearly addressed in the iTunes license, and a dialog displays when iTunes connects to the Gracenote CDDB.
- Only totally naive computer users wouldn’t understand that iTunes is sending data to a server to display information in the MiniStore pane. Well, the vast majority of computer users are technically un-savvy, so this is a moot point.
What is astounding is how many people rationalize data collection; how this practice is now considered to be acceptable. This said, many of the people posting the above comments did not understand the technical aspects of this issue.
But a broader issue has appeared in this discussion: the blurring between software applications and the web. Most people do not realize that iTunes is a combination music management program and web browser. Yes, that’s right; the iTunes Music Store is simply a bunch of web pages that display in the iTunes interface. Users are very aware when they use a browser that they are accessing web sites, and many people are aware of the security issues involved, such as cookies and browsing history being recorded. Modern browsers offer security settings that control these breadcrumbs, but iTunes, part of which is a browser, does not offer any such security settings. You cannot, for example, check or delete cookies used by iTunes, nor can you ensure that your your browsing history in the iTunes Music Store is not recorded. (Yes, you can sign out from your iTMS account, but could there still be a cookie trail as you browse?) I admit that, too me, these are non-issues, but the conflation of the web browser with other programs means that many users do not realize that security issues that affect the former may also affect the latter.
(An aside: some time ago, iTunes had an option that allowed you to decide whether iTunes could connect to the Internet automatically for Gracenote CDDB lookups or whether it would ask you first. This option is gone, and one effect the MiniStore will have, at least for those who have dialup connections, is that iTunes will attempt to open an Internet connection. This can be very annoying.)
Aside from viruses, it turns out that the music industry is the biggest source of security problems on computers in recent times. With Sony’s rootkit (a number of recent Sony CDs installed nefarious software on Windows computers, without user approval, opening these computers to possible intrusion), many companies have banned the used of music CDs in the workplace. Interestingly, if the recording industry wants to sell more CDs, this action is counter-productive. Now, with iTunes sending information to other servers–and regardless of what information is being sent, some network administrators will see this as a security risk–is the next step for companies to ban the use of iTunes, for those employees who are able to listen to music at work?
Apple blew it here, as mentioned above, by not being forthcoming about what this feature was doing, and lost some of the credibility that the company had developed over the years. It would not have taken much to correctly present this feature and reassure users as to the type of information that it transmits to Apple and other companies. In the meantime, until Apple is totally clear about what this feature does and what information it harvests, one can only assume that it is indeed collecting information, or that, at a minimum, the potential to do so exists.
See other articles about the iTunes MiniStore: