bit-tech.net

Apple's Plus files contain lots

Do you think "no DRM" means "no tracking"? Think again...

It's only been a few days since Apple released DRM-free music upon the world but already the critical eye is upon it. If you think that no DRM means that there's no personally identifiable info in your music, you'd best think twice. The new iTunes Plus files contain more than you might think.

Reports have been surfacing across the net over the weekend that the new tracks contain some user info, and they are dead-on. The new tracks do indeed have the purchaser's username encoded directly into the .m4a file. The reports were further investigated by the EFF (Electronic Frontier Foundation), a world-wide digital rights group. Apparently, downloading the same song on two different computers can produce substantially different files.

According to the study, there is no auditory watermark, which was the first thing considered. The audio signature in two similar files indeed produced the same checksum once converted to .wav format. However, one file was 360KB larger than the other file - which is no small difference. On closer examination of the .m4a files, there appears to be a rather large table buried in the song that contains different data in each version.
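The comparison described above can be approximated at the container level. The following is an added example, not part of the original article or the EFF study: it walks the box (atom) structure of two M4A buffers and reports which boxes differ in size or content. The sample files are constructed, and the box names `xusr` and `xtbl` are placeholders, since the article does not name the real fields; it compares raw boxes rather than decoded audio.

```python
import hashlib
import struct
from collections import Counter

# Box types that contain only child boxes (ISO base media file format).
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta", b"ilst"}


def walk_boxes(data, start=0, end=None, path=""):
    """Yield (path, payload) for every leaf box in an MP4/M4A byte buffer."""
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1 and pos + 16 <= end:  # 64-bit size follows the type
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:  # box extends to the end of its parent
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"malformed box {kind!r} at offset {pos}")
        name = f"{path}/{kind.decode('latin-1')}"
        body = pos + header
        if kind == b"meta":  # full box: version/flags precede the children
            yield from walk_boxes(data, body + 4, pos + size, name)
        elif kind in CONTAINERS:
            yield from walk_boxes(data, body, pos + size, name)
        else:
            yield name, data[body:pos + size]
        pos += size


def summarise(data):
    """Map each leaf box (path plus occurrence index) to (size, SHA-256)."""
    seen, out = Counter(), {}
    for path, payload in walk_boxes(data):
        digest = hashlib.sha256(payload).hexdigest()
        out[f"{path}#{seen[path]}"] = (len(payload), digest)
        seen[path] += 1
    return out


def compare(file_a, file_b):
    """Return [(box, size_in_a, size_in_b)] for boxes that differ."""
    a, b = summarise(file_a), summarise(file_b)
    report = []
    for key in sorted(set(a) | set(b)):
        if a.get(key) != b.get(key):
            report.append((key, a[key][0] if key in a else None,
                           b[key][0] if key in b else None))
    return report


def box(kind, payload):
    """Serialise one box: 32-bit big-endian size, 4-byte type, payload."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


def sample(account, table):
    """Constructed test file; 'xusr' and 'xtbl' are placeholder box names."""
    tags = box(b"udta", box(b"xusr", account) + box(b"xtbl", table))
    audio = box(b"mdat", b"\x00\x01" * 64)  # identical audio in both copies
    return box(b"ftyp", b"M4A \x00\x00\x00\x00") + box(b"moov", tags) + audio


if __name__ == "__main__":
    copy_a = sample(b"alice@example.com", b"\xaa" * 32)
    copy_b = sample(b"bob@example.com", b"\xbb" * 400)
    for name, size_a, size_b in compare(copy_a, copy_b):
        print(f"{name}: {size_a} bytes vs {size_b} bytes")
```

On two real purchases of the same track, pass the bytes of each file to `compare`; boxes absent from the report are byte-identical in both copies.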

The huge size difference means that this isn't likely just a user name, which has already been identified as present in the header. It also isn't just a mild encryption that would help keep the song's origin identifiable even if it were stripped of that header information. No, whatever it is will likely be examined very thoroughly, but it is quite unknown at the moment. What ARE you keeping in there, Apple?

In some respects, this should be a non-issue. The point of the DRM-free music is not so everyone can share it, so a unique identifier as to the legal source of a file should not be a cause for concern (though it undoubtedly will be). However, we've learned a hard lesson from Sony's rootkit debacle that people do not like "unknown" information encoded - particularly when it could be personal information above what Apple is normally entitled to.

We may be waiting a little while before the truth of the table is found - but maybe Apple will be wiser than Sony and come clean about what it contains before a hacker has to. It might go a long way toward building trust with a company that has been making its name recently as a hero in the fight for user rights.

Do you have a thought on the inclusions? Is it enough to put you off from buying those DRM-free tracks until you know exactly what is being put in there? Sing us your song in our forums.

24 Comments

toric334 4th June 2007, 14:57
Still isn't going to tempt me to get out the plastic. I can get the CD for the same money which is lossless audio, I expect the same when I buy off iTunes; not 128kbps AAC shite.
Glider 4th June 2007, 14:58
Quote:
It's only been a few days since [eurl=]Apple released DRM-free music[/eurl] upon the world but already the critical eye is upon it.
I guess you forgot a link in there brett... :D

And this sounds great to catch the ones that spread illegal music..
MrWillyWonka 4th June 2007, 15:01
Although I'm not a music listener, I honestly do not see the problem with adding user information to the music. If you have nothing to hide then what is the problem, you shouldn't be sharing your music online anyway. If it helps compatibility then it's good news.

As Glider said, great for catching the naughty ones. A benefit as a whole imo.
Irvine 4th June 2007, 15:02
Meh...this isn't that bad IMHO. I mean, it's not monitoring you (I think). It's only really bad if you're posting these all over P2P networks or something. At least it'll give some comfort to EMI that their iTunes Plus thing may actually work, and maybe even encourage other labels to put their music on it, too.
I'm sure people will be finding ways to rip the extra data off the song soon, anyways ;)

Question, though...does anyone know if these tables stay on the file even if they're burned to a CD?

Edit:
Quote:
Originally Posted by toric334
Still isn't going to tempt me to get out the plastic. I can get the CD for the same money which is lossless audio, I expect the same when I buy off iTunes; not 128kbps AAC shite.
Just FYI, the iTunes Plus store has higher quality files than the regular iTunes store, something like 192 or 256kbps.
Fod 4th June 2007, 15:17
Quote:
However, we've learned a hard lesson from Sony's rootkit debacle that people do not like "unknown" information encoded - particularly when it could be personal information above what Apple is normally entitled to.
as a friend pointed out: how can apple put personal information into a track that is "above what Apple is normally entitled to"? either they're entitled to your personal data, or they're not. if not, don't give it to them!
DXR_13KE 4th June 2007, 15:18
this is also being discussed here: http://forums.bit-tech.net/showthread.php?t=134176

there is no way apple would do the same as Sony did, they are not that stupid.
quack 4th June 2007, 15:25
Yawn. I'm perfectly happy having extra data added to my music files from iTunes. I don't/won't share them... I paid for them, so why would I?
sinizterguy 4th June 2007, 15:31
I don't have a problem with it as long as this data won't be misused by RIAA and related useless groups.

No DRM means that I can play it on any device I want in any way I want .... Now if only movies would come out like this.
DriftCarl 4th June 2007, 16:02
Seems OK to me.
If you get raided and police see a huge stash of music on your PC, you can say "hey look, my files are encoded with my personal information to prove I own it"
This way there is identifiable info in the files for proof of purchase, plus you can move it to whatever device you want. The only worry is that someone could get on your PC, copy your music to a USB stick and then nick it and share it. How are they gonna get round that because previously if someone did that, then DRM wouldn't let them play it on another machine/account.
devdevil85 4th June 2007, 17:21
So why are we having to pay so much more for them? I thought we were paying more for them BECAUSE they had no added information; that they were expecting us NOT to share them BECAUSE we paid more for them. Anyways, price alone has been putting me off buying music online for ages, not the DRM so much. Though this is good news for music lovers, I am still not going to buy music online when I can continue buying used CDs for half the price as regular CDs AND they're lossless w/o DRM. Hmmm..... tough decision....
Firehed 4th June 2007, 17:29
Quote:
Originally Posted by quack
Yawn. I'm perfectly happy having extra data added to my music files from iTunes. I don't/won't share them... I paid for them, so why would I?
QFT. People are just looking for a reason to hate on Apple. In any case, all of the pre-release leaks and uploads and warez and crap come from CDs, not from someone stripping the DRM off of a lossy AAC file from iTunes (or, now, straight uploading a not-as-lossy file from iTunes Plus).

I'm still waiting to hear that artists are getting a fair cut before I start snapping up tons of music. Once that happens, I'll buy every CD I've downloaded that I actually listen to. After having dealt with DRM on some early iTunes purchases, I quickly decided 'never again' on that front, so this is a major step in the right direction. It's not like the DRM-encoded files didn't have this same information in them as well, and supposedly this is being done, at least in part, for the reverse-syncing off of iPods for purchased music (if this header wasn't in there, you couldn't identify the tracks as purchased versus ripped from CD).
Zurechial 4th June 2007, 17:46
Quote:
In some respects, this should be a non-issue. The point of the DRM-free music is not so everyone can share it, so a unique identifier as to the legal source of a file should not be a cause for concern (though it undoubtedly will be).


I think if we're to be honest about it, the very fact that people are getting up on their high horses about a few hundred KB of extra data in a legal .m4a file just belies their intentions with the file.
As others here have said, if it's just personally-identifying information, then there's no problem, since you're not supposed to share it, and people getting pissy about that just does the Anti-DRM cause more harm than good.
It would make the Anti-DRM campaign as a whole look a lot less legitimate if people start getting pissy at personally-identifying info in the files, when that info would obviously only be for the sake of tracking down illegal sharing.

I'm no M£tallica and I detest the RI/MP-AA as much as everyone else, but if we want a fair and legal DRM-free industry, then we'll have to live up to our own side of the deal too.

I remember the first time I bought and installed my first legal or non-preinstalled copy of Windows, and I felt a distinct sense of pride at using something legitimate and legal, knowing that I wasn't breaking any laws to use my PC, even if I had to pay through the nose to get to that point.
I don't know about other people, but I'd feel the very same again after buying & downloading some DRM-Free, legal music from Apple, and knowing that I got my hands on some music at a dirt-cheap price (when compared to paying €25-30 for an album in HMV or Virgin), legally and legitimately.
I'd feel a lot better about listening to legally-downloaded albums since at least *some* of the money I spend might be getting to the people who deserve it (that 0.0001% or so that goes to the actual artists), as opposed to downloading albums off P2P and contributing nothing to the industry or the artists, regardless of my ethical stance.
Quote:
However, we've learned a hard lesson from Sony's rootkit debacle that people do not like "unknown" information encoded - particularly when it could be personal information above what Apple is normally entitled to.


Like everyone else interested in the matter, I'm curious to see what else is stored in the files.
Maybe it's naive of me to think so, but I don't think Apple would be stupid enough to walk the same road as Sony and end up with a PR nightmare on their hands.....at least I hope not.

Maybe someone could enlighten me as to why it really matters what personal information is stored in my .m4a files if nobody else is ever supposed to get their hands on my files anyway, since that's illegal and is the 'our side of the deal that we have to live up to' that I mentioned earlier?

In response to the fear that someone could steal your mp3s and distribute them, getting you into trouble...well, it's just a matter of being careful.
You don't leave your credit/debit card lying around for people to take it and use it to buy illegal items on the black market or somesuch, so why would you let anyone get their hands on your legal, non-shareable songs?
pendragon 4th June 2007, 18:35
meh, i dislike the thought of audio files being tracked to my computer... i'll stick with buying CDs I think.
quack 4th June 2007, 22:16
Good post Zurechial. Very well put!


pendragon, do you buy your CDs from high street stores with a debit or credit card? The marketing companies know what you're buying. Big brother is watching you. ;)
sadffffff 4th June 2007, 22:25
it's really the principle of the thing though. sure, if you're not planning on illegally distributing the music then you won't mind right? in theory that's fine. but then i suppose you wouldn't mind having a camera planted in your house to watch you and see if you're doing anything illegal? or how about having your phone lines tapped so we can know if you're saying anything bad? how about random drug tests on the streets?

i guess i'm saying that it's just not nice to be constantly treated like a criminal when you're doing nothing wrong. whether or not it invades your privacy.
Glider 4th June 2007, 22:42
No one treats you like a criminal? Haven't you ever put your name on something to mark it as "yours"? Same here...
Ramble 4th June 2007, 22:45
It's not that bad. I remember a few years ago (I actually had more money as well) that I would pirate everything (photoshop, games, even Norton IS *shudder*).

Now I try and pay for all of my software, I've realised it's not so good for the industry and pirating often leads to a bunch of problems. I don't need photoshop, paint.net is perfectly reasonable.

On this issue I support Apple, it don't work but better than some shitty DRM.
Zurechial 4th June 2007, 22:53
Thanks Quack :)
Quote:
Originally Posted by sadffffff
it's really the principle of the thing though. sure, if you're not planning on illegally distributing the music then you won't mind right? in theory that's fine. but then i suppose you wouldn't mind having a camera planted in your house to watch you and see if you're doing anything illegal? or how about having your phone lines tapped so we can know if you're saying anything bad? how about random drug tests on the streets?

i guess i'm saying that it's just not nice to be constantly treated like a criminal when you're doing nothing wrong. whether or not it invades your privacy.

There's a significant difference though, between having some personally-identifying details stored in a song file that nobody else is supposed to see in the first place (if you obey the law), and being under constant surveillance.
It's not a black/white comparison, and I don't think Big Brother fears can really be applied to this unless we see something genuinely disturbing in the unaccounted-for data, a la Sony's Rootkit.

I think it's safe to say that a large portion of the people who use iTunes, or would use it in the future, are people who have been availing of the free, convenient and illegal music on filesharing networks within the past few years and recently made the switch.
I don't advocate treating innocent music-listeners like criminals, but then, when offered the option of downloading free but illegal music from p2p networks, the majority of people in the past couple of years didn't turn that offer down, and they are, technically, criminals.

Apple have offered their side of the deal, and by doing away with DRM at all, regardless of the added price (a few extra cents in currency, or a few hundred kilobytes in filesize and ID info), they've made a step in the right direction.
I think it'd be immature of the opponents of DRM to not recognise that, and to not act accordingly in a fair and legal manner.

This reminds me of the recent debate in Ireland over whether random breathalyzer tests on drivers by the police should be allowed, in an effort to combat drink-driving.
I don't drink-and-drive, and apart from the minor inconvenience of having to stop for the procedure in the rare, off chance that I'd be one of the few drivers chosen to be tested, I don't mind.
I'd be glad to prove my innocence, and proud that I'm a sensible, conscientious driver who isn't as likely to kill someone else on the road because of alcohol.
Of course, in the interests of "human rights and freedom", this proposal was strongly opposed by many here.
Whatever happened to the human rights of the victims of drunk-driving accidents?
The freedom and human rights of someone who has done no wrong and who is a victim of illegality are a lot more important to me than a minority of criminals who can negatively impact on the rights of others, and I'll gladly compromise some of my own rights to protect those innocent people.

The same rings true, for me, with Apple's ID information in the songs, while it's a far lesser inconvenience than being stopped and breathalyzed.
I have nothing to hide if I don't share the songs illegally, and some innocuous ID info in a song that nobody else will see isn't the same as having my every action surveilled.
Sure, my money is going to the 'big, evil' corporations like Apple, and the detestable RIAA, but some of it is also going to the artists, and no laws are being broken nor any harm done, when someone buys and downloads a song from iTunes.

Don't get me wrong, I'm no fascist, and if the unaccounted-for data turns out to have anything bearing even remote resemblance to a rootkit, or anything that genuinely compromises the consumer's rights in some way other than merely identifying them, then my stance would change, but until then I'd be comfortable with that extra data in the songs.
Constructacon 4th June 2007, 23:56
Quote:
Originally Posted by Zurechial

The freedom and human rights of someone who has done no wrong and who is a victim of illegality are a lot more important to me than a minority of criminals who can negatively impact on the rights of others, and I'll gladly compromise some of my own rights to protect those innocent people.
That's the start of a slippery slope there. Governments all around the world are currently encroaching on our personal freedoms with just that argument.

I agree that there's nothing wrong with encrypting the purchaser's name in the song as that's only a good thing to stop piracy - however we should be being told what else is there and then having the choice whether to use this service or not (personally I don't use iTunes at all - I'd rather listen to quality music).
Zurechial 5th June 2007, 00:33
Quote:
Originally Posted by Constructacon
That's the start of a slippery slope there. Governments all around the world are currently encroaching on our personal freedoms with just that argument.

I agree with you there, actually. That argument can be taken too far, and there needs to be an element of common sense in the decisions that are made.
The only thing I'd preach about the whole situation is exactly that; common sense.
I'd rather see people acting rationally about all of this, than jumping to sensationalist conclusions about something which we don't even know all the details of yet.

Quote:
I agree that there's nothing wrong with encrypting the purchaser's name in the song as that's only a good thing to stop piracy - however we should be being told what else is there and then having the choice whether to use this service or not (personally I don't use iTunes at all - I'd rather listen to quality music).


Agreed again, I didn't think of that issue, but Apple should really have told its (potential) customers that it was doing this.
I don't use iTunes myself, either, I still buy CDs since my favoured music isn't usually available on iTunes, but my hope is that it will eventually incorporate more labels and genres and more of the obscure music out there, or that serious competitors to iTunes will form, along with smaller 'specialty' stores of a similar nature.
sadffffff 5th June 2007, 00:34
the surveillance was a bad comparison in a way. with surveillance you're being watched constantly, not so with a tag like this.

i guess the best i can do to describe this feeling would be if you bought a cd in a store and before they gave it to you they somehow (if they could) tagged your info into the cd data. not to write your name on it saying you own it, but to be able to fingerprint you if your music were to end up somewhere else.

or you go to buy anything else that could feasibly be used for crime...hang on buddy before you buy that spray paint we have to tag it in case you vandalize something. wait up, before you get that cd burner we need to write your info in the rom so we can find you if you burned a copy of some software. we have no reason to believe you might do that but what if you do!!!!?! what ever happened to innocent until proven guilty?

asinine.

also, what if you want to sell this stuff? it's all tagged to you, can we suddenly not sell this stuff if we don't want it anymore? (is that an agreement on itunes, that you can't sell your license). DRM free? not really, it's just been lessened. If i can treat this music like a cd i buy in a store, then it will be drm free. move it to a different device to playback, back it up, resell it, buy it 2nd hand...etc
Havok154 5th June 2007, 05:30
I don't see the point of adding it. I'll wager that within 2-4 weeks, we'll see a program that will automatically strip the info from the music, making any reason for it to be there null and void. If people were going to illegally distribute music, I really don't see them buying it from iTunes first, then sharing that. If anything, it'll be along the same lines as someone burning off their DRM'ed itunes onto a CD for their friends. People who share insane amounts of music usually won't pay for it to begin with.

Either way, I could care less what apple does. All the music on my computer comes from my CDs that I rip into MP3.
Laitainion 5th June 2007, 10:46
Quote:
Originally Posted by Zurechial
I agree with you there, actually. That argument can be taken too far, and there needs to be an element of common sense in the decisions that are made.
The only thing I'd preach about the whole situation is exactly that; common sense.
I'd rather see people acting rationally about all of this, than jumping to sensationalist conclusions about something which we don't even know all the details of yet.

I agree with the spirit of what you say there, but when it comes to thinking about the personal freedom, rights and privacy you have to ask how they are being infringed and who it benefits. In this case it only benefits the music industry and the RIAA. To me this is not a good enough reason at all, even though the infringement is tiny as the motivation is simply profit and greed.
The only acceptable reasons are those that directly relate to public safety, and then only after careful consideration of the implications.

Gun ownership registration is a good example of this, as controlling the circulation of guns can reduce the number of crime related killings. This tagging serves only a parasitic organisation (mainly the RIAA).
Zurechial 5th June 2007, 13:51
Quote:
or you go to buy anything else that could feasibly be used for crime...hang on buddy before you buy that spray paint we have to tag it in case you vandalize something. wait up, before you get that cd burner we need to write your info in the rom so we can find you if you burned a copy of some software. we have no reason to believe you might do that but what if you do!!!!?! what ever happened to innocent until proven guilty?

I don't really see the problem with measures like that, you're still innocent until you commit the crime, and you're being treated as such.
Having your details encoded into the product as a preventative measure against crime isn't the same as prosecuting someone for the crime - It bears no impact on their legal use of the product and simply doesn't affect their rights.
If you're suggesting that not being allowed burn illegal copies of your CDs is an infringement of your rights, then by that token so is every law in civilized society that you abide to.
By that token, there should be no laws against theft or murder, because we're all innocent until proven guilty and apparently 'nobody' will do those things anyway.....right?......right? Wrong.
When you consider that the majority of people who listen to music on their computer or mp3 players would, and have, broken copyright laws with what they think are harmless actions, you can perhaps see the justification of seeing anyone as a potential copyright-infringer.
We're all guilty of it, and we can't get pissy because someone takes away our potential to break a law already in place that we should be abiding anyway.
Quote:
Originally Posted by Laitainion
I agree with the spirit of what you say there, but when it comes to thinking about the personal freedom, rights and privacy you have to ask how they are being infringed and who it benefits. In this case it only benefits the music industry and the RIAA. To me this is not a good enough reason at all, even though the infringement is tiny as the motivation is simply profit and greed.

I'm not sure that I agree with this line of thought.
Do the publishers, distributors and creative artists not deserve to get money for their product?
It benefits someone with an entirely negligible impact on the consumer (as far as we can tell right now).
Just because it benefits the 'evil' corporations, alongside the artists who deserve to get paid for their creations, doesn't make it a bad thing, when you consider that maybe they actually deserve to get paid for the product that they market.
The artists need the labels and publishers to get their music out there, and without one or the other we'd have no music industry.

I'd prefer to see 90% of the money going to the artists who actually created the music, and the rest going to Apple and the 'evil' corporations, but then that's not going to happen in the foreseeable future in the real world and it's a different matter for discussion.

As far as I'm concerned; if protecting the relatively small percentage of profit going to the artists who deserve it comes with the necessary evil of also protecting the money going to the publishers, RIAA, etc then so be it -
The artists already get screwed over enough as it is, without their fans doing it to them too.