It's only been a few days since Apple released DRM-free music upon the world but already the critical eye is upon it. If you think that no DRM means that there's no personally identifiable info in your music, you'd best think twice. The new iTunes Plus files contain more than you might think.
Reports have been surfacing across the net over the weekend that the new tracks contain some user info, and they are dead-on. The new tracks do indeed have the purchaser's username encoded directly into the .m4a file. The trend was further investigated by the EFF (Electronic Frontier Foundation), a world-wide digital rights group. Apparently, downloading the same song on two different computers can amount to substantially different files.
According to the study, there is no auditory watermark, which was the first thing considered. The audio in two copies of the same song did indeed produce the same checksum once converted to .wav format. However, one file was 360KB larger than the other - which is no small difference. On closer examination of the .m4a files, there appears to be a rather large table buried in the song that contains different data in each version.
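The comparison described above can be reproduced by walking the atom (box) structure of two .m4a files and hashing each atom's payload, which shows which parts differ and by how much. This is an added example, not code from the EFF or the original article; the two sample files are constructed inline, and the atom names `usr1` and `tbl1` are hypothetical stand-ins, not Apple's actual layout.

```python
import hashlib
import struct

# Standard MP4 boxes that hold child boxes rather than raw data.
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta"}

def walk_atoms(data, start=0, end=None, path=""):
    """Yield (path, payload_size, sha256_hex) for every leaf atom."""
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack(">I4s", data[pos:pos + 8])
        header = 16 if size == 1 else 8      # size 1 means a 64-bit size follows
        if pos + header > end:
            raise ValueError(f"truncated atom header at offset {pos}")
        if size == 1:
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
        elif size == 0:                      # atom runs to the end of its parent
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"malformed atom at offset {pos}")
        name = f"{path}/{kind.decode('latin-1')}"
        if kind in CONTAINERS:
            yield from walk_atoms(data, pos + header, pos + size, name)
        else:
            payload = data[pos + header:pos + size]
            yield name, len(payload), hashlib.sha256(payload).hexdigest()
        pos += size

def diff_atoms(a, b):
    """Return {path: (size_in_a, size_in_b)} for atoms whose payload differs.
    Simplification: repeated sibling atoms with the same path are collapsed."""
    left = {p: (n, h) for p, n, h in walk_atoms(a)}
    right = {p: (n, h) for p, n, h in walk_atoms(b)}
    return {p: (left.get(p, (None,))[0], right.get(p, (None,))[0])
            for p in sorted(set(left) | set(right)) if left.get(p) != right.get(p)}

def atom(kind, payload):
    """Build one atom: 32-bit big-endian size, 4-byte type, payload."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

# Constructed sample files: identical audio, different per-purchase data.
AUDIO = atom(b"mdat", b"\x11" * 64)
FILE_A = atom(b"ftyp", b"M4A ") + atom(b"moov", atom(b"udta",
    atom(b"usr1", b"alice") + atom(b"tbl1", b"\xaa" * 40))) + AUDIO
FILE_B = atom(b"ftyp", b"M4A ") + atom(b"moov", atom(b"udta",
    atom(b"usr1", b"bobby") + atom(b"tbl1", b"\xbb" * 400))) + AUDIO

if __name__ == "__main__":
    for path, sizes in diff_atoms(FILE_A, FILE_B).items():
        print(path, sizes)
```

On real purchases, read each file with `open(path, "rb").read()` and pass the bytes to `diff_atoms`; an unchanged `mdat` alongside differing metadata atoms matches the identical-audio, different-size result described above.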
The huge size difference means that this isn't likely just a user name, which has already been identified as present in the header. It also isn't just a mild encryption that would help keep the song's origin identifiable even if it were stripped of that header information. No, whatever it is will likely be examined very thoroughly, but it is quite unknown at the moment. What ARE you keeping in there, Apple?
In some respects, this should be a non-issue. The point of DRM-free music is not to let everyone share it, so a unique identifier as to the legal source of a file should not be a cause for concern (though it undoubtedly will be). However, we've learned a hard lesson from Sony's rootkit debacle that people do not like "unknown" information encoded - particularly when it could be personal information above what Apple is normally entitled to.
We may be waiting a little while before the truth of the table is found - but maybe Apple will be wiser than Sony and come clean about what it contains before a hacker has to. It might go a long way toward building trust with a company that has been making its name recently as a hero in the fight for user rights.
Do you have a thought on the inclusions? Is it enough to put you off from buying those DRM-free tracks until you know exactly what is being put in there? Sing us your song in our forums.