RealNetworks changes privacy policy under scrutiny

The company quietly changes its privacy policy to disclose a controversial practice of tracking Net music listeners through unique identification numbers assigned to its software.

RealNetworks quietly changed its privacy policy this weekend to disclose a controversial practice of tracking Net music listeners through unique identification numbers assigned to its software.

The practice was reportedly discovered by Richard Smith, a Massachusetts-based independent security consultant, who had examined information generated from RealNetworks' RealJukebox software. The story was first reported in this morning's editions of the New York Times.

The company confirmed today that an identifier existed that could be used to keep tabs on what users are playing and recording. Although many Web sites track users' habits, RealNetworks had not previously disclosed its practices in its privacy policy, which is certified by the Web privacy seal program Truste.

Without explanation this weekend, RealNetworks added a section to its privacy policy stating that users are assigned a "Globally Unique Identifier" (GUID) when they download its RealJukebox software to copy or play digital music via their computers. RealNetworks confirmed that the policy was changed and that it would release details about it later today.

"I don't know when that change took place, but we'll get a response out by noon," RealNetworks chief operating officer Thomas Frank said today. "Any of the information we've been collecting has been designed to make the best experience for the user."

While writing a letter to Truste calling for an investigation of RealNetworks' privacy practices, Jason Catlett, founder of Junkbusters, a clearinghouse for privacy-protection measures, discovered that the policy had been changed.

"When I was writing that letter on Sunday night, I found that suddenly the GUID was described in their policy, and that wasn't there on Friday, because I have a copy of the policy that was there on Friday," Catlett said in an interview.

The revised privacy policy makes clear how the GUID is used. "We may use GUIDs to understand the interests and needs of our users so that we can offer valuable personalized services such as customized RealPlayer channels," the new policy states. "GUIDs also allow us to monitor the growth of the number of users of our products and to predict and plan for future capacity needs for customer support, update servers, and other important customer services."

Privacy advocates warn that user IDs can be used to build profiles on Net users, combining surfing habits with personal information such as the home addresses and credit card numbers gathered by RealNetworks in its licensing agreement with RealJukebox users.

The profiles could be used for marketing, but if they are stored by a company they also could be subpoenaed by law enforcement officials during an investigation.

Although the policy discloses the practice, Catlett says that the practice is still invasive and that Truste should reprimand the company. "It's shameful and unacceptable that they are tracking people like packages without telling them," he said. "I have asked Truste to determine whether this is a breach."

Truste, which licenses out its privacy seals and monitors whether companies are in compliance with their data-collection policies, said today that it will investigate RealNetworks' practices.

"Anytime the privacy statement changes, it's of critical concern for us because we certify that the practices are in line with the policy," said Dave Steer, Truste's communications manager.

"We will look at whether they knew what they were doing, why they were doing it, and [whether] they intentionally left it out of their statement until there was public outcry," he added. "We are really concerned about what is going on, and we're going to look at whether RealNetworks is breaching its contract with Truste."

Another test for self-regulation

How Truste handles the RealNetworks complaint will be closely watched by privacy advocates, who have long contended that industry guidelines are no substitute for stricter consumer-protection laws.

Voluntary programs such as Truste have been lauded by the White House and the Net industry as a key solution for protecting consumers' online privacy, but consumer groups argue that they lack enforcement. If a site fails to comply with its Truste-certified privacy policy, it could have its privacy seal revoked, or in the worst case a complaint could be filed with the Federal Trade Commission.

But as the RealNetworks privacy policy switch also shows, sometimes the policies themselves are not true reflections of a company's online data-collection practices, or they may not be detailed enough. This is not uncommon, according to a study released in May by Mary Culnan of Georgetown University's McDonough School of Business.

Culnan's Georgetown Internet Privacy Policy Survey examined 364 ".com" sites that were randomly selected from the 7,500 most-visited Web sites. Although 65.7 percent of the sites have privacy policies or give notice that personal information has been securely transmitted, only 9.5 percent of the sites had an "adequate" privacy policy, the study found.