EU expands privacy probe to music apps

Because many European nations have strict privacy laws, the EU is trying to hammer out policies to deal with the numerous new products that share people's personal information--even if the data is only collected and stored in aggregate form.

In a new working document adopted May 30 and recently made public, an EU data-protection group studied the many challenges of enforcing privacy protections when it comes to technology that tracks people without their knowledge, such as cookies and scripts.

It also extended the group's privacy study to include music software.

"The directive would also apply to information collected through spywares, which are pieces of software secretly installed in the individual's computer, for instance, at the occasion of the downloading of bigger software (e.g. a music-player software) in order to send back personal information related to the data subject (e.g. the music titles the individual tends to listen to)," the working document said.

Microsoft and RealNetworks produce the most popular music-player software. Last week, RealNetworks renewed its deal with Gracenote, whose software provides computer users with information about the songs on a CD. The company's data can be aggregated for marketing purposes to learn, for example, that a certain number of people listened to a particular U2 song.

A RealNetworks spokeswoman said the EU has not contacted the company and that it doesn't tie information about listening habits to individual consumers.

"We're very open in our privacy policy," said RealNetworks spokeswoman Erika Shaffer, adding that people can opt out of using the Gracenote software. "We are always happy to work with organizations that have issues around privacy."

EU representatives could not be immediately reached for comment.

The EU is actively trying to ensure that its citizens are protected from privacy violations and is particularly concerned with companies and sites outside the EU that may have more lax rules about the sharing of personal information. The regulators already are examining the privacy implications of Microsoft's Passport network and have suggested laws that would prohibit sending spam or cookies to Web users without their explicit permission.

In addition, file-swapping services and other software have raised privacy concerns by installing tracking software on people's computers without notifying them directly.

The list of companies using so-called adware and spyware has grown longer in recent months, as music and instant messaging companies have jumped into the consumer-tracking fray in an effort to improve their bottom lines. For example, the popular Kazaa file-swapping program has been installing software that essentially gives advertisers a direct pipeline into people's computers.

The privacy issue highlights the challenges of jurisdiction on the Internet, including whether a particular country can pursue a foreign company just because citizens there can access its Web site. Differing privacy standards already have led to clashes between the European Union and the United States, which lacks strict privacy laws. The Bush administration has told EU regulators that their strict privacy standards could hinder companies from doing legitimate business in the region.

But the EU isn't entirely against data collection. Regulators are also working on crime-fighting initiatives that would require some telecommunications companies to store unprecedented amounts of data, a move that's come under fire from some European privacy groups.