Is Apple collecting information about you?

My turn in the barrel? Here we go...

The way I see it, Apple has been at the very least, irresponsible in their handling of the Ministore, and quite possibly deceitful. One thing is certain. It's been almost three months since iTunes 6.0.2 and the Ministore were released, and all of the big questions are still unanswered. As a Mac user, some of the blame for it goes to me, and to all of the Macintosh loyal base, for defending Apple without question, as we have been in the habit of doing for years. We have gotten so good at it that Apple only had to keep quiet while the Mac faithful shouted down the critics, but never answered them. If only Sony had invested in customer loyalty instead of the Xbox.

When iTunes 6.0.2 came out on January 10th, the new "Ministore feature" was not announced to the public. There were no press releases for the new Ministore, and the press had no advance notice, as is usually the case.
On that same day, Steve Jobs was on stage at Macworld, giving his keynote speech and showing off all the cool new stuff, but he never mentioned the Ministore.
When Software Update popped onto my screen, and said that there was a new version of iTunes, there was no mention of the Ministore. I was told by Software Update that 6.0.2 was a performance, stability update, and that's all it said.

I guess the first question would be, If Ministore is a feature, put there to enhance the Mac experience, why was Apple trying to hide it, or at the very least not draw attention to it?

Those who were paying attention, or using "Little Snitch," figured out quickly that this new feature was phoning home, a lot! At that point things got a bit pear shaped because people assumed the Ministore was sending A) their entire Hard Drive, or B, their entire iTunes catalog to somebody.
Neither of these things were true, but the main issue was unavoidable.

Apple had installed software that was monitoring and reporting back to them about files on our local networks. It did it without asking, without telling us what information was being reported, without telling us who the information was being sent to, and without telling us what the information was to be used for.

You know, ... Spyware!

Every Mac blog and website was writing about "Apple's Spyware". Anyone reading this who doesn't think Apple was watching and probably sweating a little, must have missed the Sony drama just two months earlier. I'm not saying that the Ministore is as bad as a rootkit. I'm saying that bad PR can take on a life of it's own, and everyone on the internet was a already a bit paranoid because of Sony. Apple knew the situation, so what do you think they did?

Did they speak up and explain? Not a word. Did they post about peoples concerns on their website? Not a pixel!
It was left to the online community to find out what was going on, and to their credit, they did.

Merlinmann and Since1968.com found that... "if you launch iTunes on a Mac with the new MiniStore open (and it?s open by default), iTunes attempts to contact 207.net, otherwise known as Omniture." http://since1968.com/article/155/omniture-itunes
To make matters worse, Omniture tries to hide behind a fake local address, to fool users into believing that what they are seeing is a LAN communication. Why would a company with nothing to hide do something so deceitful? Hmmm.

Michael Griffin and Kirk McElhearn discovered that the Ministore was sending quite a bit more than just the name of a song. Part of the information sent is your Apple ID. http://www.mcelhearn.com/article.php?story=20060112175208864
That's important enough to say again.
PART OF THE INFORMATION SENT IS YOUR APPLE ID!
To make matters worse, all of the information sent, including the Apple ID, is sent in cleartext, which is a violation of Apple's own "Customer Privacy Statement".
It says, in part....
"The Apple Online Store and iTunes Music Store use Secure Sockets Layer (SSL) encryption on all web pages where personal information is required. To make purchases from the Apple Online Store or iTunes Music Store, you must use an SSL-enabled browser such as Safari, Netscape Navigator 3.0 or later, or Internet Explorer. Doing so protects the confidentiality of your personal and credit card information while it?s transmitted over the Internet." http://www.apple.com/legal/privacy/
Is your Apple ID "personal information? I'm pretty sure mine is.

So, do you think Apple recalled the software? Not on your life! Did they call a press conference or issue a public statement or send e-mails to everyone at .Mac? No. The only sign that Apple was aware of the problem at all, was from a Macworld editor, who said that, "an Apple official told Macworld that the iTunes MiniStore feature does not collect any information from users." http://www.macworld.com/weblogs/editors/2006/01/ministore/index.php

Ah, well, case closed then, right? Nothing to see here, right?

This is where I must part ways with the "loyal Mac base".
As far as I'm concerned a second hand statement from an un-named source isn't quite good enough to clear up issues this serious. Add the fact that the "answer" did not clear up or even address most of the issues, and was in direct opposition to the facts ( I'll explain in a moment), and you may see why I didn't consider it any comfort.

The Mac fans, on the other hand, took this information and ran with it like Johnny Appleseed on crack. Every blog and every forum, had a Johnny ready to jump on anyone who who typed the word spyware, or adware, or privacy. Within days that one statement had grown into every tool needed to defend Apple.
An actual post.
Post: Well, it seems Apple is responsible for developing spyware and adware in the latest version of iTunes
Johnny: This is false, total BS, and should not be propagated, it has been debunked numerous times.

Boing Boing and Slashdot reported it as "An Apple spokesman" (reliable word has it that it was Steve Jobs himself) told MacWorld that Apple discards the personal information that the iTunes MiniStore transmits to Apple while you use iTunes." http://www.boingboing.net/2006/01/11/steve_jobs_apple_dis.html
So now we have a third hand statement that it was Steve Jobs who made the call to Macworld. I'll go out on a limb here and speculate that if it was Steve, Macworld would have said so.

The Channel Register in the UK reported, "...Apple this week contacted a number of websites to insist that the feature not only doesn't record the data it grabs, but when the MiniStore is disabled, no such data is sent back to the ITMS servers." http://www.channelregister.co.uk/2006/01/12/itunes_602_spyware_claim/

So far, I have run across exactly one of these sites other than Macworld above. It was MacOSXhints Rob Griffiths, and you'll never guess what he wrote!
"I have just received confirmation from Apple directly (from a confirmed source I trust implicitly) that absolutely no information is being collected from the MiniStore (though clearly data is sent to make the feature work)... ...So I'll apologize for jumping to conclusions, but not for helping bring the issue to light. And thanks to Apple for clarifying that no data is collected; you didn't have to contact me directly, yet you did, and I appreciate that." http://www.macosxhints.com/article.php?story=20060111071001306&lsrc=osxh

That's right! Another second hand quote from an un-named source! I'm starting to see a pattern here, and a puzzle.

Apple Computer is a multinational company with a public relations department that knows how to issue a press release, and a website that is designed to inform their customers about Apple products, so why was such an important statement only issued second hand by a source who didn't want to be named?
I can think of one reason. Deniability. Please feel free to post any other reasons that you feel I might have missed.

Why do I say that the "statement" was in direct opposition to the facts?
1) Omniture's main source of income is reading log data from web sites, and reporting trends over time. What use is sending them information, if they don't keep it long enough to establish any useful trends?
2) The Apple ID is sent to Omniture. Not only is this the mother of all "personally identifiable" information, but it has no use here if the information is not kept. The IP address, sent with every internet transmission, is all that is needed to get the right ads to the right computers.
3) As a former webmaster, I know that the servers where those ads are stored keep logs of every request for information, and of every ad sent out.

Apple's "Customer Privacy Statement" confirms this.
"As is true of most Web sites, we gather certain information automatically and store it in log files. This information includes internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data.
We use this information, which does not identify individual users, to analyze trends, to administer the site, to track users? movements around the site and to gather demographic information about our user base as a whole. Apple will not use the information collected to market directly to that person." http://www.apple.com/legal/privacy/

Doesn't the last sentence sound kind of silly, considering what the Ministore is for?

When you add the Apple ID to the server logs, every bit of information is "personally identifiable".

Some people are thinking... "Where's the problem? I don't care who knows what music I listen to".

There are many problems. Here's one. Apple makes it plain in the EULAs and the Privacy Statement, that they collect information when you "interact" with them. Go to their web site, go to the iTunes music store. call them, visit the Apple store, or post on their forums, and you can expect Apple to collect some information. They tell you they are going to do it.

Everyone understands that when you are on the internet or Apple's servers (the WAN), you are being observed and the information is logged. Now Apple is getting you comfortable with the idea that it's OK to observe you and collect data while you are on your private system (the LAN). They are doing it with small unimportant bits of information so you don't really notice or care, but the precedent has been set. Using an unimportant bit of data like what song you are listening to, Apple has made a huge step tward blurring the line between public and private.

I suppose a good lawyer could make the case that when you use the iTunes software, you are "interacting" with Apple. If you accept this, opening the door for other software developers to make the same claim, who will be next? QuickBooks? Adobe? Microsoft? Is it OK for them to look over your shoulder while you use their software?

To date, Apple has not made a single public statement on any of this.

To be fair, I should point out that Apple has put a page up in their Knowledge Base (#303066), titled "How to show and hide the Ministore in iTunes".

I don't consider this very relevant because, A) it does not address any of the important questions, and B) a single page, buried deep in Apple's site, with no obvious links to it, didn't really help anybody. The only relevant information on it was; "iTunes sends data about the song selected in your library to the iTunes Music Store to provide relevant recommendations. When the MiniStore is hidden, this data is not sent to the iTunes Music Store."

Hardly a complete answer, in so many ways.

On the Apple forums, any thread that was critical was locked. Any post that was critical or asked to many pointed questions, was removed. If I put this post on Apple's forum, in the iTunes area, it wouldn't last an hour. I know this because Apple has removed two of my posts, and locked 4 threads after I posted on them.

Of course I could be wrong about all of this.

It may turn out that Omniture being sent information was a mistake, and that sending your Apple ID was a software bug. The press release got sent to the wrong e-mail address, a server crashed without backing up first, and the only information lost was for the Ministore, and for the how-to page titled "Running OSX on a Dell". Since the beginning, the information from the server logs has been automatically wiped 512 times a second ... and I need a tin foil hat.

Well Apple? is that what happened? How about filling us in? How come you didn't call me?

Anyone else have the answers and want to speak on Apple's behalf? I'm all ears (and tinfoil).


Lampie The Clown
Mac Addict since 1985

Well, all I know is I was thinking of buying an Apple system because I was unhappy with Windows crashing at some of the worst times for me. I am just a regular user of word processing and play an occasion game with my computer. Nothing fancy here. I resent any company knownly collecting information without my explicit permission from me. Or, if they intend to harvest that information, I have the choice of whether or not I want them to have it. These techo pimps that offer me a product or service, than hide behind my back and start collecting data on my buying habits or use of certain software or where I choose to visit on the Web make me sick. It is that kind of arogance that makes the general public (people like me)want to have legislation created to outlaw such activity. If the upper echelons of these companies can't see the harm that they allow or allow any subordinate to violate the public trust then it shouts loudly that they have zero moral character and they like their products should be shunned by the public and if they go out of business - OH WELL!!
But since boundaries have no borders these days and we find ways to explain our actions away or just ignore the criticism and squash dissent the likely idea of this being exposed for what it is is unlikely.
If they only cared enough about the harm they are doing.

It is obviously unacceptable for any organisation to harvest information from individuals, not only covertly but without stating the information they are gathering, who will have access to it and how that information will be used. (But it's happening more and more.)

The sad irony is that I am sure many of us would willingly hand over certain types of personal information providing there was a guarantee that it would be acted on. In particular, I would like the following information to be logged by agencies worldwide:

- I do not need V-I-A-G-R-A, regardless of how many variations you can create on the spelling. Please stop emailing me.

- I do not buy junk bonds. Please see above.

- I do not believe that you can sell me any piece of software Microsoft has ever developed for $49. (For legal reasons, I am not prepared to comment on whether this proposition represents value for money.) Please see above.

- My business does not need any drinks/food vending equipment. Please seriously consider how much better both our lives would be if you threw off your telephone headset, made love and expired.

- We also have a photocopier. Please see above.

- And enough stationery. Please see above.

- No you can't speak to the managing director. Please see above.

...and that's before we get onto the topics of the junk we get fed on our mobiles and home phone numbers.

Technology is making us more and more connected. But we are paying a price for that. More and more, we are seeing services we didn't ask for 'in our faces'.

When we pay to gain connectivity to the outside world - whether that be ISPs, computer suppliers, phone companies, whatever - the deal should be simple.

We pay money. They deliver.

I believe that there should be international legislation to cover data collection but there should be equal attention to limiting the use of individual's contact details.

What worries you most: the idea that someone out there knows you downloaded the latest Franz Ferdinand album, or the fact that you've just started eating when someone calls you out of nowhere to ask if you're intertested in installing a swimming pool?

I noticed without even LittleSitch, that as soon as I start playing some tune with iTunes, picture of its album mysteriously appears. I did not load that tune from Apple. Is that picture embedded in music?
To me it is not that important what Apple knows about me. Thay can observe me with my wife and my lover, for what I care, but what do they do with that information worries me. If they broadcast that information to some countries when certain sex acts are punishable by stonning and their religious leader sends assasins to kill me and/or my partners, the whole North America is in big trouble.

I wrote Apple an e-mail, addressed to privacy@apple.com, asking for answers to some privacy questions. For the record, here's the e-mail I sent.

Apple,
I'm writing to ask some questions that were brought up on the CNET Mac forum concerning privacy, and Apple's collection of personal information.

Most of them have to do with the Ministore. While you have covered the privacy issues in other areas, the Ministore is a different animal, and much of what is presented does not apply,

1) Cookies. As I understand it, the Ministore stores it's cookies in the plist, and they are used by the Ministore. The Privacy Statement tells how to turn off cookies in a web browser, but not in the Ministore. Please instruct.

2)The Apple website says ''iTunes sends data about the song selected in your library to the iTunes Music Store to provide relevant recommendations''. Now I'm told that there is more information transmitted, including my Apple ID. Once and for all, what information, including the cookies from question one, is transmitted, to who, for what purpose?

3) Apple has stated that they do not collect the information sent by the Ministore. The Privacy Statement says that you keep and use the server logs. Which is correct? Couldn't the server logs be used with the Apple ID to rebuild all of the information sent by the Ministore?

4) What service is Omniture performing with the information sent to them from the Ministore?

5) when will the privacy statement and the EULA be updated to reflect the Ministore?

Thank you for your time.


Here's the reply I got!

Dear Customer,


Thank you for bringing to our attention your concerns about the new MiniStore feature in iTunes 6.0.2. Please be assured that we take our customers' concerns about our products and services very seriously, and that Apple is committed to respecting the privacy of its customers. We are looking further into the concerns you have raised. Please note that we do not store any data sent to the iTunes Music Store in connection with this feature. You also may turn off the feature in iTunes, so that no such data is sent to the iTunes Music Store, by choosing Hide MiniStore in the Edit menu. For additional information and instructions, please read this technical support article, available from Apple's website:
http://www.info.apple.com/kbnum/n303066

Thank you for your interest in iTunes and the iTunes Music Store.

Sincerely,

The iTunes Music Store Team
http://www.apple.com/support/itunes/ww/

Question: Did ANY of the questions get answered?

At first glance their statement, ''We are looking further into the concerns you have raised.'' might make one think something was accomplished, but think about it. It doesn't take a genius to figure out that 3 months after the Ministore was released, the answers to these questions shouldn't require ''looking into''. They KNOW the answers. These are not tricky questions.

''The iTunes Music Store Team'' doesn't know what information is sent?
They don't know who it is sent to?
They don't know why?
They don't know what information is available from the Music Store server logs?
They don't know why Omniture is involved?
They don't know when the privacy statement or the EULA will be updated?

After 3 months, my e-mail has caused them to ''look further''?

Quick, before the magic runs from my keyboard, what's the e-mail for the White House, Kremlin, and Post Cereal? ( I like the old Alpha-bits better than the ''improved'' version. What can I say? )

For all other Apple software titles these questions are answered in the privacy statement and the EULA. When it comes to the Ministore, Apple for some reason, thinks it's better if we don't know.
On top of that, The iTunes Music Store Team would rather look like idiots than admit they know the answers to these simple questions.

Anyone want to guess why?


Lampie

Saw this posted at The Tribe. http://osx.tribe.net
It's a rewrite of Apple's description of the Ministore. The author of the post goes by Trog.

''As you select items in your Library, information about that item is sent to both Apple and a data analysis firm in Ogden, Utah. Your Apple ID, which uniquely identifies you, your address, and your TRW report in the event you have ever bought anything from the Apple store, is sent as well. The MiniStore will then show you related songs or videos. What the firm in Ogden does we'd prefer not to say.
Apple does not keep any information related to the contents of your music Library. Note that we said Apple does not keep the information. Apple is not in Ogden. We aren't prepared to make a statement about whether the firm in Ogden keeps your private data and we'd like it if you would stop asking.''


Sounds about right to me.

Lampie