The RealJukeBox monitoring system


Richard M. Smith ([email protected])
October 31, 1999

Recently, I downloaded and installed the RealJukeBox player software on my Windows 98 laptop. The player is available at no charge from RealNetworks at http://www.real.com. It can be used to play music CDs, as well as record them to music files on a hard disk for future playback. Since its release in the summer of 1999, more than 12 million copies of the software have been downloaded.

Unfortunately, I quickly discovered that the RealJukeBox software is sending off information to RealNetworks about what music CDs I listen to, along with a unique player ID number that identifies who I am. I also found that the RealJukeBox sends back to RealNetworks, on a daily basis, information on how I am using the product. It reports things like how many songs I have recorded on my hard drive, the type of portable MP3 player I own, and my music preferences.

This monitoring system, built into the RealJukeBox software, has the potential for being used as a powerful profiling system to help market new CDs and related products at the expense of personal privacy. The remainder of this write-up documents how the monitoring system is implemented and some of its potential uses and/or misuses.

The RealJukeBox is now the default music CD player on my Windows system. I noticed that each time I play a music CD in my computer's CD-ROM drive, the RealJukeBox player shows the name of the CD, the artist, and a list of all songs on the CD. This is a pretty handy feature if one wants to only listen to or record one or two tracks on a CD. All of this information about the music CD is obtained from a Web server at RealNetworks. This information is downloaded in parallel when a CD starts playing.

I decided to put a packet sniffer on the RealJukeBox player to see exactly what information is being transmitted from my computer to the RealNetworks servers. Much to my dismay, I found that in the HTTP GET request for the CD information, the player is including a unique GUID serial number for my copy of the software.

Here is what a sample request looks like:

GET /query.html?cmd=cddb+query+6f0fe407+7+150+74670+107840+146875+
196050+215005+256182+4068&hello=realuser+real.com+
"RealNetworks+RealJukebox"+1.0&proto=4 HTTP/1.0
Accept: text/html
user-agent:RealNetworks RealJukebox
host:cdinfo.real.com
X-Taiko-AppGUID:3d7460c0-83b6-11d3-a67f-444553540000
X-Taiko-AppVersion:1.0.0.438
X-Taiko-AppDistCode:RJ04
X-Taiko-AppBuildType:FREE

The music CD I am listening to is identified by an "electronic fingerprint" called TOC numbers, which are passed in the query string of the URL. These TOC numbers are read from the CD. My unique player ID number is sent in the "X-Taiko-AppGUID" HTTP header of the GET request.

My assumption is that the same GUID was sent to RealNetworks when I registered my copy of the player. Checking in the Windows 98 registry, I found the following URL that was used by the RealJukeBox player to register my software:

http://registration.real.com/60ereg/RealJukebox.html?
cw19q1wnACrfizsCrekm6u92mxx5zgi3t6zgtxort
6w4w6C1wmB2zgxl3k3ccijdsee4E2b7sA786074fh
4etx2qmfllpcghsmc4E6smc4E6Csc4E6tmc4E6ehs
4o9Aj29E6Cpd4E6avhA6awz54E6v2hjuabpfEqcjB
Cm48rdDvx71x12Eep35s2fvng2E69tABm7kg25i7j
c2uy7Ehqjm6Et0ry7vCdBke8rtAy744yCm7bvczs7smc4E6

Unfortunately, the registry entry is encrypted so that it cannot be easily read. However, a computer consultant from Australia that I know, Geoff Chappell, volunteered to decrypt the URL for me. With a few hours of work, he was successful. He found that the following registration information is sent to RealNetworks:

RealJukebox
United States
02446
RealJukebox
000000000000100001B6000500007FF7FF00
RJ04
Win98
586
English
1.0.0.438
3d7460c0-83b6-11d3-a67f-444553540000

(Geoff's home page is http://www.ozemail.com.au/~geoffch/)

Geoff was also able to decode the following registry entry for the RealJukeBox player, which contains my player GUID:

[HKEY_LOCAL_MACHINE\Software\CLASSES\Software\RealNetworks\RealJukebox\1.0\Preferences]
"Rotuma"="gfejehcihjekeicmeoioqpqtprjrktlufkhgkihlhjhkjiplnnmolplqqrlsotoujfighhgi"

It is very unclear to me why all of this secrecy is needed on my own computer.

Because the same GUID (3d7460c0-83b6-11d3-a67f-444553540000) is sent to RealNetworks both at registration time and when I play an audio CD, in theory they know what audio CDs I am listening to. They could, for example, be creating a list of all my CDs and putting this list in a database with my Email address. For pretty obvious reasons this is very valuable marketing information that could be used by CD retailers to pitch me via Email other CDs that match up with my musical tastes.

In addition, the RealJukeBox tracking system might also be useful for detecting music piracy, although I do not have the time right now to investigate this possibility.

The CD Info feature for RealJukeBox is documented in the product and can also be turned off. However, there is no mention of the player GUID number in the documentation, and nothing is said about RealNetworks' ability to identify individual users. In addition, RealNetworks' original privacy policy does not talk at all about the player GUID number, even though it goes into great detail about things like IP address, cookies, referring URLs, etc.

However, after I notified RealNetworks of the various privacy problems in the RealJukeBox, they did update their privacy policy on Saturday, October 30, 1999 to talk about GUIDs and some of the places they are used. The new privacy policy is available at:

http://www.real.com/company/privacy.html

Unfortunately, even this version of the privacy policy does not talk about the many uses of GUIDs in RealJukeBox. In addition, the privacy policy does not make it clear that the RealNetworks registration database can be used to turn a GUID into a person's Email address. I've attached the October 30 language to the end of this write-up for review.

I also found that the same player GUID number is sent to RealNetworks for most commands on the "Sites" and "Help" menus of the RealJukeBox software. For example, the "Product Feedback..." selection on the Help menu initially goes to this URL:

http://presets6.real.com/sitesmenu/rjbhurl.html?
ms10paElp957kCqldbatljkexuakEfskutu9dhdw581kb30i
q9g8Cbxm93wabnxhaesD9Cpbkv28ng2C5Epbhai9s6oDads6
wruzEhkg25i7jc2uy7Ehqjm6Et0ry7vCdBke8rtAy744yCm7
bvczs7smc4E6xae20ibpfEqctel958rut157CqoBg748d20i
vpz8sed8pr3c3ujlA85zeoec9iz8se6x4a66b0xcz8n2Cri7nEa6A8

The query string of this URL decrypts as follows:

ID=618|SN=bad range|
CS=28800|
PN=RealJukebox|
PT=Free|
PV=1.0.0.438|
GU=3d7460c0-83b6-11d3-a67f-444553540000|
OS=Win98 4.10.33044|OL=en-US|
LP=en-US, en, *|
LI=1033|DC=Unk

The Feedback page asks for your Email address, but of course, RealNetworks already has it. (As an aside, it probably is important to say only nice things here on this page.)

The same thing happens at the "Sites" menu. When one goes to a music Web site from inside of RealJukeBox, the player GUID is sent in with a URL. This allows RealNetworks to synchronize a Web site cookie with registration information. What Web pages you visit can then be matched with your Email address.

Another interesting discovery I made about the RealJukeBox player is that in the morning it sends out information about my usage of the product to RealNetworks. This information includes how many songs I have recorded to my hard disk, what brand of portable MP3 player I own, and my music preferences. My player GUID number is also sent along with this information. All of this information goes inside of an HTTP GET request. Here is what my player tells RealNetworks about me in its morning "status report":

GET /getmusic/msearch.rmp HTTP/1.0
user-agent:RealNetworks RealJukebox
host:getmusic.real.com
X-Taiko-AppGUID:3d7460c0-83b6-11d3-a67f-444553540000
X-Taiko-AppDistCode:RJ04
X-Taiko-AppVersion:1.0.0.438
X-Taiko-AppBuildType:FREE
X-Taiko-GenrePreference:New Music
X-Taiko-BackWebInstalled:0
X-Taiko-EncodingOptions:95780 bps G2 - Un-Encrypted
X-Taiko-PortableDevices:
X-Taiko-TotalTracks:11
X-Taiko-EncodedTracks:12

Pretty obviously this information can be used both for market research and for "one-on-one" targeting of advertisements. Like the GUID and CD tracking, I didn't find any mention in the RealJukeBox documentation of this "status report" feature in the software.
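The correlation the write-up describes, the same X-Taiko-AppGUID value tying a CD lookup at cdinfo.real.com to a usage report at getmusic.real.com, is easy to check for in a packet capture. The following Python script is an added example, not part of the original write-up or of RealNetworks' software: it takes the two requests quoted above as a constructed capture, decodes the "cddb query" TOC fingerprint (disc id, track count, per-track frame offsets, disc length in seconds) from the query string, collects the X-Taiko-* headers, and groups everything by the player GUID.

```python
import re

# Constructed capture: the two requests quoted in this write-up, each as one
# raw HTTP/1.0 request with CRLF line endings (headers trimmed for space).
CAPTURE = [
    "GET /query.html?cmd=cddb+query+6f0fe407+7+150+74670+107840+146875+"
    '196050+215005+256182+4068&hello=realuser+real.com+"RealNetworks+'
    'RealJukebox"+1.0&proto=4 HTTP/1.0\r\n'
    "user-agent:RealNetworks RealJukebox\r\nhost:cdinfo.real.com\r\n"
    "X-Taiko-AppGUID:3d7460c0-83b6-11d3-a67f-444553540000\r\n"
    "X-Taiko-AppVersion:1.0.0.438\r\n\r\n",
    "GET /getmusic/msearch.rmp HTTP/1.0\r\n"
    "user-agent:RealNetworks RealJukebox\r\nhost:getmusic.real.com\r\n"
    "X-Taiko-AppGUID:3d7460c0-83b6-11d3-a67f-444553540000\r\n"
    "X-Taiko-GenrePreference:New Music\r\nX-Taiko-TotalTracks:11\r\n"
    "X-Taiko-EncodedTracks:12\r\n\r\n",
]

def parse_request(raw):
    """Split one raw request into (request path, lower-cased header dict)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    path = lines[0].split(" ")[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, headers

def parse_cddb_query(path):
    """Decode the 'cddb query' TOC fingerprint from the query string, or None."""
    m = re.search(r"cmd=cddb\+query\+([0-9a-f]{8})\+(\d+)((?:\+\d+)+)", path)
    if not m:
        return None
    ntracks = int(m.group(2))
    # ntracks frame offsets (75 frames per second) followed by the disc length
    nums = [int(x) for x in m.group(3).strip("+").split("+")]
    return {"discid": m.group(1), "tracks": ntracks,
            "offsets": nums[:ntracks], "seconds": nums[ntracks]}

def correlate(capture):
    """Group requests by X-Taiko-AppGUID so one player's activity across hosts lines up."""
    by_guid = {}
    for raw in capture:
        path, h = parse_request(raw)
        guid = h.get("x-taiko-appguid")
        if guid:  # only requests tagged with the player identifier
            usage = {k: v for k, v in h.items()
                     if k.startswith("x-taiko-") and k != "x-taiko-appguid"}
            by_guid.setdefault(guid, []).append(
                {"host": h.get("host"), "cd": parse_cddb_query(path), "usage": usage})
    return by_guid
```

Run against a real capture, any GUID that appears under more than one host is the linkage the write-up warns about; the usage dict shows exactly which product-usage fields travelled with it.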

I got in touch with RealNetworks and received verification that the RealJukeBox player software is indeed doing all the different things I saw with my packet sniffer. However, I was told that RealNetworks servers do not log what CDs individual customers are listening to. The person I spoke to did agree that logging is possible with the current RealJukeBox player software; the only changes needed to implement such a logging system would be at the RealNetworks servers.

The person I spoke to also clarified one point. If the same CD is played multiple times, the RealJukeBox player only asks for information about a CD once and saves the result on the local hard disk.

So why then is the GUID sent to RealNetworks servers when my player software is requesting information about a CD? I was told that the GUID is used to validate that someone is a RealNetworks customer. This validation is apparently a requirement of the company supplying the CD database, CDDB, Inc. (http://www.cddb.com). Unfortunately, in my testing this validation feature did not seem to work. I was able to request CD information from the RealNetworks server from Internet Explorer 5, which never sends in a player GUID.

This validation scheme also does not explain why the player GUID number is sent in when the RealJukeBox "Sites" and "Help" menus are used.

All in all, the RealJukeBox software does entirely too much tracking of how it is being used and reporting this information back to RealNetworks. I only hope it does not represent a "Brave New World" of consumer electronic devices which send back to media companies what music we listen to, what DVDs we watch, and what TV stations we tune into. As RealNetworks has shown, with an Internet connection, these kinds of monitoring systems are far too easy to implement and deploy.

Going forward, I hope to see RealNetworks immediately remove the player GUID number from the RealJukeBox player software. This one small change will eliminate most of the tracking possibilities that exist in the product today. In addition, the daily status report that is sent out about product usage needs to be stopped. For current users of the RealJukeBox software, I believe the right thing for RealNetworks to do is to notify users via Email of the privacy problems and offer them a patch on the RealNetworks Web site that can be downloaded to fix the problems.

Copyright (C) 1999 Richard M. Smith