Junkbusters

RealNetworks' Privacy Intrusion


Background

For background on this campaign see our news page.

Open Letter 1999/11/1 to RealNetworks

This letter was faxed to RealNetworks at approximately 1am EST on November 1.

Mr Thomas F. Frank
Chief Operating Officer
RealNetworks, Inc.

Dear Sir

This letter advises RealNetworks Inc. of various actions and demands by Junkbusters following the revelation of previously secret data collection and reporting functions in RealJukeBox software. Based on the independent analysis of Richard M. Smith (attached) we consider these functions to be unacceptable violations of consumer privacy which RealNetworks must cease and remediate. We also believe that RealNetworks may have breached both civil and criminal laws, so we are alerting various agencies for possible enforcement actions, to discourage further incidents of this kind. In an age of Internet-enabled appliances it is vital to privacy that consumers understand and control the information reported about their behavior.

The reporting functions of this software are especially objectionable because they were actively kept secret. Until Sunday 31 October nothing in the Privacy Policy at http://www.real.com/company/privacy.html mentioned the reporting, nor the existence of a Globally Unique Identifier (GUID). Previous newspaper reports suggest that RealNetworks has been trying to conceal the GUID's existence. On April 8 the Seattle Weekly reported the existence of the GUID, adding ``RealNetworks officials did not respond to numerous requests from Seattle Weekly to discuss the subject of GUIDs.'' On April 15 the New York Times also reported the existence of the GUID, adding ``Real Networks did not respond to repeated requests for comment.''

On Saturday October 30, RealNetworks's privacy policy was expanded to include three paragraphs discussing the GUID. The policy is unclear and still fails to disclose that both the GUID and the email address in the registration data for the RealJukeBox player and the RealPlayer G2 are sent to the server, making the statement that ``A GUID does not contain or identify any personal information such as your name or email'' appear somewhat misleading. Further, at the time of this writing there was no disclosure of the software's reporting of the number of and nature of songs stored on the user's hard drive, nor of the type of portable music players that have been connected to the consumer's PC.

Nor was there any language in the online license for RealJukeBox that even suggests the existence of a GUID or the reporting functions, let alone providing details of the specific information reported. Worse, some transmissions were actually encrypted, which suggests an intention to conceal a wrongdoing.

This surreptitious transfer of information without the consumer's knowledge or consent is a kind of ``Trojan Horse'' attack that should constitute ``exceeding authorized access'' under the Computer Fraud and Abuse Act of 1986, 18 USC 47 § 1030. This is a criminal offense. Accordingly, I am forwarding a copy of this letter to the Seattle office of the Federal Bureau of Investigation.

Take notice that the Act also includes a private right of action, which could form the basis of individual and class action lawsuits. I call on you to show cause why RealNetworks should not be considered to have broken this law.

In addition to the question of criminal actions, RealNetworks may also face civil liability. For example, the following statement from http://www.real.com/company/privacy.html would seem to be contradicted by the facts in this incident. ``At RealNetworks, it is our intent to give you as much control as possible over your privacy in regard to your personal information and the use we make of it in the course of our business.'' False claims are illegal under various US laws including the Lanham Act and Section 5 of the Federal Trade Commission Act. I am forwarding a copy of this letter to the FTC's Bureau of Consumer Protection and to the New York Attorney General's Internet Bureau, asking them to consider this and any other legal basis on which they could enjoin RealNetworks' covert violation of privacy.

I am also asking TRUSTe to determine whether they consider RealNetworks breached consumer privacy or its TRUSTe license.

This letter is also being sent to privacy and consumer groups asking them to join Junkbusters in issuing the following demands to RealNetworks. We consider the reporting functions to be intentional defects in the product that are harmful to consumers. These defects require remediation. This list of demands may be expanded or amended in future.

I call on RealNetworks to commit to the following points.

  1. Fully disclose and publish on real.com details of the information that the RealJukeBox software reports and collects, and what is done with this information. If earlier versions had different functionality, provide details.
  2. Either cease all shipments of the defective software (both directly and via distributors), or place clear and conspicuous notice of the defect on all old product that ships, warning the consumer of the risks and indicating where amended versions are either currently available or will be made available.
  3. Remove misleading statements about privacy from the real.com site, such as the one objected to above.
  4. Publish the RealJukebox online license agreement on real.com. (The version distributed with the software contains a copyright notice prohibiting redistribution.)
  5. Engage a major firm of independent auditors experienced in privacy consulting (such as PriceWaterhouseCoopers or Ernst and Young) to perform a comprehensive investigation into the processing of personal information by and from RealNetworks software (including the RealJukeBox reporting function) under the direction of and reporting to a supervisory board constituted with a majority of representatives of the Federal Trade Commission, other governmental entities concerned with privacy, and consumer and privacy groups.
  6. Expedite as a priority the auditor's reporting on what personally identifiable information (PII) has been recorded by RealNetworks, whether it was authorized by the consumer, and whether it has been provided to any other parties. As PII is found, destroy the personally identifiable component of the data but retain a record of its existence.
  7. Develop and publish a remediation plan in conjunction with the supervisory board, to include:
    1. Alerting each registered user by email with a text approved by the supervisory board;
    2. Developing a new version without the intrusive collection; and
    3. Distributing the new version to current users via the Internet using the "Autoupdate" facility.

As you commit to or complete each point, please indicate the relevant action to me, rather than waiting until you can respond to all points. I will annotate responses on the copy of this letter at http://www.junkbusters.com/real.html on our Web site.

Junkbusters is issuing an advisory to consumers recommending that they discontinue using and uninstall all RealNetworks products, at least until these demands are met.

Finally, I urge you to be open and honest in your response to this situation. Everyone knows that companies make mistakes, and people can forgive them. What is unlikely to be forgiven is repeated deception and evasiveness. The history of Johnson & Johnson's exemplary handling of the Tylenol incident shows that by behaving responsibly and openly companies can recover from even seemingly unsalvageable crises and emerge with their brands strengthened, not destroyed.

Sincerely

Jason Catlett
President
Junkbusters Corp.

Copy to:
Robert Lewin, TRUSTe
David Medine, Federal Trade Commission
Eric A. Wenger, Office of the NY State Attorney General
Seattle Office, Federal Bureau of Investigation

Assessment of RealNetworks' remediation

Junkbusters has conducted a brief preliminary assessment of the state of remediation by RealNetworks, and will reassess it in late January 2000. Several of the elements in the demands have been addressed, but each specific response requires closer assessment, which will take time.

  1. The company posted a software update (patch) that neuters the GUID, stops the daily reporting function, and stops the ID being sent during requests for CD information. This appears to be good progress. Company officials told Junkbusters they are also addressing the question of whether the GUID in the RealPlayer should be neutered. This may present difficulties for the back-end server; two suggestions by Richard M. Smith are to generate a new GUID each day, and to delete the MAC address from the GUID and put in some sort of random number. [Wired News]
  2. The company posted a statement indicating the communications by the software. As the saying goes, ``better late than never.''
  3. In a statement to the media issued the afternoon of 11/1 the company said ``RealNetworks has begun an immediate review of its privacy practices and its historical data collection practices, with appropriate action to be taken upon conclusion of the review. Subsequent to internal review, RealNetworks plans to bring in outside privacy experts to verify that its internal practices are consistent with its policies.'' This falls short of committing to an independent audit. The company should provide more detail.

This section will be updated as the company provides more details and our assessment progresses.
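
The two suggestions by Richard M. Smith in item 1, sketched as an added example (not RealNetworks' or Junkbusters' code). It assumes the GUID follows the standard time-based (version 1) UUID layout, in which the last 48 bits hold the network card's MAC address; the function names, the `state` dictionary and the sample GUID are constructed for illustration.

```python
import datetime
import secrets
import uuid

# Constructed sample: a version 1 GUID whose node field is the made-up
# MAC address 00:11:22:33:44:55.
SAMPLE_GUID = uuid.UUID(fields=(0x12345678, 0x1234, 0x11D3, 0x80, 0x0C, 0x001122334455))


def embeds_hardware_address(guid: uuid.UUID) -> bool:
    """True if guid is a version 1 UUID whose node looks like a real MAC.

    A node that is not a real IEEE 802 address is expected to have the
    multicast bit (lowest bit of the first octet) set, so a clear bit
    suggests a network card address.
    """
    if guid.variant != uuid.RFC_4122 or guid.version != 1:
        return False
    first_octet = (guid.node >> 40) & 0xFF
    return (first_octet & 0x01) == 0


def strip_hardware_address(guid: uuid.UUID) -> uuid.UUID:
    """Replace a MAC-derived node with random bits, multicast bit set."""
    if not embeds_hardware_address(guid):
        return guid
    random_node = secrets.randbits(48) | (1 << 40)
    return uuid.UUID(fields=guid.fields[:5] + (random_node,))


def guid_for_today(state: dict, today: datetime.date) -> uuid.UUID:
    """Return a random (version 4) GUID that is regenerated each day.

    `state` stands in for whatever the client persists between runs.
    """
    if state.get("date") != today:
        state["date"] = today
        state["guid"] = uuid.uuid4()
    return state["guid"]


if __name__ == "__main__":
    print(SAMPLE_GUID, embeds_hardware_address(SAMPLE_GUID))
    print(strip_hardware_address(SAMPLE_GUID))
```

With a daily GUID the server can still count distinct installations within a day, but reports from different days can no longer be joined on the identifier.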

Junkbusters Advisory to Consumers

Junkbusters recommended early November 1 that consumers discontinue using and uninstall all RealNetworks products until the company has removed the privacy-invasive features of its products. After RealNetworks issued a patch to RealJukeBox that afternoon Junkbusters suspended the recommendation pending a review.

Although it is too early to tell, the patched RealNetworks product may now be more privacy-friendly than other competing alternatives. We do not have information on whether MusicMatch or any directly competing products to RealJukeBox have intrusive features. The streaming audio player products of the two major competing suppliers, Microsoft and Nullsoft, may have some objectionable features. We cannot recommend Microsoft's products because of the company's awful record on privacy. The other major product, Winamp by Nullsoft, is now owned by America Online. AOL's history on privacy could most generously be described as checkered, but it has made substantial improvements in its policy in the past two years, and reports of incidents have been minor in comparison. Other products available from other sources might of course be preferable; we simply do not have time to assess the question. We welcome reader suggestions.

RealNetworks Additions on the GUID 10/30

The following three paragraphs were added to http://www.real.com/company/privacy.html on Saturday 10/30. A previous version was cached by Google.

A Globally Unique Identifier (GUID) is an alpha-numeric identifier that is randomly generated by a RealNetworks consumer application during installation. RealNetworks uses publicly documented standards to create a GUID. A GUID is used to indicate a unique installation of one of RealNetworks products, and is found in many popular software applications. A GUID does not contain or identify any personal information such as your name or email.

A RealPlayer GUID is sent to a RealServer when you initiate a streaming media session. The RealServer only uses the GUID for authentication when you request limited-access streaming content.

RealNetworks uses GUIDs for statistical purposes and to personalize the services that are offered within our products. We may use GUIDs to understand the interests and needs of our users so that we can offer valuable personalized services such as customized RealPlayer channels. GUIDs also allow us to monitor the growth of the number of users of our products and to predict and plan for future capacity needs for customer support, update servers, and other important customer services.


Copyright © 1996-2005 Guidescope Inc ®. Copying and distribution permitted under the GNU General Public License. 2005/01/15 http://www.junkbusters.com/real.html