[CrackMonkey] Fwd: Why is Microsoft watching us watch DVD movies?

dep dep at drippingwithirony.com
Wed Feb 20 19:36:37 PST 2002


what's sad is that microsoft has been doing this kind of shit so 
thoroughly and for so long that a report like this one, which should 
rouse the peasantry to lift pitchfork and torch to storm the castle 
gates, so to speak, just imparts yawns, a belch at most . . .

----------  Forwarded Message  ----------

Subject: Why is Microsoft watching us watch DVD movies?
Date: Wed, 20 Feb 2002 17:46:24 -0500
From: "Richard M. Smith" <rms at computerbytesman.com>
To: <bugtraq at securityfocus.com>

Serious privacy problems in Windows Media Player for Windows XP

by Richard M. Smith
http://www.ComputerBytesMan.com
February 20, 2002

Introduction
============

I found a number of serious privacy problems with Microsoft's Windows
Media Player (WMP) for Windows XP. A number of design choices were
made in WMP which allow Microsoft to individually track what DVD
movies consumers are watching on their Windows PC. These problems
were introduced in version 8 of WMP, which ships preinstalled on all
Windows XP systems.

In particular, the privacy problems with WMP version 8 are:

- Each time a new DVD movie is played on a computer, the WMP software
contacts a Microsoft Web server to get title and chapter information
for the DVD. When this contact is made, the Microsoft Web server is
given an electronic fingerprint which identifies the DVD movie
being watched and a cookie which uniquely identifies a particular
WMP player. With these two pieces of information Microsoft can track
what DVD movies are being watched on a particular computer.

- The WMP software also builds a small database on the computer hard
drive of all DVD movies that have been watched on the computer.

- As of Feb. 14, 2002, the Microsoft privacy policy for WMP version 8
does not disclose the fact that WMP "phones home" to get DVD
title information, what kind of tracking Microsoft does of which
movies consumers are watching, and how cookies are used by the WMP
software and the Microsoft servers.

- There does not appear to be any option in WMP to stop it from
phoning home when a DVD movie is viewed. In addition, there does not
appear to be any easy method of clearing out the DVD movie database on
the local hard drive.

Technical Details
=================

When a DVD movie is played by WMP, one of the first things that
WMP does is query a Microsoft server via the Internet for
information about the DVD. The query is made using the standard HTTP
protocol that is also used by Web browsers like Internet Explorer or
Netscape Navigator.

Using a packet sniffer I was able to observe WMP making these queries
to a Microsoft server each time a new DVD movie was played. The
packet sniffer also showed the movie information which was returned
to WMP by the Microsoft servers.

The first HTTP GET request sent by WMP identified the movie being
played. For example, an HTTP GET request is made for this URL for the
"Dr. Strangelove" DVD:

http://windowsmedia.com/redir/QueryTOC.asp?WMPFriendly=true&locale=409&version=8.0.0.4477&cd=1E+96+1B1E+30D9+42D8+5D61+783E+9083+C49C+F0C8+1151E+13CF9+15812+16C5D+1A04F+1BF2D+1ECB7+212E1+22E48+25724+27E9D+2A91A+2D0E6+2F451+38367+3CF64+4A4D6+4C001+4D517+4E51B+4FDBC+51F74

The hex numbers at the end of the URL are an electronic fingerprint
for the DVD table of contents which uniquely identifies the "Dr.
Strangelove" DVD.

This URL is sent to WindowsMedia.com, Microsoft's Web site dedicated
to the WMP software.

The HTTP GET request also included an ID number in a cookie which
uniquely identifies my WMP player. Here's what this cookie looks
like:

   MC1=V=2&GUID=CA695830BB504D399B9958473C0FF086

By default, this cookie is anonymous. That is, no personal
information is associated with the cookie value. However, if a
person signs up for the Windows Media newsletter, their email
address will be associated with their WindowsMedia.com cookie. For
example, when I signed up for the Windows Media newsletter, the
following URL was sent to Microsoft servers:

http://windowsmedia.com/mg/Newsletter.asp?eNws=rms@computerbytesman.com&format=HTM

The same windowsmedia.com cookie value will be sent back to Microsoft
servers when signing up for the newsletter and when a DVD movie is
played. In addition, using various well-known "cookie synch" tricks,
an email address can be associated with a cookie value at any time.

Also when subscribing to the Windows Media newsletter, I was
encouraged by an email message from the Microsoft newsletter
department to create a Passport account based on my email address.
In theory, yet more personal information from Passport could be
matched with what DVD movies I have watched. There is no evidence
however that Microsoft is making this connection.

The WindowsMedia.com cookie was assigned to my computer the first
time I ran WMP. The lifetime of the cookie was set to about 18
months. This cookie gives Microsoft the ability to track the DVD
movies that I watch on my computer.

After a series of redirects from the WindowsMedia.Com server,
information about the "Dr. Strangelove" movie was returned in this
XML file:

http://services.windowsmedia.com/amgvideo_a/template/QueryDVDTOC_v3.xml?TOC=90a1b0d1571524ea

WMP extracted movie information from this file and then added this
information to a database file, named wmplibrary_v_0_12.db, which is
located on my hard disk in the directory "C:\Documents and
Settings\All Users\Application Data\Microsoft\Media Index". I didn't
see any method of removing movie information from this file, so it
appears to me that the file keeps a complete record of all movies
that have ever been watched on my computer.

Because as of Feb. 14, 2002 the Windows Media privacy policy is
silent about what is done with DVD information sent to Microsoft
servers by the WMP software, we can only speculate what Microsoft is
doing with the information. Here are some possibilities:

- Microsoft could be using DVD title information for direct marketing
purposes. For example, the WMP start-up screen or email offers can be
customized to offer new movies to a WMP user based on previous movies
they have watched.

- Microsoft could be keeping aggregate statistics about what DVD
movies are the most popular. This information can be published as
weekly or monthly "top ten" lists.

- Microsoft might be doing nothing with the DVD information. (In my
discussions with Microsoft, I was told this option is their current
practice.)

Note: The Video Privacy Protection Act of the United States prevents
video rental stores from using movie titles for direct marketing
purposes. The letter of this law does not apply to Microsoft because
they are not a video rental store. However, clearly the spirit of the
law is that companies should not be using movie title information for
marketing purposes.

Recommendations
===============

I believe that Microsoft should remove the DVD movie information
feature from WMP version 8 altogether. The value of the feature seems
very small given that almost all DVD movies include a built-in
chapter guide. In addition, the Microsoft movie information feature
is not available when DVD movies are shown in full-screen, which is
how DVDs are typically watched.

If Microsoft feels that this feature is important to leave in WMP,
then I think it should be turned off by default. The feature can be
made privacy-friendly very easily, by having WMP never send
cookie information with movie title requests. This change will
prevent Microsoft from tracking individual movie viewing choices.

Vendor Response
===============

Response from the Windows Digital Media Division of Microsoft
Corporation is available here:

   http://www.computerbytesman.com/privacy/wmp8response.htm

Acknowledgements
================

Thanks to Ian Hopper of the Associated Press for bringing this issue
to the attention of the author.

Links
=====

  Digital Media in Windows XP
  http://www.microsoft.com/windows/windowsmedia/windowsxp.asp

  Media Player for Windows XP Privacy Statement
  http://www.microsoft.com/windows/windowsmedia/software/v8/privacy.asp

  The RealJukeBox monitoring system
  http://www.computerbytesman.com/privacy/realjb.htm

  TiVo's Data Collection and Privacy Practices
  http://www.privacyfoundation.org/privacywatch/report.asp?id=62&action=0

  Internet Explorer SuperCookies bypass P3P and cookie controls
  http://www.computerbytesman.com/privacy/supercookie.htm

  Video Privacy Protection Act
  http://www.accessreports.com/statutes/VIDEO1.htm

  Bill Gates' memo on Trustworthy Computing
  http://www.computerbytesman.com/security/billsmemo.htm

-------------------------------------------------------

-- 
dep

Reasonable people adapt themselves to the world. Unreasonable people 
attempt to adapt the world to themselves. All progress, therefore, 
depends on unreasonable people. - George Bernard Shaw
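A worked reconstruction of the linkage the forwarded advisory describes, added here as an example; it is not code from the original post, from Richard Smith, or from Microsoft. It takes the two requests quoted in the advisory (the QueryTOC.asp title lookup carrying the DVD fingerprint and the MC1 cookie, and the Newsletter.asp sign-up carrying an e-mail address with the same cookie), joins them on the cookie GUID the way a server-side log processor could, and then applies the fix the advisory proposes: sending the lookup with no cookie at all. The paths, the cd= values and the cookie value are the ones quoted above; the HTTP/1.1 framing, the Host line and the decision to decode the cd= values as plain hex integers are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed samples: the two requests quoted in the advisory, written out as
# raw HTTP/1.1 request text the way a packet sniffer would show them.  The
# paths, the cd= fingerprint and the MC1 cookie value are the ones in the
# post; the Host line and the request framing are assumptions.
DVD_REQUEST = (
    "GET /redir/QueryTOC.asp?WMPFriendly=true&locale=409&version=8.0.0.4477"
    "&cd=1E+96+1B1E+30D9+42D8+5D61+783E+9083+C49C+F0C8+1151E+13CF9+15812"
    "+16C5D+1A04F+1BF2D+1ECB7+212E1+22E48+25724+27E9D+2A91A+2D0E6+2F451"
    "+38367+3CF64+4A4D6+4C001+4D517+4E51B+4FDBC+51F74 HTTP/1.1\r\n"
    "Host: windowsmedia.com\r\n"
    "Cookie: MC1=V=2&GUID=CA695830BB504D399B9958473C0FF086\r\n"
    "\r\n"
)
NEWSLETTER_REQUEST = (
    "GET /mg/Newsletter.asp?eNws=rms@computerbytesman.com&format=HTM HTTP/1.1\r\n"
    "Host: windowsmedia.com\r\n"
    "Cookie: MC1=V=2&GUID=CA695830BB504D399B9958473C0FF086\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split raw HTTP request text into (method, target, headers).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def wmp_guid(headers):
    """Return the GUID carried in the MC1 cookie, or None when absent.
    The MC1 value is itself a "V=2&GUID=..." list, so parse it as a query."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "MC1":
            return parse_qs(value).get("GUID", [None])[0]
    return None


def dvd_fingerprint(target):
    """Return the cd= values of a QueryTOC.asp request as integers, else None.
    "+" in a query string encodes a space, so parse_qs has already turned the
    separators into spaces; splitting on either handles both forms."""
    url = urlsplit(target)
    if not url.path.endswith("/QueryTOC.asp"):
        return None
    cd = parse_qs(url.query).get("cd", [""])[0]
    return [int(h, 16) for h in re.split(r"[+\s]+", cd) if h]


def newsletter_email(target):
    """Return the eNws= address of a Newsletter.asp sign-up, else None."""
    url = urlsplit(target)
    if not url.path.endswith("/Newsletter.asp"):
        return None
    return parse_qs(url.query).get("eNws", [None])[0]


def correlate(raw_requests):
    """Join DVD lookups and newsletter sign-ups on the MC1 GUID.
    This is the linkage the advisory warns about, seen from the server side:
    once one request with the cookie carries an e-mail address, every DVD
    fingerprint sent with the same cookie is attributable to that address."""
    profiles = {}
    for raw in raw_requests:
        _method, target, headers = parse_request(raw)
        guid = wmp_guid(headers)
        if guid is None:
            continue  # no cookie, nothing to join on
        profile = profiles.setdefault(guid, {"email": None, "dvds": []})
        fingerprint = dvd_fingerprint(target)
        if fingerprint is not None:
            profile["dvds"].append(fingerprint)
        email = newsletter_email(target)
        if email is not None:
            profile["email"] = email
    return profiles


def strip_cookie(raw):
    """The advisory's proposed fix: send the title lookup without any cookie.
    Only the Cookie header goes; the lookup still works because the DVD
    fingerprint travels in the URL, not in the cookie."""
    head, sep, body = raw.partition("\r\n\r\n")
    kept = [line for line in head.split("\r\n")
            if not line.lower().startswith("cookie:")]
    return "\r\n".join(kept) + sep + body


if __name__ == "__main__":
    print(correlate([DVD_REQUEST, NEWSLETTER_REQUEST]))
    # With the cookie stripped the DVD lookup no longer joins to the e-mail.
    print(correlate([strip_cookie(DVD_REQUEST), NEWSLETTER_REQUEST]))
```

Run as-is, the first line printed shows one profile keyed by the GUID with the e-mail address and one 32-entry fingerprint attached; the second shows the same GUID with the e-mail but an empty DVD list, which is the whole effect of the recommendation in the post.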
