Apple's Non-Denial Denial · 678 words posted 01/12/2006 02:38 PM
According to Rob Griffiths at macosxints, Apple has denied collecting data via the MiniStore. I’ll quote at length because I don’t want to take anything out of context:
I have just received confirmation from Apple directly (from a confirmed source I trust implicitly) that absolutely no information is being collected from the MiniStore (though clearly data is sent to make the feature work). Therefore, the following article is now simply a hint about an obvious feature (disabling the MiniStore), which I wouldn’t typically run. However, in the interest of not rewriting history to avoid my mistakes, I have not changed any of the original text, though I did change the hint’s title, and move the rest of the story ‘below the break.’
Apparently, Rob considers the issue closed. Full disclosure: Rob and I corresponded yesterday about the iTunes MiniStore and my complaints; he originally posted his article on macosxhints based on my reporting and he later issued the retraction/clarification based on his inside Apple source.
Cory Doctorow at boingboing reports that the reliable source is Steve Jobs (Cory also posts many more updates on the issue from various sources; the link is worth following).
Moreover, slashdot notes that Apple has a knowledge base article covering the MiniStore, and that the article was available on the day the MiniStore debuted.
Finally, many since1968 readers have pointed out that the iTunes page prominently advertises the new MiniStore as a feature.
Case closed right? Apple told us they were going to send our song data to the MiniStore, and Steve Jobs tells us that they don’t hang on to that data. What’s the big worry, you pinko commie privacy-hound?
Not so fast.
Let’s read the relevant portion of the Knowledge Base article:
iTunes sends data about the song selected in your library to the iTunes Music Store to provide relevant recommendations. When the MiniStore is hidden, this data is not sent to the iTunes Music Store.
And that’s it. The knowledge base article clearly doesn’t cover the issue of iTunes sending data to Omniture. Once again: there is no way to know that Apple is sending some data from your computer to a third party marketing firm unless you sniff outbound traffic on your machine.
And, while reasonable people can disagree, I believe a plain-language reading of the various documents governing Apple’s relationship with third-party marketers indicates that Apple should have disclosed its relationship with Omniture, if not in the interface of iTunes then at least within the EULA language. See, e.g., Apple’s properly disclosed relationship with GraceNote.
Here’s what we know:
- Assuming the MiniStore is open, iTunes 6.0.2 sends information to a server run by Omniture when you click a new song in iTunes. (More on how we know this in the next post).
- Omniture is an information aggregating firm. Some people might even say it’s a marketing firm.
- Apple does not disclose its relationship with Omniture in the publicly available documents governing the use of iTunes or iTMS.
I have contacted both Apple and Omniture to give them a chance to tell their side of the story, but they have not responded. In fairness to both companies, I had to use public email addresses so my emails might be sitting at the bottom of a very large pile and I don’t expect an immediate response.
I’d like to know the answers to the following questions:
- Why shouldn’t the MiniStore feature be opt-in instead of opt-out?
- What data does Apple send to Omniture when I click a song in iTunes 6.0.2?
- Why does Apple have a KB article about sending data to the MiniStore but nothing about Omniture?
- Why doesn’t Omniture appear in any of the publicly available EULA, TOS, or Privacy Statements?
I’m not so vain to think Steve Jobs actually reads my blog, but I know someone at Apple does (or they do now, at any rate). So Steve, or anyone at Apple or Omniture who cares to respond, I’ll post unedited any correspondence you send to me, and I’ll even let you post directly to my blog.
* * *
2. On Jan 12, 05:49 PM since1968 said:
John wrote:
Most users wouldn’t discover this feature if it were opt-in.
But that doesn’t address privacy concerns, does it?
I would guess because for all practical purposes, Omniture == Apple for the data they’re talking about. It’s extraneous info.
I don’t understand that assertion at all, John. Apple clearly feels that it needs to disclose some third party contacts: GraceNote and Kerbango in the current license. It also feels the need to put language that constrains the information it shares with marketers in its Privacy Statement. I won’t speak for other people, but I don’t perceive Apple and marketers to be one and the same, and if they want to have equal access to my data I’d at least prefer to make an informed decision.
Finally,
I’m surprised you want to continue to take Apple to task on this, but then I’m responding once again.
Heh. Well, we deserve each other. #
3. On Jan 13, 11:09 AM licopin said:
1) The moment info is sent to Omniture, Apple is forwarding private information to a third party without user consent.
2) I don’t care if the “reliable info” ultimately came from Steve Jobs—as long as the source is anonymous, the corporate entity “Apple Computer” has not made a public statement.
3) I sincerely hope it wasn’t Steve Jobs who called macosxhints. If that were the case, Jobs in effect tried to silence negative press just by granting macosxhints the honor of directly talking with God Himself—as this was (presumably) not an official Apple statement anyhow. #
4. On Jan 13, 11:32 AM hedgehog said:
Jason Schultz from the EFF says it best:
“Apple should come clean,” Schultz said. “They owe it to their user base. It’s not going to kill their market. My question to them is, what are they afraid of? If this is something that is standard run of the mill, it should be transparent.” #
5. On Jan 13, 12:22 PM nate said:
It sort of begs the question—if Apple really is on the straight and narrow path, why don’t they amend their official privacy policy to address the specifics of this issue? The anonymously-sourced statement to Griffiths is just bizarre. Apple needs to be on the record about this—otherwise, why have policies and licenses at all? #
7. On Jan 13, 05:34 PM Thomas said:
Great post. I, too, would like to know where Omniture comes into play in all of this. There has been no official statement as to whether or not the data sent is retained, so Apple is not so much lying outright, but there is something dubious about this whole thing.
Then again, take a step back: Apple just wants more money, and what better way to make you spend money than to entice you with what you like? That’s really the only information that can be gleaned from your listening habits.
I know that’s not the point, but it’s worth considering. #
8. On Jan 13, 05:48 PM Paul Turnbull said:
Regarding GraceNote Apple may be explicit on that because they have no legal relationship with them. But that’s just a guess.
For Omniture I think they’re covered by:
There are also times when it may be advantageous for Apple to make certain personal information about you available to companies that Apple has a strategic relationship with or that perform work for Apple to provide products and services to you on our behalf.
and
These companies are also obligated to protect your personal information in accordance with Apple’s policies. Without such information being made available, it would be difficult for you to purchase products, have products delivered to you, receive customer service, provide us feedback to improve our products and services, or access certain services, offers, and content on the Apple website.
From the Apple Customer Privacy Policy and meaning essentially Apple uses third party companies for things like marketing but these companies are required to handle the data as if they were Apple.
A similar example of this is where I work. We’ve contracted out some of the development of our new database and we supplied the developer with copies of the old system complete with all the data in them. The developer signed a contract keeping that data secure and private and agreeing to destroy the data on completion of the contract.
This is not unusual or sinister in any way. It’s pretty standard business practices. #
9. On Jan 14, 05:31 AM Michael Bailey said:
I agree with others who have basically said, “Who the hell cares?” How is Apple knowing the songs I listen to causing me any harm? I guess I just don’t understand almost any of the whole privacy debate. Shouldn’t people have the right to monitor how people use their site and systems in order to improve their bottom line? This paranoia just makes no sense. No one has yet to explain why Apple watching what songs we play causes any harm. The only response I hear is simply that some people don’t like it. It’s not really a very strong argument until you put forth why it should matter. #
11. On Jan 14, 02:18 PM Harry said:
Apple is not making full disclosure of what is done with user purchasing data.
That Apple goes to the trouble of making a EULA and privacy statement that is incomplete leaves it open to accusations of misrepresentation.
OTOH Apple could simply pass the info on from it’s own servers and nobody would be the wiser.
Does this data matter?
Assume that everything you do online is monitored.
If you don’t like Apple don’t buy iPod.
After all there are better and cheaper competitive products if not as pretty.
And/or don’t use iTunes, there are alternatives. #
12. On Jan 14, 02:29 PM Michael Griffin said:
I’m surprised you hadn’t already known about Omniture / 2o7.net / metrics.apple.com.
For more revelations, review your browser’s cookies and search for .207.net. The session ID’s will match Apple’s cookies exactly.
P.S.—You’ll find my name listed in Kirk and Cory’s blogs as the first one to discover that the X-Dsid tag represented the user’s Apple ID, and that personal information was therefore being transmitted. #
1. On Jan 12, 05:40 PM John said:
Most users wouldn’t discover this feature if it were opt-in.
If the song was purchased through itunes its product id is sent. Otherwise the artist, album, genre, and the kind of media are sent.
I would guess because for all practical purposes, Omniture == Apple for the data they’re talking about. It’s extraneous info.
This is the most valid point you raise. I don’t read any legalese documents like these, but it would make sense to divulge every last detail of business relationships here. I would guess that it’s again because they’re one and the same for all practical purposes. It might be an oversight.
I’m surprised you want to continue to take Apple to task on this, but then I’m responding once again. :/ #