http://www.jms1.net/mmjb.html

MusicMatch Jukebox - SpyWare?

I have been a registered user of MusicMatch Jukebox (also known as "MMJB") for several years. The software itself is great: their library interface is one of the best I've seen, and the newest versions have a feature which reads the ID3 tags and uses the information to automatically rename the files, very handy for me, since I have ripped every CD I own and carry the MP3 files on an Archos Jukebox FM Recorder 20 player.

Until now, my only complaint has been that MMJB doesn't know how to play or create OGG files... I guess they enjoy paying those huge licensing fees to Thomson when they could support OGG files for free (but what do I know, I'm not in bed with the record companies...)

Anyway.

Recently my ZoneAlarm firewall popped up an alert when I ran MusicMatch, asking whether or not I wanted to allow it to connect to the IP address 216.206.179.200. I tried to reverse-resolve the IP address and came back with no name; I looked up the IP address in ARIN's WHOIS server to see who owned it, and it pointed to a co-location facility in Denver.

I then pulled out ethereal, an open-source packet sniffer program, started monitoring my own machine, and ran MusicMatch again, but this time I told ZoneAlarm to allow the connection. Ethereal captured the DNS queries that MMJB had done, showing queries for the names "sc.musicmatch.com", "mmjb.musicmatch.com", and "cdinfo.musicmatch.com". It also captured the exact information sent by the software, and the responses which were received from those servers.

These requests contained my MMJB registration code, which means that the MusicMatch people know exactly when I run their software, as well as a rough idea of where I am (by virtue of my IP address). This by itself bothers me, but keep reading...

My next step was to insert a CD that I had received for Christmas and rip the tracks for download to my MP3 player. MMJB sent a request to their servers again, with the ID numbers from the CD, asking for information about the CD: the artist, album name, and track names. This is fine, and is almost exactly what I expected to see, although I think it should have asked for permission before sending any query at all.

However, these requests ALSO contained my MMJB registration key, which means they also know what CDs I'm listening to, even though I have turned off the checkbox to participate in their music-listening database.

Their privacy policy states (in section 2) that the program will use the CDDB service "OR" their own service. However, the software automatically went to their servers, and doesn't have any way to choose which service to use. I would prefer to use a public CDDB service, but there is no way to change this in the software.

In addition, their privacy policy states that the software sends an "MMUID" code instead of any personally identifiable information. The fact is that my copy of the software is sending a blank MMUID along with my registration code. This is a direct contradiction of their privacy policy. Since I purchased my original copy of MMJB from them, and have registered the software, my registration code is "personally identifiable information".
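A defender repeating this audit today would script the check rather than read packets by hand. The following Python is an added example, not code from the original page or from MusicMatch: it scans plaintext HTTP request lines, in the shape a sniffer might export them, and reports which hosts received a given registration code and whether the MMUID field beside it was blank. The request paths, the parameter names `reg` and `mmuid`, the sample code and the non-musicmatch.com host are constructed assumptions; only the three musicmatch.com hostnames come from the page.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: (host, request target) pairs as a sniffer might export them.
# Paths and parameter names are assumed for illustration; the musicmatch.com
# hostnames are the ones observed in the DNS queries described above.
SAMPLE_REQUESTS = [
    ("sc.musicmatch.com", "/check?reg=ABCD-1234-EFGH&mmuid=&ver=7.5"),
    ("cdinfo.musicmatch.com", "/cd?reg=ABCD-1234-EFGH&mmuid=&toc=1,12345,23456"),
    ("mmjb.musicmatch.com", "/news?mmuid=&ver=7.5"),
    ("freedb.example.org", "/cgi-bin/cddb.cgi?cmd=cddb+query+abcdef12"),
]

def audit_requests(requests, reg_code, id_field="mmuid"):
    """Return {host: finding} for every host that received reg_code.

    finding['paths'] lists the request paths carrying the code, and
    finding['blank_id'] is True when every such request had an empty
    id_field, i.e. a blank MMUID sent alongside a real registration key.
    """
    findings = {}
    for host, target in requests:
        parts = urlsplit(target)
        params = parse_qs(parts.query, keep_blank_values=True)
        # Match the code in any parameter value rather than trusting one key name.
        leaked = any(reg_code in v for vals in params.values() for v in vals)
        if not leaked:
            continue
        entry = findings.setdefault(host, {"paths": [], "blank_id": True})
        entry["paths"].append(parts.path)
        if any(v.strip() for v in params.get(id_field, [""])):
            entry["blank_id"] = False
    return findings

def mask(code, keep=4):
    """Mask a registration code for reporting, keeping only its last few characters."""
    return "*" * (len(code) - keep) + code[-keep:]

if __name__ == "__main__":
    code = "ABCD-1234-EFGH"  # constructed sample key, not a real one
    for host, f in sorted(audit_requests(SAMPLE_REQUESTS, code).items()):
        status = "blank MMUID" if f["blank_id"] else "MMUID populated"
        print(f"{host}: code {mask(code)} sent via {f['paths']} ({status})")
```

Run against a real export, the report lists each server that saw the key; hosts whose requests carry only an identifier (the constructed mmjb.musicmatch.com and freedb.example.org lines) do not appear.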

I have sent them an email about this... keep watching this page to see what kind of response I get. (Note: the email I sent them contained the actual registration code, I have masked it in the copy on this web site in order to prevent my code from ending up all over the internet.)


As of 2003-07-22 I have not heard a word from them. Having switched to a Linux-based desktop since then, it's not a major issue for me anymore. However, anybody running MMJB should be concerned- VERY concerned.
Copyright 2002-2003 John M. Simpson <jms1@spamcop.net>
Last updated 2003-07-22