Until now, my only complaint has been that MMJB doesn't know how to play or create OGG files... I guess they enjoy paying those huge licensing fees to Thomson when they could support OGG files for free (but what do I know, I'm not in bed with the record companies...)
Recently my ZoneAlarm firewall popped up an alert when I ran MusicMatch, asking whether or not I wanted to allow it to connect to the IP address 188.8.131.52. I tried to reverse-resolve the IP address and came back with no name; I looked up the IP address in ARIN's WHOIS server to see who owned it and it pointed to a co-location facility in Denver.
I then pulled out ethereal, an open-source packet sniffer program, started monitoring my own machine, and ran MusicMatch again- but this time I told ZoneAlarm to allow the connection. Ethereal captured the DNS queries that MMJB had done, showing queries for the names "sc.musicmatch.com", "mmjb.musicmatch.com", and "cdinfo.musicmatch.com". It also captured the exact information sent by the software, and the responses which were received from those servers.
These requests contained my MMJB registration code, which means that the MusicMatch people know exactly when I run their software, as well as a rough idea of where I am (by virtue of my IP address.) This by itself bothers me, but keep reading...
My next step was to insert a CD that I had received for Chrismas and rip the tracks for download to my MP3 player. MMJB sent a request to their servers again, with the ID numbers from the CD, asking for information about the CD- the artist, album name, and track names. This is fine, and is almost exactly what I expected to see, although I think it should have asked for permission before sending any query at all.
However, these requests ALSO contained my MMJB registration key, which means they also know what CD's I'm listening to, even though I have turned off the checkbox to participate in their music-listening database.
I have sent them an email about this... keep watching this page to see what kind of response I get. (Note: the email I sent them contained the actual registration code, I have masked it in the copy on this web site in order to prevent my code from ending up all over the internet.)