Date: Fri, 27 Dec 2002 01:58:05 -0600
From: John Simpson
To: privacy@musicmatch.com
Subject: privacy concerns

howdy-

i have been a registered user of mmjb for a few years now, and am currently running the "7.20.0166Gateway" version which came pre-loaded on a new laptop. while configuring some other software (zone alarm) i have found three causes for concern with the software.

(1) i have disabled the options which allow the product to automatically check for updates and which send my music preferences to your server. however, even with these options turned off, whenever i run the product it initiates a connection to your "sc.musicmatch.com" server. the data sent by this connection contains, among other things, my registration key. the response from your server contains a cookie, with an order to tell my system to keep the cookie for five years.

why is the server "phoning home" like this, and why does it need to include my registration key with the request? if it's not checking for updates (which i have told it not to do) the only reason i could see is if your company wants to know about every time i run the software.

(2) when i inserted a cd, the software sent a request to your server asking for the artist, album time, and track names. this is perfectly understandable, and is precisely what i expected to see. however, this request also contained my mmjb registration key. according to the help file which comes with the product...

> (And in case you're wondering, CD Lookup is not a music spy! It is
> a free service as committed to the livelihood of digital music as
> you are. Use this automated service with confidence!)

if this statement is true, why does my registration key need to be sent along with the request? what other possible use could you have for this information, other than to build a profile of my listening habits?
this really worries me, because with me being a registered owner you already have my name and other personally identifiable information associated with the key. it wouldn't take ANY effort for you to gather a list of the CDs which have been identified with my key over the last two years, and use that to build a profile of my listening habits, EVEN THOUGH I HAVE SPECIFICALLY CHOSEN NOT TO PROVIDE THIS INFORMATION. why is the software still sending you this information?

(3) your privacy policy states the following, at the beginning of section 2, "COMPACT DISC IDENTIFICATION":

> The MUSICMATCH Jukebox contains either the CDDB Service or the
> MUSICMATCH CD lookup service for compact disc identification.

how do i choose which service i prefer to use? the software doesn't have any option to specify which CDDB server to use, while this is a standard feature on most other players (notably winamp).

in addition, the end of section 2 contains the following:

> With the MUSICMATCH CD lookup service, when you use the MUSICMATCH
> Jukebox CD player or recorder to look up an album, MUSICMATCH collects
> your unique MUSICMATCH Jukebox user identifier (MMUID) and anonymous
> information about the album to allow you to have the name of the
> artist, album and tracks automatically entered. The MMUID identifies
> the individual jukebox, but not the user.

however, the packet sent by the software contained the following information (formatted for easier reading):

GET /mmjb/process.cgi
    ?REQUEST=QCF
    &MMJB_KEY=XXXXX-XXXXX-XXXXX-XXXXX
    &KEY_STATE=1
    &CERT_STATE=1
    &MMUID=
    &grant=0
    &VERSION=7.20.0166Gateway
    &OEM=Gateway
    &OOEM=Gateway
    &LANG=ENU

as you can see, there is no MMUID and my registration key is sent instead. YOUR PRIVACY POLICY DOES NOT ACCURATELY REFLECT THE ACTIVITIES OF YOUR SOFTWARE.
i feel that these concerns could be laid to rest by the release of a new version of the software which:

- does not send the registration key with ANY web requests (other than those connections specifically associated with gathering listening habits, approved by the users of the software);
- only connects to your servers in order to check for updates, only does so when the user has given permission, and does so without sending a registration key; and
- allows the user to specify their choice of CDDB servers.

copies of this email, along with any responses I may receive, will be available for public inspection at the following address:

http://www.jms1.net/mmjb.html

i look forward to your response.

--
----------------------------------------
| John Simpson          Programmer at Large |
| http://www.jms1.net/                      |
----------------------------------------
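The check the e-mail performs by hand (read the query string of the outbound request, compare the identifiers actually sent with what the privacy policy says is sent) can be done mechanically against any captured request line. The following Python is an added example written for this page; it is not code from John Simpson or from MUSICMATCH. The captured request line is reconstructed from the parameters quoted in the e-mail with a made-up placeholder key, the trailing "HTTP/1.0" token is assumed (the e-mail does not show it), and the classification of MMJB_KEY as identifying and MMUID as the policy's only identifier is an assumption taken from the e-mail's reading of section 2 of the policy.

```python
"""Audit a captured MUSICMATCH Jukebox lookup request against the privacy
policy's claim that only an MMUID identifies the jukebox, not the user."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the GET request quoted in the e-mail, reassembled onto
# one line. The key value is a made-up placeholder in the XXXXX-XXXXX-XXXXX-XXXXX
# shape shown in the e-mail; "HTTP/1.0" is assumed, the e-mail does not show it.
CAPTURED_REQUEST_LINE = (
    "GET /mmjb/process.cgi?REQUEST=QCF&MMJB_KEY=ABCDE-FGHIJ-KLMNO-PQRST"
    "&KEY_STATE=1&CERT_STATE=1&MMUID=&grant=0&VERSION=7.20.0166Gateway"
    "&OEM=Gateway&OOEM=Gateway&LANG=ENU HTTP/1.0"
)

# Assumed classification, based on the e-mail's reading of section 2 of the
# privacy policy: the registration key ties the request to a registered owner,
# while the policy says only the MMUID (which identifies the jukebox) is sent.
IDENTIFYING_FIELDS = {"MMJB_KEY"}
POLICY_IDENTIFIER = "MMUID"


def parse_request_line(line):
    """Return (method, path, params) for an HTTP request line.

    Blank values are kept so that an empty "MMUID=" shows up as a parameter
    that is present but empty, rather than disappearing from the result."""
    parts = line.split()
    method, target = parts[0], parts[1]
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)
    params = {name: values[0] for name, values in query.items()}
    return method, url.path, params


def audit(params):
    """Compare the parameters actually sent with what the policy describes.

    Returns a list of human-readable findings; an empty list means the request
    matches the policy as classified above."""
    findings = []
    for field in sorted(IDENTIFYING_FIELDS):
        if params.get(field):
            findings.append(f"{field} is sent, but the policy does not mention it")
    if not params.get(POLICY_IDENTIFIER):
        findings.append(
            f"{POLICY_IDENTIFIER} is empty, yet the policy says it is the identifier sent"
        )
    return findings


def redact(line):
    """Mask the registration key before publishing a capture, as the e-mail does."""
    return re.sub(r"(MMJB_KEY=)[^&\s]+", r"\1XXXXX-XXXXX-XXXXX-XXXXX", line)


if __name__ == "__main__":
    method, path, params = parse_request_line(CAPTURED_REQUEST_LINE)
    print(method, path)
    for name, value in params.items():
        print(f"  {name}={value!r}")
    for finding in audit(params):
        print("FINDING:", finding)
    print(redact(CAPTURED_REQUEST_LINE))
```

The same parse-then-compare step applies to the "sc.musicmatch.com" start-up connection the e-mail describes: capture the request line with the firewall or a packet capture, feed it to parse_request_line, and run audit with whatever field set the vendor's policy actually names. Run redact over any capture before publishing it, since the key is exactly the value that ties the capture to a named owner.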