The Real Deal: Music Industry in Denial Over Privacy Concerns

By Robin D. Gross
November 1999

Digital music fans were reeling recently after the NY Times revealed that the popular music software manufactured and distributed by RealNetworks, Inc. monitors and records users' listening habits and reports personal information back to the company -- all without the customers' knowledge or consent.

Faced with angry protest and hordes of consumers deleting the program from their computers, the streaming music company immediately apologized and posted a "patch" to halt the secret data collection.  RealNetworks, which boasted 13.5 million registered users of its software, also instituted a series of privacy policy changes in its attempt to win back consumer trust following the incident, including allowing third-party audits, the creation of a new, in-house privacy officer, as well an external privacy advisory committee, and developing a consumer education program.

The story came to light after an independent Internet security consultant disassembled and analyzed RealNetworks' Real Jukebox music software.  Richard Smith discovered the program was assigning each person a globally unique identifier (GUID) when they registered the software and reported back to company headquarters with each user's personal information every day.  Before the Times article hit the stands, the software would report, among other things, the number and format of songs on the person's computer, the type of music the person preferred, the type of audio player the person used, and the quality level of his or her recordings.

RealNetworks is not the first Internet company to face consumer backlash over compromising customer privacy.  But the news should serve as a wake-up call to the music industry as it follows down the same dangerous path with the Secure Digital Music Initiative (SDMI), which also requires unique identifiers embedded into music and devices.

Embedding unique serial numbers into the music and audio players allows companies to collect and monitor personal information for purposes such as marketing or perceived protection against piracy.  But this brave new world of entertainment devices that track each person's listening habits and viewing tastes enables the profiling of individuals by revealing personal lifestyle choices.  An individual's audio choices, from music preferences to speeches or sermons, are very personal and revealing.

Databases of who listens to what songs and other streaming media present a potential to seriously compromise people's privacy in unintended ways.  Even though companies may have no immediate intent to use the information they collect, once it exists there are numerous ways the data could be used that the consumer, or even the company, will neither expect nor desire.  For example, law enforcement could easily subpoena an artist or record label for records of who has downloaded songs.  The ability to read, listen, associate, and think anonymously is part of a strong First Amendment tradition in this country that protects people who share dissenting, unpopular, or controversial ideas.  Article Twelve of the Universal Declaration of Human Rights which was adopted by the U. N. General Assembly also guarantees individual privacy to all citizens.

While RealNetworks demonstrated real leadership by backing away from requiring unique identifiers in its products in response to its customers' concerns, the recording industry still refuses to acknowledge that SDMI is making the same intrusive mistake.  The SDMI FAQ attempts to comfort users concerned about their privacy by stating that they are free to not use SDMI if they desire anonymity. (SDMI FAQ: Q13).  This response will likely prove insufficient in the coming months, as online music distribution takes off and consumers have no other way to legally download the most popular music.  Digital audio listeners have shown that they want their privacy by their loud protests when privacy breaches come to light.  Internet music fans choose to protect their privacy when given the opportunity.  As a result, many have chosen to use MP3, an alternative audio technology that does not require personally identifiable information or tracking.

In addition to a cold reception in the marketplace, such surveillance tactics raise legal concerns that call into question the business models of many companies that are designed around the collection and trade of personal data.  Three class-action lawsuits have been filed against RealNetworks, charging the company violated state unfair business practices and consumer protections laws and the federal Computer Fraud and Abuse Act by secretly collecting the personal data.  The European Union has enacted privacy laws that strictly prohibit much online personal information collection.  The FTC recently issued guidelines forbidding the collection of a minor's information via the Web without explicit parental consent as U.S. lawmakers gain interest in protecting consumer privacy.

An Internet company's reputation for customer trust is its most important asset.  Music sites that value their customers will not betray their privacy.  Smart artists will avoid putting themselves in a position where they could reveal private data about their fans.  By refusing to collect the personal information in the first place, it cannot be sold, stolen, traded, or subpoenaed down the line.  It is time the music industry understood that on the Internet, protecting customer privacy is the killer app.