Written: 2006-01-13
There’s been some discussion lately about a new feature of Apple’s iTunes v 6.0.2. This update adds a feature whereby each time you click on a song in iTunes, information about that song is transmitted to a remote server which then populates a (new) MiniStore pane with purchase suggestions related to the item you clicked.
There’s discussion of this feature at: http://since1968.com/ and http://www.boingboing.net/2006/01/11/itunes_update_spies_.html
Most of the talk is of the “Apple didn’t tell us it was going to do this” variety. “If Apple had been ‘open’ about this, we wouldn’t have a problem.”
Well, I have a problem with it.
This feature is enabled by using a company named Omniture, Inc. Omniture uses the domain 2o7.net to receive the information transmitted by the MiniStore feature. Omniture’s site says:
2o7.net is an Internet domain used by Omniture, Inc. on behalf of our customers to improve Web site design and to generally improve the user experience on the Web. This domain is used by Omniture’s data collection systems, and is the domain under which Omniture places cookies. These cookies are NOT spyware – they are simple text files that help Omniture customers measure usage of their Web sites and performance of their marketing campaigns.
Note that “performance of their marketing campaigns” phrase. What they’re talking about here is web bugs. Web bugs can appear in html-encoded email. Basically, they permit the sender to know if, and even when, you open the marketing or other email that was sent to you. If you value your privacy, web bugs should be a concern.
Note: I’m not singling out 2o7.net. There are lots of different companies doing the same/similar things. It all amounts to spying on you.
The web bug below is pulled from an email and the html code even includes the notation that it is for “message detection.” The third line is the actual web bug.
Web bugs are image files that are requested by your email program in order to display within the email. Typically, they are minimum size — a one by one pixel image, as in the example below. It’s an image you’re not really intended to see at all. Actually, it’s probably not an image at all. It’s a call to a cgi script (masquerading as an embedded image) that logs the requested bug and I doubt that it actually sends a 1 x 1 image. Maybe it does. Doesn’t matter.
Anyhow, this is what they look like. It will always say <img src="http:// and then there will be a URL that is encoded with information identifying the intended recipient of the email. Each web bug in a mailing is unique. Each represents a particular individual that was sent the mailing. Note that not all instances of ‘<img src="http://’ are web bugs. Most are just images that the sender wants you to see. The ones that contain a unique identifier are the ones spying on you. Web bugs often contain a question mark and will often be from a different domain than all the other images in the email. Sometimes they even include your actual email address rather than containing a code they have to look up.
When the server listed in the URL of the web bug sees (in this case) 0jlGqqqZA3wp56TKzUH, it translates it into the recipient’s ID. The server notes the time that the web bug image file was requested and saves this in a log file so they know exactly when you opened your email.
By the way, I changed the domain and the letters and numbers in the web bug below. This is just a look at what a web bug might look like; it is not an actual web bug.
Here is the (modified) code I pulled from a bugged email:
<!-- The following image is included for message detection -->
<img src="http://WebBugs.com/1x1.dyn" border="0" alt="" width="1" height="1">
<img src="http://WebBugs.com/1x1.dyn?0jlGqqqZA3wp56TKzUH" width=1 height=1>
In my case, I have my email program, Eudora, set up to note which incoming email is html-encoded and change the mailbox entry to a different color. So, just by looking at the unopened email in my e-mailboxes, I know which ones are html-encoded and potentially bugged. I also have Eudora set to not automatically download images from the web.
I never open these html emails without first checking for web bugs. I do this with an AppleScript (Yes, I’m a Mac user.) that does the equivalent, I think, of selecting “Properties” in programs like Outlook Express. Then I open the email in question and look over the html code looking for web bugs. If I find any, I either cut them out or, if I’m feeling frisky, edit the web bug to contain different letters and numbers. Once I’ve rendered the html-encoded email safe to view normally, I open it and read as one normally would. I never open html email without first checking. Not even email from my friends and family. Sometimes they forward html email to me from elsewhere.
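The manual check described above can also be scripted. The following Python sketch is an added example, not code from the original post: it applies the signs listed earlier (1 x 1 size, a question mark followed by data, a host that differs from the other images, the recipient's address in the URL) to an HTML message body. The function name, the reason strings, and the sample markup with its example.com hosts are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

TINY = "invisible 1x1 image"
HAS_ID = "query string may carry a per-recipient ID"
ODD_HOST = "host differs from the other images"
HAS_ADDR = "recipient address embedded in URL"

class ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []  # one attribute dict per <img> tag

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "").strip() for k, v in attrs})

def find_web_bugs(html, recipient=""):
    """Return [(src, reasons)] for remote images whose URL carries an identifier."""
    collector = ImgCollector()
    collector.feed(html)
    remote = [(img, urlsplit(img.get("src", ""))) for img in collector.images]
    remote = [(img, url) for img, url in remote if url.scheme in ("http", "https")]
    hosts = Counter(url.hostname for _, url in remote)
    main_host = hosts.most_common(1)[0][0] if hosts else None
    findings = []
    for img, url in remote:
        reasons = []
        if img.get("width") in ("0", "1") and img.get("height") in ("0", "1"):
            reasons.append(TINY)
        if url.query:
            reasons.append(HAS_ID)
        if url.hostname != main_host:
            reasons.append(ODD_HOST)
        if recipient and recipient.lower() in unquote(img["src"]).lower():
            reasons.append(HAS_ADDR)
        # The identifier is the deciding sign; size and host only add weight.
        if HAS_ID in reasons or HAS_ADDR in reasons:
            findings.append((img["src"], reasons))
    return findings

# Constructed sample: the post's altered markup plus three ordinary images.
SAMPLE = (
    '<img src="http://images.example.com/logo.gif" width="200" height="60">'
    '<img src="http://images.example.com/sale.gif" width="400" height="120">'
    '<img src="http://images.example.com/foot.gif" width="400" height="30">'
    '<img src="http://WebBugs.com/1x1.dyn" border="0" alt="" width="1" height="1">'
    '<img src="http://WebBugs.com/1x1.dyn?0jlGqqqZA3wp56TKzUH" width=1 height=1>'
)
```

Calling find_web_bugs(SAMPLE) reports only the last image, the one carrying the identifier. These are heuristics: an identifier can also be hidden in the path of the URL, which this check does not catch.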
Privacy Policies:
I should note too that for a long time, whenever I received a bugged email, I visited the offending company’s web site to review their privacy policy. Not a single privacy policy that I have seen mentions monitoring to see if/when you open their marketing emails.
Much of html-encoded email is spam. When you open it and trigger a web bug, you’ve just tipped them off that:
- Your email address is active and
- You open spam email
Boy, do spammers love it when you do that!
Sure, detecting and eliminating web bugs is a hassle. I consider web bugs and similar technologies to be little different from snooping on me by peeking in my window. These people have no right to know when or even if I read their email.
Neither 2o7.net nor any of their customers has a right to peek in my window and watch to see if/when I open their email, do they? This is not a rhetorical question. Ask yourself: Does anyone have a right to watch you to determine if/when you read a particular email? Yes or no?
If not then ask yourself this: Does spying on you become any more acceptable just because it can be done remotely? Again, not a rhetorical question. If you said NO, then you agree with me. If you said YES, then would it be OK to place a video camera outside your window to see if/when you read a particular email? That way someone could monitor remotely and determine if and when you open that particular email. Acceptable? I didn’t think so.
“Hold on,” you say, “watching everything you do is quite different from monitoring to see if/when you do one particular thing.” To which I say: Baloney. You’re quibbling over the degree of spying which is acceptable. I’m saying that it is wrong, in principle, for people to spy on me! (And you.)
Historically, encroachments on privacy and liberty occur gradually. It is rare for a free country to become a police state overnight. Web bugs are (pick your metaphor) a foot in the door, the camel’s nose in the tent, the start down a slippery slope. If we don’t rail against this bit of spying now, then we can expect more such spying in the future. Technology is constantly improving.
At one time, it was not possible to determine if/when someone read your email. Now it is.
At one time, it was not possible to determine what music you play on your computer. Now it is.
Just because something is possible, does that make it acceptable? Of course not. Apple assures us that the MiniStore feature does not retain any personally-identifiable information. But, of course, it could. If the music industry had its way, it would probably require such information to be collected and transmitted to their servers.
We don’t know what the future holds. The one thing we know for sure is that spying on us will increase if we don’t stop it now.