My turn in the barrel? Here we go...
The way I see it, Apple has been at the very least, irresponsible in their handling of the Ministore, and quite possibly deceitful. One thing is certain. It's been almost three months since iTunes 6.0.2 and the Ministore were released, and all of the big questions are still unanswered. As a Mac user, some of the blame for it goes to me, and to all of the Macintosh loyal base, for defending Apple without question, as we have been in the habit of doing for years. We have gotten so good at it that Apple only had to keep quiet while the Mac faithful shouted down the critics, but never answered them. If only Sony had invested in customer loyalty instead of the Xbox.
When iTunes 6.0.2 came out on January 10th, the new "Ministore feature" was not announced to the public. There were no press releases for the new Ministore, and the press had no advance notice, as is usually the case.
On that same day, Steve Jobs was on stage at Macworld, giving his keynote speech and showing off all the cool new stuff, but he never mentioned the Ministore.
When Software Update popped onto my screen, and said that there was a new version of iTunes, there was no mention of the Ministore. I was told by Software Update that 6.0.2 was a performance, stability update, and that's all it said.
I guess the first question would be, If Ministore is a feature, put there to enhance the Mac experience, why was Apple trying to hide it, or at the very least not draw attention to it?
Those who were paying attention, or using "Little Snitch," figured out quickly that this new feature was phoning home, a lot! At that point things got a bit pear shaped because people assumed the Ministore was sending A) their entire Hard Drive, or B) their entire iTunes catalog to somebody.
Neither of these things were true, but the main issue was unavoidable.
Apple had installed software that was monitoring and reporting back to them about files on our local networks. It did it without asking, without telling us what information was being reported, without telling us who the information was being sent to, and without telling us what the information was to be used for.
You know, ... Spyware!
Every Mac blog and website was writing about "Apple's Spyware". Anyone reading this who doesn't think Apple was watching and probably sweating a little, must have missed the Sony drama just two months earlier. I'm not saying that the Ministore is as bad as a rootkit. I'm saying that bad PR can take on a life of its own, and everyone on the internet was already a bit paranoid because of Sony. Apple knew the situation, so what do you think they did?
Did they speak up and explain? Not a word. Did they post about people's concerns on their website? Not a pixel!
It was left to the online community to find out what was going on, and to their credit, they did.
Merlinmann and Since1968.com found that... "if you launch iTunes on a Mac with the new MiniStore open (and it's open by default), iTunes attempts to contact 207.net, otherwise known as Omniture." http://since1968.com/article/155/omniture-itunes
To make matters worse, Omniture tries to hide behind a fake local address, to fool users into believing that what they are seeing is a LAN communication. Why would a company with nothing to hide do something so deceitful? Hmmm.
Michael Griffin and Kirk McElhearn discovered that the Ministore was sending quite a bit more than just the name of a song. Part of the information sent is your Apple ID. http://www.mcelhearn.com/article.php?story=20060112175208864
That's important enough to say again.
PART OF THE INFORMATION SENT IS YOUR APPLE ID!
To make matters worse, all of the information sent, including the Apple ID, is sent in cleartext, which is a violation of Apple's own "Customer Privacy Statement".
It says, in part....
"The Apple Online Store and iTunes Music Store use Secure Sockets Layer (SSL) encryption on all web pages where personal information is required. To make purchases from the Apple Online Store or iTunes Music Store, you must use an SSL-enabled browser such as Safari, Netscape Navigator 3.0 or later, or Internet Explorer. Doing so protects the confidentiality of your personal and credit card information while it's transmitted over the Internet." http://www.apple.com/legal/privacy/
Is your Apple ID "personal information"? I'm pretty sure mine is.
So, do you think Apple recalled the software? Not on your life! Did they call a press conference or issue a public statement or send e-mails to everyone at .Mac? No. The only sign that Apple was aware of the problem at all, was from a Macworld editor, who said that, "an Apple official told Macworld that the iTunes MiniStore feature does not collect any information from users." http://www.macworld.com/weblogs/editors/2006/01/ministore/index.php
Ah, well, case closed then, right? Nothing to see here, right?
This is where I must part ways with the "loyal Mac base".
As far as I'm concerned a second hand statement from an un-named source isn't quite good enough to clear up issues this serious. Add the fact that the "answer" did not clear up or even address most of the issues, and was in direct opposition to the facts (I'll explain in a moment), and you may see why I didn't consider it any comfort.
The Mac fans, on the other hand, took this information and ran with it like Johnny Appleseed on crack. Every blog and every forum had a Johnny ready to jump on anyone who typed the word spyware, or adware, or privacy. Within days that one statement had grown into every tool needed to defend Apple.
An actual post.
Post: Well, it seems Apple is responsible for developing spyware and adware in the latest version of iTunes
Johnny: This is false, total BS, and should not be propagated, it has been debunked numerous times.
Boing Boing and Slashdot reported it as "An Apple spokesman (reliable word has it that it was Steve Jobs himself) told MacWorld that Apple discards the personal information that the iTunes MiniStore transmits to Apple while you use iTunes." http://www.boingboing.net/2006/01/11/steve_jobs_apple_dis.html
So now we have a third hand statement that it was Steve Jobs who made the call to Macworld. I'll go out on a limb here and speculate that if it was Steve, Macworld would have said so.
The Channel Register in the UK reported, "...Apple this week contacted a number of websites to insist that the feature not only doesn't record the data it grabs, but when the MiniStore is disabled, no such data is sent back to the ITMS servers." http://www.channelregister.co.uk/2006/01/12/itunes_602_spyware_claim/
So far, I have run across exactly one of these sites other than Macworld above. It was MacOSXhints' Rob Griffiths, and you'll never guess what he wrote!
"I have just received confirmation from Apple directly (from a confirmed source I trust implicitly) that absolutely no information is being collected from the MiniStore (though clearly data is sent to make the feature work)... ...So I'll apologize for jumping to conclusions, but not for helping bring the issue to light. And thanks to Apple for clarifying that no data is collected; you didn't have to contact me directly, yet you did, and I appreciate that." http://www.macosxhints.com/article.php?story=20060111071001306&lsrc=osxh
That's right! Another second hand quote from an un-named source! I'm starting to see a pattern here, and a puzzle.
Apple Computer is a multinational company with a public relations department that knows how to issue a press release, and a website that is designed to inform their customers about Apple products, so why was such an important statement only issued second hand by a source who didn't want to be named?
I can think of one reason. Deniability. Please feel free to post any other reasons that you feel I might have missed.
Why do I say that the "statement" was in direct opposition to the facts?
1) Omniture's main source of income is reading log data from web sites, and reporting trends over time. What use is sending them information, if they don't keep it long enough to establish any useful trends?
2) The Apple ID is sent to Omniture. Not only is this the mother of all "personally identifiable" information, but it has no use here if the information is not kept. The IP address, sent with every internet transmission, is all that is needed to get the right ads to the right computers.
3) As a former webmaster, I know that the servers where those ads are stored keep logs of every request for information, and of every ad sent out.
Apple's "Customer Privacy Statement" confirms this.
"As is true of most Web sites, we gather certain information automatically and store it in log files. This information includes internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data.
We use this information, which does not identify individual users, to analyze trends, to administer the site, to track users' movements around the site and to gather demographic information about our user base as a whole. Apple will not use the information collected to market directly to that person." http://www.apple.com/legal/privacy/
Doesn't the last sentence sound kind of silly, considering what the Ministore is for?
When you add the Apple ID to the server logs, every bit of information is "personally identifiable".
Some people are thinking... "Where's the problem? I don't care who knows what music I listen to".
There are many problems. Here's one. Apple makes it plain in the EULAs and the Privacy Statement, that they collect information when you "interact" with them. Go to their web site, go to the iTunes music store, call them, visit the Apple store, or post on their forums, and you can expect Apple to collect some information. They tell you they are going to do it.
Everyone understands that when you are on the internet or Apple's servers (the WAN), you are being observed and the information is logged. Now Apple is getting you comfortable with the idea that it's OK to observe you and collect data while you are on your private system (the LAN). They are doing it with small unimportant bits of information so you don't really notice or care, but the precedent has been set. Using an unimportant bit of data like what song you are listening to, Apple has made a huge step toward blurring the line between public and private.
I suppose a good lawyer could make the case that when you use the iTunes software, you are "interacting" with Apple. If you accept this, opening the door for other software developers to make the same claim, who will be next? QuickBooks? Adobe? Microsoft? Is it OK for them to look over your shoulder while you use their software?
To date, Apple has not made a single public statement on any of this.
To be fair, I should point out that Apple has put a page up in their Knowledge Base (#303066), titled "How to show and hide the Ministore in iTunes".
I don't consider this very relevant because, A) it does not address any of the important questions, and B) a single page, buried deep in Apple's site, with no obvious links to it, didn't really help anybody. The only relevant information on it was; "iTunes sends data about the song selected in your library to the iTunes Music Store to provide relevant recommendations. When the MiniStore is hidden, this data is not sent to the iTunes Music Store."
Hardly a complete answer, in so many ways.
On the Apple forums, any thread that was critical was locked. Any post that was critical or asked too many pointed questions, was removed. If I put this post on Apple's forum, in the iTunes area, it wouldn't last an hour. I know this because Apple has removed two of my posts, and locked 4 threads after I posted on them.
Of course I could be wrong about all of this.
It may turn out that Omniture being sent information was a mistake, and that sending your Apple ID was a software bug. The press release got sent to the wrong e-mail address, a server crashed without backing up first, and the only information lost was for the Ministore, and for the how-to page titled "Running OSX on a Dell". Since the beginning, the information from the server logs has been automatically wiped 512 times a second ... and I need a tin foil hat.
Well, Apple? Is that what happened? How about filling us in? How come you didn't call me?
Anyone else have the answers and want to speak on Apple's behalf? I'm all ears (and tinfoil).
Lampie The Clown
Mac Addict since 1985