Apple’s sneaky iTunes personal information leak

As (re-)discovered in a recent TechBlog article, Apple is embedding personal information in downloads from its iTunes music store. Presumably this is a way to help catch the “low-hanging fruit” among those who partake in unauthorized copying. Casting aside the ethical issues, this is rather horribly misguided if that’s Apple’s reason.

Consider the following situation: Alice hosts a party where several guests (Bob, Charlie, and a few other close friends of hers) are in attendance. Mallory crashes the party (or even attends as a friend of one of the other guests; it’s really kind of immaterial) and snarfs some of the music files from Alice’s collection, with Alice’s name and e-mail address in them. The next morning, they wind up on a Web server run by Mallory, with a Tor hidden service address.

Now, nobody downloading these files will know anything about Mallory. Well, obviously they’ll know some Tor user put these up on a hidden service. But all they will see in the files is Alice’s e-mail address, and probably assume she’s the one who has shared the files.

This can happen any number of ways: stolen storage media strikes me as one of the more likely ones (in fact, Mallory may well have sticky fingers when it comes to USB flash drives in the above example). But I think it’s a great reason why this kind of information should not be in downloaded media files.

Not to mention Dwight does a great job of showing how easy this is to circumvent (converting to MP3). I would not even be surprised if there’s a way to configure a decoder to write the exact same encoded audio sans most of the tags.
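To see whether a purchased file of your own carries an e-mail address before it ever leaves your machine, this added example (not code from the original post, the TechBlog article, or Apple) walks the MP4 box structure and reports where under `moov` an address appears. It assumes the download is an MP4/M4A container, which the post does not spell out; `box`, `walk`, `find_emails`, the `xtst` item name and the sample address are all hypothetical.

```python
import re
import struct

EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CONTAINERS = {b"moov", b"udta", b"meta", b"ilst"}

def box(kind, payload):
    """Build one MP4 box: 32-bit big-endian size, 4-byte type, payload."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

def walk(buf, start, end, path=()):
    """Yield (path, payload) for every leaf box found in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1:  # a 64-bit size follows the type field
            if pos + 16 > end:
                break
            size = struct.unpack_from(">Q", buf, pos + 8)[0]
            header = 16
        elif size == 0:  # box runs to the end of its container
            size = end - pos
        if size < header or pos + size > end:
            break  # truncated or corrupt box: stop rather than misparse
        body, here = pos + header, path + (kind.decode("latin-1"),)
        # Children of 'ilst' are tag items that wrap their own 'data' boxes.
        if kind in CONTAINERS or path[-1:] == ("ilst",):
            if kind == b"meta":
                body += 4  # 'meta' is a full box: skip version and flags
            yield from walk(buf, body, pos + size, here)
        else:
            yield here, buf[body:pos + size]
        pos += size

def find_emails(buf):
    """Return sorted (box path, address) pairs found in metadata under moov."""
    hits = set()
    for path, payload in walk(buf, 0, len(buf)):
        if path[0] != "moov":
            continue  # ignore the audio payload (mdat) and other top-level boxes
        for m in EMAIL.finditer(payload):
            hits.add(("/".join(path), m.group().decode("ascii")))
    return sorted(hits)

# Constructed sample; 'xtst' is a made-up item name and the address is fake.
item = box(b"xtst", box(b"data", struct.pack(">II", 1, 0) + b"alice@example.com"))
meta = box(b"meta", b"\x00" * 4 + box(b"ilst", item))
SAMPLE = (box(b"ftyp", b"M4A \x00\x00\x00\x00") + box(b"moov", box(b"udta", meta))
          + box(b"mdat", b"\x00" * 16))
print(find_emails(SAMPLE))
```

For a real file, pass the result of `open(path, "rb").read()` to `find_emails`; an empty list means no address was found in the metadata boxes this walker covers.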