Vassar Technology Today | Think you're alone when you're not online? Think again

Matthew Leung Columnist

Everyone seems to know a little about internet security issues these days. Viruses, Trojans, spyware and all other security hazards are familiar terms. But, if you have a robustly secured personal computer behind a firewall with no vulnerabilities, how much personal information and user activity information is still vulnerable to outside snooping?

By merely connecting to the Internet, activities that you perform on your computer, including those that have nothing to do with the Internet, such as listening to music and watching movies, are vulnerable to outside snooping no matter how secure your computer may be.

With the spotlight focused on the vulnerabilities of an unsecured computer, surprisingly little attention is paid to the vulnerabilities that even secured computers face.

One source of insecurity within a secured computer is that many popular applications are designed to legitimately leak information on user activities onto the Internet.

One example of such a programmatic mole is Windows Media Player (WMP). The problem started a few years ago with an earlier version, WMP 8, which came pre-loaded with Windows XP. Each time a song or movie was played, WMP sent the name of the song or movie to Microsoft’s servers, which kept a running log. Users were not notified of this in the application’s privacy policy. As WMP requires connection to the Internet for other purposes such as program updates, firewalls did not prevent this logging.

In the later versions (up to version 11 for Vista), Microsoft has gotten rid of logging and has created options for users to choose whether any exchange of information with the Web is made at all when a song or movie is played. By default, however, WMP still exchanges information with the Web in order to obtain album art and descriptions to complement media that users play.

Ruckus, the ad-supported free music download service, followed a path similar to Microsoft’s with its multimedia player, which users are required to install in order to download songs. Each user has a public profile that logs the downloaded songs. As users listen to the songs on the privacy of their computers, their profiles, visible to all users of Ruckus, update in real time which songs the user has played and number of times each song is played.

Users would have to manually go into the options menus of the player to disable this feature. Obsessions with particular songs are bound to be publicly disclosed!

iTunes is not exempt either. In 2006, users discovered that Version 6 of iTunes sent names of songs in the users’ playlists to Apple’s servers. Since then, Apple promised that it would not keep track of which users listen to which songs. However, this communication is required, even in the latest version of iTunes, for users who want to purchase songs from iTunes, as the only way to disable this communication is by turning off the ministore.

Each song purchased through iTunes is also embedded with the user’s account information in plain text. Sharing songs from iTunes with others also means sharing your personal information with them. In contrast, competitors such as eMusic do not embed user information into music files.

In Windows XP and Vista, the license agreement also explicitly states that some components of the operating system may connect to the Internet and send identifying information to Microsoft without notice. While Microsoft promises not to uniquely identify or contact users based on the information received, users do “consent to the transmission of this information” by accepting the license agreement.

One known consequence of this consent is that Windows updates its system files via the Internet without the user’s knowledge, even when automatic update is turned off.

Similar provisions apply for the Mac OS X, but in a more vague way: Its license agreement does not state whether identifying information may be sent to Apple without notifying the user, but its license agreement does warrant this action.

As long as you are online, there’s no escape: Your footprints far beyond the standard Internet Protocol address will be visible no matter how secured your system is. And Microsoft, the privacy violator most often portrayed in the media, is not the sole perpetrator here. But compared to the offline world, where serial numbers and unique identifying information are on many of the products that we use, this situation might not be that gloomy. Or much gloomier, depending on your standards.