First 4 vs. Sysinternals, and some thoughts on tracking users

Circling back to where it all started at the Sysinternals blog, Mark Russinovich has had some back and forth with First 4 Internet, the authors of the DRM in use on Sony BMG’s CDs. The upshot: they attempt to rebut four points about the nature of the new patch for their DRM, and Mark responds to each of them in turn. A few thoughts on one of the points, the “phone home” question:

Between the two of them, Mark and First 4 identified that the Aurora XCP player loads banners from a Sony-controlled web site during playback. Mark suggests (and mentions in an earlier post) that the requests from the player could be used together with an IP address to monitor customer behavior. First 4 denies the claim, but Mark says the lack of mention in the EULA of the communication with Sony leaves the question open as to whether the player can help track user behavior.

Based on my experience with studying online behavior, I think Mark’s fears of privacy violations from the communication with Sony’s servers are a little overblown. The Aurora player sends a request for an ID number, and the server has access to the IP address of the requester, true. But IP address alone is a highly unreliable way to identify an individual. Anyone connecting to the Internet through a proxy server, including not only corporate users but also the vast masses of AOL users, would show up with the IP address of the proxy. So if Sony is relying on IP address to identify an individual for analysis purposes, they deserve the bad stats that they get.

It is worth noting, however, that the logs of the player’s requests could be used to gather statistics on how users, in aggregate, interact with the disc–how often it’s played, at what time of day, even, potentially, the general location of the user playing it (again, based on that unreliable IP address). If that’s the case, then as a marketer I would want to pass more information than just the disc ID–at a minimum, I would want the track ID too so I could identify potential singles based on play frequency of album tracks.
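As an added illustration (not from the original post, nor from Sony or First 4), the Python below runs over a few constructed log lines to show what a server could derive from such requests: play counts and time of day per disc ID, plus how IP-based identification merges listeners behind a shared proxy and splits one listener whose address changes. The `/banner?id=` request form, the log format and every address are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: (true listener, Common Log Format line). The listener
# label is ground truth for the demo only; a real server log never has it.
# The /banner path and id parameter are hypothetical.
SAMPLE = [
    ("alice", '203.0.113.10 - - [15/Nov/2005:20:05:11 +0000] "GET /banner?id=1001 HTTP/1.1" 200 512'),
    ("bob",   '198.51.100.7 - - [15/Nov/2005:20:17:40 +0000] "GET /banner?id=1001 HTTP/1.1" 200 512'),
    ("carol", '198.51.100.7 - - [15/Nov/2005:21:02:03 +0000] "GET /banner?id=1001 HTTP/1.1" 200 512'),
    ("dave",  '198.51.100.7 - - [16/Nov/2005:08:30:00 +0000] "GET /banner?id=2002 HTTP/1.1" 200 512'),
    ("alice", '203.0.113.99 - - [18/Nov/2005:20:45:09 +0000] "GET /banner?id=1001 HTTP/1.1" 200 512'),
]

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /banner\?id=(\d+) ')

def parse(line):
    """Return (client IP, timestamp, disc ID), or None for unrelated lines."""
    m = LINE.match(line)
    if not m:
        return None
    ip, stamp, disc = m.groups()
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"), disc

def aggregate(lines):
    """What the log supports: plays, hour-of-day and distinct IPs per disc."""
    plays, by_hour, ips = Counter(), defaultdict(Counter), defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, when, disc = rec
        plays[disc] += 1
        by_hour[disc][when.hour] += 1
        ips[disc].add(ip)
    return plays, by_hour, ips

def ip_vs_listeners(sample):
    """Compare 'users' inferred from IPs with the ground-truth listeners."""
    by_ip, by_person = defaultdict(set), defaultdict(set)
    for person, line in sample:
        rec = parse(line)
        if rec:
            by_ip[rec[0]].add(person)
            by_person[person].add(rec[0])
    merged = {ip: sorted(p) for ip, p in by_ip.items() if len(p) > 1}
    split = {p: sorted(i) for p, i in by_person.items() if len(i) > 1}
    return merged, split
```

In this sample the aggregate numbers are exact, while the proxy address stands for three different listeners and one listener appears under two addresses.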

Bottom line: if Sony really is tracking anything through this banner rotation, I think it’s unlikely that they’re getting anything of real business value, and they certainly aren’t violating user privacy any more than a website of artist information does by tracking how often a page is loaded. In fact, the player is likely violating user privacy less, since there’s no evidence that it is sending or requesting a cookie from the user, unlike most marketing-oriented web sites.

This isn’t to let either Sony or First 4 off the hook. If anything, the dangers created by the rootkit decloaker prove my point that these folks are not to be trusted with holding one’s coat, much less installing software on one’s computer. Mark puts it better: “First 4 Internet’s failure to imagine this control flow [that crashes XP] is consistent with their general failure to understand Windows device driver programming.”

  1. The PC Doctor Says:

  2. modelnine Says:

    Have you actually realised what you’re saying here? People cannot be tracked if they are behind a proxy? That’s just utter bullshit, as most proxies send an X-Redirect-From: <your old IP> header.

    You cannot be tracked if you are behind an anonymizing proxy (which doesn’t send the header and spreads traffic you create among several similar machines so that you can’t be tracked by the IP of the proxy-machine itself). But: who actually is? I’m not (costs $$$$$). And: in the age of Cable and DSL, your IP only changes once a day, probably even less often.

    Get a grip on data and web privacy before you start talking about it.

  3. Tim Says:

    Take a look at IP addresses you see from AOL–still a significant source of users on the everyday Internet–and tell me if they send an X-Redirect-From header. I did generalize about proxies, and failed to distinguish between anonymizing and regular proxies–bad habit from the days that I did web stats for Microsoft’s corporate site, when AOL users were a significant portion of our traffic and we could not rely on the IP address to get session data for about 1/3rd of our visitors.

    Thanks for your comments. Please assume less in the future.

  4. modelnine Says:

    Okay, maybe I was unfair, but over here in Europe AOL is just a slim, slim slice of the whole cake of providers. And I actually know of no other provider over here which has a mandatory web proxy or anything else similar (my provider doesn’t even offer a proxy).

    There are lots of people who actually own DSL/ADSL, and if you take me (with a standard ADSL-flatrate 6MBit/s, not from AOL ;-) ) I change my IP about once every three days.

    That basically means: track me by my IP, and you get quite detailed usage statistics about my Internet usage.

    And I’m not the only one who fits this profile. There are quite a few other people I know who happen to have about the same degree of permanentness in their net-connection. And the number of people with ADSL is ever growing.

