Richard M. Smith — the privacy expert who makes it a point to find out whether software, systems or networks are monitoring
consumers — has authored a detailed report on what he called “serious privacy problems” with Microsoft Corp.’s Windows Media Player for Windows XP.
Microsoft denied any foul play and said its privacy policy regarding DVDs has since been amended.
The root of the problem is in the Redmond, Wash. software firm’s design for XP, which Smith said lets Microsoft individually track what DVD movies
consumers are watching on their Windows PC. Basically, every time a DVD is played on a PC, the Windows player contacts a Microsoft
Web server to get title and chapter information for the DVD, so the firm has a record of what a person is watching.
Smith claimed the Web server then “phones home,” or gets an electronic fingerprint of the DVD movie being played and a cookie which
identifies a particular WMP player. In an example of this, Smith used a packet sniffer to watch WMP make queries to
a Microsoft server each time a new DVD movie was played. He said the first HTTP GET request sent by WMP identified the movie being
played.
Smith said the hex numbers at the end of the URL are an electronic fingerprint for the DVD table of contents which uniquely identifies
the DVD. The privacy expert also detected an anonymous cookie, which he said uniquely identifies his WMP player. However, Smith said that there did not seem to be personal value assigned to this cookie and Microsoft adamantly confirmed this.
Smith postulated a few theories about why Microsoft allows all of this in its software, including notions that the software firm is
using the DVD info for direct marketing purposes, or for aggregating statistics about what DVD movies
are the most popular. He also said Microsoft may be doing nothing with this, which is exactly the case according to Microsoft.
Still, Smith would like the DVD information feature removed altogether, or at least turned off by default.
“The feature can be made privacy-friendly very easily, by having WMP never send in cookie information with movie title requests,”
Smith said. “This change will prevent Microsoft from tracking individual movie viewing choices.”
In response to Smith’s concerns, Microsoft’s Lead Manager for the Windows Digital Media Division David Caulton denied that his firm
was in any way trying to keep such a pulse on what consumers watch.
Caulton said he and his team thoroughly reviewed Smith’s points and “do not believe the DVD metadata lookup process in MPXP presents
a user privacy concern.”
“While the MPXP privacy statement discusses cookies in general, we plan to amend it to specifically include DVD lookup,” Caulton
said. “We also will make it clear that we do not associate this cookie with personally identifiable information.”
Microsoft confirmed that the policy has been updated.
Microsoft’s full response to Smith’s concerns and questions is here.