The RealJukeBox monitoring system



Richard M. Smith (rms@computerbytesman.com)
October 31, 1999

Recently, I downloaded and installed the RealJukeBox player software on my Windows 98 laptop. The player is available at no charge from RealNetworks at http://www.real.com. It can be used to play music CDs, as well as record them to music files on a hard disk for future playback. Since its release in the summer of 1999, more than 12 million copies of the software have been downloaded.

Unfortunately, I quickly discovered that the RealJukeBox software is sending off information to RealNetworks about what music CDs I listen to, along with a unique player ID number that identifies who I am. I also found that RealJukeBox sends back to RealNetworks, on a daily basis, information on how I am using the product. It reports things like how many songs I have recorded on my hard drive, the type of portable MP3 player I own, and my music preferences.

This monitoring system, built into the RealJukeBox software, has the potential to be used as a powerful profiling system to help market new CDs and related products at the expense of personal privacy. The remainder of this write-up documents how the monitoring system is implemented and some of its potential uses and/or misuses.

RealJukeBox is now the default music CD player on my Windows system. I noticed that each time I play a music CD in my computer's CD-ROM drive, the RealJukeBox player shows the name of the CD, the artist, and a list of all songs on the CD. This is a pretty handy feature if one wants to only listen to or record one or two tracks on a CD. All of this information about the music CD is obtained from a Web server at RealNetworks. This information is downloaded in parallel when a CD starts playing.

I decided to put a packet sniffer on the RealJukeBox player to see exactly what information is being transmitted from my computer to the RealNetworks servers. Much to my dismay, I found that in the HTTP GET request for the CD information, the player includes a unique GUID serial number for my copy of the software.

Here is what a sample request looks like:

   GET /query.html?cmd=cddb+query+6f0fe407+7+150+74670+107840+146875+
   196050+215005+256182+4068&hello=realuser+real.com+
   "RealNetworks+RealJukebox"+1.0&proto=4 HTTP/1.0
   Accept: text/html
   user-agent:RealNetworks RealJukebox
   host:cdinfo.real.com
   X-Taiko-AppGUID:3d7460c0-83b6-11d3-a67f-444553540000
   X-Taiko-AppVersion:1.0.0.438
   X-Taiko-AppDistCode:RJ04
   X-Taiko-AppBuildType:FREE
The music CD I am listening to is identified by an "electronic fingerprint" called the TOC numbers, which are passed in the query string of the URL. These TOC numbers are read from the CD (its table of contents). My unique player ID number is sent in the "X-Taiko-AppGUID" HTTP header of the GET request.
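
As an added illustration (not code from this write-up or from RealNetworks), the following Python parses a constructed copy of the request above, pulls out the player GUID, and recomputes the CDDB disc ID from the TOC numbers. It assumes the classic CDDB disc-ID algorithm with the trailing length figure (4068) used as the length term, which reproduces the 6f0fe407 in the request. The point is that the fingerprint depends only on the disc layout, so every copy of a CD yields the same ID, and the GUID header is the only part of the request that tells one listener from another.

```python
import re
from typing import Dict, List, Tuple

# Constructed copy of the CD-lookup request shown above, as raw HTTP/1.0 text.
CD_QUERY_REQUEST = (
    'GET /query.html?cmd=cddb+query+6f0fe407+7+150+74670+107840+146875+'
    '196050+215005+256182+4068&hello=realuser+real.com+'
    '"RealNetworks+RealJukebox"+1.0&proto=4 HTTP/1.0\r\n'
    'Accept: text/html\r\n'
    'user-agent:RealNetworks RealJukebox\r\n'
    'host:cdinfo.real.com\r\n'
    'X-Taiko-AppGUID:3d7460c0-83b6-11d3-a67f-444553540000\r\n'
    'X-Taiko-AppVersion:1.0.0.438\r\n'
    'X-Taiko-AppDistCode:RJ04\r\n'
    'X-Taiko-AppBuildType:FREE\r\n\r\n'
)

def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw request into its target URL and a lower-cased header map."""
    lines = raw.split('\r\n')
    target = lines[0].split(' ')[1]
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        # The player omits the space after ':', so split on the first colon.
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return target, headers

def cddb_disc_id(offsets: List[int], length_s: int) -> str:
    """Classic CDDB disc ID: digit-sum checksum, disc length in seconds, track count."""
    def digit_sum(n: int) -> int:
        return sum(int(d) for d in str(n))
    checksum = sum(digit_sum(off // 75) for off in offsets)  # 75 frames per second
    return '%08x' % (((checksum % 0xff) << 24) | (length_s << 8) | len(offsets))

def inspect_cd_query(raw: str) -> Dict[str, object]:
    """Extract GUID and TOC; check the disc ID sent is what the TOC produces."""
    target, headers = parse_request(raw)
    fields = re.search(r'cmd=cddb\+query\+([^&]+)', target).group(1).split('+')
    disc_id, ntracks = fields[0], int(fields[1])
    offsets = [int(f) for f in fields[2:2 + ntracks]]
    length_s = int(fields[2 + ntracks])   # trailing figure, 4068 in this request
    return {
        'guid': headers.get('x-taiko-appguid'),
        'disc_id': disc_id,
        'disc_id_matches_toc': cddb_disc_id(offsets, length_s) == disc_id,
    }
```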

My assumption is that the same GUID was sent to RealNetworks when I registered my copy of the player. Checking in the Windows 98 registry, I found the following URL that was used by the RealJukeBox player to register my software:

   http://registration.real.com/60ereg/RealJukebox.html?
   cw19q1wnACrfizsCrekm6u92mxx5zgi3t6zgtxort
   6w4w6C1wmB2zgxl3k3ccijdsee4E2b7sA786074fh
   4etx2qmfllpcghsmc4E6smc4E6Csc4E6tmc4E6ehs
   4o9Aj29E6Cpd4E6avhA6awz54E6v2hjuabpfEqcjB
   Cm48rdDvx71x12Eep35s2fvng2E69tABm7kg25i7j
   c2uy7Ehqjm6Et0ry7vCdBke8rtAy744yCm7bvczs7smc4E6
Unfortunately, the registry entry is encrypted so that it cannot be easily read. However, a computer consultant from Australia whom I know, Geoff Chappell, volunteered to decrypt the URL for me. With a few hours of work, he was successful. He found that the following registration information is sent to RealNetworks:
   RealJukebox
   rms2000@bellatlantic.net
   United States
   02446
   RealJukebox
   000000000000100001B6000500007FF7FF00
   RJ04
   Win98
   586
   English
   1.0.0.438
   3d7460c0-83b6-11d3-a67f-444553540000
(Geoff's home page is http://www.ozemail.com.au/~geoffch/)

Geoff was also able to decode the following registry entry for the RealJukeBox player which contains my player GUID:

   [HKEY_LOCAL_MACHINE\Software\CLASSES\Software\RealNetworks\RealJukebox\1.0\Preferences]
   "Rotuma"="gfejehcihjekeicmeoioqpqtprjrktlufkhgkihlhjhkjiplnnmolplqqrlsotoujfighhgi"
It is very unclear to me why all of this secrecy is needed on my own computer.

Because the same GUID (3d7460c0-83b6-11d3-a67f-444553540000) is sent to RealNetworks both at registration time and when I play an audio CD, in theory they know what audio CDs I am listening to. They could, for example, be creating a list of all my CDs and putting this list in a database with my Email address. For pretty obvious reasons, this is very valuable marketing information that could be used by CD retailers to pitch me, via Email, other CDs that match up with my musical tastes.

In addition, the RealJukeBox tracking system might also be useful for detecting music piracy, although I do not have the time right now to investigate this possibility.

The CD Info feature of RealJukeBox is documented in the product and can also be turned off. However, there is no mention of the player GUID number in the documentation, and nothing is said about RealNetworks' ability to identify individual users. In addition, RealNetworks' original privacy policy does not talk at all about the player GUID number, even though it goes into great detail about things like IP addresses, cookies, referring URLs, etc.

However, after I notified RealNetworks of the various privacy problems in RealJukeBox, they did update their privacy policy on Saturday, October 30, 1999 to talk about GUIDs and some of the places they are used. The new privacy policy is available at:

  http://www.real.com/company/privacy.html
Unfortunately, even this version of the privacy policy does not talk about the many uses of GUIDs in RealJukeBox. In addition, the privacy policy does not make it clear that the RealNetworks registration database can be used to turn a GUID into a person's Email address. I've attached the October 30 language to the end of this write-up for review.

I also found that the same player GUID number is sent to RealNetworks for most commands on the "Sites" and "Help" menus of the RealJukeBox software. For example, the "Product Feedback..." selection on the Help menu initially goes to this URL:

   http://presets6.real.com/sitesmenu/rjbhurl.html?
   ms10paElp957kCqldbatljkexuakEfskutu9dhdw581kb30i
   q9g8Cbxm93wabnxhaesD9Cpbkv28ng2C5Epbhai9s6oDads6
   wruzEhkg25i7jc2uy7Ehqjm6Et0ry7vCdBke8rtAy744yCm7
   bvczs7smc4E6xae20ibpfEqctel958rut157CqoBg748d20i
   vpz8sed8pr3c3ujlA85zeoec9iz8se6x4a66b0xcz8n2Cri7nEa6A8
The query string of this URL decrypts as follows:
   ID=618|SN=bad range|
   CS=28800|
   PN=RealJukebox|
   PT=Free|
   PV=1.0.0.438|
   GU=3d7460c0-83b6-11d3-a67f-444553540000|
   OS=Win98 4.10.33044|OL=en-US|
   LP=en-US, en, *|
   LI=1033|DC=Unk
The Feedback page asks for your Email address, but of course, RealNetworks already has it. (As an aside, it probably is important to say only nice things here on this page.)

The same thing happens with the "Sites" menu. When one goes to a music Web site from inside RealJukeBox, the player GUID is sent along in the URL. This allows RealNetworks to synchronize a Web site cookie with registration information. What Web pages you visit can then be matched with your Email address.

Another interesting discovery I made about the RealJukeBox player is that in the morning it sends out information about my usage of the product to RealNetworks. This information includes how many songs I have recorded to my hard disk, what brand of portable MP3 player I own, and my music preferences. My player GUID number is also sent along with this information. All of this information goes inside an HTTP GET request. Here is what my player tells RealNetworks about me in its morning "status report":

   GET /getmusic/msearch.rmp HTTP/1.0
   user-agent:RealNetworks RealJukebox
   host:getmusic.real.com
   X-Taiko-AppGUID:3d7460c0-83b6-11d3-a67f-444553540000
   X-Taiko-AppDistCode:RJ04
   X-Taiko-AppVersion:1.0.0.438
   X-Taiko-AppBuildType:FREE
   X-Taiko-GenrePreference:New Music
   X-Taiko-BackWebInstalled:0
   X-Taiko-EncodingOptions:95780 bps G2 - Un-Encrypted
   X-Taiko-PortableDevices:
   X-Taiko-TotalTracks:11
   X-Taiko-EncodedTracks:12
Pretty obviously, this information can be used both for market research and for "one-on-one" targeting of advertisements. As with the GUID and CD tracking, I didn't find any mention of this "status report" feature in the RealJukeBox documentation.

I got in touch with RealNetworks and received verification that the RealJukeBox player software is indeed doing all the different things I saw with my packet sniffer. However, I was told that RealNetworks servers do not log what CDs individual customers are listening to. The person I spoke to did agree that logging is possible with the current RealJukeBox player software; implementing such a logging system would require changes only at the RealNetworks servers.

The person I spoke to also clarified one point: if the same CD is played multiple times, the RealJukeBox player only asks for information about the CD once and saves the result on the local hard disk.

So why, then, is the GUID sent to RealNetworks servers when my player software is requesting information about a CD? I was told that the GUID is used to validate that someone is a RealNetworks customer. This validation is apparently a requirement of the company supplying the CD database, CDDB, Inc. (http://www.cddb.com). Unfortunately, in my testing this validation feature did not seem to work. I was able to request CD information from the RealNetworks server from Internet Explorer 5, which never sends a player GUID.

This validation scheme also does not explain why the player GUID number is sent when the RealJukeBox "Sites" and "Help" menus are used.

All in all, the RealJukeBox software does entirely too much tracking of how it is being used and reporting of this information back to RealNetworks. I only hope it does not represent a "Brave New World" of consumer electronic devices that send back to media companies what music we listen to, what DVDs we watch, and what TV stations we tune into. As RealNetworks has shown, with an Internet connection these kinds of monitoring systems are far too easy to implement and deploy.

Going forward, I hope to see RealNetworks immediately remove the player GUID number from the RealJukeBox player software. This one small change will eliminate most of the tracking possibilities that exist in the product today. In addition, the daily status report that is sent out about product usage needs to be stopped. For current users of the RealJukeBox software, I believe the right thing for RealNetworks to do is to notify users via Email of the privacy problems and offer them a patch on the RealNetworks Web site that can be downloaded to fix the problems.
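
The recommendation above is to remove the player GUID from what the software sends, and the morning "status report" earlier shows the other X-Taiko-* headers that carry usage telemetry. As an added example (not the author's or RealNetworks' code), this Python filter, of the kind a local proxy or egress rule could apply, strips both from a constructed copy of the status-report request while keeping the version and build headers, and reports what it removed. The keep-list is my assumption, chosen because the CD lookup described above worked without any GUID at all.

```python
from typing import List, Tuple

# Constructed copy of the morning "status report" request quoted earlier.
STATUS_REPORT_REQUEST = (
    'GET /getmusic/msearch.rmp HTTP/1.0\r\n'
    'user-agent:RealNetworks RealJukebox\r\n'
    'host:getmusic.real.com\r\n'
    'X-Taiko-AppGUID:3d7460c0-83b6-11d3-a67f-444553540000\r\n'
    'X-Taiko-AppDistCode:RJ04\r\n'
    'X-Taiko-AppVersion:1.0.0.438\r\n'
    'X-Taiko-AppBuildType:FREE\r\n'
    'X-Taiko-GenrePreference:New Music\r\n'
    'X-Taiko-BackWebInstalled:0\r\n'
    'X-Taiko-EncodingOptions:95780 bps G2 - Un-Encrypted\r\n'
    'X-Taiko-PortableDevices:\r\n'
    'X-Taiko-TotalTracks:11\r\n'
    'X-Taiko-EncodedTracks:12\r\n\r\n'
)

# Assumed keep-list: version/build info only. Every other X-Taiko-* header is
# either the persistent identifier (AppGUID) or usage telemetry, and is dropped.
KEEP = {'x-taiko-appversion', 'x-taiko-appdistcode', 'x-taiko-appbuildtype'}

def strip_tracking_headers(raw: str) -> Tuple[str, List[str]]:
    """Return the request minus identifying/telemetry X-Taiko-* headers,
    plus the names of the headers that were dropped."""
    head, sep, body = raw.partition('\r\n\r\n')
    kept, dropped = [], []
    for line in head.split('\r\n'):
        # The request line has no colon, so it falls through untouched.
        name = line.partition(':')[0].strip()
        if name.lower().startswith('x-taiko-') and name.lower() not in KEEP:
            dropped.append(name)
        else:
            kept.append(line)
    return '\r\n'.join(kept) + sep + body, dropped

def has_guid(raw: str) -> bool:
    """True if any header line still carries the player GUID."""
    return any(line.lower().startswith('x-taiko-appguid:')
               for line in raw.split('\r\n'))
```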

Copyright (C) 1999 Richard M. Smith



   Language added to the RealNetworks privacy policy on
   October 30, 1999 about the use of GUIDs in RealNetworks'
   software products

   http://www.real.com/company/privacy.html


   "A Globally Unique Identifier (GUID) is an alpha-numeric identifier
   that is randomly generated by a RealNetworks consumer application
   during installation. RealNetworks uses publicly documented
   standards to create a GUID. A GUID is used to indicate a unique
   installation of one of RealNetworks products, and is found in
   many popular software applications. A GUID does not contain or
   identify any personal information such as your name or email.

   A RealPlayer GUID is sent to a RealServer when you initiate a
   streaming media session. The RealServer only uses the GUID for
   authentication when you request limited-access streaming content.

   RealNetworks uses GUIDs for statistical purposes and to
   personalize the services that are offered within our products. We
   may use GUIDs to understand the interests and needs of our users
   so that we can offer valuable personalized services such as
   customized RealPlayer channels. GUIDs also allow us to monitor
   the growth of the number of users of our products and to predict
   and plan for future capacity needs for customer support, update
   servers, and other important customer services."