In particular, the privacy problems with WMP version 8 are:
Using a packet sniffer I was able to observe WMP making these queries to a Microsoft server each time a new DVD movie was played. The packet sniffer also showed the movie information which was returned to WMP by the Microsoft servers.
The first HTTP GET request sent by WMP identified the movie being played. For example, an HTTP GET request is made for this URL for the "Dr. Strangelove" DVD:
The hex numbers at the end of the URL are an electronic fingerprint for the DVD table of contents which uniquely identify the "Dr. Strangelove" DVD.
This URL is sent to WindowsMedia.com, Microsoft's Web site dedicated to the WMP software.
The HTTP GET request also included a ID number in cookie which uniquely identifies my WMP player.
Here's what this cookie looks like:
By default, this cookie is anonymous. That is, no personal information is associated with the cookie value.
However, if a person signs up for the Windows Media newsletter, their email address will be associated with
their WindowsMedia.com cookie. For example, when I signed for the Windows Media newsletter, the following
URL was sent to Microsoft servers:
The same windowsmedia.com cookie value will be sent back to Microsoft servers when signing up for the newsletter
and when a DVD moive is played. In addition, using various well-known "cookie synch" tricks, an email address can
be associated with a cookie value at any time.
Also when subscribing to the Windows Media newsletter, I was encouraged by an email message from the Microsoft newsletter department to create a Passport account based on my email address. In theory, yet more personal information from Passport could be matched with what DVD movies I have watched. There is no evidence however that Microsoft is making this connection.
The WindowsMedia.com cookie was assigned to my computer the first time I ran WMP. The lifetime of the cookie was set to about 18 months. This cookie gives Microsoft the ability to track the DVD movies that I watch on my computer.
After a series of redirects from the WindowsMedia.Com server, information about the "Dr. Strangelove" movie was returned in this XML
WMP extracted movie information from this file and then added this information to a database file,
named wmplibrary_v_0_12.db, which is located on my hard disk in the directory
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index".
I didn't see any method of removing movie information from this file, so it appears
to me that the file keeps a complete record of all movies watched that have ever been watched on my computer.
If Microsoft feels that this feature is important to leave in WMP, then I think it should be turned off by default. The feature can be made privacy-friendly very easily, by having WMP never send in cookie information with movie title requests. This change will prevent Microsoft from tracking individual movie viewing choices.