Windows Media is watching you

Summary: Microsoft changes its privacy policy after a security expert warns that Windows Media Player keeps track of the DVD titles people watch in a special database.

Microsoft on Wednesday amended the privacy policy for its Windows Media Player after a noted computer security expert warned that the software keeps track of the DVD titles people watch.

In a Web advisory, computer privacy and security consultant Richard Smith detailed what he termed "a number of serious privacy problems" with the Windows Media Player for the Windows XP operating system.

The posting flagged a feature that allows Microsoft to log what DVDs play on a particular PC through the use of an electronic tracking file known as a "cookie."

"Each time a new DVD movie is played on a computer, the WMP software contacts a Microsoft Web server to get title and chapter information for the DVD," Smith wrote in his advisory. "When this contact is made, the...server is giving an electronic fingerprint which identifies the DVD movie being watched and a cookie which uniquely identifies a particular (Windows Media Player). With (these) two pieces of information, Microsoft can track what DVD movies are being watched on a particular computer."

In addition, the player creates its own database of all DVD titles watched, Smith wrote.

Smith went on to criticize the Windows Media privacy policy, which as of Tuesday did not disclose the DVD reporting feature.

In response, Microsoft said that it had changed its privacy policy Wednesday morning.

"It is now amended," said David Caulton, lead product manager for Microsoft's Windows Digital Media division. "As of this morning, we have updated the policy to specifically call out that DVD metadata involves a call to the network and a cookie."

The metadata at issue lets people using WMP and XP navigate through DVDs with more information than simple track numbers. The metadata, including track titles, DVD cover art, and credits, sits on the WindowsMedia.com Web site, from where the player retrieves it.

To keep track of what metadata a particular computer has already downloaded, the WindowsMedia.com server assigns the querying computer a cookie, as do most media and commerce Web sites. But until the privacy policy was amended, Microsoft did not specify how it was connecting the information it was gathering, leaving consumers and privacy and security gadflies such as Smith to spin their own scenarios.

"Microsoft can be (using) DVD title information for direct marketing purposes," Smith speculated in his advisory. "For example, the WMP start-up screen or e-mail offers can be customized to offer new movies to a WMP user based on previous movies they have watched. Microsoft can be keeping aggregate statistics about what DVD movies are the most popular."

Microsoft denied that the information collected would let it target individual users.

"One thing Smith says that's simply wrong is that e-mail offers could be customized," Caulton said. "We don't have any information about who user No. 345216436 is, so there's no way to send them e-mail."

Caulton contended that Microsoft's cookie did not give the company any individually identifying information, that customers concerned about it could disable cookies in their browser, and that the database on the computer hard drive--which lets people access downloaded DVD metadata when they're offline--was stored in a proprietary, machine-readable format that could not be easily read by a third party.
