RealNetworks rewrites privacy policy

Hoping to placate critics, RealNetworks changes privacy statement

In the wake of public backlash regarding its secret collection of user data, media software maker RealNetworks changed its Web site's privacy statement this weekend to more accurately reflect the data collection practices of its RealJukebox music software.

The three new paragraphs, added to the company's privacy policy, admit that RealNetworks had, until now, been quietly collecting information about the music to which its users had listened.

While RealNetworks could not be reached for comment, the Seattle-based company also issued a statement apologizing for any inappropriate collection of data.

"We made a mistake in not being clear enough to our users about what kinds of data was being generated and transmitted by the use of RealJukebox," said Rob Glaser, RealNetworks' chairman and CEO, in the statement.

"We respect and value the privacy of our users and we deeply apologize for doing anything to suggest otherwise." RealNetworks has pledged to release a 67KB patch to the software that will deactivate the data-collection function of the software. Any software downloaded from its site will also have the data-collection function deactivated.

Nonetheless, critics were not placated by the company's admissions. "This disclosure is far from adequate. The fact that they sneaked it in over Halloween does not inspire confidence," said Jason Catlett, president of privacy advocate Junkbusters.

The changes address the Seattle company's use of a software tag, known as a globally unique identifier or GUID, that links data from a program, such as Real's RealJukebox digital music software, with a particular user.

'This disclosure is far from adequate -- the fact that they sneaked it in over Halloween does not inspire confidence.' -- Jason Catlett, Junkbusters.

The New York Times reported Monday that RealNetworks had been using the GUID to capture data about what music its users listened to. The Times story was published after Richard Smith, former president of Phar Lap Software and independent security consultant, posted a lengthy explanation of the privacy violations on Sunday.When users insert a CD into their PC, the RealJukebox player gets title and artist information from the CD Database, or CDDB.

The request, however, is paired with the user's GUID and rerouted through Real's servers, allowing the company to collect data on its users.In the new privacy statement, Real explained how it used the information.

"Real Networks uses GUIDs for statistical purposes and to personalize the services that are offered within our products," stated the privacy policy. "We may use GUIDs to understand the interests and needs of our users so that we can offer valuable personalized services ... GUIDs also allow us to monitor the growth of the number of users of our products and to predict and plan for future capacity needs."

The new information contained in RealNetworks' privacy statement explains what the GUID is and stressed that other applications use the identifier as well.

While the updated statement claims that "a GUID does not contain or identify any personal information such as your name or email," the identifier can link to such personal information -- essentially matching the user with their musical tastes.

Junkbusters' Catlett sent an open letter to RealNetworks, stating that "this surreptitious transfer of information without the consumer's knowledge or consent is a kind of "Trojan Horse'' attack that should constitute "exceeding authorised access'' under the Computer Fraud and Abuse Act of 1986... a criminal offence."

Catlett has sent the letter to the Seattle office of the FBI for review.