Saturday, December 25, 2010

Personal Information in Amazon MP3 Files

A few days ago I wrote about Amazon placing personally identifiable information within MP3 files. Here is an example, taken from near the beginning of an MP3 I downloaded recently.

<?xml version="1.0" encoding="UTF-8"?>
<uits:UITS xmlns:uits="http://www.udirector.net/schemas/2009/uits/1.1" 
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <metadata>
    <nonce>Yvjd12Il</nonce>
    <Distributor>Amazon.com</Distributor>
    <Time>2010-10-24T04:41:17Z</Time>
    <ProductID 
       type="UPC" 
       completed="true">
      10731458698620
    </ProductID>
    <AssetID 
       type="ISRC">GBAAN0200016
    </AssetID>
    <TID version="1">
      plaIo2V1UdVjRvVYo2vBICme1kF4PYav
    </TID>
    <UID version="1"> MY USERID HERE </UID>
    <Media algorithm="SHA256">
      4fda5179408e867619d5321b804fd1d16cb1ffd4f3d3485b48c241f803444897
    </Media>
  </metadata>
  <signature 
     algorithm="DSA2048" 
     canonicalization="none" 
     keyID="9b3a698acfcfea37b486aba46bdfb50c92b8f7fe">MC4CFQCLUjy5GJIaXROMGuef/iTBI3ADngIVAI1ZVWo9+IA6FAVXQ5feBVbi3yH6
  </signature>
</uits:UITS>

I've done a little reformatting, replaced my user ID with a placeholder, and modified some hashes and keys, but you can easily get the basic idea. My advice is to be reluctant to share these files, or to strip the XML at the beginning.

This is a fairly recent change for Amazon. This information is not present in a song I downloaded from Amazon in August.
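The advice above is to strip the XML before a file leaves your hands, and the XML sits inside the ID3v2 tag, so it has to be removed in a way that keeps the tag consistent. The script below is an added example, not code from the post or from Amazon: it walks the ID3v2 frames, reports the identifying fields from the UITS block, and writes a copy with that frame dropped and the tag size recomputed. It assumes (the post does not say) that the block is carried in a PRIV frame with owner "UITS"; the scanner itself looks for the XML in whichever frame holds it. The sample file is constructed from the field values shown above and is not a real download.

```python
import re
import struct
import sys
import xml.etree.ElementTree as ET

# Assumption, not stated in the post: Amazon stores the UITS block in an ID3v2
# PRIV frame (owner "UITS"). The scanner finds the XML in whichever frame has it.
UITS_RE = re.compile(rb"<uits:UITS\b.*?</uits:UITS>", re.DOTALL)

def synchsafe_decode(b):
    """ID3v2 sizes use 7 bits per byte so 0xFF never appears in the header."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def synchsafe_encode(n):
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])

def parse_id3v2(data):
    """Split an ID3v2.3/2.4 tag into (major, header_flags, frames, tag_end);
    frames is a list of (id, frame_flags, payload) with padding dropped."""
    if data[:3] != b"ID3":
        raise ValueError("no ID3v2 tag at start of file")
    major, flags = data[3], data[5]
    if major not in (3, 4) or flags & 0x40:  # 0x40 = extended header present
        raise ValueError("only plain ID3v2.3/2.4 tags are handled here")
    tag_end = 10 + synchsafe_decode(data[6:10])
    frames, pos = [], 10
    while pos + 10 <= tag_end:
        fid = data[pos:pos + 4]
        if fid == b"\x00\x00\x00\x00":
            break  # padding: zeros from here to tag_end
        raw = data[pos + 4:pos + 8]  # v2.4 frame sizes are synchsafe, v2.3 are not
        size = synchsafe_decode(raw) if major == 4 else struct.unpack(">I", raw)[0]
        frames.append((fid, data[pos + 8:pos + 10], data[pos + 10:pos + 10 + size]))
        pos += 10 + size
    return major, flags, frames, tag_end

def build_id3v2(major, flags, frames):
    """Serialize frames back into a tag whose header size matches its body."""
    body = b"".join(
        fid + (synchsafe_encode(len(p)) if major == 4 else struct.pack(">I", len(p))) + ff + p
        for fid, ff, p in frames)
    return b"ID3" + bytes([major, 0, flags]) + synchsafe_encode(len(body)) + body

def find_uits(frames):
    """Return (frame_index, xml_bytes) for the frame carrying UITS XML, else None."""
    for i, (_, _, payload) in enumerate(frames):
        m = UITS_RE.search(payload)
        if m:
            return i, m.group(0)
    return None

def uits_fields(xml_bytes):
    """Identifying fields from <metadata>; its children have no namespace prefix."""
    meta = ET.fromstring(xml_bytes).find("metadata")
    out = {}
    for tag in ("Distributor", "Time", "ProductID", "AssetID", "TID", "UID"):
        el = meta.find(tag)
        if el is not None and el.text:
            out[tag] = el.text.strip()
    return out

def report(data):
    hit = find_uits(parse_id3v2(data)[2])
    return uits_fields(hit[1]) if hit else {}

def strip_uits(data):
    """Copy with the UITS frame dropped and the tag size recomputed; cutting the
    XML bytes out in place would leave the ID3 header size wrong."""
    major, flags, frames, tag_end = parse_id3v2(data)
    hit = find_uits(frames)
    if hit is None:
        return data
    kept = [f for i, f in enumerate(frames) if i != hit[0]]
    return build_id3v2(major, flags, kept) + data[tag_end:]

# Constructed sample: field values copied from the post, UID left as the placeholder.
SAMPLE_XML = b"""<uits:UITS xmlns:uits="http://www.udirector.net/schemas/2009/uits/1.1">
  <metadata>
    <nonce>Yvjd12Il</nonce><Distributor>Amazon.com</Distributor><Time>2010-10-24T04:41:17Z</Time>
    <ProductID type="UPC" completed="true">10731458698620</ProductID><AssetID type="ISRC">GBAAN0200016</AssetID>
    <TID version="1">plaIo2V1UdVjRvVYo2vBICme1kF4PYav</TID>
    <UID version="1"> MY USERID HERE </UID>
  </metadata>
  <signature algorithm="DSA2048" canonicalization="none"
    keyID="9b3a698acfcfea37b486aba46bdfb50c92b8f7fe">MC4CFQCLUjy5GJIaXROMGuef/iTBI3ADngIVAI1ZVWo9+IA6FAVXQ5feBVbi3yH6</signature>
</uits:UITS>"""

def make_sample_mp3():
    """Constructed ID3v2.3 file: a title frame, the UITS PRIV frame, then a few
    bytes standing in for MPEG audio. Not a real Amazon download."""
    frames = [(b"TIT2", b"\x00\x00", b"\x00Sample Title"),  # leading 0x00 = ISO-8859-1
              (b"PRIV", b"\x00\x00", b"UITS\x00" + SAMPLE_XML)]
    return build_id3v2(3, 0, frames) + b"\xff\xfb\x90\x00" + b"\x00" * 16

if __name__ == "__main__":  # usage: script.py in.mp3 out.mp3 (no args: built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_mp3()
    print(report(data))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(strip_uits(data))
```

Run it with no arguments to see the fields pulled from the constructed sample, or pass a real download to inspect it and a second path to write a stripped copy. Only the frame holding the UITS block is removed; the other frames and the audio bytes after the tag are copied unchanged, and a file whose tag has already been stripped is returned as-is.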

3 comments:

rone said...

Funny thing is that I'm reluctant to share music even before all this DRM and tracking nonsense appeared. You know, respecting the license and whatnot.

Jeff Martens said...

I agree. However, the entertainment industry's response has been to inflate the damages outrageously while going after the little, using intimidation when it's clear their business model is no longer working as well as before.

Mark said...

The problem arises from someone getting one of your files without your knowledge. Say you take your laptop into a computer repair place and the technician copies all your MP3s (and porn) for personal use.

Then, he shares the files with your personal info in them. Then you are stuck with the legal defense for his actions.

Another scenario might involve a trojan that sends your files to someone that then shares them. The whole point of the trojan might just be malicious mischief.

I'm not sure you could make it stand up in court, but you could probably get many people to fork over money to settle out of court even though they had done nothing wrong. In fact, if you were the RIAA, what would you have to lose if you caused such programs to be created so that you could profit? A trojan like that might actually cost chump change in comparison to what you could net with thousands of people that settle.