MobileRead Forums - View Single Post

since1968 · 01-16-2006, 05:11 PM

Hi guys,

I'm Marc A. Garrett, the person who originally reported the iTunes privacy issue on since1968.com. I came across your forum when it appeared in my referer logs. Sorry I'm coming a bit late to your discussion.

Brian, I think some of your skepticism is warranted: some of the blog discussion has moved beyond the initial assertions I've made. Still, I'd push back on a few points made you made:

First, your reading of the TOS [there are three documents covering iTunes, iTMS, and Privacy; for the sake of brevity I'll refer to them all as the Terms of Service] is so expansive that I wonder what you think it prohibits? I would argue that the plain language of the various agreements covering iTunes and iTMS is designed to reassure the user that the type communication going on between iTunes and Omniture is prohibited.

Second, if this type of behavior is clearly contemplated in the TOS, why try to obfuscate it? I haven't had one person defending Apple's behavior -- not a single one -- explain to me why an HTTP GET call to 2o7.net should be buried behind a 192.168[etc] prefix that's designed to look like traffic on the local network. I concede there could be a perfectly good explanation, but no one has come up with one.

Third, I was restrained in my initial coverage because I couldn't be sure that Apple sent uniquely identifying information to a third party -- what I mean to say is that I knew iTunes was sending data, but I did not want to make public claims about the nature of the data until I could confirm it for myself. But it turns out that the reporting about unique IDs is correct: iTunes sends your X-Dsid to Omniture. This X-Dsid is unique; not unique in the sense of a PHP session variable, but unique in the sense that it is the numeric equivalent of your Apple ID. It is the number that Apple uses to retrieve your contact and billing data, and it is the same number which Apple sends to Omniture in clear text.

Finally, let's assume Apple is telling the truth about "Apple doesn't collect data." That doesn't address whether Omniture collects that data. No one has answered this to my satisfaction either: why does iTunes send your unique ID to a data analytics firm if that data is not used or stored?

I'd be happy to share all of my data and methods with you guys. It looks like you have a good community here and I'm glad I stumbled across it.

Best,

Marc A. Garrett
since1968.com

01-16-2006, 05:11 PM	#21
since1968 Junior Member Posts: 1 Karma: 22 Join Date: Jan 2006	more on the privacy questions Hi guys, I'm Marc A. Garrett, the person who originally reported the iTunes privacy issue on since1968.com. I came across your forum when it appeared in my referer logs. Sorry I'm coming a bit late to your discussion. Brian, I think some of your skepticism is warranted: some of the blog discussion has moved beyond the initial assertions I've made. Still, I'd push back on a few points made you made: First, your reading of the TOS [there are three documents covering iTunes, iTMS, and Privacy; for the sake of brevity I'll refer to them all as the Terms of Service] is so expansive that I wonder what you think it prohibits? I would argue that the plain language of the various agreements covering iTunes and iTMS is designed to reassure the user that the type communication going on between iTunes and Omniture is prohibited. Second, if this type of behavior is clearly contemplated in the TOS, why try to obfuscate it? I haven't had one person defending Apple's behavior -- not a single one -- explain to me why an HTTP GET call to 2o7.net should be buried behind a 192.168[etc] prefix that's designed to look like traffic on the local network. I concede there could be a perfectly good explanation, but no one has come up with one. Third, I was restrained in my initial coverage because I couldn't be sure that Apple sent uniquely identifying information to a third party -- what I mean to say is that I knew iTunes was sending data, but I did not want to make public claims about the nature of the data until I could confirm it for myself. But it turns out that the reporting about unique IDs is correct: iTunes sends your X-Dsid to Omniture. This X-Dsid is unique; not unique in the sense of a PHP session variable, but unique in the sense that it is the numeric equivalent of your Apple ID. It is the number that Apple uses to retrieve your contact and billing data, and it is the same number which Apple sends to Omniture in clear text. Finally, let's assume Apple is telling the truth about "Apple doesn't collect data." That doesn't address whether Omniture collects that data. No one has answered this to my satisfaction either: why does iTunes send your unique ID to a data analytics firm if that data is not used or stored? I'd be happy to share all of my data and methods with you guys. It looks like you have a good community here and I'm glad I stumbled across it. Best, Marc A. Garrett since1968.com