• Print

Apple iTunes gifts users with a privacy hole

An iTunes privacy issue uncovered by Andrew McAfee highlights the need for better privacy by design.

When Apple added a “Gift button” to the iTunes Store in 2006, it provided users with a new way to easily buy music for friends, family or colleagues. In the years since, the Gift button has been extended to TV shows, movies and applications. As MIT research professor Andrew McAfee discovered recently, however, this gift function also comes with a privacy issue: whoever is making the gift can see whether or not the other person already has a song, video or application.

In his post, McAfee explains how a user could systematically determine whether someone already has a given video or application in his or her library:

I’ve been doing some poking around, and have found that it’s pretty straightforward for one person (let’s call him George Smiley, after John Le Carré’s master spy) to find out what music, video, and apps someone else (like me) has purchased or had gifted to them on iTunes.

nefarious-vppa.jpg

The key to this privacy hole is having the email address associated with the iTunes account for the person in question. Acquiring email addresses is not the barrier it once was, however, particularly in the age of spear phishing. As McAfee points out, there’s no need to establish an account with Apple or spend any money to work through the process. The user targeted also has no knowledge that this is going on, nor any way to stop it from happening, other than disassociating an exposed email address from iTunes.

The Video Privacy Protection Act and privacy

McAfee is right: the harm from this privacy hole in iTunes doesn’t extend to a data breach of credit card information or other personally identifiable information. That does not, however, mean that there isn’t some potential for a headache for Apple, given an accident of history that brings a federal statute into play.

McAfee, who is a student of history when it comes to the use of collaborative technology in business, looked back at the Supreme Court nomination of Robert Bork. During the hearings, the question of whether Bork believed that the United States Constitution included a general right to personal privacy was raised. After the Washington City Paper published a list of Bork’s rentals from a Chicago video store, Congress passed the Video Privacy Protection Act (VPPA), which specifically forbade the wrongful disclosure of personally identifiable rental records of “prerecorded video cassette tapes or similar audio visual material.” As McAfee points out, the VPPA has been used in recent years in class-action lawsuits against Facebook and Netflix.

“If it’s a movie purchase, it’s a violation of the statute, under the Video Privacy Act,” said Danielle Citron, a law professor and privacy researcher at the University of Maryland School of Law. “Certainly if we were in Europe, there’s a whole other set of privacy implications. There are even more robust privacy protections there.”

In theory, a highly motivated searcher could take advantage of the security hole through automated scripts or by posting small tasks on a crowdsourcing platform, like Amazon’s Mechanical Turk. In practice, those concerns are unlikely to come to fruition. But as McAfee observes, this capability is problematic with respect to personal privacy:

A person’s taste in media can be highly personal, yet all of Apple’s more than 10 billion songs and 200 million TV and movie downloads are potentially traceable by the George Smileys of the world — the world’s spies, stalkers, yellow journalists, and opposition researchers. Of course, this is nowhere near as big a deal as privacy holes in online health or financial information would be, so we should keep this issue in perspective.

Citron offered a scenario that extended beyond one consumer looking at another’s media consumption. “Imagine if government has a suspect in mind,” she posited. “Typically to get reading habits, you’d need a warrant. If you had an email address, you could pretend to gift them and see whether they’d read something. You have to consider reputational harm — if someone doesn’t like you discovers that you’re reading or watching something salacious, there’s a problem.”

Privacy by design

Whether Apple will move quickly to address the issue with an update is an open question (Apple did not respond when asked for comment today). A new series of privacy lawsuits over the transmission of unique identifiers to application makers would suggest that the lawyers in Cupertino already have their hands full. The larger issue here lies in how technology companies should build platforms with privacy by design, as the electronic privacy report released by the Federal Trade Commission last year recommended. It’s worth going back to consider what FTC officials said about privacy by design then.

“When you’re designing systems, and put it in right at the outset, you’re in much better shape than adding it later,” said Jessica Rich, deputy director of the Bureau of Consumer Protection. “Behavioral advertising, when we came in and started calling on companies to add privacy to their business models, they were saying ‘privacy is very costly, and privacy is not in our business models, and you’re changing our business models.’ The idea of baking it in from the start is actually very good for small businesses,” she said.

“Companies that handle large amounts of sensitive consumer data, whether or not they are startups, have basic responsibilities to protect that data and to handle it responsibly,” said Ed Felten, the chief technologist at the Federal Trade Commission (FTC). “Startups are in a good position to ‘bake in’ privacy, compared to bigger, more established companies, because they are not constrained as much by past design decisions.  As with security, it is easier to design-in privacy in advance than to retrofit it later.”

As online privacy debates heat up in Washington, the benefits of personalization and new business models for publishing or distribution will need to be balanced with mechanisms to protect consumer privacy. “You want to give gifts that people want,” said Citron. “It’s part of the behavioral advertising message, but there are privacy risks that we shouldn’t overlook. This could be a way of outing people depending on the material.”

Privacy by design in an electronic gifting mechanism for media isn’t an unreachable holy grail here, either. McAfee determined that the same issue does not exist with Amazon. “As a test, I tried to send my Mom an Amazon Kindle book I knew she already had,” he wrote. “Amazon let the purchase go through and told me nothing about her Kindle inventory. She received a message from the company that I’d sent her an e-book she already owned, and giving her a credit for its price. To put it mildly, this seems like a better approach to me.”

tags: , , ,
  • Tom

    So let me get this straight -
    Apple helps you not gift someone somehow thy already have. They don’t deal with refund hassle, you don’t give duplicate present.

    The HUGE glaring security hole is that some crazy clever genius of a music hacker could spend thousands of pounds on you buying you music, working out your tastes?
    For every song you don’t have, it’d automatically gift?
    You’d only not be paying for a track if it stopped due to being a duplicate?

    The recipient would know something was up as soon as they got a few gift hundred gifts tracks, no?

  • Ted

    If you only find this information AFTER buying the song, then this is comical. If so, great example of the security people making up something that has no real issue. The cost barrier to profiling someone’s content would be huge. A great example of unreasonable issues being allowed to wreck a far superior experience than what is offered at Amazon.

    • http://radar.oreilly.com/alexh Alex Howard

      Ted, please read professor McAfee’s explainer post, if you haven’t already. You don’t have to buy anything to determine whether a targeted individual has a given song, app or video. There’s no need to complete the transaction or pay anything. There is no cost barrier, only one of time. This is also not a security issue, per se. It’s an issue around privacy.