EFF: Privatunes doesn't anonymize your iTunes files as promised

Earlier this week, a bunch of posts popped up on sites including Slashdot and Wired Compiler about Privatunes, a free application that purports to anonymize DRM-free files you buy on iTunes.

Why would anyone need such an app? Well, because there's been much controversy in recent weeks over allegations that Apple may be tracking personal information in the headers of these DRM-free files, in order to limit sharing (previous BB post here).

Today there's word that Privatunes may not be what it's cracked up to be. Here's a snip from the EFF blog:

Unfortunately, the Privatunes coders didn't read our last post about iTunes tracking data. Aside from the name and email address, there are other fields that Apple, or a litigant that subpoenas Apple, could use to identify the purchasers of iTunes Plus files, even if they've been run through Privatunes 0.9.

In addition to the sign and chtb fields, there are several other places where iTunes Plus copies of the same song vary by three or four bytes (they can be readily observed with a program like vbindiff on *nix). It should be assumed that a file is identifying unless all of these fields have been overwritten.

Lastly, Privatunes 0.9 just overwrites the name and email address using spaces (0x20). This means that the length of these two fields can still be seen after the file has been modified. For full anonymization, these lengths should be made unreadable.

Link. (thanks, Cory!)
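The two checks the EFF excerpt describes (diffing two copies of the same song, and spotting the field lengths left behind by a space overwrite) can be sketched as follows. This is an added example, not code from the EFF or from Privatunes; the file layout, the `NAME`/`MAIL`/`TOKN` tags, the buyers and the 4-byte values are all constructed for illustration and do not reflect the real iTunes Plus format.

```python
import re

# Constructed stand-in for the audio data, identical in every copy.
AUDIO = bytes(range(256)) * 2

def make_copy(name: bytes, email: bytes, token: bytes) -> bytes:
    """Build a toy purchased file. Constructed layout, NOT the real iTunes Plus format."""
    return b"NAME" + name + b"MAIL" + email + b"TOKN" + token + AUDIO

def scrub_with_spaces(data: bytes, name: bytes, email: bytes) -> bytes:
    """Same-length overwrite with 0x20, the behaviour described for Privatunes 0.9."""
    return data.replace(name, b" " * len(name)).replace(email, b" " * len(email))

def diff_ranges(a: bytes, b: bytes) -> list:
    """Half-open (start, end) byte ranges where two copies differ, as a binary diff shows."""
    ranges, start, n = [], None, min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i] and start is None:
            start = i
        elif a[i] == b[i] and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):  # a length difference is itself a distinguishing feature
        ranges.append((n, max(len(a), len(b))))
    return ranges

def space_runs(data: bytes, min_len: int = 4) -> list:
    """(offset, length) of each run of 0x20 bytes; the length is that of the blanked field."""
    return [(m.start(), len(m.group())) for m in re.finditer(b" {%d,}" % min_len, data)]

if __name__ == "__main__":
    # Constructed sample buyers and per-purchase values.
    alice = (b"Alice Example", b"alice@example.com")
    bobby = (b"Bobby Example", b"bobby@example.com")
    a = scrub_with_spaces(make_copy(*alice, b"\x11\x22\x33\x44"), *alice)
    b = scrub_with_spaces(make_copy(*bobby, b"\xaa\xbb\xcc\xdd"), *bobby)
    print("still differs at:", diff_ranges(a, b))
    print("blanked field lengths:", space_runs(a))
```

A scrubbed file should only be treated as anonymous when the diff against another buyer's copy comes back empty and no blanked run reveals a field length.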