iTunes update spies on your listening and sends it to Apple?

Update: An Apple "spokesman" (reliable word has it that it was Steve Jobs himself) told MacWorld that Apple discards the personal information that the iTunes Ministore transmits to Apple while you use iTunes.

A new version of Apple's iTunes for Mac appears to communicate information about every song you play to Apple, and it's not clear if there's any way to turn this off, nor what Apple's privacy policy is on this information.

Yesterday, I updated my version of iTunes to 6.0.2, at the recommendation of Apple's Software Update program. I noticed immediately that iTunes had a new pane in the main window — the "Mini-Store" which showed albums and tracks for sale by the artist whose song was presently playing.

The question is: how does Apple know which version of the Mini-Store to show you unless iTunes first transmits the current song that you're playing to Apple? I've turned off the Mini-Store, but a look at Apple's site, the iTunes license, and the iTunes documentation does not state whether this turns off this spyware behavior, or whether it merely causes iTunes not to show me things to buy based on the track I'm presently playing.

As Marc at Since1968 points out, there's no language in Apple's privacy policy that addresses this specific behavior.

I love iTunes because it's a clean music player. But no amount of clean UI is worth surrendering my privacy for — I wouldn't buy a stereo that phoned home to Panasonic and told it what I was listening to; I wouldn't buy a shower radio that delivered my tuning preferences to Blaupunkt. I certainly am not comfortable with Apple shoulder-surfing me while I listen to digital music, particularly if they're doing so without my meaningful, informed consent and without disclosing what they intend on doing with that data.

At the very least, Apple must deliver information about whether iTunes gathers and transmits your data when the Mini-Store is switched off, and about what it does with the data the Mini-Store transmits when it's loaded.

Each time you play a different song, the MiniStore features information about the artist currently playing, as well as "Listeners Also Bought…" Here's a full size capture of Apple marketing in action: as you can see, I'm playing Mary J. Blige covering U2's "One", and the MiniStore shows other albums from Mary J. Blige and U2.

This means, of course, that every single time I play a song the information is sent back to Apple. You can turn off the MiniStore at the click of a button, but it's not clear whether turning off the MiniStore is the same as turning off the flow of data (one doubts it). And don't bother looking for a way to turn this "feature" off in the Preference pane: it's not there.


(Thanks, Marc!)

Update: John sez, "With the Mini-Store turned off, no data is passed back to Apple. Verified with Little Snitch and Ethereal." I'd be interested in deeper analysis than this, though — is this under all circumstances?

Update 2: John sez, "The iTunes MiniStore does not transmit the current song data if the MiniStore pane is hidden. I ran TCPFlow to check my outgoing data and it only queried the server when the pane was open."

Update 3: Merlin reports that iTunes appears to be phoning 2o7.net when the Ministore is loaded. That domain is registered to Omniture, Inc. of Orem, Utah. From Omniture's site:

2o7.net is an Internet domain used by Omniture, Inc. on behalf of our customers to improve Web site design and to generally improve the user experience on the Web. This domain is used by Omniture's data collection systems, and is the domain under which Omniture places cookies. These cookies are NOT spyware – they are simple text files that help Omniture customers measure usage of their Web sites and performance of their marketing campaigns.

Update 4: Kirk has verified that hiding the Mini-Store appears to deactivate the spyware behavior in iTunes.

Update 5: Marc, who broke this story, has posted a "snappy comebacks to silly apologists" message that addresses the common objections to this subject (e.g., "It's not spyware if Apple does it," and "You have a duty to monitor all your applications' use of TCP sockets and filter the ones you object to," and "Privacy is dead, stop acting like companies are immoral for spying on you.")

Update 6: Timo sez, "I just ran a packet trace of the new iTunes – it only connects to Apple if the Mini Store is open. For regular MP3s, it'll run a full text search to find related articles, for purchased music, it searches by the original product ID. Sample query string is:

/WebObjects/MZSearch.woa/wa/ministoreMatch?an=Daft%20Punk&gn=Electronic&kind=song&pn=Discovery

Update 7: Kirk adds, "after more analysis, this does not send info to Apple when you are playing music, but rather when you click on a song. So if you start playing a song by double-clicking, it will send info to the iTunes Music Store and retrieve suggestions. But if the song is in a playlist, the MiniStore display will not change when the next song begins."

Update 8: An Apple "spokesman" (reliable word has it that it was Steve Jobs himself) told MacWorld that Apple discards the personal information that the iTunes Ministore transmits to Apple while you use iTunes.
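
The checks readers ran in Updates 1, 2, 3 and 6 can be repeated over a saved capture. The following is an added example, not part of the original post or of any tool mentioned in it: it takes request lines exported from a packet trace, decodes the fields of each ministoreMatch query (the path from Update 6) and flags requests to the 2o7.net domain from Update 3. The capture lines and all host names other than the 2o7.net suffix are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

MINISTORE_PATH = "/WebObjects/MZSearch.woa/wa/ministoreMatch"  # path quoted in Update 6
ANALYTICS_SUFFIX = "2o7.net"                                   # domain named in Update 3

# Constructed sample: (Host header, request line) pairs as exported from a trace.
# Host names and the non-MiniStore paths are placeholders, not observed values.
SAMPLE_CAPTURE = [
    ("store.example.invalid",
     "GET /WebObjects/MZSearch.woa/wa/ministoreMatch"
     "?an=Daft%20Punk&gn=Electronic&kind=song&pn=Discovery HTTP/1.1"),
    ("metrics.example.2o7.net", "GET /placeholder?page=ministore HTTP/1.1"),
    ("updates.example.invalid", "GET /version.xml HTTP/1.1"),
    ("store.example.invalid", "truncated-line"),  # malformed: must be skipped
]

def parse_request(host, request_line):
    """Split an HTTP request line; return None if it is not well formed."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    url = urlsplit(parts[1])
    # parse_qs percent-decodes, so "Daft%20Punk" is reported as "Daft Punk".
    fields = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return {"host": host.lower(), "path": url.path, "fields": fields}

def classify(req):
    """Label a request by what it discloses and to whom."""
    if req["path"] == MINISTORE_PATH:
        return "ministore-lookup"
    host = req["host"]
    # Match the domain or its subdomains only, so "not2o7.net" is not flagged.
    if host == ANALYTICS_SUFFIX or host.endswith("." + ANALYTICS_SUFFIX):
        return "third-party-analytics"
    return "other"

def audit(capture):
    """Return (label, host, decoded fields) for every request worth reviewing."""
    findings = []
    for host, line in capture:
        req = parse_request(host, line)
        if req is not None and classify(req) != "other":
            findings.append((classify(req), req["host"], req["fields"]))
    return findings

if __name__ == "__main__":
    for label, host, fields in audit(SAMPLE_CAPTURE):
        print(f"{label:22} {host:26} {fields}")
```

Running the same audit on one capture taken with the MiniStore pane open and one with it hidden shows directly whether hiding the pane stops the lookups.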