The recent update to Apple iTunes
6.0.2 was followed by a fierce
discussion on various blogs about
the possibility of Apple spying on
its users' listening habits. Here at
PC Magazine, we began dissecting the
issue, one IP packet at a time.
What we know
What we know so far is that
yesterday's update to iTunes 6.0.2
(6.0.2.23) added a feature called "MiniStore."
The MiniStore is a split window on
the bottom of the iTunes application
that displays additional albums for
purchase from the same artist as the
song playing in the active
selection. It also shows alternative
titles that were purchased by other
iTunes customers who also own the
title playing in the active
selection.
The MiniStore is active in the "Library"
view as well as the "Purchased"
songs view. Users can minimize the
MiniStore by selecting the
appropriate icon on the bottom right
of the screen.
We also know that this kind of
targeted album advertising relies on
communication between the player (iTunes)
and the database provider (Apple)
that serves the ad to the music
player.
Our Investigation and Results
To find out what information is
passed across the Internet during
the communication between the iTunes
application and Apple, we did some
investigative work with Network
Instruments' Observer packet
analyzer. We found that iTunes sends
packets to destinations on Apple's
domain as well as Akamai's domain as
soon as a song is selected for play.
Usually there is no need for any
communication between the iTunes
application and Apple, as long as
all song titles resident in the
iTunes library are authorized to
play on the PC; all files that are
not authorized require a one-time
connection to Apple for
verification.
Thereafter, iTunes M4P files, which
are DRM (digital rights management)
protected AAC files, are validated
locally, making any further contact
with Apple unnecessary. Users can
play their music files over and over
without anyone's knowledge or input.
However, this is no longer the case.
As of version 6.0.2.23, iTunes
phones home as soon as you click on
a song in your local music library.
In return, you receive targeted
album advertising.
We found that this can be prevented by
minimizing the MiniStore application
or by playing songs from a play
list. In these cases there is no
communication between any Apple
servers and your local PC.
Apple Responds
Apple has since commented on this
issue saying that any personal
information it collects from iTunes
users is being discarded and no data
is being stored. We could not verify
this at press time and also could
not confirm exactly what information
is passed to Apple, since
communications are encrypted.
However, Apple is walking a very
thin line between
providing additional services to
customers and invading its
customers' privacy. Everyone should
weigh for themselves the
consequences of allowing Apple or
any other media provider to invade
their privacy for commercial
benefit.
This article came
from Ziff Davis' PC Magazine, written
by Oliver Kaven.