Why Are Microsoft Watching Us Watch DVD movies?
February 20, 2002 11:42 PM UTC
Things are getting worse for Microsoft - or Microsoft's customers, whichever way you look at it. After a week-long barrage of security advisories which also exposed Microsoft's penchant for stealing information off local machines, Richard M. Smith finds out more. In an advisory posted on the BugTraq mailing list, Smith takes a close look at Microsoft's Media Player and finds - you guessed it, spyware. 'A number of design choices were made in WMP which allow Microsoft to individually track what DVD movies consumers are watching on their Windows PC,' writes Smith.
While many media systems use Internet databases to cull information, Microsoft's goes farther, sending along a cookie which the Microsoft server can then use to uniquely identify the client computer. In addition, Windows Media Player constructs a database of all movies which have been played - overkill at best, espionage in the making at its worst. Most important, according to Smith, is Microsoft's unwillingness to reveal these sordid details to WMP users.
Smith used a packet sniffer to find out what Microsoft was up to. A typical outbound packet to the Microsoft servers looked like the following.
'The hex numbers at the end of the URL are an electronic fingerprint for the DVD table of contents which uniquely identify the 'Dr. Strangelove' DVD. This URL is sent to WindowsMedia.com, Microsoft's Web site dedicated to the WMP software. The HTTP GET request also included an ID number in a cookie which uniquely identifies my WMP player. Here's what this cookie looks like:
'By default, this cookie is anonymous. That is, no personal information is associated with the cookie value. However, if a person signs up for the Windows Media newsletter, their email address will be associated with their WindowsMedia.com cookie. For example, when I signed up for the Windows Media newsletter, the following URL was sent to Microsoft servers:
'The WindowsMedia.com cookie was assigned to my computer the first time I ran WMP. The lifetime of the cookie was set to about 18 months. This cookie gives Microsoft the ability to track the DVD movies that I watch on my computer.'
Smith does not claim to know what, if anything, Microsoft is doing with this information - only that it is a clear invasion of privacy, drawing a comparison with the US Video Privacy Protection Act which specifically prohibits activities of this kind.
Smith has received a response from Microsoft which may be read here. Smith's BugTraq posting may be found here.