
Don’t copy that M4A

So Apple dropped the DRM on all of its iTunes offerings. Are pigs flying? Did hell freeze over? This is a huge victory for the online freedom groups, and a potent statement for the long-term infeasibility of restrictive DRM as a whole.

Don’t break out the party champagne just yet, though: DRM is most certainly dead, but that doesn’t mean the music industry has given up. You know the phrase: there’s no such thing as a free lunch.

As someone with a long-time fascination with cryptography and steganography – that is, scrambling data or hiding it in otherwise innocent information, respectively – I’ve always suspected that music offerings from the larger-scale, DRM-free stores like iTunes might have little bits of traceable data hidden somewhere in their product. It’d be remarkably easy: your average music file is at least a couple of megabytes, and an embedded tracking code, account number, or some other beacon need only take a couple dozen bits.

Apple, of course, has done just this: DRM-free iTunes downloads embed the account holder’s e-mail address in each song file, and that embedded data is impossible to edit with normal software.

The purpose of this is simple: providing accountability to the buyer – and presumably, uploader – in the event that a song turns up on a P2P network. We all know what at least a handful of (foolish, in my opinion) people are going to do: “No DRM! Let’s upload it to The Pirate Bay!” I’d bet cold, hard cash on this, and I am sure that within the next one or two years someone, somewhere out there is going to be sued because of it.

Of course, I’ve given Apple a little bit too much credit here: a newly-downloaded, non-DRM’d iTunes track contains the downloading account holder’s e-mail address, stored in plain text, buried somewhere in the song file; anyone with a copy of Notepad, a hex editor, or Linux’s strings command can find it – and alter it. No crazy stego here, no sir-ee. Move along, citizen.

Or is it so simple? A plaintext email address, hidden-but-not-really, would be the perfect red herring to divert our attention from other, more sophisticated beacons buried even deeper inside. There are already stego tools out there for MP3 files, and they’re open source – who’s to say that Apple hasn’t adopted those algorithms to work with its format?

The powers that be have invested too much into DRM and copyright control – not to mention the music itself – to simply let things go. Don’t want DRM? Fine – here’s a DRM-free copy of your music, Merry Christmas/Happy Hanukkah/Happy Yule/whatever. But don’t think for a second that the big boys have given up.

Look on the bright side: the music data we purchased is now, once again, fully ours. We may not know entirely what is in it, but that can change – I am certainly not the first person to think of this, and I’m sure some very smart people on both sides of the virtual counter are working hard to figure out just what’s up.

Until then, however, I can’t recommend posting your newly-freed tunes online, or handing them out to friends. You never know who’s watching…



Comments

Works for me
By mattclary on 1/14/2009 9:52:49 AM , Rating: 3
Good for Apple. I just want to be able to play music I buy on any device I own, and this plan does not affect that. This is a smart move and allows a pretty good solution to the customer.




RE: Works for me
By mikecel79 on 1/14/2009 10:28:15 AM , Rating: 3
Wasn't the main argument of all the DRM haters that they didn't want to distribute the songs they bought, they simply wanted to be able to play them on any device they wanted? The fact that DRM has been removed from most iTunes music satisfies that need. I have no problem with Apple embedding my email or account number in the file because I don't plan to distribute it in mass.

I hated DRM as much as the next person. It's what drove me to use Amazon MP3 for most of my music needs. Now that iTunes has almost all of their music DRM free I will gladly buy from them again. If my account number is in the file then so be it, I don't plan on pirating it anyways.


RE: Works for me
By mvpx02 on 1/14/2009 2:26:13 PM , Rating: 2
I agree for the most part, but I'd rather not have any potentially sensitive information in my mp3's.

What if your PMP or laptop gets stolen?  As the author said, it's only a matter of time until somebody gets the bright idea to try to share mp3s they got from iTunes, and when they do, we'll quickly find out how Apple intends to deal with these situations. Somebody like the RIAA would surely react by firing lawsuits for any and all infractions.

While it's unlikely that Apple's response would be so aggressive (at least Apple's initial reaction), I'd hate to think that the theft or loss of my PMP or Laptop (in addition to being a massive headache and costing me a lot of time and money) could be held against me in some way in the event that any of its copyright-protected contents were to spread.

While probably uncommon, it's inevitable that such things will happen, just like when we hear about some grandma getting sued because her PC was hacked and used as a proxy for file sharing without her knowledge.

I admit, I've never lost (or had stolen) any type of electronic device like that </knock-on-wood>, but I just don't see how having this type of unique information embedded in the file can benefit the consumer.


RE: Works for me
By matt0401 on 1/20/2009 11:49:59 PM , Rating: 2
Excellent point!

At first when I read this I thought it was a 100% foolproof solution. I still think it is a good compromise which shouldn't adversely affect customers who just want to actually use what they rightfully own as they please. But I do hope the RIAA etc. take this exploit into account before firing off lawsuits, or employ other methods to know 100% for sure if that person really did infringe on copyright.


RE: Works for me
By mindless1 on 1/16/2009 11:45:04 PM , Rating: 2
Depending on how they implemented this, consider the possibility of the following scenario:

Someone you piss off takes YOUR email address, embeds it in 1000 MP3 and distributes them on the popular torrent 'sites. It doesn't matter then what you did beyond them not having your ISP account's IP address as the seeder, otherwise the supposedly viable tracking data still points back to you.

Now consider something more random. A kid strips his email address out and replaces it with john.smith@msn.com. He doesn't know John Smith but given enough people doing this, odds are someone will accidentally use a real email address. It's not all that far fetched either, I once had someone use one of my email addresses as their fake/throwaway address until I saw a sudden increase in spam and tracked the person down, politely asking them to pick a different fake address.


RE: Works for me
By FITCamaro on 1/14/2009 3:02:44 PM , Rating: 2
Yeah I really don't see a problem here. You're buying the song. No DRM. All it does is identify you as the owner of the song. And you're going to complain?

The only reason to complain is if you plan to share the song on a file sharing site. Otherwise this has no effect on you as the owner and in no way limits you from using the song anywhere you like.


RE: Works for me
By mindless1 on 1/16/2009 11:49:32 PM , Rating: 2
Owners have no concerns? What if someone drove around the parking lot at a store till they found a car that looked similar to theirs, stole the license plate then that plate was seen during a criminal getaway?

That plate, like an email address in an MP3, creates a presumption of identity until you go through the hassle of defending against allegations that it wasn't you.

Overall I feel this embedded data is better than the DRM but it could actually have an effect, never underestimate the willingness of people to try and find a way to use data against you.


RE: Works for me
By omgwtf8888 on 1/20/2009 12:08:14 PM , Rating: 2
It would be nice if they could use such a system to flag files that were on a stolen device. This would be great if your IPOD gets stolen, you report it to Apple, with your email address, they would lock the files of anyone syncing with that email address. Now if they could just trigger a beacon on the IPOD that would summon the police.... Or maybe better yet an ITerminator!!! Where is Sarah Conner's IPOD!!!


Simple test
By noirsoft on 1/13/2009 10:09:16 PM , Rating: 5
People with two different email accounts should download the same song and see what is different between the two copies. If it's just the plaintext email, then there is no more to look for.

It's simple, obvious, and I'm sure someone has already done it.
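The two-copy test proposed in the comment above, combined with the article's observation that the tag is a plaintext e-mail address, as an added example that is not part of the original article or thread: it trims the bytes two copies share at both ends and checks whether what remains sits entirely inside an e-mail-shaped string. The function names and the sample buffers are constructed for illustration and are not real iTunes data.

```python
import re

# Byte pattern for an e-mail-shaped ASCII string, in the spirit of `strings | grep @`.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def email_spans(data):
    """Return (start, end, address) for each plaintext e-mail-shaped string."""
    return [(m.start(), m.end(), m.group().decode("ascii"))
            for m in EMAIL_RE.finditer(data)]

def differing_window(a, b):
    """Trim the common prefix and suffix; return (prefix_len, mid_a, mid_b).

    Trimming from both ends keeps the comparison aligned even when the
    embedded values have different lengths and shift everything after them.
    """
    n = min(len(a), len(b))
    p = 0
    while p < n and a[p] == b[p]:
        p += 1
    s = 0
    while s < n - p and a[-1 - s] == b[-1 - s]:
        s += 1
    return p, a[p:len(a) - s], b[p:len(b) - s]

def compare_copies(a, b):
    """Say whether every differing byte sits inside a plaintext e-mail."""
    start, mid_a, mid_b = differing_window(a, b)
    if not mid_a and not mid_b:
        return {"identical": True, "explained": True, "emails": []}

    def covered(data, mid):
        end = start + len(mid)
        return any(lo <= start and end <= hi for lo, hi, _ in email_spans(data))

    return {
        "identical": False,
        "offset": start,
        "explained": covered(a, mid_a) and covered(b, mid_b),
        "emails": [x[2] for x in email_spans(a) + email_spans(b)],
    }

# Constructed sample data (not real iTunes files): same header and payload,
# different tag; COPY_C also differs by one payload byte.
HEAD, AUDIO = b"\x00\x00\x00\x18ftypM4A \x00", b"\x01\x02\x03" * 100
COPY_A = HEAD + b"alice@example.com\x00" + AUDIO
COPY_B = HEAD + b"bob@example.org\x00" + AUDIO
COPY_C = COPY_B[:200] + b"\xff" + COPY_B[201:]
```

A result of `explained: False` means the copies differ somewhere outside the visible address, which is the case the article speculates about; the window runs from the first to the last differing byte, so it does not separate multiple differing regions.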




RE: Simple test
By FaceMaster on 1/14/09, Rating: -1
RE: Simple test
By lagitup on 1/16/09, Rating: -1
RE: Simple test
By omnicronx on 1/14/09, Rating: -1
RE: Simple test
By soydios on 1/14/2009 10:23:16 AM , Rating: 2
I believe that the OP is talking about doing a bitwise comparison, not the size of the file.


RE: Simple test
By omnicronx on 1/14/09, Rating: -1
RE: Simple test
By mvpx02 on 1/14/2009 2:30:41 PM , Rating: 2
quote:
encrypted data using the same amount of bits does not change file to file


How is this possible if the data (prior to encryption) is unique from file to file?

For the encrypted portion to be identical in each file, I'd think that an encryption key would have to be buried somewhere in the file, but then the keys themselves would cause the bit-by-bit comparison to fail.


RE: Simple test
By omnicronx on 1/14/2009 4:41:39 PM , Rating: 1
Very true, you would have to have encryption keys to make the encrypted portion identical.


RE: Simple test
By noirsoft on 1/14/2009 6:04:07 PM , Rating: 2
If the encrypted files were identical, and the encrypted file is the only item you have, then there is no way to know which "key" is correct, and thus which email address is the proper one to prosecute.

I think you might have been thinking of a hash/checksum being made identical with padding characters, which is easily done. A full bitwise comparison would reveal the presence of any encrypted email address.


RE: Simple test
By mindless1 on 1/16/2009 11:38:51 PM , Rating: 2
Psychoacoustically speaking, there are lots of ways data could be embedded, but that is likely more elaborate than would be done.

Since playback software doesn't depend on authenticating the track, it seems sufficient to just zero any non-matching bits between two copies of the same track. Then we don't have to identify the specific ID bits vs padding nor care what the key is.


RE: Simple test
By MrPoletski on 1/15/2009 8:56:10 AM , Rating: 2
Yeah exactly, because the kind of people who know how to use bit torrent and upload torrents to sites and stuff have no idea how to clean an mp3 of any tracking information.

Even a moron could do it just by recording the stereo mix output of their soundcard with a cheap (free) audio package and saving it as an mp3.

Once again, they will find themselves suing somebody who has never even heard of p2p file sharing because their kid gave a couple of mp3s to another kid at school and they put it up for sharing.

Not to mention, of course, how the embedded email could be changed to anything you want, like, say, the email addresses of the RIAA bosses..

Actually, wow, that's a dang good idea, get them to sue themselves!


Grats.
By mentalchallenger on 1/15/2009 12:58:54 AM , Rating: 2
To be perfectly honest, having been on both sides of the aisle when it comes to piracy, I really do like this solution.

There's no reason to punish your customer with bloated copyright protection simply because they want to enjoy your product.

The battle against piracy can very simply be won by treating the customers with a little respect - place that ownership tag for accountability and then work on making the entertainment more affordable.

It isn't that hard because seriously, after the artist who actually made the product get paid, no one else needs to benefit from it. There's absolutely no reason that people who played no part with the creation of content should make a dime off of it. And I'm talking about suits at the studios or labels and not the guy who watches the machine stamp out CDs or create film and what not.




RE: Grats.
By noirsoft on 1/15/2009 6:06:54 AM , Rating: 1
Except that the suits put the money up front to pay for the studio time and equipment for the artist to record the music, plus all of the up-front costs to have a distribution and production system in place. These people really did have a large effect on the (financial) production of the music and deserved to be rewarded for risking their money, since many bands do not recoup those costs.

The biggest problem is the average consumer's lack of respect for the music industry, not the other way around. People have some idiot idea that they deserve to be entertained for free, and that having the ability to easily get a digital copy for "free" means that they have no obligation to pay for their entertainment.

"Oh, but I wouldn't buy it anyways" -- Then don't listen to it.
"But I'm too poor to afford it" -- Then don't listen to it!
"I'm just sampling it" -- Then why is it still on your hard drive?

Piracy wouldn't be a problem if PEOPLE WOULD STOP PIRATING THINGS! duh.


RE: Grats.
By bubbastrangelove on 1/15/2009 3:23:04 PM , Rating: 2
quote:
Piracy wouldn't be a problem if PEOPLE WOULD STOP PIRATING THINGS! duh.


Heh, ideal but highly improbable or practical.


RE: Grats.
By bighairycamel on 1/15/2009 5:04:54 PM , Rating: 2
Like saying murder wouldn't be a problem if people quit killing each other...

Crime will always happen, that's life.


With the DRM Free came higher quality also.
By AmbroseAthan on 1/14/2009 10:05:48 AM , Rating: 2
Almost all of Apple's library switched to 256kbps overnight with the dropping of the DRM also. Personally, I don't feel a need to pirate music when I am only paying a dollar a song and the higher quality only makes me happier; I normally rip music from CD's at 256 or 320.

I was very excited to see 275 (literally) of my songs suddenly be available for iTunes Plus and hopefully the rest will be soon also. While annoying to pay to upgrade them, I was more than willing to for the higher quality (ps, I do run my sound through a home stereo system from my computer).




By maverick85wd on 1/14/2009 5:27:32 PM , Rating: 3
quote:
While annoying to pay to upgrade them


That even being an issue is why I refuse to buy music. Record labels just don't get it yet and thus don't deserve my money.


TANSTAAFL!
By maverick85wd on 1/14/2009 5:29:44 PM , Rating: 3
quote:
there’s no such thing as a free lunch.


Close, but that's "There ain't no such thing as a free lunch!"

;-)




Amazon MP3s
By Josh7289 on 1/15/2009 2:41:20 PM , Rating: 2
Does Amazon's music download service embed any personal information in its MP3 files (which are also DRM-free)?




Notepad
By Sivar on 1/16/2009 1:56:51 PM , Rating: 2
quote:
anyone with a copy of Notepad, a hex editor, or Linux’s strings command can find it – and alter it.

Notepad will not work for editing the file, though a hex editor will. Winhex is a good choice.

For those that don't want to do this, and if the email really is stored in plain text, utilities to remove it will be popping up all over the place.




I actually like this.
By rudy on 1/18/2009 2:58:09 PM , Rating: 2
Of course they have to prove I shared it still. But I don't mind some sort of accountability or tracking built into the song so long as I can now play it on any of my devices I am perfectly happy. If this is the middle ground we can agree on then I think it really is a good compromise that we could all be happy with except the pirates. Shrug they will strip it out anyway.




By SkateNY on 1/21/2009 4:16:38 AM , Rating: 2
It came from the music companies, so afraid to lose their dominance over consumers. You people need to get this story right, once and for all.




Copyright 2009 DailyTech LLC.