win media player: got|bigbrother?



mojo
01-16-2002, 05:23 PM
http://www.msnbc.com/news/688421.asp


Privacy issue hits Windows Media

Microsoft software includes ID that can be used to track surfers

By Bob Sullivan
MSNBC

Jan. 15 — Privacy expert Richard Smith Tuesday warned that Microsoft Corp. has implemented a feature in its Windows Media Player that could be used to track Internet users while they surf. Smith termed the feature a “SuperCookie,” but added that it currently doesn’t pose much risk to Internet users. Microsoft admits the feature could be used for malicious tracking, but several months ago updated Media Player to allow users to turn off the feature.

Still, the existence of the ID number is a concern for privacy advocates — particularly because it’s turned on by default. “If you wanted a National ID System for web users, you’ve got it now,” said Russ Cooper, security expert at TruSecure.com. Cooper also administers the popular security mailing list NTBugTraq, where Smith disclosed his findings.

The Windows Media Player ID number is actually worse than a cookie, Smith says, because only one is issued per computer. Cookies are issued by Web sites to recognize repeat visitors, and while they have a bad reputation among surfers, they are generally tolerated — in part because they generally can’t be used to track users as they move around the Internet. A single computer user probably has hundreds of cookies on his or her machine, and external Web sites don’t recognize each other’s cookies.

But since the Media Player ID is unique, it theoretically could be used by Web sites to track movements across the Net — several sites could get together and correlate their data for example, or a major Web advertising firm could do it for them.

“We’ve always been worried that there would be one number that everybody could use,” Smith said. “Windows Media Player is not privacy friendly at all.”

Windows Media Player is a critical component that is normally bundled with Windows, and as such the software is by default now installed on most home and corporate computers. As a result, says Cooper, “I’d argue that you can definitely now track 95 percent of all home users across their every site visit on the Internet.”

Neither Smith nor Cooper indicated they knew of any Web sites actually using the ID number for tracking purposes, meaning the feature isn’t currently a privacy risk. “I’d call it a low to medium risk right now,” Smith said. “It depends on if Web sites pick it up or not.”

Microsoft spokesperson Tonya Klause said Microsoft implemented the ID feature in part to help video-heavy Web sites to sell subscriptions to users. The ID numbers allow Web sites to recognize visitors, so they don’t have to log in each time, she said. “If you go back they know it’s you,” she said.

Klause said the feature was introduced back in 1998. Smith brought the problem to the company’s attention last March, and by May the company had issued a software update to address Smith’s concerns. The fix, available at Microsoft’s Web site, lets users turn off the ID number. The fix is automatically included in more recent versions of Media Player.

But Klause admits many users may never take that step. “Clearly there are no superclean solutions, but there are some ways to adjust settings,” she said. “In an ideal world, we will evolve our products so there is a ‘one-stop shopping’ privacy panel for everything.”

Also a concern — malicious Web sites could obtain the ID even if users never launch Windows Media Player. Essentially, any Web site can ask a Web browser for the ID without telling the surfer. Smith’s Web site includes a demonstration.

Concerned users can also turn off javascript or ActiveX features, or simply ask for a warning dialog box to pop up before offering up the Windows Media Player ID, Klause said. According to Microsoft’s security bulletin, users can turn off the Windows Media Player ID by following these instructions:

In Windows Media Player 6.4, the privacy setting is selected via a new option, which can be reached by going to the menu item View / Options then selecting the player tab and de-selecting “Allow Internet sites to uniquely identify your player”.

In Windows Media Player 7.1, the privacy setting is toggled via the existing option under the tools menu, on the player tab, by deselecting the option “Allow Internet sites to uniquely identify your player”.

Jeffbx
01-17-2002, 05:19 AM
Wasn't everyone already in an uproar because you could do the same thing with the PIII serial/tracking number? That one fizzled out pretty quick...