[lug] M$ and their media player

Bear Giles bgiles at coyotesong.com
Fri Feb 22 19:48:40 MST 2002


> The "log" file maintained by Windows Media Player is the equivalent of 
> our ~/.cddb/ which is used by just about every UNIX cd player app that 
> I have used. 

But many (most? all?) Unix players allow you to specify which server
you wish to use, or if you wish to use any at all.  WMP takes that 
choice away from us.

> It's not such a big deal in my view.

You don't have the right to declare whether the lookups are a "big deal"
or not.  Microsoft doesn't have the right to declare it either.  If people
don't want lookups to be performed, they should have the ability to
disable those lookups.

The other thing to remember is that the potential embarrassment factor
is *much* more than knowing you listen to the Spice Girls.  WMP looks
up all DVDs, including adult ones.  It looks up all DVDs, including the
ones your ******* friend slipped into the drive as a joke, or while 
checking on your place while you were on vacation.  The software doesn't
know or care why the disc was inserted, it just looks up the DVD with
your cookie and stores the results in your WMP database.

Finally, even if you think the tracking concerns are misplaced, you
can't deny the fact that Microsoft has a horrible track record in 
application security.  How long until we see malware that exploits
this mandatory feature?

> Just caching.

That's the other big difference between WMP and the Unix equivalents.
It's not hard for me to prune or purge my CDDB database.  Even if I
have to use system commands to do it, the process is pretty straight-
forward.  How do you do this with WMP without breaking the application?

> As for the ID transmitted to the server, I doubt that they can reliably 
> correlate this with your personal information.

Why not?  How many different applications hit a Microsoft server for
information, even in these pre-.net days?  How many will establish
initial sessions using the system GUID?  How hard would it be for MS,
or someone with access to that data, to cross-correlate this information?

> As far as I'm aware, 
> unless you are being billed by MS, most people are not compelled to 
> even supply Microsoft with a real name, address, telephone, or any such 
> personal data to use the vast majority of their services and OS features.

What about XP activation? 

As a final point, I want to make it clear that I have no reason to 
believe that Microsoft is abusing this system.  They may have tried to
implement a CDDB knockoff, nothing more.  But their corporate culture
has blinded them to some trivial steps that would go a long way to
settling our fears.  Specifically:

 1) it should be possible to disable queries,
 2) it should be possible to specify alternative servers,
 3) it should be possible to disable cookies, or to use a well-defined
    'anonymous' cookie,
 4) it should be easy to prune or purge the database

These are not complex changes - most would take less than a day to
implement.  Therefore we have to wonder if there's some unstated reason
(besides indifference) why these steps weren't taken.



