June 6, 2007 | By Peter Eckersley

An Update on the Innards of iTunes Plus Files

Last week, we posted to say that iTunes Plus files seem to exhibit some strange variations above and beyond the widely reported fact that they contain the purchaser's name and email address/Apple ID. We've since had time to look at these files more closely, and we can say a little more about what's going on inside.

Firstly, the most interesting hypotheses turn out to be false. There aren't any watermarks in the compressed data; in fact, the compressed segments are identical across multiple copies of the same track. The large variation in size that we observed between two different iTunes Plus purchases of the same track turned out to be because one file contained two copies of the cover art: a quality 93 600x600 JPEG, and a quality 100 600x600 JPEG. This is a little odd, but it probably results from iTunes having cached a cover for the whole album before the track was purchased, and is unlikely to double as a tracking mechanism (inadvertent or otherwise).

Secondly, the odd tables we mentioned last week are not all that interesting. They're stco (chunk offset) tables: lists of absolute byte offsets into the compressed audio data that let a player seek to different parts of the track. Because every offset is measured from the start of the file, inserting an extra JPEG into the headers ahead of the audio shifts all of the pointers by the same amount, which is exactly what we saw.

While there are no watermarks, there are some other interesting fields that are likely to have privacy implications. In particular, there is a 1024-bit (128-byte) field labeled sign and a 630-byte field labeled chtb, both of which vary from file to file. Their contents are unique for every combination of user and track we've seen. Neither of these fields existed in the FairPlay-DRMed .m4p tracks that Apple has been selling in the past.

It's best to assume that either the sign or the chtb field could be used by Apple to identify the user who purchased a track. That would be true if Apple logs what it writes in these fields, or if sign is, as it seems, a cryptographic signature over the purchase metadata. It's also safe to assume that they can be used to tell the difference between real and forged names / Apple IDs in tracks: if the name and Apple ID are among the signed fields, editing them in the file would invalidate the signature, and anyone holding the verification key could tell a tampered copy from a genuine one.
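To make the two findings above concrete, here is an added example, written for this page rather than taken from EFF's own analysis tools: a small Python parser that walks the atom tree of two copies of a track, dumps the stco chunk offsets, checks whether the compressed audio in mdat is byte-identical, counts the embedded cover images, and reports whether the sign and chtb atoms differ between the copies. The two input files are constructed in the code and only imitate the relevant layout of an iTunes Plus file; the JPEG bytes are fake, and where the real sign and chtb atoms live in the tree is an assumption (the walker finds them by name wherever they sit).

```python
"""Added example (not EFF's tooling): walk the MP4/M4A atom tree of two copies
of a track and report why they differ.  The file layout built below is
constructed for the demo and only imitates the parts of an iTunes Plus file
that matter here; the location of 'sign' and 'chtb' is an assumption."""
import struct

# Plain container atoms whose payload is just more atoms, and 'meta', whose
# payload begins with 4 bytes of version/flags before its children.
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta", b"ilst"}
FULL_CONTAINERS = {b"meta"}


def boxes(data, start=0, end=None):
    """Yield (type, payload_start, payload_end) for each atom in data[start:end]."""
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, atype = struct.unpack(">I4s", data[pos:pos + 8])
        hdr = 8
        if size == 1:                      # 64-bit 'largesize' follows the type
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            hdr = 16
        elif size == 0:                    # atom runs to the end of the file
            size = end - pos
        if size < hdr or pos + size > end:
            raise ValueError("malformed atom at offset %d" % pos)
        yield atype, pos + hdr, pos + size
        pos += size


def walk(data, start=0, end=None, path=()):
    """Recursively yield (path, payload_start, payload_end) for every atom."""
    for atype, ps, pe in boxes(data, start, end):
        p = path + (atype.decode("latin-1"),)
        yield p, ps, pe
        # Children of 'ilst' (e.g. 'covr') are themselves containers of 'data' atoms.
        if atype in CONTAINERS or (path and path[-1] == "ilst"):
            yield from walk(data, ps, pe, p)
        elif atype in FULL_CONTAINERS:
            yield from walk(data, ps + 4, pe, p)


def chunk_offsets(data):
    """Absolute file offsets from every stco (32-bit) or co64 (64-bit) table."""
    offsets = []
    for path, ps, pe in walk(data):
        if path[-1] in ("stco", "co64"):
            count = struct.unpack(">I", data[ps + 4:ps + 8])[0]   # after version/flags
            fmt = ">%d%s" % (count, "I" if path[-1] == "stco" else "Q")
            offsets.extend(struct.unpack(fmt, data[ps + 8:ps + 8 + struct.calcsize(fmt)]))
    return offsets


def atoms_named(data, names):
    """Map atom name -> payload for every atom in `names`, wherever it sits in the tree."""
    return {path[-1]: data[ps:pe] for path, ps, pe in walk(data) if path[-1] in names}


def compare_copies(a, b):
    """Summarise how two files of 'the same track' differ."""
    shifts = {y - x for x, y in zip(chunk_offsets(a), chunk_offsets(b))}
    covers = lambda d: sum(1 for p, _, _ in walk(d) if p[-2:] == ("covr", "data"))
    per_user = atoms_named(a, {"sign", "chtb"}), atoms_named(b, {"sign", "chtb"})
    return {
        "audio_identical": atoms_named(a, {"mdat"}) == atoms_named(b, {"mdat"}),
        "cover_count": (covers(a), covers(b)),
        # One uniform shift means every stco pointer moved by the same number of
        # bytes, i.e. something was inserted ahead of mdat; the audio itself did not change.
        "offset_shift": shifts.pop() if len(shifts) == 1 else None,
        "differing_atoms": sorted(n for n in ("sign", "chtb") if per_user[0].get(n) != per_user[1].get(n)),
    }


# ---- constructed test files (shape only; not real iTunes output) ----
def atom(atype, payload):
    return struct.pack(">I4s", 8 + len(payload), atype) + payload


def build_track(audio, sign, chtb, covers, chunk=4):
    ftyp = atom(b"ftyp", b"M4A \0\0\0\0M4A mp42isom")

    def moov(offsets):
        stco = atom(b"stco", struct.pack(">II", 0, len(offsets)) + struct.pack(">%dI" % len(offsets), *offsets))
        trak = atom(b"trak", atom(b"mdia", atom(b"minf", atom(b"stbl", stco))))
        # iTunes 'covr' holds one 'data' atom per image: type 13 = JPEG, then 4 reserved bytes.
        covr = atom(b"covr", b"".join(atom(b"data", struct.pack(">II", 13, 0) + c) for c in covers))
        meta = atom(b"meta", b"\0\0\0\0" + atom(b"ilst", covr))
        # ASSUMPTION: 'sign'/'chtb' placed in udta for the demo; the post gives no location.
        return atom(b"moov", trak + atom(b"udta", meta + atom(b"sign", sign) + atom(b"chtb", chtb)))

    n = -(-len(audio) // chunk)                         # number of chunks, rounded up
    mdat_payload = len(ftyp) + len(moov([0] * n)) + 8   # stco values do not change moov's size
    return ftyp + moov([mdat_payload + i * chunk for i in range(n)]) + atom(b"mdat", audio)


AUDIO = bytes(range(40))                                # stands in for identical AAC frames
JPEG_Q93 = b"\xff\xd8" + b"\x93" * 20 + b"\xff\xd9"     # fake JPEG bytes, constructed
JPEG_Q100 = b"\xff\xd8" + b"\x64" * 28 + b"\xff\xd9"    # fake JPEG bytes, constructed
# The same track bought by two users; the second copy carries a cached extra cover.
COPY_USER1 = build_track(AUDIO, b"\x11" * 128, b"\xaa" * 630, [JPEG_Q93])
COPY_USER2 = build_track(AUDIO, b"\x22" * 128, b"\xbb" * 630, [JPEG_Q93, JPEG_Q100])

if __name__ == "__main__":
    print(compare_copies(COPY_USER1, COPY_USER2))
```

Run against the constructed copies, compare_copies() reports byte-identical audio, one cover versus two, every chunk offset shifted by exactly the size of the extra 'data' atom (its 8-byte header, 8 bytes of type and reserved fields, plus the image), and sign and chtb as the atoms that differ. To use it on two real purchases, read the files from disk in place of the build_track() output; the walker does not care where in the tree the per-user atoms actually sit.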
