Slashdot and Wired Compiler ran posts yesterday about Privatunes, a program that claims to remove personally identifying information from iTunes Plus files (the current version is closed source and Windows only, thought the site says that this will change in the future).

Privatunes 0.9 overwrites the user's name and address. Unfortunately, the Privatunes coders didn't read our last post about iTunes tracking data — aside from the name and email address, there are other fields that Apple, or a litigant that subpoenas Apple, could use to identify the purchasers of iTunes Plus files, even if they've been run through Privatunes 0.9.

There are two fairly large fields, marked sign and chtb, that are unique to each copy of a given track. There are also several other places where copies of the same song vary by three or four bytes (they can be readily observed with a program like vbindiff). It should be assumed that a file is potentially identifying unless all of these fields have been overwritten.

Lastly, Privatunes 0.9 just overwrites the name and email address using ASCII spaces (0x20). This means that the length of these two fields can still be seen after the file has been modified. For complete anonymization, these lengths should be made unreadable.