June 28, 2007 | By Peter Eckersley

Privatunes 0.9 does not anonymize iTunes Plus files

Slashdot and Wired Compiler ran posts yesterday about Privatunes, a program that claims to remove personally identifying information from iTunes Plus files (the current version is closed source and Windows only, though the site says that this will change in the future).

Privatunes 0.9 overwrites the user's name and address. Unfortunately, the Privatunes coders didn't read our last post about iTunes tracking data — aside from the name and email address, there are other fields that Apple, or a litigant that subpoenas Apple, could use to identify the purchasers of iTunes Plus files, even if they've been run through Privatunes 0.9.

There are two fairly large fields, marked sign and chtb, that are unique to each copy of a given track. There are also several other places where copies of the same song vary by three or four bytes (they can be readily observed with a program like vbindiff). It should be assumed that a file is potentially identifying unless all of these fields have been overwritten.

Lastly, Privatunes 0.9 just overwrites the name and email address using ASCII spaces (0x20). This means that the length of these two fields can still be seen after the file has been modified. For complete anonymization, these lengths should be made unreadable.
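The two checks described above, comparing copies of the same track byte for byte and spotting space-filled fields whose length still shows, are sketched below as an added example (not code from this post or from Privatunes). The file layout built by `make_copy` is a constructed stand-in, not the real iTunes Plus format, and all function names are hypothetical.

```python
import re

def diff_ranges(a: bytes, b: bytes, gap: int = 4):
    """Half-open (start, end) byte ranges where two copies differ.
    Differences separated by fewer than `gap` equal bytes are merged."""
    n = min(len(a), len(b))
    ranges = []
    for i in range(n):
        if a[i] != b[i]:
            if ranges and i - ranges[-1][1] < gap:
                ranges[-1][1] = i + 1          # extend the current range
            else:
                ranges.append([i, i + 1])      # start a new range
    if len(a) != len(b):                       # a length mismatch is itself a difference
        ranges.append([n, max(len(a), len(b))])
    return [tuple(r) for r in ranges]

def space_runs(data: bytes, min_len: int = 4):
    """(offset, length) of each run of 0x20 bytes: a space-overwritten
    field still reveals how long the original value was."""
    pattern = rb"\x20{%d,}" % min_len
    return [(m.start(), len(m.group())) for m in re.finditer(pattern, data)]

# Constructed stand-in for a purchased track; NOT the real iTunes Plus layout.
def make_copy(name: bytes, email: bytes, sign: bytes, chtb: bytes) -> bytes:
    return (b"HDR:" + b"name" + name + b"\x00" + b"mail" + email + b"\x00"
            + b"sign" + sign + b"chtb" + chtb + b"AUDIO" * 4)

# Two buyers' copies after name and email were overwritten with spaces
# (constructed sample values).
COPY_A = make_copy(b" " * 13, b" " * 17, bytes(range(16)), bytes(range(100, 108)))
COPY_B = make_copy(b" " * 13, b" " * 17, bytes(range(16, 32)), bytes(range(200, 208)))

if __name__ == "__main__":
    for start, end in diff_ranges(COPY_A, COPY_B):
        # In this constructed layout a 4-byte marker precedes each field.
        tag = COPY_A[max(0, start - 4):start].decode("ascii", "replace")
        print(f"copies differ at {start}..{end - 1} (after marker {tag!r})")
    for off, length in space_runs(COPY_A):
        print(f"space-filled field at {off}: original value was {length} bytes long")
```

Any range reported by `diff_ranges` between two scrubbed copies of the same song is a field that was not overwritten. Runs of 0x20 can also occur by chance in real audio data, so `space_runs` hits need to be checked against where the metadata actually sits.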

