• Don't do it!

    From Matt Munson@1:218/700 to All on Tue Jun 21 14:35:00 2011
    Is Apple's iCloud Music Match a possible honeypot?
    from http://betweenthenumbers.net/2011/06/is-apples-icloud-music-match-a-possible-honeypot/

    Apple recently at their WWDC11 keynote announced a new service called iCloud Music Match. For $24.99 per year, it will scan the userÆs machine and mimic all of the userÆs music files onto AppleÆs new data center for streaming anywhere. In cases where it finds a match with one of the songs in its data files, even if not purchased from Apple, it will make a record of the song and then stream to the user AppleÆs 256kb AAC version. Apple presented this as a convenience to the users, saying that the setup will take æminutes, not weeksÆ in a jab at competitors like Amazon and Google that offer cloud based storage lockers.
    The unspoken flip side of this is: The users are voluntarily granting Apple the right to scan their system and store the personally identifiable results on AppleÆs servers. Presuming that Apple restricts its scan strictly to the information that is absolutely necessary for Music Match to work, what will that be?
    Quite obviously Music Match cannot work without scanning your files. For example, assume I take any old file and rename it LadyGaga:BornThisWay.mp3 and add it to my library. Obviously, Apple is not going to send me the music just because of the file name. I also doubt that there is going to be any process that is going to ælisten toÆ the music to see if it sounds like a recognized song. Instead, chances are the Music Match feature will, at a minimum, examine the header information on the MP3 file and run a hash calculation on the entire contents of the file.
    Although the æDRM freeÆ MP3 now being provided from many of the the major music download companies can be played anywhere, each download is watermarked with header information specific to the exact purchase and purchaser. This article from Techcrunch gives more details on ædirtyÆ MP3s. Consequently, if you purchase a æDRM freeÆ MP3 file from iTunes and then share it, and the person(s) who received it saves it to their iCloud, then Apple will know both (i) who shared their copy and (ii) whose copy is illegal. For files from other watermarked retailers, the same information would only require coordination with the other site.
    Next consider music purchased from sites that sell legal but ÆcleanÆ MP3s without watermarks. These files will have unique MD5 or SHA-2 signatures that can distinguish them to a particular company. They will certainly have different signatures than the watermarked versions (because the addition of the watermark) and they will be unique from versions of the same song encoded by others. When AppleÆs servers detect a number of copies far in excess of the æcleanÆ mp3 companyÆs reported sales, they will know where to suspect illegal copying.
    Then there will be MP3s that individuals created themselves from, for example, ærippingÆ their CD collections. While these are not watermarked to the individual, they appear to be unique for each æripÆ. To confirm this, I ran a test with fresh installations of the exact same CD ripping software on two different computers. I then had them rip the same track from the exact same CD using the unchanged system default settings on both computers. The MD5 hashes did not match. Small differences between the two reads, the internal timestamps, the system metadata, etc. likely resulted in the mismatch. It will almost certainly also be different from the file hashes from legal download sites, both those that watermark and those that do not. In short, if you and thousands other people have MP3s of the same song with the same file hash value, you will not be able to credibly claim it occurred because all of you ripped it from your CD collections.
    MD5 hash values are a cornerstone of computer forensics and fully accepted as evidence that two files are identical copies of each other. You could claim that you didnÆt download the song from the file sharing network because you were the one who uploaded it, but I doubt that will help your legal
    Some people I have mentioned this concern to have essentially accused me of heresy and paranoia because ôthere is no way Apple would do that to their usersö. Apple would not have to. They would simply have to comply with an information demand from the RIAA, who has had no problem with being seen as the bad guy in hardball enforcement against file sharing. Moreover consider this: Apple is the largest music retailer on the planet.
    Apple believes, possibly justifiably, that it loses billions of dollars annually to illegal music file sharing.
    The easiest way out of the legal jam over challenged content in your iCloud storage would be to convert the suspected iCloud music by buying it from Apple.
    Apple becomes almost like a white knight in the process.
    Several notable commentators, such as Berklee Music chief David Kusek and publisher rights lawyer Micheal Speck, have either in favor or against, called the iTunes Music Match service æamnesty for piratesÆ. I think they may be surprized at how this really plays out.

    ... An armed populace is the greatest insurance against tyrany.
    --- MultiMail/Win32 v0.49
    --- SBBSecho 2.12-Win32
    * Origin: realitycheckBBS | http://www.realitycheckbbs.org (1:218/700)