How "Dirty" MP3 Files Are A Back Door Into Cloud DRM

All the big music sellers may have moved to non-DRM MP3 files long ago, but the watermarking of files with your personal information continues. Most users who buy music don’t know about the marking of files, or don’t care. Unless those files are uploaded to BitTorrent or other P2P networks, there isn’t much to worry about.

A list of which music services are selling clean MP3 files without embedded personal information, and which aren’t, is here. Apple, LaLa (owned by Apple) and Walmart embed personal information. Amazon, Napster and the rest have resisted label pressure to do so.

A music industry insider who’s asked to remain anonymous writes to us:

Hidden in purchased music files from popular stores such as Apple and Walmart is information to identify the buyer and/or the transaction. You won’t find it disclosed in their published terms of use. It’s nowhere in their support documentation. There’s no mention in the digital receipt. Consumers are largely oblivious to this, but it could have future ramifications as the music industry takes another stab at locking down music files.

Here’s how it works. During the buying process a username and transaction ID are known by the online retailers. Before making the song available for download their software embeds into the file either an account name or a transaction number or both. Once downloaded, the file has squirreled away this personal information in a manner where you can’t easily see it, but if someone knows where to look they can. This information doesn’t affect the audio fidelity, but it does permanently attach to the file data which can be used to trace back to the original purchaser which could be used at a later date.

Retailers aren’t talking, but there’s ample proof of what’s transpiring. Using simple file comparison tools, it’s possible to verify this behavior by purchasing identical songs using different accounts and seeing if they match. I emailed support departments for several retailers asking if they would acknowledge these actions and inquiring about what specific information they are embedding. Only 7digital responded, saying they don’t use any watermarks. What retailers won’t say publicly is that the major record labels are requiring this behavior as a precondition to sell their music.

Certain record labels have aspirations to use this hidden data to control future access to music in a return to DRM (digital rights management). The labels yearn to control where you can listen to your music and this could be a backdoor for them to achieve it. When personal libraries are stored in the cloud, it becomes possible to retrieve this personal data and match it to a user identity. If the match is successful the song plays, but if not, access can be blocked through a network DRM system such as the one Lala patented (which is now owned by Apple).

For the scheme to work, record labels need all retailers to support this, and so far some notable names are resisting. Napster, Amazon and UK-based 7digital are selling clean MP3 files. Files purchased from these stores do not have any user information whatsoever embedded into them. Other retailers such as Apple and Walmart have succumbed to label pressure to embed personal info.

Retailers and record labels should have the right to sell dirty files if they wish, however they should be obligated to disclose their practices in advance. Consumers should have this information so they can make an informed buying decision about whether to support dirty or clean MP3 vendors. If Barnes and Noble printed your name on pages of books you purchase that would be important information to know because it would affect the value of your book. Here the clandestine actions are even more worrisome because it could lead to a future lockdown of purchases. If the labels have plans to require cloud vendors to use this information in the future, they should disclose that as well.
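
The file comparison the letter describes can be scripted. The following is an added example, not part of the original article or the source's letter: the sample file layout (the `HDR0` marker and `acct=` field) is constructed for illustration and is not any retailer's actual format, and the script assumes both copies share the same layout so that bytes can be compared position by position.

```python
"""Compare two purchases of the same track and show where the bytes differ."""
import re
import sys

def diff_regions(a: bytes, b: bytes, merge_gap: int = 16):
    """Byte ranges (start, end) where a and b differ; nearby ranges are merged."""
    n = min(len(a), len(b))
    regions = []
    for i in range(n):
        if a[i] == b[i]:
            continue
        if regions and i - regions[-1][1] <= merge_gap:
            regions[-1][1] = i + 1          # extend the previous region
        else:
            regions.append([i, i + 1])
    if len(a) != len(b):                    # one copy is longer: flag the tail
        regions.append([n, max(len(a), len(b))])
    return [tuple(r) for r in regions]

def printable_strings(data: bytes, min_len: int = 4):
    """ASCII runs of at least min_len characters, like the Unix `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def report(a: bytes, b: bytes, context: int = 24):
    """For each differing region, list readable strings near it in each copy."""
    out = []
    for start, end in diff_regions(a, b):
        lo = max(0, start - context)
        out.append({"range": (start, end),
                    "file_a": printable_strings(a[lo:end + context]),
                    "file_b": printable_strings(b[lo:end + context])})
    return out

# Constructed sample data: identical "audio" with a padded account field in
# front. Hypothetical layout, not a real store's file format.
AUDIO = bytes(range(256)) * 4

def fake_purchase(account: str) -> bytes:
    return b"HDR0\x00acct=" + account.encode().ljust(24, b"\x00") + AUDIO

COPY_A = fake_purchase("alice@example.com")
COPY_B = fake_purchase("bob@example.org")

if __name__ == "__main__":
    if len(sys.argv) == 3:                  # usage: script.py copy1 copy2
        COPY_A, COPY_B = (open(p, "rb").read() for p in sys.argv[1:3])
    for entry in report(COPY_A, COPY_B):
        print(entry)
```

If the two copies are byte-identical, `report` returns an empty list; any region it does return marks data that varies per purchase and is worth inspecting.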

Cloud Music And The New DRM

Apple, Google and Amazon are all reportedly in discussions with big labels to provide a cloud music service. These services will allow users to purchase rights to stream music, and they will also allow syncing of songs already on your hard drive so you can play those without repurchasing them (this was the original LaLa model).

The labels, say our source, are demanding that a user can only stream music that is watermarked to their username. Change the username, or try to stream music that you’ve ripped from a CD, and those songs won’t play.

In other words, it’s DRM déjà vu all over again.