Skip to site navigation Skip to main content Skip to footer content Skip to Site Search page Skip to People Search page

Bylined Articles

Assessing the privacy risks of MP3 players

By Eric J. Sinrod
March 9, 2005
USAToday.com

Assessing the privacy risks of MP3 players

By Eric J. Sinrod
March 9, 2005
USAToday.com

Read below

A variety of technologies are designed to collect and use information about purchasers and end-users as part of normal functioning and operations. Such technologies include MP3 players, as these players can collect personal information and track user musical preferences.

A recent study by the Ponemon Institute, a privacy think tank based in Tuscon and headed by Larry Ponemon, measured privacy concerns related to MP3 players. Interestingly, while privacy risks are coming to the forefront in the minds of consumers in various technological areas, as of yet, the majority of respondents do not have privacy concerns when it comes to using their MP3 players.

Polling: How and when

How might your MP3 player give out your information, and at what point might that occur? The process for collecting end-users' sensitive personal information, such as music and artist preferences, vary by manufacturer and technology. For instance, some devices are now equipped with Bluetooth, thus allowing information to be captured or polled from various wireless networks — even if the user isn't aware that their player has made contact.

Information collection typically happens at three points: (1) at time of sale, set-up or registration of the warranty for the player; (2) when downloading music from the Internet; and (3) when sharing or uploading music to other devices.

In addition to music, some MP3 players are now equipped with additional peripherals such as digital cameras. The wireless capability of these devices make digital images equally insecure.

Rather than worry, many of the respondents expect MP3 manufacturers to be "proactive" in managing privacy risks. Thus, they expect manufacturers to recall products when there is a threat to personal information. Of course, at that point, the harm might already have occurred by virtue of a privacy breach. Additionally, as we see, some "leakage points" are in fact features.

What will you do?

Most MP3 users report that they would stop using their MP3 players if they had become a victim of a privacy breach. But, again, the damage would have been suffered first.

Innocently, most MP3 users do not believe that their personal information is collected when they download music. Evidently, these respondents have not been the victims of a privacy breach.

Notwithstanding the foregoing, the majority of MP3 users do believe that limitations on the sharing of their personal information would be an important step in terms of achieving trust and confidence in the MP3 manufacturers. However, the responses referenced above seem to indicate that most users already have a fair degree of trust when in comes to privacy and the use of their MP3 players.

As an intriguing sidenote, most MP3 users believe that their music choices and preferences are "sensitive" or "very sensitive" sources of personal information. One would think that they would be more concerned about personal data such as their credit card numbers, their home addresses, phone numbers and the like.

How can you protect your data without giving up your player? It's a good idea to consider the following issues when deciding to buy or use your MP3 player:

1. Understand the manufacturer's privacy policy. Determine what information about you is collected and how this can be used, shared or sold.

2. Read the end-user licensing agreement or EULA very carefully. Don't agree to anything unless you've seriously considered the risk. Just stop if you don't understand the EULA because it is too complex or filled with legal jargon.

3. Determine if you can opt-out of data collection or transfer by turning off polling features within the device itself.

4. If your player is equipped with wireless capabilities such as Bluetooth, be careful when using your MP3 player in a hot zone — and remember that hot zones can exist almost anywhere, including in proximity to someone else's mobile phone.

Many respondents conclude that MP3 manufacturers should obtain permission before sharing personal information with others. Hopefully, such manufacturers fully disclose to users their intentions regarding user personal information before collecting it. That said, most MP3 users do not belive that their MP3 manufacturers are sharing their personal information with third-parties — even though they understand that such information has potential value.

At the end of the day, MP3 users, as a population segment, do not seem too worried about privacy risks as they use their players. Perhaps this is because there have not been many privacy breaches in terms of the use of these devices — yet. Once the breaches start to happen in any technological area, the concerns, demands, investigations and lawsuits begin...

Eric Sinrod is a partner in the San Francisco office of Duane Morris (www.duanemorris.com), where he focuses on litigation matters of various types, including information technology disputes. His column appears Wednesdays at USATODAY.com. His Web site is www.sinrodlaw.com, and he can be reached at . To receive a weekly e-mail link to Mr. Sinrod's columns, please send an e-mail with the word Subscribe in the Subject line to .

Reprinted here with permission from USAToday.com.