Microsoft watching us watch DVD movies (was: Microsoft finally)

From: Roger Marquis <>
Date: Fri, 22 Feb 2002 03:06:40 GMT

While the privacy issues raised by this monopoly business practice are
ominous, the practice is even more unethical in light of MS' recent
licensing updates (allowing them to search and modify or delete any
file on any computer running Windows XP).


Posted on:

Serious privacy problems in Windows Media Player for Windows XP

by Richard M. Smith
February 20, 2002


I found a number of serious privacy problems with Microsoft's Windows
Media Player (WMP) for Windows XP. A number of design choices were made
in WMP which allow Microsoft to individually track what DVD movies
consumers are watching on their Windows PC. These problems were
introduced in version 8 of WMP, which ships preinstalled on all Windows
XP systems.

In particular, the privacy problems with WMP version 8 are:

- Each time a new DVD movie is played on a computer, the WMP software
contacts a Microsoft Web server to get title and chapter information for
the DVD. When this contact is made, the Microsoft Web server is given
an electronic fingerprint which identifies the DVD movie being watched
and a cookie which uniquely identifies a particular WMP player. With
these two pieces of information Microsoft can track what DVD movies are
being watched on a particular computer.

- The WMP software also builds a small database on the computer hard
drive of all DVD movies that have been watched on the computer.

- As of Feb. 14, 2002, the Microsoft privacy policy for WMP version 8
does not disclose the fact that WMP "phones home" to get DVD title
information, what kind of tracking Microsoft does of which movies
consumers are watching, and how cookies are used by the WMP software and
the Microsoft servers.

- There does not appear to be any option in WMP to stop it from phoning
home when a DVD movie is viewed. In addition, there does not appear to be any
easy method of clearing out the DVD movie database on the local hard

Technical Details

When a DVD movie is played by the WMP, one of the first things that WMP
does is to query via the Internet a Microsoft server for information
about the DVD. The query is made using the standard HTTP protocol that
is also used by Web browsers like Internet Explorer or Netscape

Using a packet sniffer I was able to observe WMP making these queries to
a Microsoft server each time a new DVD movie was played. The packet
sniffer also showed the movie information which was returned to WMP by
the Microsoft servers.

The first HTTP GET request sent by WMP identified the movie being
played. For example, an HTTP GET request is made for this URL for the
"Dr. Strangelove" DVD:

The hex numbers at the end of the URL are an electronic fingerprint for
the DVD table of contents which uniquely identify the "Dr. Strangelove"

This URL is sent to, Microsoft's Web site dedicated to
the WMP software.

The HTTP GET request also included an ID number in a cookie which uniquely
identifies my WMP player. Here's what this cookie looks like:


By default, this cookie is anonymous. That is, no personal information
is associated with the cookie value. However, if a person signs up for
the Windows Media newsletter, their email address will be associated
with their cookie. For example, when I signed for the
Windows Media newsletter, the following URL was sent to Microsoft

The same cookie value will be sent back to Microsoft
servers when signing up for the newsletter and when a DVD movie is
played. In addition, using various well-known "cookie synch" tricks, an
email address can be associated with a cookie value at any time.

Also when subscribing to the Windows Media newsletter, I was encouraged
by an email message from the Microsoft newsletter department to create a
Passport account based on my email address. In theory, yet more personal
information from Passport could be matched with what DVD movies I have
watched. There is no evidence however that Microsoft is making this

The cookie was assigned to my computer the first time I
ran WMP. The lifetime of the cookie was set to about 18 months. This
cookie gives Microsoft the ability to track the DVD movies that I watch
on my computer.

After a series of redirects from the WindowsMedia.Com server,
information about the "Dr. Strangelove" movie was returned in this XML

WMP extracted movie information from this file and then added this
information to a database file, named wmplibrary_v_0_12.db, which is
located on my hard disk in the directory "C:\Documents and Settings\All
Users\Application Data\Microsoft\Media Index". I didn't see any method
of removing movie information from this file, so it appears to me that
the file keeps a complete record of all movies that have ever
been watched on my computer.

Because as of Feb. 14, 2002 the Windows Media privacy policy is silent
about what is done with DVD information sent to Microsoft servers by the
WMP software, we can only speculate what Microsoft is doing with the
information. Here are some possibilities:

- Microsoft can be using DVD title information for direct marketing
purposes. For example, the WMP start-up screen or email offers can be
customized to offer new movies to a WMP user based on previous movies
they have watched.

- Microsoft can be keeping aggregate statistics about what DVD movies
are the most popular. This information can be published as weekly or
monthly "top ten" lists.

- Microsoft might be doing nothing with the DVD information. (In my
discussions with Microsoft, I was told this option is their current

Note: The Video Privacy Protection Act of the United States prevents
video rental stores from using movie titles for direct marketing
purposes. The letter of this law does not apply to Microsoft because
they are not a video rental store. However, clearly the spirit of the
law is that companies should not be using movie title information for
marketing purposes.


I believe that Microsoft should remove the DVD movie information
feature from WMP version 8 altogether. The value of the feature seems very
small given that almost all DVD movies include a built-in chapter guide.
In addition, the Microsoft movie information feature is not available
when DVD movies are shown in full-screen which is how DVDs are typically

If Microsoft feels that this feature is important to leave in WMP, then
I think it should be turned off by default. The feature can be made
privacy-friendly very easily, by having WMP never send in cookie
information with movie title requests. This change will prevent
Microsoft from tracking individual movie viewing choices.

Vendor Response

Response from the Windows Digital Media Division of Microsoft
Corporation is available here:


Thanks to Ian Hopper of the Associated Press for bringing this issue to
the attention of the author.


  Digital Media in Windows XP

  Media Player for Windows XP Privacy Statement

  The RealJukeBox monitoring system

  TiVo's Data Collection and Privacy Practices

  Internet Explorer SuperCookies bypass P3P and cookie controls

  Video Privacy Protection Act

  Bill Gates's memo on Trustworthy Computing
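
The tracking mechanism described in the article can be reproduced from a packet capture: join every request on the cookie value and a per-player viewing list falls out. The following is an added example, not code from the article or from Microsoft; the host, paths, the `toc` and `email` parameters and the `PLAYER_ID` cookie name are hypothetical placeholders, because the real URLs and cookie did not survive on this page.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

# Constructed capture of raw HTTP requests, as a packet sniffer would show them.
# Every host, path, parameter and cookie name here is a hypothetical placeholder.
CAPTURE = [
    "GET /lookup?toc=1A2B3C4D HTTP/1.1\r\nHost: media.example\r\nCookie: PLAYER_ID=aaaa1111\r\n\r\n",
    "GET /lookup?toc=5E6F7081 HTTP/1.1\r\nHost: media.example\r\nCookie: PLAYER_ID=aaaa1111\r\n\r\n",
    "GET /lookup?toc=1A2B3C4D HTTP/1.1\r\nHost: media.example\r\nCookie: PLAYER_ID=bbbb2222\r\n\r\n",
    "GET /signup?email=user%40mail.example HTTP/1.1\r\nHost: media.example\r\nCookie: PLAYER_ID=aaaa1111\r\n\r\n",
]

def parse_request(raw):
    """Return (player_id or None, query dict) for one raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    target = request_line.split(" ")[1]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookie = SimpleCookie(headers.get("cookie", ""))
    player = cookie["PLAYER_ID"].value if "PLAYER_ID" in cookie else None
    return player, parse_qs(urlsplit(target).query)

def server_side_view(capture):
    """Join requests on the cookie, as the receiving server could."""
    profiles, unlinked = {}, []
    for raw in capture:
        player, query = parse_request(raw)
        if player is None:
            unlinked.extend(query.get("toc", []))  # fingerprint with no identity
            continue
        entry = profiles.setdefault(player, {"email": None, "discs": []})
        entry["discs"].extend(query.get("toc", []))
        if "email" in query:  # newsletter signup ties an address to the cookie
            entry["email"] = query["email"][0]
    return profiles, unlinked

def strip_cookie(raw):
    """The article's proposed fix: send a title lookup without the Cookie header."""
    head, sep, body = raw.partition("\r\n\r\n")
    kept = [l for l in head.split("\r\n") if not l.lower().startswith("cookie:")]
    return "\r\n".join(kept) + sep + body

if __name__ == "__main__":
    print(server_side_view(CAPTURE))
    fixed = [strip_cookie(r) if r.startswith("GET /lookup") else r for r in CAPTURE]
    print(server_side_view(fixed))
```

With the cookie removed from the lookup requests only, the server still receives each disc fingerprint but can no longer attach it to a player ID or to the e-mail address learned at signup.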

