A perfect example

By Scott Bradner
Network World, 11/15/99

It would have taken a lot of hard work to have created a better bad example.

RealNetworks' approach to secretly collecting data on its customers is a perfect example of what Internet users are convinced that all 'Net companies do. Although RealNetworks reacted quickly to change its approach, the company's total obliviousness to the privacy aspects of its behavior is breathtaking.

On Monday, Nov. 1, The New York Times reported that RealNetworks' downloadable RealJukebox CD player collected all sorts of data on its customers and automatically sent it back to servers at RealNetworks' corporate offices.

Users of the RealJukebox software are required to enter their names, e-mail addresses and ZIP codes to register. Every time the program starts up, it sends back to the company the number of songs the user has stored on his hard drive, their formats and quality level, what type of music the user likes to listen to and the type of any portable music player that might be connected to the user's computer. In addition, every time a CD is inserted into the computer's CD-ROM drive, the CD title is sent to RealNetworks.

Spokesmen for RealNetworks said the company was collecting the information as a way to customize services for its customers and to be able to offer music selections targeted to users based on what RealNetworks knew about what users were listening to.

By later the same day that the RealJukebox story broke, RealNetworks had figured out that there was a flaw somewhere in its thinking (if thinking had actually been involved in programming the system this way). In light of this, the company announced the availability of a downloadable patch to disable the reporting features.

I can imagine that RealNetworks thought that some of its customers might even be happy for the pointers to music they might like. After all, Amazon.com's users seem to like the same sort of thing. But RealNetworks did this in secret, not even noting the practice in the license agreement or in the privacy statement on the company's Web page. The fact that RealNetworks gathered this information and must have assumed that no one would notice indicates a reality disconnect that would seriously worry me if I were an investor.

I will note that RealNetworks has not yet said it will disable the information-gathering servers or that new versions of the program will not return any information to RealNetworks. Nor has the company said that its very popular RealAudio and RealVideo players do not gather such information. Since few of the 13 million registered RealJukebox users will get around to patching their software, RealNetworks will keep receiving a lot of information unless the company shuts down the servers.

So far, RealNetworks is a case study in what not to do if you are an ISP - I hope that other companies will learn from this.

Disclaimer: Not even the Harvard Business School would use a case study this dumb, so the above observation is mine alone.