The following text is copyright 1999 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.

A perfect example

by Scott Bradner

It would have taken a lot of hard work to do a better job of creating a better bad example. RealNetwork's approach to secretly collecting data on their users is a perfect example of what Internet users are convinced that all Internet companies do. Although they reacted quickly to change their approach RealNetwork's total obliviousness to the privacy aspects of its behavior is breathtaking.

On Monday November 1st the New York Times reported that RealNetwork's downloadable RealJukebox CD player collected all sorts of data on its users and automatically sent it back to servers at the RealNetworks corporate offices. Users of the RealJukebox software are required to enter in their names, email addresses and ZIP codes to register. Every time the program starts up it sends the number of songs that the user has stored on their hard drive and their formats and quality level, what type of music the user likes to listen to and the type of any portable music player that might be connected to the user's computer. In addition, every time that a CD is inserted into the CD drive in the computer the title of the CD is sent to RealNetworks.

Spokesmen for RealNetworks said that they were collecting the information as a way to customize services for their users and to be able to offer music selections targeted to specific users based on what RealNetworks knew about what the user was listening to.

By later on that same day RealNetworks had figured out that there was a flaw somewhere in their thinking (if thinking had actually been involved in programming the system this way) and announced the availability of a downloadable patch to disable the reporting features.

I can imagine that RealNetworks thought that some of their users might even be happy for the pointers to music they might like, amazon.com's users seem to like the same sort of thing. But they did this in secret, not even noting it in the license agreement or in the privacy statement on their web page. The fact that they did so and must have assumed that no one would notice indicates a reality disconnect that would seriously worry me if I were an investor.

I will note that they have not yet said they will disable the information gathering servers, or that new versions of the program will never return any information to RealNetworks, or even that their very popular RealAudio and RealVideo players do not do this type of thing. Since few of the 13 million registered users will get around to patching their software RealNetworks will keep getting a lot of information unless they do shut down the servers.

So far RealNetworks is a case study in what not to do if you are an Internet services provider - I hope that other companies will learn from their experiences.

disclaimer: Not even the Harvard Business School would use a case study this dumb so the above observation is mine alone.