A Closer Look at the Fine Print in Privacy Statements

Date: Jun 11, 2004

Most major companies (Novell, IBM, Oracle, HP, Microsoft, and so on) have very similar privacy statements. Zubair Alexander takes a closer look at the fine print in these statements: what type of data or personal information may be collected from you, and who it's shared with. What's in the fine print may surprise you.

Whether it's a privacy statement from your cable TV provider or a business web site, if you take time to read the fine print you might be in for a few surprises. Obviously, the companies provide these statements to meet legal requirements and to protect themselves from lawsuits. You can't blame them for that. They hire lawyers to make sure that every conceivable area is covered and nothing is left out. But I wonder how many people actually take the time to read one of these privacy statements and see what's inside. Let's face it; whether it's a privacy statement or a licensing agreement, most people don't take time to read all the boring details of legal mumbo-jumbo drafted by some attorney.

Fine Print for This Article

In this article, I'll help you take a closer look at one of the privacy statements from Microsoft and show you what you're agreeing to when you access their resources or use their products. I decided to use Microsoft's privacy statements as an example simply because a large number of people use Microsoft products. (Novell's privacy statements probably wouldn't generate the same level of interest.) I'm using WindowsMedia.com from Microsoft as an example, but I should point out that privacy statements from other companies such as IBM, Oracle, HP, and Novell have many of the same issues. In fact, if you examine privacy statements from several large companies, you might think that they were written by the same attorney with some minor changes. Although references are made to several organizations, this article is not meant to be a comparison of the privacy statements among these various organizations.

At the end of this article, I'll make some suggestions for customizing your settings in Windows Media Player, in case you're not thrilled about sharing so much personal information with the vendor.

What Is WindowsMedia.com?

WindowsMedia.com consists of a family of web sites and web-based services. The WindowsMedia.com services are used by Microsoft Windows software, such as Windows Media Player and Internet Explorer. You can access the WindowsMedia.com privacy statement discussed in this article by going to Help, Privacy Statement within Windows Media Player.

NOTE

To Microsoft's credit, they don't try to hide their privacy statements. Take Windows Media Player as an example. The privacy policy can be accessed from Help, Privacy Statement. Then there's a link to the policy from Tools, Options, on the Privacy tab. There's also a link in the Help file. And finally, there are several links on Microsoft's web site pointing to the privacy statement.

What They Collect

According to Microsoft, "In general, WindowsMedia.com doesn't collect personally identifiable information, such as name, address, or telephone number." That's true. In general, it doesn't—but sometimes it does. For example, if you sign up for a WindowsMedia.com newsletter, it collects your email address, which is definitely a piece of personally identifiable information.

So what specific information does WindowsMedia.com gather? Here's a list of items that WindowsMedia.com may collect from you:

Your email address, if you sign up for WindowsMedia.com newsletter
Your ZIP code
The web sites and pages you visit within WindowsMedia.com
Your IP address
Your browser type
Domain names
Access times
Referring web site's addresses
Any data that WindowsMedia.com receives when processing service requests

The information listed above is kept in daily logs, and Microsoft retains those daily logs for at least one year.

What They Share

When you use WindowMedia.com, you agree to the following terms:

If you sign up for the WindowsMedia.com newsletter, your email address will be sent to the MSN Newsletter Service.
Any information you enter and submit to WindowsMedia.com to improve the quality of the Metadata Retrieval service may be shared with other users of the service.

TIP

What does Microsoft mean by "other users"—other Microsoft employees? No, everyone else in the world who uses their service.

Your personal information may be shared with all Microsoft vendors, or subcontractors who provide limited services such as customer support. Microsoft does say that the vendors are required to maintain the confidentiality of that information and are prohibited from using that information for any other purpose.
Your personal information may be stored and processed not only in the United States but also any other country in the world. According to Microsoft, they abide by U.S. Department of Commerce's "safe harbor" framework when it comes to the collection, use, and retention of data from the European Union. What about countries outside the European Union? Well, we don't know. There's no mention of that.

What About Cookies?

A cookie is placed on your hard drive when you use WindowsMedia.com. The cookie contains a unique identifier that allows WindowsMedia.com to generate anonymous visitor statistics. The cookies are also useful for vendors to determine the type of music you listen to. You have the ability to decline cookies, but then certain features of Windows Media, such as Radio Tuner presets, will not function properly. Here's what you agree to about cookies:

WindowsMedia.com can place cookies on your computer.
MSN also has the right to place cookies on your hard drive.
Any third party that WindowsMedia.com allows to display ads on WindowsMedia.com web sites also will have the right to place "persistent" cookies on your hard drive. These cookies may reveal your listening habits—more specifically, the requests made by Windows Media Player—so that the content providers can offer you personalized services. What else the third parties do with the information is up to them, and you need to read their privacy statements for more details.

NOTE

What, you mean that you don't keep track of all the content providers for all the streaming media you use at any given time, and read their privacy statements on a regular basis?

Any third party that MSN allows to display ads on WindowsMedia.com web sites also has the right to place "persistent" cookies on your hard drive.

I want to make a couple of additional comments on the issues of cookies and ads. As the privacy statement mentions, Microsoft doesn't control the cookies placed on your hard drive or the ads by third parties, so if any of these advertisers decide to place spyware on your computer, don't blame Microsoft—because you've already agreed to it.

Also, as mentioned earlier, you can turn off the cookies in Internet Explorer. However, you should be aware that when you make changes to cookies settings in Internet Explorer, those changes affect not only the Windows Media Player but also Internet Explorer, Microsoft Outlook, Outlook Express, and any other program that may use cookies, as indicated in Figure 1.

Figure 1

Privacy statements from other companies, such as IBM and Novell, pretty much include the same statements about cookies and ads. Oracle.com, however, uses a different language when they talk about cookies. They say that their cookies usually last anywhere between 30–365 days but some cookies may last longer. Translation: Oracle.com may use persistent cookies that never expire.

Links to Third-Party Retailers

To make it easier for you to make online purchases, WindowsMedia.com may include links to third-party retailers. Let's see what you're agreeing to when it comes to third-party links:

If you click any links on WindowsMedia.com and connect to third-party web sites, those sites in turn may place cookies on your computer. How they use your personal information is up to them. It's your responsibility to read their privacy statements. Needless to say, Microsoft's privacy statements don't apply to third parties.
Microsoft is not responsible for the privacy statements or the collection practices of these third parties. Therefore, if these third parties use spyware, Trojan horses, or any other means to collect your personal information, you agree that Microsoft is not to be blamed.

The section that deals with third-party links in the WindowsMedia.com privacy statement is pretty standard compared to the privacy statements of most web sites.

Use of Web Beacons

WindowsMedia.com web pages and the WindowsMedia.com newsletter may contain electronic images called web beacons. These beacons are also referred to as single-pixel GIFs. Their purpose is to count the users who have visited the web pages and to deliver co-branded services. They also help a vendor determine the time, date, cookie numbers, and other information related to the web pages you're visiting. As far as web beacons are concerned, you agree to the following:

WindowsMedia.com can use web beacons to determine the date and time of your web page visits and the description of the web page on which the beacon resides.
Any third party that does business with Microsoft can also place their own web beacons to determine the date, time, and description of the web pages you've visited.

Essentially, you agree that Microsoft, and every vendor in the world that does business with Microsoft, has the right to know your web browsing habits, including the date and time of the web pages that you were viewing and the description of those web pages. What the third parties do with that information is totally up to them.

Communicating with Streaming Media Servers

When you use Windows Media Player, you might listen to streaming audio or watch streaming video. Let's see what you're agreeing to:

When you play streaming audio, video, or radio stations on Windows Media Player, Microsoft will send the streaming media server a log. Microsoft doesn't typically operate these streaming media servers, so you agree that it's up to the content provider to decide how the logs are used and whether the logs are shared with other third parties.
The logs may include the following:

Billing and advertisement tracking
Connection time
IP address
OS version
Player version
Player identification number (Player ID)
Date
Protocol
And more...

In this article, we've only looked at the privacy statement for WindowsMedia.com. Because WindowsMedia.com has some close ties with MSN, as indicated by the references to MSN services, you might be interested in finding out how MSN collects and shares your personal information. Did you know that MSN collects information such as your email address, name, home or work address, telephone number, ZIP code, credit card number, billing address, age, gender, preferences, interests, and favorites? It then combines this data with information obtained from other Microsoft services, as well as all other companies. For more information, check out the link to MSN's privacy statement at the end of this article.

What Can You Do To Manage Your Privacy?

You may have strong feelings about sharing your personal data with so many people when using Windows Media Player. There's no "one size fits all" solution to prevent software privacy violations, but you can at least customize your privacy settings in Windows Media Player:

Start Windows Media Player.
Choose Tools, Options, and click the Privacy tab in the Options dialog box.
Deselect all the check boxes on the Privacy tab, as shown in Figure 2. (This screen shot is from Windows Media Player 9.0.)
Click the Clear History and Clear CD/DVD buttons to clear the history.

Figure 2

You can also customize the cookies settings in Internet Explorer. For instance, you can specify which web sites are always (or never allowed) to use cookies, regardless of their privacy policy. You can also configure the settings to accept, block, or prompt for first-party and third-party cookies. These settings are configured on the Privacy tab, as shown in Figure 3. On the Security tab, make sure that the two script options are deselected, as shown in Figure 4.

Figure 3

Figure 4

On the Player tab, there's no way to disable Automatic Updates in Windows Media Player, at least not in the GUI. You must choose between updating once a day, once a week, or once a month. I also like to make sure that the setting Start Player in Media Guide is turned off, as shown in Figure 5. Some people like to leave the option Download Codecs Automatically checked because, according to Microsoft, only supported codecs are downloaded automatically. You're always prompted before a third-party codec is downloaded.

Figure 5

You'll find Windows Media Player registry settings at this location:

HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer

Most of the configuration settings are in the Preferences folder.

Conclusion

Privacy statements from most organizations are almost identical. They all pretty much want your personal information, such as email, browsing habits, and other data that helps them market their products, and in some cases enhance your experience.

However, when you read the fine print you may wonder if there's anything that's really guaranteed to be private on your PC. If you really want to know what I mean, check out the Microsoft Online Crash Analysis data-collection policy for the error reports that you send to Microsoft over the Internet. (I discuss error reporting in the article "Tired of Windows XP Phoning Home?") First, read about the types of data collected. Then read the section "Who has access to error report data." The information you provide is shared with "Microsoft employees, contractors, and vendors who have a business need to use the error report data.... If the error report indicates that a third-party product is involved, Microsoft may send the data to the vendor of that product, who may in turn send the data to sub-vendors and partners."

Obviously, you don't have to use Windows Media Player. You can use another third-party product, but be sure to read the fine print in their privacy statement. You may find that their privacy statement is not much different from Microsoft's.

For More Information

Here are some links to privacy statements that you may find helpful:

Like several other corporations, Microsoft is a member of the TRUSTe Privacy Program. TRUSTe is an independent, nonprofit organization, and it reviews privacy policies to ensure that each policy conforms to TRUSTe standards. All other companies mentioned in this article are also members of TRUSTe, except HP, which conforms to the Better Business Bureau's online privacy program because HP is the founding sponsor of the BBBOnline Privacy Program.