Is Apple’s iCloud Music Match a Possible Honeypot?

Honeypot – noun (from Encarta)

1. something that is inviting: anything that attracts or appeals to large numbers of people ( informal )
2. Internet server used to entice hackers: a server connected to the Internet that is used as a decoy to attract potential hackers in order to study their activities and techniques

At its recent WWDC11 keynote, Apple announced a new service called iCloud Music Match. For $24.99 per year, it will scan the user’s machine and mirror all of the user’s music files onto Apple’s new data center for streaming anywhere. In cases where it finds a match with one of the songs in its data files, even if not purchased from Apple, it will make a record of the song and then stream Apple’s 256kb AAC version to the user. Apple presented this as a convenience to the users, saying that the setup will take ‘minutes, not weeks’ in a jab at competitors like Amazon and Google that offer cloud-based storage lockers.

The unspoken flip side of this is: The users are voluntarily granting Apple the right to scan their system and store the personally identifiable results on Apple’s servers. Presuming that Apple restricts its scan strictly to the information that is absolutely necessary for Music Match to work, what will that be?

Quite obviously Music Match cannot work without scanning your files.  For example, assume I take any old file and rename it LadyGaga:BornThisWay.mp3 and add it to my library.  Obviously, Apple is not going to send me the music just because of the file name.  I also doubt that there is going to be any process that is going to ‘listen to’ the music to see if it sounds like a recognized song.  Instead, chances are the Music Match feature will, at a minimum, examine the header information on the MP3 file and run a hash calculation on the entire contents of the file.

Although the ‘DRM free’ MP3s now being provided by many of the major music download companies can be played anywhere, each download is watermarked with header information specific to the exact purchase and purchaser.  This article from Techcrunch gives more details on ‘dirty’ MP3s.  Consequently, if you purchase a ‘DRM free’ MP3 file from iTunes and then share it, and the person(s) who received it saves it to their iCloud, then Apple will know both (i) who shared their copy and (ii) whose copy is illegal.  For files from other watermarked retailers, the same information would only require coordination with the other site.

Next consider music purchased from sites that sell legal but ‘clean’ MP3s without watermarks.  These files will have unique MD5 or SHA-2 signatures that can tie them to a particular company.  They will certainly have different signatures than the watermarked versions (because of the addition of the watermark) and they will be distinct from versions of the same song encoded by others.  When Apple’s servers detect a number of copies far in excess of the ‘clean’ MP3 company’s reported sales, they will know where to suspect illegal copying.

Then there will be MP3s that individuals created themselves from, for example, ‘ripping’ their CD collections.  While these are not watermarked to the individual, they appear to be unique for each ‘rip’.  To confirm this, I ran a test with fresh installations of the exact same CD ripping software on two different computers.  I then had them rip the same track from the exact same CD using the unchanged system default settings on both computers.  The MD5 hashes did not match. Small differences between the two reads, the internal timestamps, the system metadata, etc. likely resulted in the mismatch.  It will almost certainly also be different from the file hashes from legal download sites, both those that watermark and those that do not.  In short, if you and thousands of other people have MP3s of the same song with the same file hash value, you will not be able to credibly claim it occurred because all of you ripped it from your CD collections.

MD5 hash values are a cornerstone of computer forensics and fully accepted as evidence that two files are identical copies of each other.  You could claim that you didn’t download the song from the file sharing network because you were the one who uploaded it, but I doubt that will help your legal predicament.
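The header-plus-hash comparison described above, as an added Python example (not code from this post or from Apple). It goes one step beyond the text by also hashing only the audio payload, which separates a byte-identical copy from the same encode with different tags and from a separate rip. The sample bytes, the use of the ID3v2.3 `TOWN` (file owner) frame as a stand-in for a purchaser watermark, and all function names are assumptions constructed for illustration.

```python
import hashlib
import struct

def syncsafe_decode(b: bytes) -> int:
    # ID3v2 tag sizes are 4 bytes carrying 7 significant bits each.
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def syncsafe_encode(n: int) -> bytes:
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])

def split_mp3(data: bytes):
    """Split a file into (ID3v2 tag body, audio payload, ID3v1 trailer)."""
    v2_body, start, end = b"", 0, len(data)
    if len(data) >= 10 and data[:3] == b"ID3":
        size = syncsafe_decode(data[6:10])
        footer = 10 if data[5] & 0x10 else 0    # optional ID3v2.4 footer
        v2_body = data[10:10 + size]
        start = min(10 + size + footer, end)     # tolerate a truncated file
    v1 = b""
    if end - start >= 128 and data[end - 128:end - 125] == b"TAG":
        v1, end = data[end - 128:end], end - 128
    return v2_body, data[start:end], v1

def text_frames(v2_body: bytes) -> dict:
    """Decode ID3v2.3 text frames stored as ISO-8859-1 (encoding byte 0)."""
    frames, pos = {}, 0
    while pos + 10 <= len(v2_body):
        frame_id = v2_body[pos:pos + 4]
        (size,) = struct.unpack(">I", v2_body[pos + 4:pos + 8])
        if frame_id == b"\x00" * 4 or size == 0:
            break                                # reached padding
        payload = v2_body[pos + 10:pos + 10 + size]
        if payload[:1] == b"\x00":
            frames[frame_id.decode("latin-1")] = payload[1:].decode("latin-1")
        pos += 10 + size
    return frames

def file_hash(data: bytes) -> str:
    # Whole-file digest: changes if a single tag byte changes.
    return hashlib.sha256(data).hexdigest()

def audio_hash(data: bytes) -> str:
    # Digest of the audio payload only: unaffected by tag edits.
    return hashlib.sha256(split_mp3(data)[1]).hexdigest()

def compare(a: bytes, b: bytes) -> str:
    if file_hash(a) == file_hash(b):
        return "identical file"
    if audio_hash(a) == audio_hash(b):
        return "same encode, different tags"
    return "different encode"

# ---- constructed sample data (not real MP3 audio) ----
def make_frame(frame_id: str, text: str) -> bytes:
    payload = b"\x00" + text.encode("latin-1")
    return (frame_id.encode("ascii") + struct.pack(">I", len(payload))
            + b"\x00\x00" + payload)

def make_mp3(audio: bytes, tags: dict) -> bytes:
    body = b"".join(make_frame(k, v) for k, v in tags.items())
    return b"ID3" + bytes([3, 0, 0]) + syncsafe_encode(len(body)) + body + audio

AUDIO = b"\xff\xfb\x90\x00" + bytes(range(256)) * 8    # stand-in for MPEG frames
OTHER_RIP = AUDIO[:100] + b"\x01" + AUDIO[101:]        # one byte differs, as in a second rip

store_copy_1 = make_mp3(AUDIO, {"TIT2": "Born This Way", "TOWN": "buyer-0001 (constructed)"})
store_copy_2 = make_mp3(AUDIO, {"TIT2": "Born This Way", "TOWN": "buyer-0002 (constructed)"})
shared_copy = bytes(store_copy_1)                      # unmodified copy of purchase 1
own_rip = make_mp3(OTHER_RIP, {"TIT2": "Born This Way"})

if __name__ == "__main__":
    print(compare(store_copy_1, shared_copy))    # identical file
    print(compare(store_copy_1, store_copy_2))   # same encode, different tags
    print(compare(store_copy_1, own_rip))        # different encode
    print(text_frames(split_mp3(shared_copy)[0]))
```

A whole-file digest answers only whether two files are byte-for-byte the same; the payload digest and the decoded tag fields are what distinguish the other two cases.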

Some people I have mentioned this concern to have essentially accused me of heresy and paranoia because “there is no way Apple would do that to their users”.  Apple would not have to.  They would simply have to comply with an information demand from the RIAA, who has had no problem with being seen as the bad guy in hardball enforcement against file sharing.  Moreover consider this:

  1. Apple is the largest music retailer on the planet.
  2. Apple believes, possibly justifiably, that it loses billions of dollars annually to illegal music file sharing.
  3. The easiest way out of the legal jam over challenged content in your iCloud storage would be to convert the suspected iCloud music by buying it from Apple.  Apple becomes almost like a white knight in the process.

Several notable commentators, such as Berklee Music chief David Kusek and publisher rights lawyer Micheal Speck, have, whether in favor or against, called the iTunes Music Match service ‘amnesty for pirates’.  I think they may be surprised at how this really plays out.


    • Matty H. on June 21, 2011 at 11:58 AM

    I suspect you don’t know a lot about compression… how in the heck would Apple know I didn’t rip it myself from a CD? Assuming I downloaded from bit torrent, how would they know what tools I used to rip and encode to MP3? Or what settings I used? Given it is LOSSY compression, there is no hash that will be able to determine if the song is valid. I would suspect they won’t do any checking other than a cursory glance at the MP3 tags – anything other than analysis of the actual audio output from the file (which seems extremely CPU prohibitive to run on most users’ systems) would give unpredictable results.
    I’ll give you that “dirty” MP3’s might have some information, but how do they know I didn’t give the song away or use a different account that I own to download.

    1. Well, if after you downloaded the song you performed some editing or re-sampling of the file then indeed you would have a unique signature. But how often does that occur? Most users will download and save and never give it another thought, in which case the signatures will indeed be identical to everybody else who made the same download.

    • Ian Calvert on June 21, 2011 at 12:03 PM

    “I also doubt that there is going to be any process that is going to ‘listen to’ the music to see if it sounds like a recognized song”

    Why? Music scanners have been doing this successfully for some time now, just look at MusicBrainz (especially Picard). It’s done using perceptual hashing of the songs.

    1. I didn’t mean to say that it was impossible, only that it was likely to not be the route that Apple wants to take because they are looking for something that will scan through a lot of songs very quickly without having to upload them first to the servers.

        • James Andrews on June 21, 2011 at 9:14 PM

        Well surely the fuzzy hash can be done on the client side (which is how I believe tools like Shazam work – a music matcher on the iPhone – it doesn’t take that much processing power), then the fuzzy hash along with file name and meta tags can be uploaded.
        It will still be up to the server to decide if the fuzzy hash is close enough to the server side version that it isn’t just some renamed unrelated mp3.

        Between the hashes and meta data Apple might be able to work out which files originated from the same rip. Do aac’s and mp3’s have rip date in meta? If not I guess every file that was ripped with a standard encoder and music meta data repository will look the same.

        If potential copied rips could be identified, Apple might just say “This file looks like it wasn’t originally obtained, please insert the CD or tick here to purchase track” rather than leaving their customers open to RIAA attacks.

        Still we can speculate forever, will be interesting to see how it all plays out.

        1. I believe that Shazam works server-side, which is why it can use a phone-size client. I agree that only time will tell how things will turn out. My gut tells me that the RIAA will not sit still knowing that there is this huge database potentially describing billions of songs that people have not purchased.

          The test I ran in the article was done with identical versions of CDEX, which I believe uses the Lame encoder by default. You really don’t get more ‘standard’ than that yet the hashes were different.

        • antipax on June 21, 2011 at 10:31 PM

        You can hash clientside and send that to the server.

    • JustAGuy on June 21, 2011 at 12:12 PM

    I, for one, will never use iCloud, iTunes, or anything Apple says iCan’t control. I am a big fan of Amazon’s MP3 sales, and have bought many albums there. I just despise all the iCrap. Apple’s Bonjour service scans networks, trying to find other iCrap applications with which to exchange data. It’s a network resource hog. iPods may be great MP3 players, but I don’t want one. I have a Sansa that works wonderfully well, and the rest of my music I play on my PC.

      • netdev on June 21, 2011 at 11:56 PM

      Bonjour is just as much of a resource hog as its competitor, JXTA (originally a Sun product, but now owned by Oracle)…

      Whether you like it or not, zero-conf networking infrastructure is the future of Service Oriented Architecture. Rendezvous networks are one of the best forms of this type of systems networking. BTW Bonjour is Rendezvous since that was an Apple creation, but they had to change the name for legal reasons… JXTA is another implementation of the same protocol/standard.

      You want to blame Apple for all that’s wrong with the world.. Great, you do that…. The rest of us will at least acknowledge that Apple made MP3 players popular (they existed before the iPod, but weren’t widely popular with consumers until after the iPod), made zero-conf networking a reality (Rendezvous\Bonjour), made every Linux distro jealous by making one of the easiest to use Unix distros while still maintaining all the raw power and security of Unix, and making Smart Phones cool and popular (no consumers outside of enterprise customers cared about having a smart-phone until the first iPhone came out).

      Yeah.. Apple is evil, but Microsoft, Google, and Amazon are different and good… Yeah right… You think Amazon and/or Google don’t have the right to scan your files built into their TOU/TOS? Google is already scanning your e-mail, why not scan the files you give them to store as well? Amazon is already tracking your purchases, so why wouldn’t they have a vested interest in whether or not you “pirated” music? After all they stand to lose just as much, if not more, than Apple if you do upload pirated music to their service. But obviously Amazon, Google, and Microsoft are all good-guys in this whole “debacle” and are only looking out for the consumer and not their own corporate interests >.>

      1. I’m not trying to describe Apple as some sort of villain, or even presuming that the situation that I am describing is in any way a done deal. Unlike Google’s or Amazon’s service Music Match does actively scan your system (as opposed to sending up the files you tell it) and it does keep a centralized database. Those features alone will make it a more inviting source of data if the RIAA wants to go hunting.

          • netdev on June 22, 2011 at 10:14 AM

          Agreed, it *may* be more inviting for that reason and Apple has already demonstrated it’s willing to play ball (by getting a deal to be able to do iTunes Match), but AFAIK there’s nothing stopping either Google or Amazon from scanning your files once it’s in their system. Google has invested large amounts of money into technology to scan raw data for patterns, and Amazon has an enormous server farm. Both also have the resources, know-how, and almost certainly the will should it come to a legal battle.

          My reply was to the commenter (JustAGuy), not you. He *was* vilifying Apple while praising its competitors. My view is that they are all equally evil and equally good. Not one of those companies is more “evil” than any of the others. I own Macs, I own Windows PCs, I shop Amazon, and I have been a regular GMail user since it was invite only (and you only got 5 invites). I recognize that Apple wants to tell me how to use my computer and phone. I recognize that Windows 7 is still an insecure and unstable OS (compared to Linux or Unix based systems). I recognize that Google regularly scans my e-mail so they can deliver targeted ads. I recognize that Amazon tracks everything I have ever bought from them. Honestly? I couldn’t care less that any of that is happening. People say I should, but this *is* the Information Age. The old concepts of pure privacy are breaking down whether people like it or not. The upshot is that in the flood of Information, it will make it easier for the “little guy” to slip under the radar.

          I’ll get off my soap-box now 😛

          1. Oh I have no doubt that Google and Amazon will do some looking at your data for the purpose of delivering targeted ads or ‘recommending music you might like’. Because they don’t do matching (specifically because they don’t have the streaming license) it won’t represent quite as tempting a data mine for copyright enforcement.

    • Bruce McIntosh on June 21, 2011 at 12:14 PM

    Apple can probably emulate the procedures YouTube uses to find content matches. This doesn’t use embedded information or exact digital matches as they detect audio in video recordings taken at performances that use the copyrighted music. The person who uploaded the file gets a message telling them which entity owns the music they uploaded.

    1. The process uses a kind of ‘fuzzy hash’ in the same manner as is used to match pictures even if they have been slightly altered. But YouTube uploads the entire file and then looks for content matches. Apple wants to avoid uploading the file at all in order to meet their ‘minutes not weeks’ promise. So I am suspecting that it will be a simple process able to run mostly on the client.

    • Rob on June 21, 2011 at 12:38 PM

    MD5 hash values are a cornerstone of computer forensics and fully accepted as evidence

    They shouldn’t be, it’s been demolished enough.

    1. You are talking about MD5 as a cryptographic hash. In computer forensics it is used for file comparison and the chances of two files in the wild accidentally having the same MD5 is still impossibly large.

        • Rob on June 21, 2011 at 2:48 PM

        I would put it enough to place it under reasonable doubt in a court case.

        Random files? Not a chance in hell, I agree. Intentional matches though are what need to be considered.

        1. To reverse engineer an MD5 hash on a file as large as a digital music file would require an essentially impossible effort and to do it in a manner that would still sound like the original song when played even more so. And then to do all that effort to make your downloaded music file look illegal?

    • Klaus on June 21, 2011 at 12:52 PM

    If the watermarks were, as you write, in the headers only, they would be very easy to remove. In fact, they are called watermarks because they are hidden among the data.
    You write a lot about hashes, but it does not show that you are acquainted with the way track identification works in practice. Have you ever used CDDB or its equivalents? It uses song lengths (in milliseconds) to recognize tracks, and it works quite well. There are also many other ways to reliably identify music tracks that do not use hashes, like exact measurements of beat intervals or slightly out-of-tune instruments. The important question is: How intrusive will Apple be?

    1. We don’t know exactly, but we do know that in order to work as Apple describes it has to not involve loading the whole file up to the server before realizing it is a match and it has to be pretty efficient.

        • Klaus on June 21, 2011 at 3:38 PM

        No tracks have to be uploaded. All checks can be done on the user’s device within a few seconds per track. Apple will probably update the client software’s check routines every other week or so, like Microsoft does to detect modded/hacked Xboxes.
        Think of virus signatures. It is important to know where the most significant bits information are to be found. Fourier transforms, statistical analysis.
        In matters of music content recognition, hashing is not the appropriate concept.

        1. That would be a feasible technique, although it would require downloading a fairly hefty signature file before starting (as you say, like a virus signature file). They also no doubt would examine the MP3 header information for no other reason than to help reduce false positives. A full file hash (since they are locally scanning the whole file as part of the ‘virus check’) would be minuscule extra effort and worthwhile in case there are complaints of mismatches.

    • Darren on June 21, 2011 at 1:04 PM

    Yet another product from Apple that I wouldn’t touch without a big bottle of hand sanitizer. Why do people buy into all the hype?

    • Randall on June 21, 2011 at 1:04 PM

    I doubt Apple will md5 sum/hash the files, they will likely look to see if the file was ripped using iTunes and if so, was it ripped by you.

    In the case that they do check checksums, this mechanism would be somewhat easy to defeat, simply present unique checksums; for large collections this might present an issue but for ‘normal’ collections set your custom ripping bit rate to something very small (say 64 or 32kbps) transcode the whole lot, sums won’t match, metadata is another issue altogether, if you have access to file cleaner/mp3 tuneup app that might help but the real concern here would likely be in the info area where bulk rippers usually put their logo/credits.

    1. The hash value analysis would apply for music brought in through other sources such as downloaded MP3s (legal or not).

      I am not suggesting that the technique can’t be fooled, but few will know or bother.

      1. Here’s a paper/demo on how it’s done, a la Shazam, etc:

        Robust Landmark-Based Audio Fingerprinting

        Cached (in case):

    • Kevin J. on June 21, 2011 at 1:12 PM

    Typo in 5th paragraph: “pruchased” should be “purchased”.

    1. thanks.

    • david on June 21, 2011 at 1:23 PM

    I think,

    “I also doubt that there is going to be any process that is going to ‘listen to’ the music to see if it sounds like a recognized song”

    …is a big assumption.

    I think this is the most likely way that they will match your song to one in their library. Otherwise, as you stated, 1 song can map to lots and lots of hashes.

    FWIW YouTube seems to do that – I guess using the same techniques as Shazam.

    1. Maybe they will, but the whole idea is to make a match before uploading the file so that it can happen in ‘minutes not weeks’. Something that actually ‘listened to’ the song would not be able to work that fast on your local system.

        • TrailerTrash on June 21, 2011 at 5:25 PM

        Why couldn’t Apple sample the first 10-15 seconds like Shazam does and match that way? If Shazam can listen over a mobile phone’s tiny microphone to music played in a noisy bar and still get excellent recognition, why couldn’t Apple do the same thing? It wouldn’t matter if it was a crappy low-bit MP3Pro (who remembers this) encode or a lossless great copy, if it was “close enough” to match, it would be a match.

        1. It could but Apple needs a near-zero incidence of false matches and it needs to work very fast on large libraries of music files. I’m not saying that they can’t incorporate that technique, only that they are most likely going to be relying on header information and fast hash calculation.

    • Nick on June 21, 2011 at 2:47 PM

    I also doubt that there is going to be any process that is going to ‘listen to’ the music to see if it sounds like a recognized song

    Well….yes, actually they will. This has been done for many years and is called music fingerprinting and has many implementations. See here for more information.

    1. I didn’t mean to imply that such an ability wasn’t technically feasible, only that with Apple’s goal of being able to scan and set up large music libraries quickly. Besides there is nothing about using a sonic fingerprint that means that they might not also be examining the MP3 header and some form of hash analysis. Particularly since Apple would be looking for a technique with virtually no false matches.

    • Matt on June 21, 2011 at 2:54 PM

    So, there is one simple way around what you have mentioned, change the Meta data. If you take a file and copy it, it will have the same MD5 hash, if you change one thing in the Meta data, then the hashes will be different. Most of the people I know like to organize and clean up the Meta data in the files the way they like it, instantly you would have different hashes.

    Lastly, one of the things to consider about how to match the songs, they might go the route of something like Shazam, or one of those other apps that listens to music and can identify it. They take a 30 second clip to identify it. So the apple program could take the clip, do some local analysis of a random 30 seconds of it, and then upload the result string to see if it matches. Similar technologies are used in CD manufacturing plants to make sure that the song you are trying to put on your CD is one that you have the rights to.

    So, your concerns might be justified, but the MD5 hash issue can be circumvented in a very easy method.

    1. I didn’t say that the technique couldn’t be fooled. But most users don’t go through the effort of editing the metadata.

    • Will S. on June 21, 2011 at 4:19 PM

    You make a distinction between the way that iCloud operates and the way in which services such as Google Music operate, for good reason of course. It seems to me that in the case of Google Music, at least, Google would have just as much ability to analyze the music files of any user of the service, given that copies of the actual files are uploaded to their cloud-based storage. (I don’t have any personal familiarity with Amazon’s offering, so I can’t speak to that.)

    What do you feel is the risk of Google Music or similar services becoming honeypots as well? I’ve looked through the privacy terms and terms of service for Google Music and didn’t see anything that suggests they reserve the right to do any sort of analysis on files uploaded by users, but still the idea that copies of the actual files are stored on hardware under third-party control seems like it might be enough to give users with pirated MP3s pause. Your thoughts?

    1. Google’s service does not apparently do de-duplication. If ever you see certain songs ‘uploading’ impossibly fast then they are doing de-duplication. You could do a hash comparison analysis of the many terabytes of information stored in the Google cloud, but it would not be sitting already in a database. Amazon does free instant availability of content purchased from them, but that is clearly legal content. But the core of Music Match is a centralized database of who uploaded what music files that makes it an easier source to data mine.

  1. First off, Apple purchased LaLa on December 4th, 2009. LaLa had already built a key piece of technology: music matching. Surprise, surprise. If you want to figure out how Apple is going to match the music, it’s a pretty safe bet to look at LaLa’s technology. LaLa used sophisticated “listening” technologies to identify songs, a similar technology to how mobile apps (SoundHound, etc.) recognize songs. It’s worth noting that LaLa’s matching feature was far from perfect, sometimes getting confused between live and studio versions of a song, etc. This is because the technology uses the melodies and musical aspects of the song to identify it, and if recordings are extremely similar, there can be problems. It is likely that Apple has worked hard to improve the system, however.

    From the honeypot perspective, though, I’m pleased to see that you’re blogging about the potential privacy issues when it comes to pirated music. It’s been absolutely baffling to me to watch so many blind bloggers claim “amnesty.” I refuse to believe that the RIAA would allow such a system as iTunes Match without some serious measures to combat piracy, and I don’t think they would refuse the opportunity to collect so much useful data about pirated music. The most troubling part is how it’s likely to play out. Apple will most likely refuse to take a stance on the matter, and those who dangerously choose to upload pirated content will most likely not be stopped from doing so. Many will have no idea of the risk (especially due to the ignorant statements of so many bloggers). Then, months or years later, the RIAA will attack, based on evidence it collected long ago that you may not even remember…

    That may not be the case, but I’ll be very surprised if prosecution never occurs that uses “evidence” from iTunes Match…

    • Ivica on June 21, 2011 at 4:32 PM

    Apple believes, possibly justifiably, that it loses billions of dollars annually to illegal music file sharing.

    Apple’s Q1 2011 revenue related to
    “Other Music Related Products and Services”
    (which appears to include iOS apps and video) totalled 1.4B USD, and accounted for 15% of its revenue. Assuming a consistent number of sales throughout the year, you’re looking at 5.6B. It might be nit-picking, but using the loaded term “billions” implies that Apple is losing out on much more revenue than they likely are.

    Not that Apple wouldn’t like more profits from iTunes, but there’s little benefit in tricking pirates. Matching hashes would be far more trouble than it’s worth; iCloud is going to be swamped on day one, and now you think that they ought to do thorough analysis on every single track? If Apple was tracking pirated tracks, with the intent (or potential) of handing the info over to the RIAA, people would be more hesitant to use iCloud, which means they’d be less likely to lock themselves (further) into Apple’s ecosystem.

    1. Well, if there are two songs being illegally downloaded somewhere for every one that Apple sells that would be almost 3 billion dollars. That’s not that far fetched.

      They collect the data as part of the matching process, which is necessary for the service to work. The analysis can occur later.

    • Patrick M on June 21, 2011 at 4:38 PM

    Even assuming this did unfold the way you believe it would: so what? There is no money in going after downloaders. Every case so far has hinged on the re-sharing of content. That’s where the ridiculous punitive damage dollar amounts come in. Sure, they may send me a nastygram about my nefarious music collection, but unless they can prove (legally) I shared it with other people they are not going to waste their time trying to sue me over it.

    1. With millions of users each scanning thousands of songs there is the possibility of isolating billions of likely illegal downloads. If the RIAA can then pressure the users to convert them at 99 cents each everybody: Apple, the labels, etc. is richer.

    • Matt on June 21, 2011 at 8:32 PM

    Remember They were THE site for independent musicians back in the day. They started this cloud service before the word cloud was even used that way. You would put your CDs in your drive, it would read the header info off of the CD and then authorize you to play it in the cloud. The record companies sued them to death.

    1. That was why it was considered so noteworthy that Apple was able to get the streaming license that Google and Amazon were not.

    • Mark on June 22, 2011 at 1:44 AM

    So here’s the thing: Apple is pretty image conscious. If anything about Music Match is used in any way to prosecute you, Apple is never ever ever going to hear the end of it or be trusted again. Occam’s Razor therefore can be used to conclude this scenario will never come to pass.

    Pirated music is earning the industry (and Apple) zero. With this method, it’s going to earn the industry something. Infinitesimal, but something.

    The long-term revenue/profits/piracy solution is subscriptions and ending the delusion people will pay to buy music. If people will pay $8/month for Netflix and $13/month for SiriusXM, there is room for a correctly marketed subscription service to get millions upon millions of paying customers. Maybe that’ll be Spotify, Mog or Rdio (it’s obviously never going to be Rhapsody for whatever reason). But let’s get real, if Apple launched one tomorrow, it’d clear 10 million subs in one year — maybe 20 million.

    Some things are not viable until someone who has the right ecosystem does them right (Kindles, Netflix streaming, iTunes, App Store, etc. etc.). Apple’s blind spot on subscription music is stunning.

    That said, Music Match is not some honeypot designed to benefit the RIAA. And they are not going to be using forensic hashing to find frequently pirated files. That’s a ludicrous way to match MP3s, which can be clipped at infinite arbitrary lengths, encoded with many different encoders and countless bitrates, etc. They are going to “Shazam” this without the middleman of speaker + microphone, which is going to take something like 2-3 seconds per track maximum, probably significantly less. For someone with 5000 songs, that 10,000 seconds might be 3 hours if it’s really 2 seconds… And while that’s not exactly “minutes”, it’s not exactly weeks either.

    By the way, Apple knows how many songs everyone has in iTunes. I have no clue what the average is, but if it’s 500 and it’s 3 seconds per track, you are looking at under 30 minutes.

    • Lakland on June 22, 2011 at 4:40 AM

    I think it’s funny how upset people get over an article. No one is making you use an iPhone or iTunes. If you don’t like it…use something else. I could care less if they know I have horrible tastes in music.

    • Robert on June 22, 2011 at 5:05 AM

    I have a few hundred albums in iTunes, and I have the physical CD to go along with everything in my iTunes library, with the exception of the three albums I have purchased from iTunes because I could not find a copy of the CD locally. For those, I have original vinyl from the 1970’s, anyway. More than two thirds of my collection isn’t even ripped yet — only the stuff I listen to often enough. I’ve made my daughter purchase the physical CD for each album she has ever borrowed from a friend and ripped. I don’t download anything illegally, and she is not allowed to either.
    I will almost certainly subscribe to the service, because it will be a convenience to me. If the RIAA or anyone else should subpoena the data, even a few people like me could legitimately make a lot of noise if we were falsely accused. I am fairly sure that Apple would have thought just this scenario through — even if the “bad guys” grabbing the data are external to Apple, that would be a very big black eye for them. For that reason alone, I suspect that Apple will be matching using Fourier analysis or something similar — so that such data is simply not available to be subpoenaed.

  2. Well, I hope it works better than the system iTunes uses now to match songs with album art.

    I have a ton of MP3s in iTunes, all ripped from my personal CD collection, and I am amazed at how many incorrect matches and weird album cover art assignments iTunes has made.

    That’s all we need – the RIAA proceeding en masse on incorrect assumptions, and millions of iTunes users getting those nasty infringement emails…

    1. I trust that Apple has field tested the system and has figured out how to keep the false match rate small. That is one reason why I am thinking that they may be going with something more rigorous than the audio fingerprinting like Shazam. If Shazam gives you a false match or iTunes gives you a weird cover art it is at worst cause for a chuckle. But Music Match will actually be replacing the music!

    • Daniel on June 22, 2011 at 4:57 PM
    • Reply

    iTunes currently keeps an index of all music stored, for fast search. According to Jobs’ keynote, they will try and match the CDs you have ripped – that will have their tag information from the CDDB (also the user has the ability to set all levels of encoding when ripping through iTunes). So – if you’re trying to identify the songs that user has ripped themselves, why bother using the MD5 or SHA-2 signatures? What benefit would there be for Apple to know this?

    IMHO – They will simply use the Tags and track lengths to identify music, and then provide alternative options for music they can’t identify. Apple’s whole mantra is to make the user experience as easy as possible, so they would try and make the process simple – for the average user (with ripped CDs).

    But I do agree that the safety of the users’ information will come down to the implementation of the “matching” service. Let’s hope they don’t leave themselves vulnerable to the will of the RIAA…

    1. Usually you resort to a SHA-2 or MD5 hash to be sure that you really have identical files. When it comes to the usual uses of music databases (finding album names and cover art) an occasional false match is a minor nuisance. Apple is going to replace the file, so being extra sure is not unreasonable.
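The contrast argued in the comments above, byte-exact hashing versus Fourier-style audio matching, as an added sketch that is not part of any comment and not Apple's method. The tone "tracks", the gain and offset change, and the toy fingerprint scheme are all constructed assumptions; production fingerprinting is far more elaborate.

```python
import hashlib
import math
import struct

RATE, FRAME = 8000, 400                      # 8 kHz PCM, 50 ms frames (20 Hz bins)
BINS = range(200, 1001, 20)                  # candidate frequencies in Hz
# Precomputed DFT basis (cos, sin) for each candidate bin.
BASIS = {f: [(math.cos(2 * math.pi * f * n / RATE),
              math.sin(2 * math.pi * f * n / RATE)) for n in range(FRAME)]
         for f in BINS}

def tone_sequence(freqs, gain=1.0, lead_silence=0):
    """Constructed stand-in for a track: 0.2 s of sine per frequency, 16-bit PCM."""
    samples = [0] * lead_silence
    for f in freqs:
        samples += [int(gain * 12000 * math.sin(2 * math.pi * f * n / RATE))
                    for n in range(RATE // 5)]
    return samples

def file_hash(samples):
    """Byte-exact identity, the SHA-2 style check discussed in the thread."""
    return hashlib.sha256(struct.pack(f"<{len(samples)}h", *samples)).hexdigest()

def bin_power(frame, freq):
    """Spectral power of one frame at one candidate frequency."""
    re = sum(s * c for s, (c, _) in zip(frame, BASIS[freq]))
    im = sum(s * q for s, (_, q) in zip(frame, BASIS[freq]))
    return re * re + im * im

def fingerprint(samples):
    """Toy acoustic fingerprint: the sequence of dominant frequencies per frame."""
    peaks = []
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[i:i + FRAME]
        if sum(s * s for s in frame) < FRAME * 100 ** 2:
            continue                          # skip near-silent frames
        peak = max(BINS, key=lambda f: bin_power(frame, f))
        if not peaks or peaks[-1] != peak:    # collapse repeats: timing-insensitive
            peaks.append(peak)
    return tuple(peaks)

if __name__ == "__main__":
    melody = [440, 660, 880, 520]
    original = tone_sequence(melody)
    # Same audio at lower volume with 100 samples of leading silence:
    # a crude stand-in for a different rip or encoder setting.
    variant = tone_sequence(melody, gain=0.8, lead_silence=100)
    print("hashes equal:      ", file_hash(original) == file_hash(variant))
    print("fingerprints equal:", fingerprint(original) == fingerprint(variant))
```

A matching hash proves two files are byte-identical, while a matching fingerprint only says the audio sounds alike, which is why the two approaches retain very different evidence about where a file came from.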

    • Apc on June 23, 2011 at 6:15 AM
    • Reply

    Have you even considered ripping the SAME CD/DVD on the SAME computer with the SAME software about 10-20 times in a row and comparing hashes? :))
    I agree with your reservations about Apple, but your proof base is just insane..

    1. I suspect that even if they were ripped on the same computer there might be differences. That was not the point of the test though. The point of the test was that if you had a file on your disk with the same hash value as the one that was available on, for example, bittorrent that you could claim that you had ripped it from a CD and that the fact that it was identical to the bittorrent was simply a coincidence of using the same encoder on the same settings.

  3. Just wanted to chime in and inform you that the search box doesn’t work as it used to… Maybe you should switch to another plugin

    1. I performed a quick test with a couple of common browsers and it seems to work normally. Can you provide more information regarding your setup?

  4. The Zune concentrates on being a Portable Media Player. Not a web browser. Not a game machine. Maybe in the future it’ll do even better in those areas, but for now it’s a fantastic way to organize and listen to your music and videos, and is without peer in that regard. The iPod’s strengths are its web browsing and apps. If those sound more compelling, perhaps it is your best choice.

  5. Very nice!

  6. Awesomeness ;]

    • 藍俊嵩 on July 3, 2011 at 9:37 PM
    • Reply

    Undoubtedly, one of the best articles I have come across on this precious topic. I quite agree with your conclusions and will eagerly look forward to your coming updates.

    • Tom Mack on July 4, 2011 at 5:03 AM
    • Reply

    We need an America with the wisdom of experience. But we must not let America grow old in spirit. ~Hubert H. Humphrey

  7. Your blog is very nice … keep up the great work!

  8. This post will actually serve me a lot, thanks

    • Florida Real Estate on July 14, 2011 at 6:06 PM
    • Reply

    Fantastic, Your post is an excellent example of why I keep coming back to read your excellent quality point of view….

    • full indir on July 26, 2011 at 2:28 AM
    • Reply

    This is getting a bit more subjective, but I much prefer the Zune Marketplace. The interface is colorful, has more flair, and some cool features like ‘Mixview’ that let you quickly see related albums, songs, or other users related to what you’re listening to. Clicking on one of those will center on that item, and another set of “neighbors” will come into view, allowing you to navigate around exploring by similar artists, songs, or users. Speaking of users, the Zune “Social” is also great fun, letting you find others with shared tastes and becoming friends with them. You then can listen to a playlist created based on an amalgamation of what all your friends are listening to, which is also enjoyable. Those concerned with privacy will be relieved to know you can prevent the public from seeing your personal listening habits if you so choose.

    • full yükle on July 26, 2011 at 9:12 AM
    • Reply

    but I’m really loving the new Zune, and hope this, as well as the excellent reviews some other people have written, will help you decide if it’s the right choice for you.

    • eye exams for free on August 1, 2011 at 5:34 AM
    • Reply

    Extremely useful and informative article! Thanks a lot for those tips!

    • Phone Network News on August 1, 2011 at 2:35 PM
    • Reply

    You have done a great job by exploring this subject with such an honesty and depth. Thanks for sharing it with us!

    • Johnathan Hohmeier on August 2, 2011 at 1:01 AM
    • Reply

    Excellent piece of writing and easy to fully understand story. How do I go about getting agreement to post component of the page in my upcoming newsletter? Offering proper credit to you the source and weblink to the site will not be a problem.

    • Tech News on August 2, 2011 at 2:00 PM
    • Reply

    Very informative information. You really have a lot of knowledge in this area.

    • Samsung Conquer Accessories on August 4, 2011 at 2:23 PM
    • Reply

    Your attention to detail on this subject is superb. It was very well written and informative. Thanks for the information

    • Orlando Travel News on August 5, 2011 at 2:45 PM
    • Reply

    One of the best blogs written on this topic. Very enjoyable to read and straight to the point. Two thumbs up 🙂

    • T-Mobile myTouch 4G Slide Accessories on August 5, 2011 at 8:59 PM
    • Reply

    Useful information shared. I am very happy to read this article. Thanks for giving us nice info. Fantastic walk-through. I appreciate this post.

    • Thomas Obanner on August 6, 2011 at 11:16 PM
    • Reply

    I’m not sure where you are getting your info, but great topic. I need to spend some time learning much more or understanding more. Thanks for excellent information I was looking for this information for my mission.

    • Free iPad on August 7, 2011 at 2:28 AM
    • Reply

    Hello I enjoyed this blog post. This post reminded me of another post that I’ve seen before. Well I figured to let you hear that I liked it!

    • Bethany Beach house rentals on August 8, 2011 at 7:15 PM
    • Reply

    […] part I, and part II. Now they go […]

    • invest liberty reserve on August 9, 2011 at 9:29 AM
    • Reply

    I agree with your Is Apple’s iCloud Music Match a Possible Honeypot? » Between the Numbers, fantastic post.

    • Buy Insanity Workout DVD on August 9, 2011 at 3:43 PM
    • Reply

    I not to mention my guys were actually reviewing the best points found on your web blog and at once I had a terrible feeling I never thanked the web blog owner for those techniques. My young boys appeared to be certainly stimulated to study all of them and now have certainly been using those things. Thank you for being considerably kind as well as for making a choice on some fabulous resources most people are really eager to be informed on. My personal sincere apologies for not expressing appreciation to earlier.

    • Fermin Mcmahan on August 9, 2011 at 6:10 PM
    • Reply

    Excellent write-up, I have bookmarked this web page so ideally I will discover much more on this subject in the foreseeable future!

    • Londa Capicotto on August 10, 2011 at 1:21 AM
    • Reply

    I appreciate you for posting such a wonderful website. Your weblog was not only informative but also very inventive too. We find very few bloggers who can create technical articles that creatively. I keep looking for information regarding something like this. We ourselves have gone through many websites to build up on information regarding this.I will keep coming back !!

    • Gayle Diffendal on August 11, 2011 at 8:08 AM
    • Reply

    Random Google results can occasionally lead to fantastic blogs such as this. You’re doing a good job, and we share plenty of opinions.

    • tv online on August 11, 2011 at 4:08 PM
    • Reply

    I don’t know what to say to be good. Everyone can have an opinion, I say just our opinion is not the same.

    • computer repair ft lauderdale on September 10, 2011 at 5:36 PM
    • Reply

    I don’t suppose I’ve never read anything like this before. So nice to see an individual with some original thoughts on this subject. I really thank you for beginning it. This web site is one thing that is needed on the internet, someone with just a little originality.

    • Percy Huttman on October 10, 2011 at 3:48 AM
    • Reply

    Your blog was tweeted by a friend the other day. Decided I’d take a look. Best decision ever.

    • Burt Breeland on October 17, 2011 at 6:06 AM
    • Reply

    Great written content and great layout. Your website deserves all of the positive feedback it’s been getting.

    • mr. monk on February 25, 2012 at 12:30 PM
    • Reply

    Couldn’t I just add a small gap at the end of each song, to change the MD5, would that make it unlikely to come up in any match that Apple could run?

    • Fumikazu on August 25, 2012 at 7:09 PM
    • Reply

    I’m pretty sure, the screen will end up to be 3.7 inch, from 3.5 inch and not 4 inches. It will properly have 8.1 megapixel camera with flash. Better resolution, faster, slightly different design for the antenna problems, and will be probs be called iphone 4g or 4gs. That’s my opinion.

    • superdrol cycle on September 20, 2012 at 12:14 PM
    • Reply

    Hi is cool I love to read your content

  9. When your job is security and computer forensics then a little paranoia is part of the territory

  1. […] Daniel Nolte says Apple’s Music Match service will turn into a veritable honeypot for catching music pirates. He goes into some depth about the nature and characteristics of music ripped from CDs versus copied after being ripped and so on. I think he is pretty accurate as far as that information goes. But to say that Match will be a honeypot is either trolling for readers or if sincere then paranoia. […]

  2. […] Apple recently at their WWDC11 keynote announced a new service called iCloud Music Match. […]

  3. […] Is Apple’s iCloud Music Match a Possible Honeypot? Some people I have mentioned this concern to have essentially accused me of heresy and paranoia because “there is no way Apple would do that to their users”. Apple would not have to. They would simply have to comply with an information demand from the RIAA, who has had no problem with being seen as the bad guy in hardball enforcement against file sharing. Moreover consider this: […]

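  4. […] At this year’s WWDC developer event, Apple announced a new service called iCloud Music Match. The original Slashdot carries a story asking whether this service, which stores music in the cloud, might be a grand apparatus for smoking out pirated copies. iCloud Music Match is a service that scans the user’s computer and uploads music files to Apple’s streaming data center. For $24.99 a year, users can stream the music files they own from anywhere, and music content not purchased through Apple is also recorded and delivered to the user as Apple’s 256kb AAC. The service presupposes scanning the user’s files. It is thought that it will probably read the header information of MP3 files and run a hash calculation over the entire content. Even DRM-free music files that have been downloaded are stamped with a header “watermark” containing purchase and purchaser information, and the original article puts forward the speculation that iCloud Music Match may be a grand honeypot that uses this to tell legitimate files from illegal ones and smoke out pirated copies. […]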

  5. […] suggesting that rather than “amnesty” for unauthorized file sharers, Music Match could be used to track down infringers. My initial response was that this was totally crazy, because it wouldn’t know if the […]

  6. […] is some speculation that Apple might use the information to attempt to convert users’ pirated tracks into […]

    • safest suv on July 11, 2011 at 5:42 PM

    tiguan vw…

    Thanks for the great post, I have linked back to your site here. Thanks for the great article….

  7. […] Another article, cited by both Slashdot and Techdirt, goes further and argues that iTunes’ music match service might be a ‘honey pot’ for identifying copyright violators. In this Between the Numbers article, Daniel Nolte lays out the argument that Apple will be able to identify individual files that have been ‘stolen’—or in legal terms, copied without permission (and therefore a copyright violation). […]

    • Gold in 2012 on August 8, 2011 at 6:26 AM

    I like this post….

    […] Although this entry is not the most recent, I enjoyed your writing and hyperlinked to it at my blog. My only suggestion is to update this story with a recent vid. People love to watch video. […]…

  8. […] ever uploaded before.  I had previously discussed the piracy enforcement implications of this in The iTunes Honeypot.  Given the example of Megaupload, one would presume that Apple would delete everybody’s […]
