They know what we are listening to

If you are one of the 10 million people who have purchased an Apple iPod, you've almost certainly loaded it up with songs from your favorite CDs. And, rest assured, Gracenote Inc. knows about it.

Gracenote Inc. knows almost any time a CD is "ripped" for use in a portable music player. Apple, Creative and Rio use its service, as do hundreds of software products devoted to playing and recording music CDs. Yet, few consumers know much about Gracenote.

The company quietly provides an efficient and important service to digital music users.  There's a common misconception that text-based information like song title, length of play, artist name, and the like, is contained on music CDs.  That's rarely the case. Instead, when a CD is loaded into a computer CD tray, software such as Apple's iTunes automatically calls out across the Internet looking for help identifying the music. The questions are posed to Gracenote's CDDB, or CD database.  By recognizing patterns in the data that is included on the CD -- such as the length of each individual track -- Gracenote figures out what the album is. Then, it transmits data, including music genre, composer name, language, year released, and more, back to the user's computer.

Today Gracenote can recognize about 3.5 million CDs.  And it works so well, most music lovers don't even know it's there. 

'It is very anonymous'
That near-anonymity raises some concern among privacy advocates. With the booming popularity of Apple's iPod, and its imitators, Gracenote is accumulating massive amounts of data about consumer listening habits.  But some are wondering if the company, and the various music player manufacturers and software makers, have done enough to inform consumers that information on their musical tastes heads to the Emeryville, Calif. company so often.

"The user has immediate benefit, but the potential trade-offs are very unclear," said Alessandro Acquisti, an expert on the economics of privacy at Carnegie Mellon University. "This is a problem for us on the Internet. It is difficult to assign a value to our data... and there is a future cost which is uncertain. Under these conditions, we often opt for immediate gratification."

There really is no cost, said Gracenote spokeswoman Kathryn Shantz. Gracenote doesn't store any personally identifiable information, she said -- the data the firm receives and compiles, is never tied to individuals.

"It is a very anonymous," she said.  "We don't keep any IP addresses. ... We don't have a way of aggregating the information on an individual basis."

The company does collect enough data to produce its own "Digital top 10" list, published in Billboard magazine. And it can even produce similar lists based on geographic location, down to the level of a metropolitan area.  The firm reserves the right to sell such aggregate data to marketers, but currently doesn't, Shantz says. 

No attempt is made to record precisely who is ripping what CDs, she said. The firm's privacy policy also spells this out clearly.

"We do not use IP addresses for direct marketing purposes and we have neither the desire nor the technology to use IP addresses to identify an individual user by name, address or exact location," it says.  "Furthermore, we delete the IP address when it is no longer needed for security or approximate geolocation purposes."

She also said the firm has never been approached by the Recording Industry Association of America, which regularly sues individuals involved in alleged illegal music downloading.

"(We are) really not in a position to facilitate what they may be looking for because,  When a user puts in a CD, we have no way of knowing whether that CD is a legitimate legal version, whether or not they have the rights to that music," Shantz said.

The trade off
Without Gracenote, music fans everywhere would be spending endless hours typing in music cataloging entries themselves.  There's no evidence the firm isn't practicing what it preaches. Still, those with an ear towards privacy concerns -- while admitting Gracenote's utility -- wonder if the firm has done enough to make sure consumers know what's happening.

"I think people would feel kinda strange," to learn about Gracenote's data, said Richard Smith, of  "Certainly in the (data) collection process, things are not anonymous.  Being up front about all this stuff is always a good idea."

On the other hand, Smith said, consumers clearly like the features Gracenote provides. "There can be two different reactions: 'How dare they,' and 'Who cares?' "

A privacy diminishing potential
Consumers do care, said Larry Ponemon of the Ponemon Institute, which studies privacy sentiment among consumers.  In a study of 541 iPod owners conducted recently, 39 percent said they agreed with a statement indicating iPod and Apple were committed to protecting their privacy, but 22 percent said they disagreed, and 40 percent said they were unsure.  Fully one-third said they would stop using their iPod if there was just one security or privacy breach that resulted in the leakage of their personal information; and 80 percent said information about their music tastes was "sensitive information" that "very few people should know about."

Apple did not respond to requests for interview for this story.

"It is a technology that could be privacy diminishing," Ponemon said.  "People are starting to become more sensitive to things that relate to your hobbies, interests, your reading habits.  To some people, that's really sensitive. ... What music they listen to may be a surrogate for what political beliefs they have."

Or it could be used one day for price discrimination, said Acquisti. A company that knew your favorite artists would likely know you would be willing to pay a little more for their music, he said.

Feared chilling effect
Robert O'Harrow, a Washington Post reporter and author of No Place to Hide: Behind the Scenes of Our Emerging Surveillance Society, worries that while companies like Gracenote may be completely sincere in their current intentions to protect user privacy, the amazing data they gather could some day be turned on consumers.

"If the data is there, at some point, I'd bet somebody would find a way to make use of it in the particular, not just the general," he said.  While he hasn't studied Gracenote, O'Harrow is an expert in marketing practices, and fears the chilling effect that could be produced if people know someone else knows their musical tastes.

"Those joyful moments when you are listening to Jimmy Page, maybe they aren't as carefree anymore," he said.

The CDDB started its life as the ultimate Internet creation -- like the operating system Linux, it was the effort of the Internet volunteers, who merrily contributed lists of song titles and album information. Later, when the service was commercialized by Gracenote, there was controversy, as the firm engaged in legal battles with smaller, non-commercial competitors, like  In 2001, the firm was briefly in the headlines again, as it announced it would start selling its data to marketers. Aside from those brief moments of notoriety, Gracenote itself has remained largely anonymous.

Gracenote's Shantz says the firm doesn't make money from marketing musical tastes. Instead, the firm is devoting much of its energy to "automatic playlisting" technology, which will help music fans make sense of their massive music collections.  Playlists for the car, for romantic nights, for 80s parties, should be easy to use, she said -- but currently, they are a little too tricky for most consumers.  The firm is designing hard-disk drive car stereos that automatically have a "play the top 100 songs in this city" feature, for example, or simply "play more songs like this one."

But O'Harrow and other privacy experts think consumers need to remain vigilant in the face of companies like Gracenote and their ability to gather very personal data.

"Read their privacy policy closely and be properly skeptical if there are any loopholes for them. Be aware the rules could change next month," O'Harrow said.  "Part of the zeitgeist of our times, whether to trust or not to trust -- like Groucho Marx said, 'Trust everyone, but always examine the dice.' "

Bob Sullivan is author of  Your Evil Twin: Behind the Identity Theft Epidemic.