Opening Pandora's Box
A good while back I wrote a short post about Pandora's Music Genome Project. At the time I was briefly enamored with the novelty of creating a personalized automated playlist – introducing me to songs I’d never heard. But it didn't take long for me to get bored with it. Regardless of the quality of songs I programmed into it – and how diligently I managed my preferences, it always devolved into a monotony of sub-mediocre songs – hardly ever playing anything worthwhile. But such is life on the web.One thing I did notice however, was that Pandora always recognized me – without ever logging in. Whenever I went to the website my 'stations' were called up instantly, even though my browser, Firefox, always wipes the cookie tray clean after cooking (whenever I close the browser.) I tried changing my IP address but it still knew who I was. I became annoyed that Pandora must be surreptitiously writing files to my hard-drive, and although I was never able to locate the dirty Pandora folder, I stopped using the site.
Today, a seemingly arbitrary series of clicks somehow managed to return me to Pandora’s main site. And lo-and-behold my crappy stations lay in waiting. I’ve since renewed my effort to locate and eradicate whatever mechanism Pandora uses to identify me, but to no avail. Now I’m hoping some of my heavy-hitting hacker friends can help me figure this one out.
In googling for help, I came across this foolishness which at least seems to confirm my suspicions that Pandora does in fact place hidden files on my computer. And apparently not just one or two small files either. Ironically it seems that in their efforts to uphold the DCMA Pandora sees fit to resort to some particularly outrageous techniques.
While I appreciate the existence of services like Pandora and respect their need to protect copyrighted information, I don’t feel that ever grants them the right to write files onto my computer without my consent. Especially when the files are hidden and I’m left without reasonable means to remove them. Most especially when the files may contain personally identifying information and may grow to consume significant portions of hard-drive real-estate.
When I created my Pandora account I never consciously downloaded any software. I’ve since re-read their Terms of Service and while it does make oblique references to software plugins, it doesn’t mention anything regarding its rights to write to my computer via any method other than cookies. It never required any special plug-in to work, and as far as can tell it only uses standard Flash plugins in order to display its pages.
In a final test I borrowed my wife’s virginal laptop and visited the Pandora page. Without creating an account, I followed the easy prompts to test-drive Pandora. I created a Hank Williams station, let a few songs play, then I left the page – deleted all cookies, browsing history, and cache – closed the browser and rebooted. When I visited the page again it opened playing another Hank Williams song. It even remembered how I’d rated the previous songs. Hank never sounded so eerie. Apparently you don’t even have to create an account or agree to any TOS in order for Pandora’s ominous identifier to work – you just have to visit their site one time.
Perhaps I’m just paranoid and there’s a simple method of identifying a specific computer. Maybe all the relevant information really is stored on their database only. I hope so. But I can’t help but wonder if my computer is slowly bloating over with invisible files I’m not allowed to touch. Like its mythical namesake – I’m regretting ever opening this one up.
posted by Dædalux at 4:07 PM
9 comments
