The iTunes Store allows people to gift content such as music to another user. A person can compile a list of up to 100 songs to gift to someone else, and the iTunes Store checks to see if the recipient already owns the content, Andrew McAfee, principal research scientist at the Center for Digital Business at MIT's Sloan School of Management, said in a blog
"This is done with good intentions - to keep users from gifting music that the recipient already has - but the implementation of this feature opens up privacy concerns: if the check reveals duplicates, iTunes tells the gifter about one of them," McAfee said.
The person who is gifting the content only needs to know the recipient's email address, which McAfee argues isn't usually difficult to guess, and have a copy of the iTunes application. Apple also doesn't require givers to sign into their account or present credit card information. The recipients have no idea that their purchases are being scanned by someone else.
"This strikes me as problematic," McAfee said. "Of course, this is nowhere near as big a deal as privacy holes in online health or financial information would be, so we should keep this issue in perspective. But it is an issue, I think."
For music playlists, users are allowed to send up to 100 tracks, so scanning a person's library would take a while, but McAfee writes that the process could likely be automated.
McAfee said that the way the iTunes Store gifting procedure works could be violation of the US Video Privacy and Protection Act, which bans disclosure of customer rental records without consent of the consumer.
The Video Privacy and Protection Act was the basis for a class-action lawsuit filed in April 2008 against the video store Blockbuster, which signed up for Facebook's doomed Beacon ad service. Facebook cancelled Beacon due to privacy concerns. The service would report back what a user did on participating websites back to Facebook.
The class-action suit was later dropped, according to records for the US District Court for the Northern District of Texas.
McAfee contrasted Apple's approach with that of Amazon's digital book marketplace for its Kindle e-book reader.
"As a comparison, I tried to send my Mum an Amazon Kindle book I knew she already had," he said. "Amazon let the purchase go through and told me nothing about her Kindle inventory. She received a message from the company that I'd sent her an e-book she already owned, and giving her a credit for its price. To put it mildly, this seems like a better approach to me."
Apple did not have an immediate comment on the issue.
See also: 5 downloads to fix iTunes' biggest flaws