We Should Applaud Spotify's New Privacy Policy (Op-Ed)

Streaming-music service Spotify has caused quite a tempest in a teapot as outrage over the company's updated privacy policy swells, thanks to a few sensationalistic articles posted online.

"Spotify Just Got Real Creepy With the Data It Collects on You," trumpeted Forbes. "You Can't Do Squat About Spotify's Eerie New Privacy Policy," echoed Wired. "Wow, Spotify's New Privacy Policy Is Atrocious," crowed Wired.

Even Minecraft creator Markus "Notch" Persson has gotten into the action, arguing on Twitter today with his fellow Swede, Spotify CEO Daniel Ek, and announcing that he'd canceled his Spotify account due to "feature creep for privacy invasion."

This is a huge overreaction to a privacy policy that tries to be more clear than most. Instead of castigating Spotify, we should applaud it for its candor and honesty about what it wants from its users, and why it wants it. Many companies gather more information about their users, yet are less upfront about doing so.

The British version of Spotify's privacy policy was updated two days ago, adding language about potentially collecting more information from smartphones, such as contact lists and location and sensor data.

"With your permission, we may collect information stored on your mobile device, such as contacts, photos or media files," reads section 3.3. "Local law may require that you seek the consent of your contacts to provide their personal information to Spotify, which may use that information for the purposes specified in this Privacy Policy."

Section 3.4 says: "Depending on the type of device that you use to interact with the Service and your settings, we may also collect information about your location based on, for example, your phone’s GPS location or other forms of locating mobile devices (e.g., Bluetooth). We may also collect sensor data (e.g., data about the speed of your movements, such as whether you are running, walking, or in transit)."

Is it so rude to ask?

I don't see why either of those additions is surprising. Many smartphone apps want to see your contacts, so that they can bug you to recommend the services to your friends, or want to know where you are, so that they can sell you localized ads. The bit about "local law" is protect-your-posterior legalese, because privacy laws vary by country and, in some cases, by state or province.

Moreover, these are pre-emptive privacy notifications. According to its permissions list, the Spotify Android app currently does neither of these things. Yet if you read the hysterical articles posted yesterday, this is all a huge violation of privacy. 

"Like a jealous ex, Spotify wants to see (and collect) your photos and see who you're talking to," said Wired.

Spotify "wants to be able to access the sensor information on your phone so it can determine whether you're walking, running or standing still," said Forbes. "It wants to know your GPS coordinates, grab photos from your phone and look through your contacts too."

(Forbes later updated its piece after Spotify informed it that the "walking, running or in transit" part had to do with an upcoming feature that matches musical tempo to bodily rhythm, such as while jogging.)

The Uber-collector

Let's get real here. Many mobile-phone apps already do what Spotify is asking to do. Have a look at the permissions demanded by the Android version of the Uber app:

  • Identity: Find accounts on the device; Add or remove accounts; Read your own contact card
  • Contacts: Read your contacts
  • Location: Approximate location (network-based); Precise location (GPS and network-based)
  • SMS: Receive text messages (SMS)
  • Phone: Directly call phone numbers
  • Photos/Media/Files: Modify or delete the contents of your USB storage; Read the contents of your USB storage
  • Camera: Take pictures and videos
  • Wi-Fi connection information: view Wi-Fi connections
  • Device ID & call information: Read phone status and identity
  • Other: Receive data from Internet; View network connections; Full network access; Use accounts on the device; Control vibration; Prevent device from sleeping; Modify system settings; Read Google service configuration

The Spotify app asks for fewer:

  • Identity: Find accounts on the device; Add or remove accounts
  • Photos/Media/Files: Modify or delete the contents of your USB storage; Read the contents of your USB storage
  • Wi-Fi connection information: view Wi-Fi connections
  • Device ID & call information: Read phone status and identity
  • Other: Receive data from Internet; Access Bluetooth settings; Use accounts on the device; Prevent device from sleeping; View network connections; Control Near Field Communication; Change your audio settings; Pair with Bluetooth devices; Send sticky broadcast; Full network access 

But, you may argue, Uber needs to see your location, just as Spotify needs to pair with Bluetooth devices (such as headphones). Yes, but does Uber really also need to read your contacts? Does it need to take pictures and videos?

I'm sure Uber has some justification for those permissions; my point is that all these permissions sound scary until you get into the details and find out what they're for.

Why the 'mea culpa'?

The nice thing about the Spotify privacy policy is that it's telling you what the company MAY want even before it's built the corresponding functions into its smartphone apps. And it's added a reminder that privacy on the Internet can be rather limited:

"Information that is publicly available, such as playlists, may be used, re-shared, or linked to by others on the Service or across the Web, so please use Spotify carefully and be mindful of your settings. Remember that even if you remove a playlist or make a playlist private, others who already subscribe to it or who otherwise have access to it (e.g., via a link) may still have access to it."

Nonetheless, Spotify has responded to the public-relations flak it's getting with a blog post purportedly penned by Ek himself and entitled simply, "SORRY."

"We should have done a better job in communicating what these policies mean and how any information you choose to share will — and will not — be used," it says. "We indicated that we may ask your permission to access new types of information, including photos, mobile device location, voice controls, and your contacts.

"Let me be crystal clear here: If you don’t want to share this kind of information, you don’t have to," it continues. "We will ask for your express permission before accessing any of this data — and we will only use it for specific purposes that will allow you to customize your Spotify experience."

The post then details what the photo, location, voice-command, contacts and sharing permissions may be used for in the future.

More user control coming

In any case, it won't matter for much longer. iPhone users and users of rooted Android phones can already control which permissions each individual app can have on their devices. Regular Android currently has an "all-or-nothing" app-permissions policy, but granular permissions are coming with Marshmallow, the next version of Android.

Pretty soon, everyone will be able to control exactly what each mobile app does, which may cause some apps to crash, but will remove many privacy concerns. Or, as the updated Spotify privacy policy puts it: "If you don't agree with the terms of this Privacy Policy, then please don't use the Service."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.