Music subscription service Spotify found itself in one of those increasingly common privacy dust-ups last week over policy changes designed for future personalization features. Forbes staffer Thomas Fox-Brewster sparked a small user revolt by noting a new policy at the music service in a post he headlined “Real Creepy.” Of particular note are Spotify’s additions to the privacy policy about its accessing “contacts, photos or media files” on your device as well as GPS location data and other movement sensor data. It also notes that the service may access your voice commands. The full, labyrinthine policy is here.
“Why does Spotify need your photos? And your contacts?” Fox-Brewster asks. He goes on to ponder whether he should cancel his subscription. Part of his problem comes with the third-party sharing, which he claims is vague and poorly described.
A small user revolt ensued, most notably via a tweet from Minecraft creator Markus Persson claiming to have canceled the service because of the changes. A high-level tweet exchange occurred between Persson and Spotify CEO Daniel Ek.
Ek took the hint and wrote a blog post on Friday under the somewhat misleading header “Sorry.”
In fact, in classic digital startup fashion, Ek was not apologizing for the policy itself, but for the “confusion” it has caused. “We apologize for that. We should have done a better job in communicating what these policies mean and how any information you choose to share will – and will not – be used.” I always find these sorts of apologies for miscommunication a bit infuriating in their passive-aggressiveness. The subtext is always, “Sorry that you really don’t get us.”
Ek goes on to reiterate some aspects of the policy that are in fact outlined in the original text itself – that Spotify will only access individual features like contacts, photos and voice at the point of need, so there is an opt-out opportunity. In the case of accessing photos, for instance, the app is not plundering your entire camera roll, but using only images users choose to share. Voice, and the microphone, will require explicit permission, and the purpose here is to activate hands-free modes. Location and sensors will be used to customize the experience, push personalized and localized recommendations, etc. Contacts will be used mainly to share playlists or to find contacts on Spotify.
The third-party sharing clauses are still the least-well-explained part of the policy. Ek simply reiterates a point from the policy that claims all shared information is “de-identified” before sharing. Yeah, well, OK, but even anonymizing data that is potentially intimate strikes many users as creepy, and has always raised concerns about discerning identities from anonymized data, along with the ultimate fate and use of that data when companies fold and merge.
Persson was not mollified by the opt-out and other arguments. He objected to the overall “feature creep” and Spotify’s accessing of data for features he will never use.
This may be an unavoidable conundrum. On the one hand, Spotify’s policy was terribly explained and left holes a mile wide, especially on third-party sharing. And yet Ek is outlining how mobile devices will allow for much deeper personalization and localized experiences that require accessing increasingly intimate data.
I can’t say that previous online publishers ever cracked the code of talking to users about privacy. Mobile companies clearly need to have much more involved conversations with users about the exchange of value they are offering them. Porting cavalier approaches to data collection from the Web is not advisable when you are layering on data points like contact lists, personal media and location.