• by Steve Smith , Staff Writer @popeyesm, August 25, 2015

Music subscription service Spotify found itself in one of those increasingly common privacy dust-ups last week over policy changes designed for future personalization features. Forbes staffer Thomas Fox-Brewster sparked a small user revolt by noting a new policy at the music service he headlined “Real Creepy” in a post. Of particular note is Spotify’s additions to the privacy policy about its accessing “contacts, photos oe media files” on your device as well as GPS location data and other movement sensor data. It also notes that the service may access your voice commands. The full, labyrinthine policy is here.

“Why does Spotify need your photos? And your contacts?” Fox-Brewster asks. He goes on to ponder whether he should cancel his subscription. Part of his problem comes with the third-party sharing, which he claims is vague and poorly described.

A small user revolt ensued, most notable via a tweet from Minecraft creator Markus Persson claiming to have canceled the service because of the changes. A high-level tweet exchange occurred between Persson and Spotify CEO Daniel Ek.

Ek took the hint and wrote a blog post on Friday under the somewhat misleading header “Sorry.”

In fact, in classic digital startup fashion Ek was not apologizing for the policy itself ,but for the “confusion” it has caused. “We apologize for that. We should have done a better job in communicating what these policies mean and how any information you choose to share will – and will not – be used.” I always find these sorts of apologies for miscommunication a bit infuriating in their passive-aggressiveness. The subtext is always, "Sorry that you really don't get us." 

Ek goes on to reiterate some aspects of the policy that are in fact outlined in the original text itself – that Spotify will only access individual features like contacts, photos and voice at the point of need, so there is an opt-out opportunity. In the case of accessing photo, for instance, the app is not plundering your entire camera roll, but using only images users choose to share. Voice will require explicit permission, and the microphone, and the purpose here is to activate hands-free modes. Location and sensors will be used to customize the experience, push personalized and localized recommendations, etc. Contacts will be used mainly to share playlists or to find contacts on Spotify.

The third-party sharing clauses are still the least-well-explained part of the policy. Ek simply reiterates a point from the policy that claims all shared information is “de-identified” before sharing. Yeah, well, OK, but even anonymizing data that is potentially of an intimate level strikes many users as creepy, and has always raised concerns about discerning identities from anonymized data, along with the ultimate fate and use of that data when companies fold and merge.

Persson was not mollified by the opt-out and other arguments. He objected to the overall “feature creep” and Spotify's accessing of data for features he will never use.

This may be an unavoidable conundrum. On the one hand, Spotify’s policy was terribly explained and left holes a mile wide, especially on third-party sharing. And yet Ek is outlining how mobile devices will allow for much deeper personalization and localized experiences that require accessing increasingly intimate data.

 I can’t say that previous online publishers ever cracked the code of talking to users about privacy. Mobile companies clearly need to have much more involved conversations with users about the exchange of value they are offering users. Porting cavalier approaches to data collection from the Web is not advisable when you are layering on data points like contact lists, personal media and location.