Why Everyone's Totally Overreacting To Spotify's Privacy Policy (Which Isn't As Bad As You Think)

Privacy

from the it's-not-what-you-think dept

As you may have heard, yesterday there was a bit of a kerfuffle over the fact that Spotify changed its privacy policy in a way that people are calling creepy and eerie. And there’s a ton of chatter on Twitter from people insisting that they’ll never use Spotify again because of this. The specific changes that have people up in arms sure do sound creepy at first glance. The key problems are that Spotify’s new privacy policy says that it “may collect information stored on your mobile device, such as contacts, photos, or media files” and that it “may also collect information about your location based on, for example, your phone?s GPS location or other forms of locating mobile devices (e.g., Bluetooth). We may also collect sensor data (e.g., data about the speed of your movements, such as whether you are running, walking, or in transit).” There’s some other stuff about how it may share information with third party services.

I understand, instinctively, why so many people freaked out about this — but it’s a pure overreaction for a variety of reasons, which we’ll dig into here. There are problems with this whole scenario, but it has a lot more to do with (1) the stupid reliance on “privacy policies” rather than “user controls” for privacy and (2) Spotify’s apparently asleep-at-the-wheel PR team.

Privacy is a Trade-off Not a Thing

As we’ve said before, if you ever want perfect privacy, you’d never leave your house. The second you leave your home, you’re giving up some level of privacy. But it’s a trade-off most people think is perfectly reasonable. Privacy is always like that. It’s a trade-off between the benefit you get from giving up a little privacy in order to get the thing that you want. The idea that privacy is some absolute “thing” is a weird way of looking at privacy and makes it difficult to do things in a reasonable manner. The real issue, then, is making sure that people understand the trade-offs involved (and we’ll get to that below).

Spotify’s Privacy Policy is Not that Crazy.

Much of the reaction is because people immediately assumed that there was some nefarious reason why Spotify was going to collect all this information on people. Yet, as a few people pointed out when everyone started freaking out — and which Spotify eventually clarified in a blog post “apologizing” for the poor roll out, there are legitimate service reasons for each of these requests. Also, the company made it clear that before it actually accesses any of this content, it would first ask your permission. In short, it’s like when various services ask if you’d like to “find friends” using a service, you have to first approve it. Same would be true here. And, note, that each of the uses would be for services that some people might actually like (personalizing cover art, voice control, etc.):

Photos: We will never access your photos without explicit permission and we will never scan or import your photo library or camera roll. If you give us permission to access photos, we will only use or access images that you specifically choose to share. Those photos would only be used in ways you choose and control ? to create personalized cover art for a playlist or to change your profile image, for example.

Location: We will never gather or use the location of your mobile device without your explicit permission. We would use it to help personalize recommendations or to keep you up to date about music trending in your area. And if you choose to share location information but later change your mind, you will always have the ability to stop sharing.

Voice: We will never access your microphone without your permission. Many people like to use Spotify in a hands-free way, and we may build voice controls into future versions of the product that will allow you to skip tracks, or pause, or otherwise navigate the app. You will always have the ability to disable voice controls.

Contacts: We will never scan or import your contacts without your permission. Spotify is a social platform and many people like to share playlists and music they discover with their friends. In the future, we may want to give you the ability to find your friends on Spotify by searching for Spotify users in your contacts if you choose to do that.

The Real Problem is that We Use Privacy Policies at All

For many years, we’ve been pointing out that this whole system of privacy policies is broken. It’s one of those ideas that people came up with years ago that sounds good, but isn’t. And yet, we’re not only stuck with it, we have politicians who keep pushing more requirements for more privacy policies. But that’s stupid.

First: the only way you can legally get in trouble over privacy issues is by violating your privacy policy. So every company is incentivized by law to create privacy policies that are very broad and expansive, making it less likely they’ll violate them in the first place. The only time such a broad privacy policy backfires is if the public suddenly has a viral panic about it, like this time, but that rarely happens because no one reads privacy policies.

In fact, one of the worst things about privacy policies is that people simply believe if you have a privacy policy it means “oh they’ll keep my info private” even if the privacy policy says “we’re going to share your information with everyone.”

Let’s face it: privacy policies are a stupid way to deal with privacy. They don’t work. They fuck up incentives. No one reads them. And yet, because politicians are clueless, they’re often “required.” You end up with grandstanding politicians who play gotcha games on privacy policies, without caring about actual privacy practices.

The Way to Deal With Privacy is MORE TRANSPARENCY and MORE USER CONTROL

Rather than using privacy policies, the real way to deal with privacy is to give the end user more transparency into what’s happening and more control. I don’t have an iPhone, but I believe it already offers the ability at an individualized level to allow users to block apps from accessing certain features/data on a phone. And I know that the next version of Android is moving to a similar model, including only asking you to approve privacy permissions at the moment the app is requesting it. In other words, when Spotify wants to access your photos, the app will directly ask you for permission at that moment — and, assuming it’s for something you want to do (like customizing your cover art), you’re more likely to grant permission without thinking it’s creepy at all.

The Real Problem Here Was The Perception Problem

And this is something Spotify should have prepared for much better. The company probably assumed, incorrectly, that no one would really read the new privacy policy, because no one reads privacy policies. But that didn’t happen. What Spotify should have done is from the beginning describe the new features it was offering — with a direct explanation of why that feature might then require a change in the privacy policy, along with the promise that the app will ask permission directly at the time of use. Spotify eventually kind of got there, but they did it after, not before. This goes back to the “more transparency” aspect above. Do it that way, and you have less of a freakout.

So, really, to everyone freaking out over Spotify’s privacy policy, I understand the gut reaction reasons for doing so. Of course, at first, it seems fucked up that a music player wants to access your contacts or your location. But there are perfectly legitimate, non-nefarious reasons for doing so. And Spotify could have cut off the freakout by being more transparent and upfront about things at the beginning. But, really, the problem here is our stupid reliance on privacy policies, rather than user controls.

Filed Under: apps, control, music, privacy, privacy policy, tradeoffs, users
Companies: spotify