Two weeks ago a debate popped up around Spotify’s new EULA, foisted upon its users in the sadly common “either say yes or stop using the service” option. Most of the discussion was around new data that Spotify was asking to access and share with third-parties. Aside from musical taste, it “wants to be able to access the sensor information on your phone so it can determine whether you’re walking, running or standing still. It wants to know your GPS coordinates, grab photos from your phone and look through your contacts too. And it may share that information with its partners, so a whole load of companies could know exactly where you are and what you’re up to.” In a follow up blog post, Spotify’s CEO, Daniel Ek, confirmed that the app wants access location, identity, contacts, and photos, and tried to explain why it asked for that access. For example, access to photos to “to create personalized cover art for a playlist or to change your profile image,” and access location to “use it to help personalize recommendations or to keep you up to date about music trending in your area.”
In the same post, Mr Ek tried to explain that Spotify would access this data only if users give it permission. “Let me be crystal clear here: If you don’t want to share this kind of information, you don’t have to. We will ask for your express permission before accessing any of this data – and we will only use it for specific purposes that will allow you to customize your Spotify experience.”
It seems like Mr Ek is referring only to iPhone users. As of today, Android asks for all permissions when installing an app and doesn’t currently offer users the ability to turn off access to permissions once an app is installed and run for the first time. This ability will only be included with the future Android Marshmallow release which should allow users to “turn off” certain permissions in return for losing access to the feature that requires them. Right now, though, app permissions on Android are an “all or nothing” proposition: either accept them all and install the app, or don’t install the app. Mr Ek’s claim that Spotify’s access depends on user permission is true, but not entirely honest: users must accept all permissions if they want to continue to use Spotify.
The interesting part of the debate was when Markus Persson, creator of Minecraft, discussed these new permissions Mr Ek on Twitter. He raised a point that I think is valid: access to this data is a bit deceptive in that Spotify is providing minimal value (in terms of features) in return for permission to access very sensitive data. Access to all device photos just for the off-chance that a user wants to create their own cover art? How many users currently do that? He called it “feature creep for privacy invasion. I want NONE of those features. I want to stream music.”
Now, it could be that Spotify added features with a genuine wish to delight users. For example, Spotify Running (not yet available on Android… grrr…) accesses the phone’s accelerometer and GPS to determine the runner’s tempo (in steps per minute) and matches the music to the pace. For a runner using Spotify, this is a great feature while non-runners might see the request for GPS access invasive. That said, while GPS access for Running makes sense, other permissions, such as accessing contacts to share playlists, are more in line with what Mr Persson said: minimal benefit in exchange for sensitive, personal data.
Interestingly, yesterday Spotify posted an update to the post from two weeks ago that tried to clarify the changes, though, as I read it, it did not back down on any of the permissions and data access requests. In the post, Mr Ek defined two categories of information Spotify collects: “1) information that we must have in order for you to use Spotify; and 2) information that we can use to provide additional features and improved experiences if you choose to share that information.” Mr Ek clarified that the information requested in the second category is under the user’s control, which is, again, not yet true for Android users. That said, it seems that the Android app isn’t asking for access to contacts or GPS data yet, perhaps because the features needing that access haven’t yet been added to the app. It would be extremely interesting to see how many users actually restrict these permissions and how often that restriction is correlated with actual use of the associated feature.
Perhaps the bright point in the entire debate is that users now care enough about permissions to not install an app if too many are requested. In the past, it seemed like users ignored that entire part of the installation phase, just like the almost automatic agreement to any and all T&Cs. App developers, take note: ask for only the permissions you need and, if you are asking for access to sensitive information, make sure the feature justifies the request.