Spotify GDPR data export: user receives 250MB containing every interaction
twitter.comWhat grand times we live in, where you can actually get this kind of data from the services that you use.
Having the law say your personal data is owned by you and not some company just because it's on their server may turn out to be a landmark in consumer friendly legislation!
Frankly, I think a lot of this data isn't the users, but rather Spotify's. If Spotify didn't exist then the interaction data with it wouldn't exist. I don't see how it can possibly be "owned" only by the user here. Does a user "own" security footage in a store that they enter? Definitely not.
Personally I think that GDPR represents a rejection of the idea of "ownership" as it applies to data.
You will note that GDPR does not use "ownership" terminology anywhere. The closest it has is Data Controller, but GDPR makes that nowhere near the same as ownership.
GDPR establishes that data subjects are stakeholders in their data. It doesn't mean that they own the data, but it also doesn't mean that they don't own the data. They have rights to the data, which the Controller has to respect, while the Controller also has their own rights.
It's probably possible to model this situation as ownership (property law is complicated), but I think it's easier not to. Data is not owned, it is controlled and processed. Activities related to data are restricted.
I’m upvoting and agree in the realistic point you are making, but feel this isn’t the most popular point of view right now? I personally believe info just shouldn’t be captured period, beyond reasons for authentication protection purposes/identifying malicious/off pattern use of my login/auth token. We are releasing a new business/info mgmt product soon that has no GA/full story/user tracking whatsoever. It’s not clear why everyone enables a floodgate of tracking just ‘cause. We are implementing better feedback/reporting channels instead.
One thing that people constantly praise Spotify for is the quality of their music recommendations. You can find so many testimonials of people saying that their "Discover Weekly" playlist suggested them songs which they felt they had been searching for their whole lives.
Needless to say, such accurate recommendations of music, which even close personal friends have trouble doing, is based on building as complete of a psychological profile of the user as possible. There wouldn't be any way to do it without gathering lots of information about your very personality.
Surveillance isn't always bad -- after all, what is a baby monitor?
> Needless to say, such accurate recommendations of music, which even close personal friends have trouble doing, is based on building as complete of a psychological profile of the user as possible.
And then an innovative "security contractor" or "data research agency" makes a backroom deal with Spotify and copies their database of complete psychological profiles. Win-win?
I definitely agree that certain products create value from tracking, and those should be the exception, as long as everyone involved is ok with it. I don’t really use the recommendations in Spotify, but I don’t think there is a way to use the service in an anonymous/tracking free way (not that it bothers me). I don’t think maintaining a private /purchased collection should be the only alternative to full tracking.
GDPR isn't about removing all tracking, it's about empowering users and allowing them to decide for themselves how their data is used.
If someone wants to avail themselves of Spotify's recommendations they have to opt in by sharing their data. So they make an active, informed, decision about what data Spotify gets to use. They also have legal recourse if it turns out Spotify is misusing the data (selling it to record labels, let's say).
We have had an analogous law here in Sweden for ages: if you apply for a permit you're allowed to set up security cameras pretty much anywhere on your property but you have to put up signs informing people that they're being filmed. This is so people can opt into surveillance. 99% of the time it's no big deal that you're being filmed, but it's never secret.
That's a good thing.
At some level, I think one should have privacy concerns with baby monitors ... did your baby choose to opt-in?
(Three kids here, and no, we never used a baby monitor...)
I hope the sarcasm is flying over my head here...
> I personally believe
> It’s not clear why everyone enables a floodgate of tracking just ‘cause.
Have you worked in marketing, product development, or customer support? There are plenty of services that are used to help people generally do their jobs, identify problems, figure out what to build, improve the product, and to enable support folks to support customers.
But yes, there are all sorts of other, third-party trackers and cookies that are not as directly relevant.
Yes, I have. It’s a tough argument/longer conversation I realize. I feel it’s getting out of hand overall. As technology/saas products make it easier to simply capture everything, including user actions/playback/screenshots, to the point that someone in marketing at X startup is watching my private usage of their app on their MacBook Air somewhere without really caring or realizing how intrusive they are being. I realize 99.9% don’t intend to abuse or don’t even realize the intrusion, there needs to be a reset where companies take a stand and find greater value in simply not engaging in this low hanging fruit.
I wonder whether there's also a security compliance component here. For example, if you're SOC 2 compliant, does that preclude casual data review like that? If so, perhaps this will lead to greater demand for that kind of certification.
If the user didn't use Spotify, then the interaction data wouldn't exist.
It takes two. Perhaps if these companies had taken that tact (mutual ownership), then there'd have been no need for a law to specifically allow users to get the data created with their own effort.
If I write down every song that I play through Spotify for a year. Does Spotify own that?
No, but that's you writing down every song. The alternative is them saving one of their interactions to their server. These aren't remotely comparable...
Party A records every interaction with Party B. Party B records every interaction with Party A.
Who owns what Party A recorded, and who owns what Party B recorded?
That's why "ownership" is a bad model for this, and (to my knowledge) not really used in any privacy laws. They are not about who owns records, it's about who has which rights to them. Under GDPR, you do not own data about you a company has, but you have rights related to it.
Are you suggesting that the user should track their interactions themselves if they want to own a copy?
When Party A is a multibillion dollar corporation and Party B is an individual, the arguments can not be parallelized.
What if party A is a small business and party B is a litigious user movement? We can substitute values for A and B all day. At what point can we parallelize the arguments? Modern laws aren't defining that line which, in some cases while trying to solve their immediate problems, have unintended effects on the non-targets.
What makes them incomparable, in your view? The medium in which it's recorded? The ease with which it's recorded by Spotify? That the recording task is done in a different system than the client-server interaction? That Spotify has interactions with LOTS of people?
I get that they feel different, but every distinction I come up with feels like it either doesn't make sense applied uniformly. If I tracked songs in Excel, Spotify doesn't own that. If I automated tracking the songs I play, Spotify still doesn't own my recording. If I wrote down all my Spotify songs AND all my Skype messages AND all my texts, Spotify, Skype, and Verizon don't suddenly gain an ownership stake in what I've done.
> If I wrote down all my Spotify songs AND all my Skype messages AND all my texts, Spotify, Skype, and Verizon don't suddenly gain an ownership stake in what I've done.
Bringing up actual communication content is where you start to get onto shaky ground, though, especially considering, for example, the existence of "2 party consent" for recording of communications in some US jurisdictions.
Although I believe that context is entirely for criminal, not civil matters, my point is that there's already a precedent, and a long-standing one predating "data", for the idea that all parties being recorded do, automatically, have a legal ("ownership" may not be the best word, as pointed out upthread) stake in that recording, regardless of which party did the recording or holds the record.
I suspect you used Skype and Verizon, specifically, because, as mere carriers of the communication, they're not really parties to the content that they carry. That doesn't really compare, though, since we're not talking about taping the Spotify songs themselves, and the "ownership" situation there is relatively much clearer, if only because the songs existed previously and aren't being created by the interaction itself.
Kind of: https://www.dataprotection.ie/docs/Data-Protection-CCTV/242....
You can make a subject access request for CCTV footage.
Whoa. You're right. This is kind of insanely low fee mandated.
> The data controller may charge up to €6.35 for responding to such a request and must respond within 40 days.
> This normally involves providing a copy of the footage in video format. ... Where stills are supplied, it would be necessary to supply a still for every second of the recording in which the requester's image appears in order to comply with the obligation to supply a copy of all personal data held.
> Where images of parties other than the requesting data subject appear on the CCTV footage the onus lies on the data controller to pixelate or otherwise redact or darken out the images of those other parties before supplying a copy of the footage or stills from the footage to the requestor. Alternatively, the data controller may seek the consent of those other parties whose images appear in the footage to release an unedited copy containing their images to the requester
I wouldn't be surprised if some video workflow products pop up to help companies comply with requests like this. For example, select the target person on video, automatically pixelate the rest, stitch together and export all clips of the target, securely mail it and log the task completion, etc.
This is nothing new. The right to request CCTV footage of you has been about in the UK for 20 years. It's covered by the Data Protection Act 1998. I remember some music video done this requested footage like 10 years ago https://www.youtube.com/watch?v=3LWpzHSOndk
Stop trying to VC-fund everything single idea that pops into your head.
> Stop trying to VC-fund everything single idea that pops into your head.
Even if had suggested VC funding (I didn't), were an investor (I'm not), lived in the UK (I don't), and had experience with video automation (I don't), why would you care? The background info was helpful enough.
> Does a user "own" security footage in a store that they enter? Definitely not.
Why not? Data is everywhere these days. You won't be able just quit e.g. social media in the future to avoid being tracked. One of your friends will tag you, your face will be indexed, your name will be correlated to your phone number, your phone number to your ip address and now they know everything you read anyway. If that isn't the future you want you can either come up with all sorts of rules for when and where you can and can't take pictures and collect data, which all the companies will try to avoid anyways. Or you can say that people own their own data and only reasonable usage is granted automatically.
Presumably reasonable usage of a security camera would be to, you know, ensure security. Maybe you can opt in to some consumer behavior survey. But they shouldn't just be able to sell the data to a data mining company for face recognition, location tracking and consumer intelligence.
> If Spotify didn't exist then the interaction data with it wouldn't exist.
Likewise, if you didn't exist, then the interaction data wouldn't exist either. I agree that the ownership is more complex in this case and is hard to attribute solely to one party. One party provides a system where interactions can take place, another party provides the interactions. Who owns the interactions? Clearly both parties are required for them to exist.
Try to use recognizable in-store footage of a person in a commercial advertisement without their consent and see what the lawyers say. It's not as clear-cut as you are making it out to be. You cannot just use photos or video of a person however you want without their consent.
Spotify is not making commercial advertisements showing all the raw data they have collected on you. Instead, they are probably doing things like aggregating data on their users and looking for trends.
It's more like watching security footage (or having machines watch it and let you know what they've observed) and then making decisions with that information.
That's because footage of them uses their image/likeness. If I used an amalgamation of all my customers it would be fine.
A lot of countries have laws that allow you to have access to any information stored that relates to you, health, education, criminal justice, etc. I think this logical but ‘ownership’ seems a bit of a reach.
Your income wouldn’t exist without the existance of your parents. This does not mean they own your income. You are arguing based on a contrived and unuseful philosophical basis. Who owns the data is a matter of law not philosophy, and having laws like GDPR looks like a great way to empower consumers, so who cares if the data would not be there without Spotify? It would not be there without the consumer either, in fact Spotify itself would not be there without the consumers... should the consumers then “logically” own Spotify?
> Does a user "own" security footage in a store that they enter? Definitely not.
I recently visited the main station in Cologne, Germany. They literally had notices posted next to the time tables about CCTV being conducted and about your GDPR rights concerning CCTV footage taken from you.
While this wasn't a straight "you own the footage", they did acknowledge you have certain rights regarding the footage.
Damn - you bring up a good point. I wonder what a lawyer would say.
Taking your thought one more step, what happens to the data the store creates thru a facial recognition system tied to the footage? Is that covered? I don’t know, but there are thousands of further permutations on his thought. Another reason I hate the GDPR (great intent, horrible execution).
I think the general point of decision is still about "personally identifiable information".
So my (IANAL) understanding is: If the data is somehow tied to your real life identity, it's protected. E.g., the headphone brand might be protected because it's uniquely associated with your user account which is uniquely tied to a real-life identity.
I guess, whether or not the facial recognition output is protected, might depend on whether you want to use it to identify the person behind it - e.g., if it's an identifier to a database, it might be protected. If it's an emotion score or eye tracking analysis, it might not be protected, unless it's associated with your identity by some other process.
If Spotify invented a device that could read my thoughts, and stored them all in a file, who would own them? Me or Spotify?
Exactly.
Don't use logic though. Logic is cold and hateful. ;)
That's the wrong analogy. The camera isn't some "security footage" in a random store, it's security footage from my own living room.
A better analogy is this: if i install a video camera in my home and pay a service to store and process that data (think nest cam), but that i'm paying monthly for, then that data should be mine. Stuff going on in my living room (aka my music listening habits) should be mine and i should have access to my habits and restrict others from using it if i want to.
Update: more importantly, without having access to data stored by any service, i can't make an informed decision as to whether the service is storing dubious information about myself that it shouldn't. Services can no longer hide the data they store about people.
None of these analogies make any sense or have any relevance to the nature of what's going on when you use a service. Fundamentally you are sending requests from your computer to their computers, and their computers are sending things back to your computer in response. They have every right to log what activities their own computers are doing, and (in my mind) they have every right to claim sole ownership over the logs that they create.
The fact that they have to legally release this kind of thing is really twisted, at least to me. If you want to have logs of your listening data --- if you want to have logs of what your computer is doing --- how about you log it yourself? If that's too much work for you, whose fault is that? Don't use it if you don't like it.
Music services are a dime a dozen nowadays. The biggest reason that any given consumer stays with a given service has to do with recommendations and playlists and the profile that they've built on you. The fact that these companies now have to give that data back to consumers, which they could presumably feed into another (cheaper) service, disincentivizes companies from building better recommendation engines and down the line it ultimately makes for a worse experience for music listeners.
With that logic you could argue that almost nothing should be regulated, as the "work" nowadays is always done by someone else, what is the different between this and a credit score?
I don't think everyone agrees people have the right to claim ownership to all data exchanged in a multi-party interaction. Further I don't think anyone understands Identity well enough to be able to provide transitively collected data without breaching confidence of similar third-parties.
Nothing is as simple as a quip can make it sound.
>Further I don't think anyone understands Identity well enough to be able to provide transitively collected data without breaching confidence of similar third-parties.
I'm obviously not a lawyer or anything but I think that this would be more compeling if Spotify was open source. "You don't want to share this? Well just remove the code then."
Here not only can't I do that but I've been a paying customer of Spotify for years and I had no idea that they even collected 90% of that stuff. In these conditions how can it be argued that I gave them ownership of data I didn't even know existed?
Everything is data. Anybody can remember anything they want. You didn't give them anything, they experience the same reality as you when you chose to interact with them. ... It takes two baby...
Further I don't think anyone understands Identity well enough to be able to provide transitively collected data without breaching confidence of similar third-parties.
Would you be willing to unpack this statement a bit, please? I'm not quite sure I understand.
If I may intrude, I think they mean that revealing to you data that involves you and other people could invade the privacy of those other people.
This is one of the issues in personal data and privacy that I think we're going to have to acknowledge and confront some time very soon: often, data about an individual in isolation is less telling than data about that individual's relationships, but relationships always involve multiple parties. Right now, we've barely established a consensus on the ethical and legal principles of a relationship between a single data subject and a second party using data about them.
The big social networks have amassed their huge databases not only through information volunteered by individual members, but also by co-opting people who know those individuals (or just happened to be nearby) to provide more. For example, every time a social network's mobile app uploads an address book from someone I know when they install on their new phone, and consequently that social network knows my name and contact details, they have potentially violated my privacy with neither my knowledge nor consent. With the advent of ubiquitous devices with cameras, microphones, network connectivity, GPS and other sensors, and at the same time the developments in automatic recognition technologies based on photos, audio or video footage, the risks of exploiting network effects to gather data on unwilling subjects have increased dramatically.
I'm not sure it's reasonable to expect every person I've ever shared my contact details with or anyone who ever took a photo with me in the background to understand the implications of their devices and the software they run on them. In any case, there are going to be difficult ethical questions about balancing the rights and freedoms of multiple parties.
However, I am quite sure it's fair to require businesses on the scale of Facebook to understand the basic situation and at least not to retain or use personal data for any longer than is necessary. The GDPR and similar proposals starting to appear elsewhere are clearly trying to enshrine something like that principle in law, but everything I have seen so far suggests that the biggest data hoarders are paying lip service but still trying to get away with anything they can.
Gotcha. Thank you, for some reason that wasn't immediately clicking in my brain.
For a bit more context, this was recently discussed a LOT with the Cambridge Analytica Facebook scandal.
The issue being that if you text me, and I give that to Facebook, does facebook have the right to ask me for permission to give it to a 4th party? Should facebook be required to give you that information if you don't have a facebook account and request it?
It's not actually "ownership": You have control over it, but you don't own it, and laws are careful to make that distinction. I emphasize this since at least in parts of the debate, people advocating for "data ownership" are advocating for weaker data protection laws, with the idea that rights derive from ownership of data means companies can gain ownership of data too, and you then do not have those rights.
You have rights to your personal data, you do not need to own it to have those.
Do you remember how much negativity there was the few days before GDPR "doomsday". I kept saying that it is a beautiful thing but all I got ... I have requested my data from many services that I use and I learned a lot about myself by reviewing my data, searches, marketubg tags etc.
Interesting.
Can they still sell it if it's owned by you?
They are collecting and storing it, for sure. What limitations do they have from there?
Also, how would the government patrol this without having access to all companies databases, servers, and policies?
They have to ask me if they can use it and for what purpose. And even better, they can’t condition the use of the site/product on me accepting that they sell it.
Is this actually happening, though?
I feel most sites don't comply with the latter half of your statement (conditioning based on acceptance).
This is very true. Many sites and services seem to have deliberately misinterpreted the legal text. I hope a high profile target will be taken to court over this, to establish a cautionary precedent. It just hasn’t happened yet.
That sounds good. How is it enforced?
( not being sarcastic )
Every EU country has a data regulator. These regulators have a range of enforcement options at their disposal, from politely asking a company to comply up to a fine of €20m or 4% of global revenues.
You can see a list of previous enforcement action and adjudication decisions by the British Information Commissioner's Office at the link below. These are all under the old Data Protection Directive, which was broadly similar to GDPR but somewhat lacking in teeth. You'll see everything from a slap on the wrist to six-figure fines.
https://ico.org.uk/action-weve-taken/enforcement/
https://icosearch.ico.org.uk/s/search.html?collection=ico-me...
It’s not (yet). The GDPR is still new and as far as I know there haven’t been many (or perhaps not any) legal processes.
>Also, how would the government patrol this without having access to all companies databases, servers, and policies?
As in many other cases you assume the companies are not doing illegal stuff and you act when someone reports them. A developer that is asked to do something illegal like hiding something from the exported data can report it .
I enjoy the mental exercise of finding where boundaries lie.
For instance, if you simply observe the actions people take when they talk to you, that's obviously your observation. If you were to, say, journal it, it's still yours. It's a weird thing to do, but it's yours.
If you used the journal to optimize yourself, perhaps to make conversation with you more enjoyable, again, that's weird, but perhaps also merely a paper version of what already goes on inside your head.
What if talking to you were really enjoyable, so that while people could technically avoid it, they usually didn't want to?
At what magnitude does the volume of people you're observing reach a scale where the people you're observing start to believe your observations are theirs?
two parts: purpose (e.g. GDPR excludes household activity, which a private journal of "everyone I talk to" would be if it's only for private use) and structure (with at least for GDPR a neatly kept notebook/ledger possibly already being organized enough to qualify). Although the observations are not "theirs" as in "their property", they merely gain rights against you to obtain information about them and copies, and rights to control your usage.
It's a huge difference when a company does it rather than an individual (as in your example).
It's a convenient difference, but I don't think it actually impacts anything.
It's an indirect way to address the level of resources you have at your disposal, which is itself only important for the scale at which you can capture the data.
In general, for the things people are OK with citizens doing but not OK with corporations doing, they mean an individual could not do it at a scale that bothers them. I'm specifically curious about what that scale is.
Certainly for me, there exists a hypothetical scale at which an individual gathering and recording detailed observations of other people becomes a little unsettling. Perhaps not criminal, but it falls into a "wish it didn't happen" bucket.
Impressive-- https://twitter.com/steipete/status/1025029133175336960
"They even store the brand of headphone I use. How do you even get that data, digging deep in CoreBluetooth?"
If you think about it, now it makes sense why big names in smartphone industry like Apple and Samsung are removing P2 plugs from smartphones in favor of more powerful interfaces like Lighting/USB-C: so you can track more information about the user.
Just imagine: you can track which kind of phone a user that likes to listen to Heavy Metal, for example, likes to use, or which phone is more popular at the moment. Based on this you can develop phones that is more likely to sell or use specific marketing campaigns depending of the kind of music a person listen.
There's a much more mundane explanation - waterproofing. Lightning and USB-C connectors can both be made intrinsically waterproof up to IPx7, while the 3.5mm jack can't. Waterproofing is a key point of differentiation for recent flagship phones. An iPhone 7 will survive a dip in a toilet bowl or a pint of beer, but an iPhone 6 probably won't.
> while the 3.5mm jack can't
Of course it can. It's just 3 or 4 wire connections, and an insertion switch.
Why do you think it can't be made waterproof? It's even easier than USB-C to waterproof.
A simple google search "waterproof 3.5mm socket" find tons of results.
So all the other phone manufacturers selling IP68 phones with headphone jacks are lying?
I had a Xperia Z5 and every time water touched the headphone jack the phone would go crazy thinking that I was plugging and unplugging something repeatedly.
On the assumption that the phone itself is fine, that could be fixed in software.
Plenty of phones where waterproof before. The lightning port is waterproof despite having many more pins than a simple phone jack.
I don't see the difference in the connector and how that can determine how waterproof the phone is. In the end, lightning/usb-c and 3.5 are just sending electron via a connection, how would the format determine how waterproof you can make it?
To all the people saying "but waterproof 3.5mm", here's the thing. Despite having _more pins_, lightning and USB-C have the advantage of _active signalling_. So not just an "open/closed" signal, but an active communication saying something was plugged in. So while 3.5mm can be made where it doesn't damage the phone, water will still short the open/closed switch, causing false insertion events.
Yeah, that must be it.
http://www.tradekorea.com/product/detail/P698873/IP67-waterp...
well then sony had been lying to me for years. the last 3 phones I've owned have had waterproof headphone jacks
You are wrong there.
There is a lot of conjecture happening here. I'm sure it doesn't hurt to know data about headphones but I'm having doubts that's the primary motivator.
Yeah, I am not saying this is happening right now (however this log from Spotify is alarming).
However, considering that they will have this option is sufficient to someone in the industry to abuse it, and after someone start to use this information, everyone will to remain competitive.
It displays the name of bluetooth headphones in the app as a useful feature to help you pick where you want the audio to go.
So all a device needs to do is play sound and they can retrieve you bluetooth make, model, and serial number. There's your replacement for the unique ID that Apple supposedly killed years ago. They just need to look at your bluetooth device identifier.
It's kind of weird (and worrying tbh) that the user doesn't get _all_ the data by default. Shouldn't all the data be sent upon request, is there a clause saying 'only after nagging the TRUE data will be sent?
There's a sense in which summary views are the real data. If I asked Spotify to share my data, and they just sent me a 250 MB file of every interaction they've ever recorded, I would conclude they're trying to obfuscate which data they actually use and how they use it.
Yeah. If Netflix sends me every byte I've ever viewed, that's pretty useless.
Exhaustive list of your data (sorted, redundant copies not included):
0x00
0x01
0x02
0x03
...
0xFE
0xFF
I think just 0 and 1 would suffice ;)
Easiest alternative to ripping video lol. And it's legal!
The default export only include the last 90 days so it's not just limited in details.
Here is a template for whoever else wants to request their data:
https://www.dropbox.com/s/fx5yyrru1uvx6no/sarletter.txt?dl=0
Source (@mikarv on Twitter):
https://twitter.com/mikarv/status/1012386696934182912?ref_sr...
If Spotify didn't give you all data with your first request I guess that they are in breach of GDPR?
Yes, you would then have a basis to file complaint to your (within the EU) country’s data privacy authority
Has anyone tried this request in the US? I'm assuming they would just tell you to politely shove it?
They are a Swedish company.
The British regulator considers the rules to apply to all people, not just European citizens, so I think the Swedish would have the same opinion.
In general, Europe has rights that apply to everyone, regardless of citizenship. This makes a difference when it comes to searches at the border, drone strikes, refugees and so on under the European Convention on Human Rights.
This should become a selling point for EU businesses.
Remember all of the data Winamp2 used to gather and send to third-party servers?
It's weird how perception on these things has shifted. So many practices are "normal" today which used to be clearly labeled "spyware" only 15 years ago. They successfully rebranded spyware, now it's called "telemetry", or similar.
Anyone remember the huge privacy-related outrage when Windows XP came out, because it forced users to do challenge-response activation? How times have changed...
It might just be that all those people have switched to free software and aren't being vocal because of that?
Did it send anything? I don't know which way to interpret your question.
I imagine some info was sent if you played those shoutcast(?) video streams listed in the media library, lots of cartoon channels from what I remember.
Sorry, just a bit of silly sarcasm. It wasn't a data exfiltration and user surveillance system like modern music players.
I don't but I suspect such a business model would flourish. Does anyone have a link to their hiring page?
While this is an extreme example, I'm not the least bit concerned about Spotify collecting this data. This data is likely used by Spotify to understand user behavior to improve user experience and improve their recommendation engine, or to simply understand how users interact with the app. I was delighted to find that Spotify sends you concert notifications of bands that I listened to the most. Personally, as long as they are not sharing this data with others without my permission they can collect this info. All of this is clearly stated in their privacy policy including the bit about Bluetooth) https://www.spotify.com/is/legal/privacy-policy-update/#s5.
> "this enables us to access your GPS or Bluetooth to provide location-aware functionality"
They only Bluetooth in the context of acquiring location data..
I have a friend that always used to joke that if Spotify ever failed and got sold off to private equity, they would shift to a business model where they mine for embarrassing music and behaviors and then extort people to keep quiet about it.
I'd be interested in knowing if he is a paid subscriber or not.
I understand that Spotify needs data to power Discover Weekly, but I'm not sure I'm comfortable with this amount of data.
This is great. I wonder if the EU can write a law to allow us to see what adverts are being served to which audiences on platforms like Facebook and Google. More transparency please.
> Having the law say your personal data is owned by you and not some company just because it's on their server may turn out to be a landmark in consumer friendly legislation!
It's interesting to think where this goes in the future. Can I demand my purchase history from physical McDonalds restaurants at some point? Why limit it to internet-related interactions? (Or maybe this is already included in GDPR and I'm just not aware?)
You can already demand this data from McDonalds, if they retain it.
You've been able to for about 20 years, in some form with the previous laws.
(More commonly, you could demand the paper records your employer has about you.)
The main issue as i see it is that he did not get data when he asked. He had to complain.
Man I was comfortable running spotify as the only non-free app on my Linux machines, now I'm not.
It's back to ocp and mods/classical music/occasional purchased for me I guess... (except on my phone of course which is a lost cause)
Why are you uncomfortable with Spotify now?
Because it's a piece of proprietary software?
Because they retain this data seemingly forever?
Is this data collected by Spotify, or __all__ data Spotify has for a user? That is, it's certainly possible for any given service to gather / aggregate data from sources other than itself.
Has someone started a list of GDPR data export requests and their results? I wonder what interesting information is out there...
Seems like CSV would've been a better format than JSON for this type of data based on the screenshots.
Indeed. Your typical data requester isn't going to know code for working with JSON. And converting JSON to CSV is a pain.
To be fair, GDPR stipulates only that it should be available in a common machine-readable format. It doesn’t require the most convenient format conceivable.
Also, CSV can’t easily handle nested objects. If the data model is even slightly more complex than a plain table, it doesn’t make much sense. I’d also argue that even if the source data is stored in an RDMS without exotic data types, a JSON with a nested object representation is probably going to be more friendly even to non-developers than multiple files with opaque foreign keys linking back and forth.
Sure, simple JSON you can view in browsers.
But with CSV you can just use spreadsheets. Are there n00b-friendly apps based on R, Python, etc?
And can't you always convert JSON to multiple CSV files?
Only if you accept a potentially unlimited number of CSV files/sheets. Many forms of data aren't really easily normalizable to a limited number of flat tables without losing information.
OK, then. How would someone who's not technically sophisticated interpret such JSON?
I suppose that some service could handle it. But then there's another level of trust and GDPR compliance.
Open it in any decent plaintext editor/viewer, it'll likely have support for 'prettyprinting' json, and it'll be readable.
If you want to 'do stuff' with the data, then JSON is a very (IMHO most, but your mileage may vary) reasonable format; unless that data really is just a single flat table, it would be hard to blame them from picking this format.
OK, I’ve been wondering if I could get this data. Now I want mine.
If something is free, you are the product being sold...
Meh you are the product spotify is free!
Spotify has over 70 million paid subscribers.
So they're paying to be tracked. Nice gig if you can get it, Spotify!
The pressure to collect any and all data to increase a company's valuation isn't lessened by charging your customers to use the service. That cliché is not really informative nor helpful in the fight for privacy and transparency.
You assume there is a pressure to collect the data and that it has any positive effect on valuation.
No, the new business model is that you're the product even if you're paying.
Confusing title. I thought there was some horrible bug that sent a 250MB file every time you clicked something! After reading the tweet I realize it’s saying the 250MB file contains every interaction.
Instead of "with", please use "containing" in the title.
Agreed. I couldn't understand why every single interaction would generate 250MB of data!