Watch Out: Spotify is Watching You!

Just been reading this article myself! All quite disturbing really and I can see no valid reason for Spotify wanting or needing to access my private and personal photos. So much for data protection hey! Seriously considering cancelling my premium membership on the back of this... 

I cancelled my Spotify account some time back so I can't check. Is the issue here that you can't prevent the Spotify app from readimg and uploading your private contacts and files if the App is active on your mobile device? If so that is appalling and possibly illegal.. Or do you have to opt in for Spotify to share your personal private data?

Simon

I am getting so upset by these type of firms which think they can violate the normal rules of privacy and decency. It has ended for me with them, it already annoyed me how it was influencing my of....

Spotify the lone culprit? Welcome to cyberspace. The second you signed with an ISP, used a web-browser, or got an email account your privacy went out the Windows. Personalize all the privacy settings you want, someone's watching. Google "how to make a fertilizer bomb" and you're likely on Uncle Sam's radar. And be sure to check your settings after each update.

Joerand, not quite in my view. Your ISP has to keep records of usage details (addresses and times), depending on local law, for a period of time such that a court order can be made to access them if required. (Not dissimilar to GSM phone useage and base station registration records)

Depending on your web search engine you can opt in or out of personalisation services.

You can also encrypt your web access using a VPN, not normally required for home use, but almost obligatory in my view if you use public wireless hot spots.

However that is quite different from a company using its application possibly as a piece of malware and accessing and uploading your personal information without you positively consenting each time it does it.

interestingly legally in the UK, as part of data protection legislation, you can ask Spotify to disclose what personal information it has currently stored about you.. and it will have to comply. Errors here or a false response could mean they are liable to penalties/prosecution and if severe could possibly prevent them trading in the UK in the future.

Simon

We also need Apple Music on our Naim Streamers.

Spotify (am watching you)...The clue is in the name.

My day to day activities are too mundane for me to worry who the hell is watching so I simply get on with what I want to do. Was it Spitting Image who did the sketch eavesdropping on John Major's telephone conversation...'Peas tonight darling?' 

Yours naively,

G

I think many people simply are not aware how much of their data is collected and stored.

This is from the Microsoft privacy statement:

[How Microsoft collects Data:]

"You provide some of this data directly, such as when you create a Microsoft account, submit a search query to Bing, speak a voice command to Cortana, upload a document to OneDrive, or contact us for support. We get some of it by recording how you interact with our services by, for example, using technologies like cookies, and receiving error reports or usage data from software running on your device.

We also obtain data from third parties (including other companies). For example, we supplement the data we collect by purchasing demographic data from other companies. We also use services from other companies to help us determine a location based on your IP address in order to customize certain services to your location."

[Data collected includes:]

"Name and contact data.

We collect your first and last name, email address, postal address, phone number, and other similar contact data.

Demographic data.

We collect data about you such as your age, gender, country and preferred language.

Interests and favourites.

We collect data about your interests and favourites, such as the teams you follow in a sports app, the stocks you track in a finance app, or the favourite cities you add to a weather app. In addition to those you explicitly provide, your interests and favourites may also be inferred or derived from other data we collect.

Usage data.

We collect data about how you interact with our services. This includes data, such as the features you use, the items you purchase, the web pages you visit, and the search terms you enter. This also includes data about your device, including IP address, device identifiers, regional and language settings, and data about the network, operating system, browser or other software you use to connect to the services. And it also includes data about the performance of the services and any problems you experience with them.

Contacts and relationships.

We collect data about your contacts and relationships if you use a Microsoft service to manage contacts, or to communicate or interact with other people or organizations.

Location data.

We collect data about your location, which can be either precise or imprecise. Precise location data can be Global Position System (GPS) data, as well as data identifying nearby cell towers and Wi-Fi hotspots, we collect when you enable location-based services or features. Imprecise location data includes, for example, a location derived from your IP address or data that indicates where you are located with less precision, such as at a city or postal code level.

Content.

We collect content of your files and communications when necessary to provide you with the services you use. This includes: the content of your documents, photos, music or video you upload to a Microsoft service such as OneDrive. It also includes the content of your communications sent or received using Microsoft services, such as the:

• subject line and body of an email,

• text or other content of an instant message,

• audio and video recording of a video message, and

• audio recording and transcript of a voice message you receive or a text message you dictate."

I don't know how much of this can be restricted in settings (to much of a bother, and sofar I have hazarded any possible consequences, I havn't really got anything to hide, but I don't really know how extensive and complete their knowledge of me is either). If you use the address bar of Internet Explorer for searches Microsoft will store following data for six months without any opt-out possible : "search terms you provide, along with your IP address, location, the unique identifiers contained in our cookies, the time and date of your search, and your browser configuration. If you use Bing voice-enabled services, additionally your voice input and performance data associated with the speech functionality will be sent to Microsoft." . I have found no way of turning off this feature, and I would not be suprised if they combine this information with data collected via the other Microsoft services or data they acqiure from third parties.

PureReader - you quoted only part of the MS Privacy Statement - this lists the possible personal data that may be collected if you use certain services.. This is a statuatory requirement to state this for cloud/hosted services operating in the UK at least I believe.

The key part of the reference you omitted was:

The data we collect depends on the services and features you use, and includes the following:

And then is the list you quote. Clearly if you are using a service that requires name and address it wil be stored, if you are using email analysis tools MS needs to  looks at your email heading and text - or it cant be analyzed (if have disabled email analysis) - if you are using location/satnav  services and map services MS needs to know where you are etc etc  but these are features, services and applications you can disable, enable, use or not use  as required..

To store personal information that is not necessary to provide the services offered is a data protection offence in the UK. It is an offence to store personal data 'just in case' its useful.

I cant help feeling your post was slightly misleading

Simon

My attitude is that the NSA is collecting (or soon will be) everything I say, write, and do on the internet and my phone, and the companies are generally very complicit in the process.

I have "nothing to hide", but that is beside the point.  But the oligarchs (both private and public) view us as chattel to be owned and managed, and nothing I do or say can change that.

That said, it is extremely annoying that privacy is dead, unless you want to disconnect from everything, which is becoming increasingly impossible to do...and the positive wonders of the technology are no small part of life any more.  I cannot even conceive of life without the internet, and yet I lived the first 30+ years of my life without it.

Sorry if it was misleading. I thought it was pretty obvious that the specific data collected depends on the specific services used. I didn't want the quote to get too long so also left out some of the data types stored (such as passwords for account access which I think is so obviously necessary). In fact, under the listed data types: Interests and favourites, Usage data, Contacts and relationships, Location data, Content, the connection with the use of specific services is repeated and in some cases explained more specifically than the general statement I omitted. In fact, the statement "The data we collect depends on the services and features you use, and includes the following" may actually be somewhat misleading, because collecting of some personal data stored by Microsoft obviously is not dependent on the service used, as suggested by the statement: "In addition to those you explicitly provide, your interests and favourites may also be inferred or derived from other data we collect." under : Interests and favourites.

The techniques they use to extrapolate information, or to mine specific information may be far more advanced than the average PC user (me, for example)  imagines. For example, one may assume that for Microsoft to collect and store data such as postal address, age, gender or other personal contact data it would be necessary to consentually give this specific information using a specific service (like you can fill in as much information as you want into your outlook.com = Microsoft account profiles). But can Microsoft not extrapolate or mine this information from data already collected or from the content of E-Mails (can I be sure they only analize E-Mail Content to prevent spam?)?

So apologies for omitting that statement anyhow. And the complete original Microsoft policy statement can be found here for anybody interested:

http://www.microsoft.com/en-gb...atement/default.aspx

I gave myself 5 minutes to find the setting in my outlook app to prevent Microsoft from looking into the content of my E-Mails (which I assume they do by default, because I was never asked about this since openning my Microsoft account and the privacy statement says they do it). Couldn't find it.

PureReader thanks for your reply. I guess the point is that captured data should be relevant for the services being consumed.. However to enjoy Spotify streaming does Spotify need to see all your private contacts and see other private data?   Personally I think it's none of their bl**dy business, and if you can't opt out of such action, and becomes a condition of service usage I believe that would be illegal in the UK, which is why perhaps they seem to be stepping up their public apology etc as part of their damage limitation.

Simon

I just find it despicable that sort of intrusion without consent. If wanted to share my private life with the rest of the world I would have joined Facebook long ago and even they have tools to stop such a invasion of privacy. I hope they learn their lesson and rethink  their T&Cs as a matter of urgency. 

Another reason not to join the over-priced Spotify then.

What I want to know is why these companies want or need this information?  I can see why the paranoid USA might - though their history of using it is not impressive - but why Spotify?

Anyone know?

Further more, it is an offence to use data for any purpose other than the specific purpose for which it was collected, as notified to the data subject (that is you!).  Since most of the items specified don't list additional purposes, the data may only be used in the context of the service for which it is provided.

Well, it is a pity Microsoft doesn't clearly state the point made by Simon, that they are not allowed to store data "just in case it is useful" and the point you make, that the data collected may only be used for the stated purpose, because the following parts of the Microsoft privacy statement gave me excactly the opposite impression:

Regarding bing:

"When you conduct a search, or use a feature of a Bing-powered experience that involves conducting a search on your behalf, Microsoft will collect the search terms you provide, along with your IP address, location, the unique identifiers contained in our cookies, the time and date of your search, and your browser configuration. If you use Bing voice-enabled services, additionally your voice input and performance data associated with the speech functionality will be sent to Microsoft. ... Retention and de-identification. We de-identify stored search queries by removing the entirety of the IP address after 6 months"

To me that sounds like they collect and store information on searches in association with personal data (IP-address) for six months "just in case it is useful". For what other reason?

Regarding "Interests and Favourites":

"In addition to those [data about your interests and favourites

you explicitly provide], your interests and favourites may also be inferred or derived from other data we collect."

So they infer or derive my interests from data origionally collected for a different purpose, as I understand it.

Still, I must say I trust Microsoft more than google, facebook and Apple.

Windows 10 may be a different kettle of fish though than Windows 2000 and 8.1 which I use. Tech sites have been reporting that the free upgrade to W10 deletes privacy settings previously made by the user without warning to defaults which do not protect privacy, so you have to recheck every setting you made to protect your privacy.

Indeed, the interbet and the web are great enabling technologies, however as with all things people and organisations will try and exploit it for commercial gain. There is nothing wrong with this in my book, after its that often drives innovation. However one needs to be a bit savvy if one is not be obviously exploited themselves.

So I say be careful of any website or services you log into.. make sure you trust them and are happy with their T&Cs. If in doubt then don't log in... simple.

With web directory search engines such as Google, Bing, Yahoo, if you don't need their personalisation services then DON'T log in.

If you are certain you don't want any history left on your browser after you have visited a site, then disable cookies. If the website complains, then click away.

if you use wifi hotspots on your laptop or phone do use an encrypted VPN service from a trusted service provider or use SSL/TLS enabled web sites (sites with trusted keys). Most smartphones I am aware of will support VPNs.

For personal or family web use try and use an ISP that uses dynamic Internet address assignment. In the UK this is the norm for consumers.. 

Simon

Wat, if there is a proxy device doing a man in the middle attack, or some sort of clumsy relay - then the sites SSL/TLS key will come up non trusted (Red) - and a descent browser should warn you and ask whether to proceed or not.

If you see a non trusted key - then I strongly advise not proceeding!!!!! 

Yes the SSL/TLS encryption has obviusly to be decrypted at the remote web site, but if you trust that web site no issue, but at least no one can look at realtime what you are browsing from that site, and you know you are talking to the bonafide site and not a phishing site.

Some national intelligence services have as condition of the use SSL/TLC or IPSEC VPNs access to the private keys that are managed through a key agency - again how this access is regulated and policed varies from country to country. Of course you can self publish - but you have to know what you are doing so as to detect whether it has been compromised - and no one has access to a self published key other than you - of course this might not be lawful in some countries.........

As far as streaming being a passing phase, I hope not!!  I spent a sizeable part of my career developing and delivering prototype consumer oriented streaming services (video and audio) in the 90s and I am delighted to have see it grow and grow over the last 20 years - so far it has completely exceeded my expectations  of it from those early beginnings.

Simon

@Simon

Thanks Simon. It sounds so easy... just "click away".

Your recommendations are of course sound, and appropriate for you or me, but I do wonder whether young people who have grown up with the internet, whos friends use services like facebook for example have this option without experiencing considerable disadvantages.

@Wat; Simon

"I'm happy enough to trust Apple & Amazon, but less so Microsoft, the Facebook & Google (I rarely use their products in any case). Not that I think these companies are evil: I just don't know them well enough. "

Living in Austria, I know of an interesting ongoing legal case against Facebook. Facebook may not be evil, but according to young Austrian lawer Max Schrems (who has thoroughly researched facebooks policies) is in serious violations of european law. On this Webpage

http://www.europe-v-facebook.o...ints/complaints.html , scroll down to "1. Complaints against Facebook (August and September 2011)" and you'll find 22  complaints he filed all based on compelling evidence. For example Schrems discovered that facebook continues to store data indefinitely even after a user has used the correct procedures on the facebook website to delete data. Also facebook, although registered in the EU does not comply with its legal obligation to disclose which personal data of users it is storing. If a user takes the correct procedure for the enquiry,  facebook discloses only a fraction of the information stored. Trouble is, an average consumer has no chance of doing anything about it. Max Schrems tried to get facebook to comply with EU privacy laws via Irish Data Protection Commssioner (EU branch of facebook is registered in Ireland so Ireland is responsible for complaints, not the country of resdence of the complainant) with inconclusive results after three years (!), and now trying a class action (with 25,000 participants) against Facebook Ireland.

I think one reason facebook feels it has little obligation to comply with EU law is because the data is stored on servers in the US. And it's a US company - reason enough.

Wat

You can not replicate a master key. Therefore the  encrypted transport layer will remain intact to the point of encryption

The master private certificate and key is licenced to specific IP addresses - and these are public addresses. Therefore unless your  proxy IP address matches the remote servers IP server address - the certificate will be invalid and will be flagged untrusted.

Sure a new private certificate and key could be set up and the transport layer encrypted - but that is simply confirming the identify of the proxy server - and the encryption through to the proxy server and nothing beyond.

If in doubt - click on the key certificate in your browser- if it matches your remote site and is validated by a signed certification authority  (CA) then you are safe - if it matches a proxy - then your SSL is only through to that proxy... The CA's are stored in your browser. Yes if your browser was hacked and a false  authenticating authority was installed then it could be used falsely authenticate a false certificate. There are other malicious methods that can try exploit weaknesses in the browser and receiving application - in the data around the encrypted data - but the encrypted data remains intact until the point of decryption. Software updates address such new flaws in browsers on a regular basis.

Believe me there is no way around this that we are aware of apart from using specialist key stores to validate the link up to the proxy - but as discussed this only works with special copies of the master key - and can used in corporate networks that use IPSEC over high latency links. If there was a way around this then most eCommerce would be compromised and no one would want to shop, bank on the web

Remember no private master keys are sent, just the freely available public key and public certificate associated with the private key -  hashing/cypher functions of the two keys are used to protect integrity and retain encryption so as to remain secure, as well as the client validating the certificate against a verified CA.

Simon