40 comments

[ 5.1 ms ] story [ 99.7 ms ] thread
Wow. Well I think that settles that!

On a similar note, I've always thought Daniel Ek was a pretty upstanding guy.

It only settles it when they formulate a new TOS that does not give them the freedom to completely ignore what they say are the reasons for accessing things like photos. If you have only features abc in mind, why formulate a TOS where you have access to the whole a-z?
Is it possible to just take Daniel Ek's word on this one? If you're so upset, couldn't you just disallow access?
The ToS is Spotify's word on this matter. If the ToS says they can do X, you can only assume they are going to do X. An apology doesn't fix the problem, no amount of grovelling by the CEO changes anything until the ToS are fixed.
It could be, say, the catholic pope and still the privacy and PII selling problem would remain the same, so who cares who Daniel Ek is? The damage had been done already, on such bad timing... Apple must be loving this fallout.

EDIT: I am not saying PII selling was the main problem here but I believe this is what usually people fear when these TOS changes come, and I think they are right in thinking so

If you are a user on most stock android devices, then no, you can't, outside of not installing the app. (Which IMHO is a major defect in android and annoying to solve for app makers, but that's the environment they have to keep in mind)
Yeah, the android permissions model is absolutely terrible; not sure if iOS is any better (actually, I think it might be worse). Not only is it incredibly non-granular, but it also seems to be an all-or-nothing, and there's no way to control global permissions either.
Permissions are now granular in Android 6.0, and even for apps which weren't built against the newer SDK, you can turn off permissions individually.
> Is it possible to just take Daniel Ek's word on this one?

Maybe, but the question is irrelevant.

I do business with people every day who I fundamentally trust. But we sign contracts anyways.

If what Ek is saying is true, then there is no reason for the T&Cs to not reflect it.

Is it possible to just take Daniel Ek's word on this one?

lol. Of course not. He's a CEO being given access and legal permission to material with business value beyond what they're currently claiming to use it for. What exactly is so unique about Daniel Ek that I should take his word?

I have to trust that he's not being deceptive, will never change his mind, and can influence the course of action taken with my data for the life of the company and beyond (when assets are sold off if Spotify fails)?

I don't even use Spotify, so this is all moot to me. It just sounds goddamn crazy to take his word on this one.

I don't even use spotify but I logged in just up vote you. The HN hivemind is real.
Uninstalling Spotify settled it. Also, WTF is with having to talk to a representative to delete my account completely.

All this is is pinky swearing that they won't do what you have to explicitly allow them to do.

for android users it doesn't settle anything. "Photos: We will never access your photos without explicit permission", but what does that mean? When the app is installed the user has to give permission to the app to access photos otherwise it won't install. So there's no state in which, on Android at least, the user can deny access to photos to the app, as the app has been given permission already at install.

So this 'sorry' is really a lot of hoopla which changes nothing: Android users still have to trust them that they won't access my photos if I don't use them in their app and won't access any other elements on my phone when I am just listening to some music.

You're right, but he's clarifying that that's all they use that permission for. It might be worth auditing the app on a rooted device to see what it actually does though.
If they explicitly ask for permission on each access anyways, then it is unnecessary to talk about it in T&C.
No, it is not, because they still need to explain what exactly they are doing with it, unless they want to show the legalese each time the feature is activated.
Being a Spotify user on iOS, I didn't expect much change from the new privacy policy they had released. The OS doesn't permit apps to access the camera roll, microphone, location services or contacts without explicit permission. Which is essentially what Daniel is re-stating here, for those who are freaking out/forgot. But I guess it's good to state this, because the desktop apps are a bit less sandboxed (aside from the one that runs in the browser). Also, the revised privacy policy could have been written/worded better. I feel like there was just a significant disconnect between the legal and PR teams.
Most stock android users also only can give "explicit permission" by installing the app, there are no finegrained control mechanisms (because reasons).
Not yet, Android M comes with a similar permission model as iOS has.
This was my thought too (as an iOS user). Thanks for clarifying. My next car will have Carplay so the voice control in Spotify will be a welcome addition.
I literally just started toying around with using Spotify's API to build a voice control for it this week. I like the app and use it a lot, but it's impossible to (safely) put on something new while driving. If this were built in that would be fantastic.
"Voice: We will never access your microphone without your permission. Many people like to use Spotify in a hands-free way, and we may build voice controls into future versions of the product that will allow you to skip tracks, or pause, or otherwise navigate the app. You will always have the ability to disable voice controls."

Why even put it in if you're not using it? Honestly I just want something that plays music and 95% of that other stuff(which poses a large security risk on a managed corporate device) just isn't interesting.

If you ask for all of it in one go, you don't have to bother the user with new T&Cs all the time. You also only pay the lawyers once.
Apple's T&Cs are a great example of this (bothering the user regularly). I feel like I have to agree to 48 pages of updated iTunes T&C every time I download an app, and there's no way to know what changed since last time.
Apple's T&Cs are so long because they usually show you like 6 different documents, most of which aren't even in regard to iTunes. (Google does this too.)
I thought the exact same thing. How can people enjoy using the hand free features if they aren't in the app yet?
>I just want something that plays music

If you're concerned about privacy or security, I recommend not using any streaming service. You should just load the music you want to listen to onto your device, and use your local music player. You could also listen to an internet radio service like DI.fm which provides raw .pls files for use in any app.

This advice operates from a mindset that both privacy and security risks are binary. They are not+.

A third-party app that gives access to X,Y, and Z permissions is a larger security risk than an equivalent app that only has permissions for X. So if an app only needs X in its current version but requests Y and Z, then it is introducing unnecessary risk.

+ See e.g. https://systemoverlord.com/blog/2014/09/05/security-not-a-bi...

Yeah, an apology isn't a substitute for an updated EULA.

I will wait for the updated EULA before I re-evaluate my cancellation.

We will only use permissions with your permission!
"We also share some data with our partners who help us with marketing and advertising efforts, but this information is de-identified – your personal information is not shared with them."

We know that proper data anonymization is hard. Could they prove this or held liable if it's not working as intented?

Too late, I've just unsubscribed. This issue was a last-drop motivator, the primary reason being that I don't like paying artists I don't listen while the lesser known artists I do listen only get a few cents if anything of my monthly fee.
We went through a TOS kerfuffle recently with our startup. As a team we fall pretty far on the side of users' rights and privacy. I can't speak for Spotify, but I can say we found it to be a bit of a challenge to balance users' rights with future feature ideas, privacy controls within a mobile OS, corner cases, and legal fees. We wanted to keep options open around business models and features without having to go back to our lawyer (and our users) with every new release. It was instructive to be on the other end of crafting a TOS and realizing just how complicated and expensive it can get to try to do the right thing.
Funnily enough, I've never seen much of developers pushing for better privacy controls in the OS.
«Of course now with all that backlash [and probably a significant number of account cancellations], I can assure you that we never intended to actually do the stuff our new policy has reserved the rights for»

«Please accept this humble apology and look forward to an updated policy we will publish very soon (I promise). In the mean time, the updated policy stays in effect because, as you can see here, we never intended to do the things we were saying we're going to be doing, so it really doesn't matter for you»

(sorry for the sarcasm bordering cynicism, but I really didn't like the posting. If it was sincere, they would have immediately rolled back the policy until they have something better)

This hit the front page of Reddit (and http://skimfeed.com !) overnight. Other similar examples of "bad decision, reddit, ceo statement" are the Netflix price increase. It helps if the service is easy to stop using/cancel because then they see the juicy inverse hockeystick right in their analytics over their morning coffee.
I read this as "Click OK once while updating and we'll be gettin' all up in yo phone".

"We will never access your photos without explicit permission"

"We will never gather or use the location of your mobile device without your explicit permission."

"We will never access your microphone without your permission."

"We will never scan or import your contacts without your permission."

Crikey, you're not screening me for a mortgage or a job with a three-letter agency. Can't you write an app that doesn't need every last piece of info on my phone?