Skip to content
Naked Security Naked Security

Updated privacy policies – do you check what’s changed?

A Forbes writer decided to take a careful look at the changes in the new Spotify privacy policy. He checked, but did you?

Do you use the music-streaming service Spotify?

According to Wikipedia, more than 75,000,000 people worldwide do, and one of them is Forbes writer Thomas Fox-Brewster.

Earlier this week, he received notification from Spotify about changes in its privacy policy.

Such is internet life these days.

At this point, Fox-Brewster did something we should all have done, but probably didn’t: he went looking with some care to see what had changed.

Programmers are used to looking at and reviewing each others’ changes in a well-known ritual called a “diff,” short for “checking the differences.”

The word diff, in fact, is the name of a widely-used programming tool that picks out and draws your attention to the changes between two versions of a file.

For program source code that hasn’t changed much, diff and similar tools do a great job, clearly denoting lines that were removed, new code that was added, and buggy lines that were changed.

For web pages, however, diffs are a trickier prospect.

Even if you use Fox-Brewster’s links for Spotify’s old and new privacy policy pages, save them as plain text files and diff them, the results are underwhelming because the changes aren’t quite as regimented and as line-based as programmers’ edits tend to be.

For example, the sections about The information we collect have changed position, moving from part 2 to part 3 and getting new section numbers as well as new content.

In the end, therefore, the easiest approach is simply to re-read the new privacy policy with the same care that you read the old one.

In this particular case, fortunately, Fox-Brewster has done most of the work for you, noticing a number of new data collection terms and conditions.

The old policy mentioned that Spotify would definitely collect “location information” if it could.

That’s now expanded to say:

[W]e may also collect information about your location based on, for example, your phone’s GPS location or other forms of locating mobile devices (e.g., Bluetooth). We may also collect sensor data (e.g. data about the speed of your movements, such as whether you are running, walking, or in transit).

In other words: where you are, where you’re going, and how you are getting there.

There’s more in the new policy, which also wants to do this:

With your permission, we may collect information stored on your mobile device, such as contacts, photos, or media files. Local law may require that you seek the consent of your contacts to provide their personal information to Spotify, which may use that information for the purposes specified in this Privacy Policy.

In other words: where you hang out, who you hang with, and what you do when you get there.

There’s no explanation for the scope of the words “media files,” but it sounds like a pretty wide net, and surely includes at least music, podcasts, videos, screenshots, your reading list, articles you’ve saved, ebooks you’ve downloaded, and more.

We can guess why all that sort of stuff might be valuable to a service like Spotify, and we think the new policy makes good business sense.

We aren’t going to pass judgement on whether sharing that information is worth it to you, because that’s a decision you need to make for yourself.

(Spotify does warn you in capital letters that it reserves the right to share that data with its own business partners that may be overseas, “INCLUDING [IN] COUNTRIES WHICH DO NOT PROVIDE THE SAME LEVEL OF PROTECTION FOR THE PROCESSING OF PERSONAL DATA AS THE COUNTRY OF YOUR RESIDENCE.”)

What we are suggesting is that Thomas Fox-Brewster’s vigilance ought not to be something special, conducted to produce subject matter for security articles such as this one.

Vigilance in checking and rechecking privacy policies is something that we should all do, not just for Spotify but for any other service that knows anything about us.

Every time, even though it’s a bit of a pain.

The devil, as they say, is in the details.


How about campaigning for a privacy policy that says “we won’t do anything with any of your data except for the following” and then limit it to a page of A4.

When I retire and have the time, I plan to run a campaign to get terms and conditions for any consumer transaction limited to a single page of A4 in 11pt text. This was inspired by the T&C on the back of an airline ticket written in around 4pt text and that some user licences from software companies are longer than some of Shakespeare’s plays.

11pt is the minimum recommended font size for anyone over 45. Good companies use as much as 14pt for literature aimed at the elderly.

Here in the UK, we have a great law about unfair terms and conditions, so to a certain extent, it doesn’t matter what people write, a court can determine that it is unfair.


I’d like to add to your recommendation to remove the legalese talk that is forever dominant in user agreements, aup’s, TofC’s, and EULAS. It should be easy to understand and read for the general populace.


It greatly helps when someone explains why companies want all that data. In many ways it is down right scary what is collected and why.


Spotify is a “music-streaming service”, right?

So at protocol level it needs to know (1) my IP address to stream (2) requested music that “I” (my IP address) has requested.

Anything else is an invasion of privacy


The trouble is that the only option you have is to stop using the facility concerned, and that is often not practical. They have you by the proverbial short and curlies and they know it.


We need an OS-level facility to look at an app’s requested permissions and individually return ‘real’ or ‘fake’ data.

Nosy apps would see I’m on a first name basis with Santa Claus, typically travel at mach 3, and like kittens.

Garbage in; garbage out.


Paul, I’m curious why you say: “…we think the new policy makes good business sense.” How on earth does that make good business sense?!


For the same sort of reason that it makes business sense for supermarkets to have loyalty cards so they can learn who likes what, and when…so they can hit you up with special offers that may be more interesting, and make sure they stock those reassuringly expensive artisan cheeses that have recently become surprisingly popular in your neighbourhood.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!