

Daniel Ek and Minecraft creator Notch debate Spotify privacy policy - tooba
http://musically.com/2015/08/21/daniel-ek-minecraft-notch-spotify-privacy-policy/

======
smegel
The truly rotten egg here is Android (and Google by extension).

Why a user cannot elect to nominally provide permissions to an app, but
restrict the content of different grants (so an app may see an empty phone
book by default or an empty Pictures folder) is beyond me. It borders on
abusive.

~~~
tokenizerrr
You cannot do any of that on a computer either. As far as I know neither
Windows, Mac and Linux have any kind of permission system for the applications
they run. Sure, you can hack something together using
sandboxing/containers/VMs, but none of the operating systems provide this by
default. There have been alternate Android roms which provide the features you
speak of, as well.

~~~
shock
That's not strictly true on Linux: you could use AppArmor/SELinux to remove
capabilities from programs. Surely not as user friendly as they could be but
the capability is there.

~~~
tokenizerrr
You can do that, but there is no way for an application to "ask" access to
anything. You need to fully know how the application works, where it wants to
read/write etc. I consider this under the hacking something together using
'sandboxing' portion of my post, since it's not something that will work for
your regular user. (Don't get me wrong, I think it's awesome but sadly not the
same as a permission system)

------
lqdc13
I think Spotify guy is right. If you give photos access to twitter, it is not
much of a stretch to give it to the Music app.

The problem is the way permissions work. You should be able to give temporary
individual permissions to each app for each service to only a portion of your
storage. For example, not all photos forever, but just these photos.

The way the permissions currently work on Android is insane.

It is also insane that people are okay with sharing all of this information
with facebook, twitter, verizon, google, lyft, uber, yelp and 50 other apps.

~~~
RGamma
Interestingly on virtually all home computers the situation with access
control to certain APIs and data is _way_ worse (because basically nobody (I
know you're out there SELinux/AppArmor/grsecurity/etc users) uses it to the
extent that would be necessary to provide even basic privacy protection or
system security).

I do hope that, when application sandboxing goes mainstream, it is not only
going to be used to mitigate dependency hell, but also to provide a nice and
featureful (and usable!) interface for filesystem/networking/etc isolation and
monitoring with white/black/greylisting and fake permissions (i.e. pretend an
application has a permission and return made-up data).

Heck, it'd probably be best to make full isolation of every executable the
default and selectively introduce (fake) permissions, such that it just gets
the minimum that is needed/desired.

~~~
throwaway7767
I'm a big fan of the Qubes OS project, and I think they're on the right track
there: [https://www.qubes-os.org/](https://www.qubes-os.org/)

Basically, have the desktop environment running in a non-network-connected
machine, and have different VMs for different purposes with application
windows seamlessly appearing on the desktop. If I have a spotify VM (or even
listen in a disposable-removed-on-close VM), there's nothing for them to
access.

EDIT: Not saying this is for everyone. At this point I would not let my
grandmother use it. But I can see the concept becoming very easy to use.

------
teh_klev
Have they removed their Contact Form (apparently the way to perma-close your
account)?:

[https://support.spotify.com/uk/article/how-can-i-close-my-
sp...](https://support.spotify.com/uk/article/how-can-i-close-my-spotify-
account/)

Yet clicking on the "Contact Form" link returns me right to:

[https://support.spotify.com/uk/contact-spotify-
support/](https://support.spotify.com/uk/contact-spotify-support/)

Wash, rinse, repeat.

Digging through their forums I eventually located this:

[https://support.spotify.com/us/close/](https://support.spotify.com/us/close/)

~~~
Jgrubb
Just had the same experience. edit: thanks for the link.

------
sp332
Wasn't loading for me, here's a cache
[http://webcache.googleusercontent.com/search?strip=1&q=cache...](http://webcache.googleusercontent.com/search?strip=1&q=cache:http%3A%2F%2Fmusically.com%2F2015%2F08%2F21%2Fdaniel-
ek-minecraft-notch-spotify-privacy-policy%2F)

~~~
outsidetheparty
Thank you, I was having the same problem.

------
sbarre
As long as I can opt out of providing access to those features (photos,
contacts, sensors) and still use the app, then I will do that, even if that
means I get "reduced functionality" or however they spin it. I just want to
listen to my music, I don't care about social features or anything like that.

But if I can only use the app by giving access to those features, even as a
paid subscriber, then I will absolutely cancel my paid account and look to
other services.

~~~
Rezo
Once you've given those permissions on Android by installing/upgrading
Spotify, you have no guarantee that the app won't use them without your
knowledge. Any options to limit the features from inside the app itself are
purely cosmetic from an access control point of view.

~~~
gpmcadam
Not sure about Android, but at least on iOS, you aren't prompted to allow
access to photos until the you attempt to use the feature in most cases, which
is what Spotify are arguing for here. But you're right, once you've granted
permission it's up to the app to be responsible.

Makes me think the OS should provide a 'Just this once' button when being
asked to allow access to extra permissions.

~~~
lucaspottersky
That would be nice. Otherwise, soon I'll need to use a "throw-away" phone just
for the apps since most of them usually require more permissions than I'd like
to share.

------
kevando
I like seeing these conversations and hope to see more public figures debate
them in the open like this.

------
criley2
Notch has a bad habit of getting caught up in drama and making loud but
seemingly stupid statements about a situation before all of the information is
out there.

Every time a company updates their app permissions, we get this kind of
permission-hysteria.

THEY WANT TO DOWNLOAD ALL OF MY PHOTOS!!!

Well, actually, they want you to be able to set a photo as the cover of a
playlist, and there is no difference between "Allow user to upload 1 photo"
and "Have access to all of users photo" in terms of mobile permissions.\

THEY WANT ACCESS TO MY GPS!!

Well, actually, they're rolling out a Run feature already implemented on iOS,
and, as always, you can disable GPS or customize its functionality on both
platforms pretty deeply.

Every permissions update we get these histrionics. Notch should have the
foresight to step back and listen before jumping in with a million followers.

~~~
mbrutsch
> Well, actually, they want you to be able to set a photo as the cover of a
> playlist, and there is no difference between "Allow user to upload 1 photo"
> and "Have access to all of users photo" in terms of mobile permissions.

I think Notch's response is quite accurate: “But I do understand how easy it
is to make up small features to require access to the entire phone so you can
sell your customers.”

Two things can be true at the same time. Just because the public, published
reason is innocuous doesn't mean there's not some MBA just waiting to get his
hands on that data.

~~~
JumpJumpJump
From my experience, when a company has the permission marketing always thinks
about new ways to use it.

------
smoyer
I didn't cancel my account (like Notch did) but I did remove it from my phone.
It should be safe to continue using on my desktop unless they're mining data
from my computer too.

~~~
Jtsummers
Should be safe since they don't need to ask your permission to access photos
on your computer.

~~~
smoyer
It would probably be more financially rewarding to try to break the encryption
on my password vault since I also stash my credit card information in there. I
have a pretty boring life, so my photos wouldn't help them much (plus I don't
have a Facebook account so where would they even use them?).

~~~
Jtsummers
Or search your documents for past tax returns. Find a social, even better than
a CC!

~~~
smoyer
Those are conveniently in a folder labelled "taxes" with sub-directories for
each year - I've been pwn'd.

------
ErikAugust
You could switch to the Apple service. Because, you know, Apple's got all your
stuff anyway.

------
SlashmanX
Notch seems insanely out of touch and paranoid here.

~~~
lawlessone
They basically want access to everything on your phone. are you comfortable
with that?

~~~
SlashmanX
1) I don't use Spotify.

2) I know how permissions work on mobile devices, therefore I know exactly why
they need access to all this new stuff and I know the permission can be denied
if I wanted to

~~~
mbrutsch
> I know how permissions work on mobile devices, therefore I know exactly why
> they need access to all this new stuff

Those two things are not even remotely related. Your knowledge of the
permissions on a mobile device sheds exactly zero light on what is going on in
the minds of the Spotify employees who participated in this decision.

~~~
SlashmanX
I know that they need location access for the running feature. I know that
they need access to photos to allow changing of profile pic. That's what's
going through their minds "We want to add this feature, but hey wait, we need
a new permission and we'll have to update our privacy policy accordingly"

~~~
mfjordvald
This is entirely possible yes. I have also worked with people for whom that
was just the public reason and the less nice uses were very much on their mind
privately.

Comes down to whether you trust corporations or not.

