Spotify

Post removed by OP for legal reasons
 
Hmm, I use Spotify myself but haven't updated the client in a while, though now I might just avoid it. Certainly a credible app should always ask whether it can check accounts on another service (e.g. anything that interfaces with Twitter usually does this as per the TOS); IMO this is not something they should be sticking in small print, especially if doing so could also change the status/nature of that other account to your detriment.
 
Thanks Mark.

Because I intend to pursue the matter legally, and shall be engaging my solicitor to deal with this, I have removed the content of the posts.

As said however this is a serious breach of data security and I would recommend anyone who values their privacy and the security of their information to avoid Spotify.
 
Mark,

Thanks for the heads-up. All staff here stopped using Spotify some months back after all the integration with Facebook started to gather pace. To be forced to interact with a 3rd party site, we felt, was a step too far, especially the way Facebook changes privacy all the time (normally making mistakes each time they update). We simply felt staff data could be leaked without knowledge.
 
Apologies for the removal of the original posts; I do think the information should be in the public domain.

At this point, I'm minded to write to Spotify setting out what happened and to give them the opportunity to refute anything before I put it in the public domain (e.g. BBC Watchdog, News 24's Click, news channels e.g. Russia Today).

I have already told them that I shall be pursuing this through the appropriate UK channels, not just because of the data disclosure on my account, but because of the danger they are placing their users in.

That's why the posts were removed. Once I have a response I'll put them back up again.

I'm certainly not seeking to sue for some windfall amount or any amount - my concern is that people need to be aware of what has occured here.

I have bundled up all the information and sent it to the Information Commissioner's office following a conversation with them yesterday.
 
I have bundled up all the information and sent it to the Information Commissioner's office following a conversation with them yesterday.
Good luck with that - Ineffective and disinterested when I contacted them about a potential for mass data theft from an (also disinterested about my complaints) land line service provider.

Tom - www.mouselike.org
 
I saw something on TV earlier this week about people getting nuisance calls on their landlines after having registered with the Telephone Preference service.

This is totally alien to me, since we haven't had a landline in 5 years, and you tend not to get them on mobiles. The last landline calls I remember coming in were from a debt collection agency after someone whose address was 100 miles away. Anyway..

Apparently there are about 2,000 complaints a month regarding unsolicited cold callers. When asked "How many prosecutions have you secured in the last 18 months?" the answer came back "None".

Quelle surprise. Thing is I have a feeling that's the guy I spoke to on the phone.

In all my years in IT (about 18 I think) I've never seen such a blatant deliberate breach of the Data Protection Act as Spotify and Facebook. At each step as I uncover what happened, I think "that really can't be true" and it is.

If you value your privacy and the security of your information you won't have a Facebook account anyway (having one that's suspended is pointless, a Google search reveals the "full delete" URL), but as stated, stay well away from Spotify also.

Once I get back the subject access request data and their response I'll post an update.
 
OK, Spotify have now invoiced me for the £10 for my Subject Access Request so I'll pursue that.

In the meantime, here's my last email to them. No reply, so here's what I believe to have happened.

--

I have passed the details of your breach of the Data Protection Act 1998 to the Information Commissioner's office following a conversation in which they requested same.

Before I go ahead and place this information in the public domain (for instance, contacting BBC's Watchdog programme, News 24's Click and news channels) I wanted to give Spotify the opportunity to correct any misunderstandings or factual inaccuracies.

I believe the following to be a true and accurate reflection of what has happened.

Please respond within five calendar days from the date of this email with any corrections so that I can ensure that anything published about you is entirely accurate.

Thank you,
Mark


1. I disabled my Facebook account a long time ago and did not and do not use it.

2. I created a Spotify account with a specific username and used that on signup quite some time ago. I do remember very specifically choosing a Spotify login; I do not use Facebook anyway.

3. I then later rebuilt my PC and used incorrect login details to access Spotify, instead using my email address instead of the correct user name.

4. Instead of rejecting my invalid login, Spotify have asked Facebook if I have an account with that user name and password despite me giving no explicit sanction to transmit that information to them.

They said they did, even though the account was suspended, and Spotify have gone ahead and set up a second account linked with Facebook by virtue of the invalid login. It's my fault for using incorrect login details, yes. But I'd expect to be told so. This has resulted in me having two paid subscriptions running simultaneously - one for the orphaned account and one for the 'Facebook' one.

5. Without knowing it, I've been using that account since the rebuild in step 3.

6. I realised that my Facebook account had "come back to life" all by itself last week, and this time requested a complete deletion of my data. Shortly after this point the Facebook account was deleted.

7. I find that my Spotify login no longer works and as I key in what I believed to be the correct login, which had worked before, Spotify have then made API calls to Facebook and sent them that email address and password *after* I had them delete my data (clearly, since this is why the login stopped working), so it's possible that the very data I wanted removed from Facebook's database is again now stored in there in a list of "login attempts" leaving me vulnerable to exactly the sort of data disclosure I wanted to prevent when Facebook is eventually compromised, whether it's stored using a one-way hash or not.

I only spotted this after I emailed Spotify at Step 7 and Spotify responded confirming there were duplicate accounts. I had no idea until that point, nor that I had paid twice.

The clues were there:

1. The mysterious reactivation of the Facebook profile
2. Having to put the card details again on the second account - I assumed something had gone wrong, maybe the card got declined (I had to have the card in question replaced at one point around that time and the new one had a different number resulting in a string of declines for automated subscription payments which I had to rectify manually at the time)
3. The change of the Spotify interface from a split "choose your login" to "Login with Spotify or Facebook" - that is the really key one.

If you go to Spotify.com, download the app, and enter an email and password, both of those pieces of information will be sent to Facebook to check against their database to see if you have a Facebook account.

There is a serious data disclosure issue here which has occurred specifically because the login screen does not offer two login routes with, say, a drop-down list to pick which one you want; rather, it takes it upon itself to send what you key in to Facebook.

My Facebook account was not only "reactivated" but whatever I listened to with that connected account was also passed to Facebook and may have been published on my reactivated Facebook page.

Finally, because of the account lockout, it was necessary for me to look up the WHOIS record to find contact details; other users may not know how to do this. It is impossible to contact the company online without logging in.

--

I also discover that it is possible that Facebook passed back, along with the "login token", details such as my profile photograph. Which I take to be a very similar and serious breach of the Act in the opposite direction. However that is not a statement of fact, it is conjecture based on what I have read elsewhere.

The irony is that Spotify wanted to compete with iTunes. Until this happened I had a paid Spotify subscription, now, I buy stuff from iTunes.

I deleted the original posts after discovering that I was very far from the only one to have been impacted by these changes at Spotify, though perhaps the combination of events meant I was impacted more than most. I wanted to give Spotify the opportunity to correct anything that was not correct.

As they have elected not to bother replying, I'll take it that I was correct.

In summary, I think my privacy has been royally raped by these two companies and I would recommend that people avoid both.
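The post above describes a login screen that forwards whatever is typed into it to a third-party identity provider and then auto-links accounts on a match. The following is an added example, not code from the original posts and not Spotify's or Facebook's implementation; it is a constructed model of that design flaw beside a hardened form, so the difference can be checked rather than argued about. The user names, email address, password and URLs (`markuser`, `mark@example.com`, `hunter2`, `https://idp.example/authorize`, `https://svc.example/cb`) are all made up for the example, and the `ThirdPartyIdP` class is a stand-in that simply records every credential pair it is sent.

```python
"""Credential-forwarding login (flawed) versus local-only login plus an
explicit, password-free third-party route (hardened). Added example with
constructed data; it does not represent any real service's code."""
import hashlib
import hmac
import os
import secrets
from urllib.parse import urlencode


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LocalUserStore:
    """The service's own accounts, keyed by username."""

    def __init__(self):
        self.users = {}  # username -> (salt, digest, linked_idp_id or None)

    def add(self, username, password, linked=None):
        salt = os.urandom(16)
        self.users[username] = (salt, _hash_pw(password, salt), linked)

    def verify(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, digest, _ = rec
        return hmac.compare_digest(digest, _hash_pw(password, salt))


class ThirdPartyIdP:
    """Constructed stand-in for an external identity provider (assumption, not
    any real provider's behaviour). It logs every credential pair it is handed,
    which is the 'list of login attempts' the post is worried about."""

    def __init__(self):
        self.accounts = {}  # email -> (password, active)
        self.received = []  # every (email, password) ever sent to us

    def register(self, email, password, active=True):
        self.accounts[email] = (password, active)

    def delete(self, email):
        self.accounts.pop(email, None)

    def check_password(self, email, password):
        self.received.append((email, password))  # retained regardless of outcome
        rec = self.accounts.get(email)
        return rec is not None and rec[0] == password  # a suspended account still matches


def login_forwarding(store, idp, identifier, password):
    """Flawed design: an unknown identifier, or an account already linked to the
    IdP, causes the raw credentials to be sent to the third party; a match on a
    previously unknown identifier silently creates a second, linked account."""
    rec = store.users.get(identifier)
    if rec is not None and rec[2] is None and store.verify(identifier, password):
        return "local"
    if idp.check_password(identifier, password):
        if rec is None:
            store.add(identifier, password, linked=identifier)
        return "linked"
    return "rejected"


def login_local_only(store, identifier, password):
    """Hardened design: the password is only ever compared against the local
    store. An unknown identifier is rejected and nothing leaves the service."""
    return "local" if store.verify(identifier, password) else "rejected"


def start_idp_login(authorize_url, client_id, redirect_uri):
    """The explicit third-party route the user must choose for themselves: an
    authorization-code style redirect carrying a client id and CSRF state, but
    no user secret of any kind."""
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return f"{authorize_url}?{urlencode(params)}", state


def scenario():
    """Replays the sequence from the post with constructed data and returns what
    each design leaked and created."""
    idp = ThirdPartyIdP()
    idp.register("mark@example.com", "hunter2", active=False)  # suspended, not deleted
    store = LocalUserStore()
    store.add("markuser", "hunter2")
    # Step 3/4: the user types their email instead of their username.
    first = login_forwarding(store, idp, "mark@example.com", "hunter2")
    # Step 6/7: the IdP account is deleted; the same login is tried again.
    idp.delete("mark@example.com")
    second = login_forwarding(store, idp, "mark@example.com", "hunter2")
    # Same mistake against the hardened design.
    idp2, store2 = ThirdPartyIdP(), LocalUserStore()
    store2.add("markuser", "hunter2")
    hardened = login_local_only(store2, "mark@example.com", "hunter2")
    url, _ = start_idp_login("https://idp.example/authorize", "app-id", "https://svc.example/cb")
    return {"first": first, "second": second, "leaked": list(idp.received),
            "accounts": len(store.users), "hardened": hardened,
            "hardened_leaked": list(idp2.received), "redirect": url}


if __name__ == "__main__":
    print(scenario())
```

The check that matters is `leaked`: in the forwarding design the password is handed to the provider on every attempt, including the one made after the provider-side account was deleted, and a duplicate local account appears. In the hardened design the provider receives nothing, and the only thing that ever travels to it is a redirect URL with no password in it.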
 