
Spotify has been accused of doxxing users through its share links. “But why does this matter?” asked many Cybernews readers. We decided to provide some answers. Each week, our team selects one pressing and common reader issue and deconstructs it to help you stay safe online.
Last week, Cybernews reported on Spotify adding a new feature that enables users to chat with each other. The company has started testing the feature with a selected pool of users in South America, with planned expansions to the US, Canada, Brazil, the EU, the UK, Australia, and New Zealand in the coming weeks.
However, criticism arose when users started noticing that among “suggested friends,” there were strangers. People quickly realized that those strangers were the people they had shared music links with.
This reveals that every share link carries a tracker tied to your account: the “?si=” parameter appended to the URL. The link itself does not name your account, but the identifier is unique to the share, so when a recipient opens it while logged in, Spotify can pair the sender's account with the receiver's.
This became clear after the Messages feature rolled out and users noticed that Spotify had retroactively populated their message history with past song shares, which is only possible if those tracking URLs had been recorded all along.
“Why does that matter, though?” asked many Cybernews readers.
“What are you gonna do with my identity? Play Roblox?” joked another.
“If I’m sending you music, I probably trust you,” points out one more commenter.
“If it were pornhub, then I could understand,” said another.
Our editorial team decided to investigate the situation and explain why it matters.
The end of privacy
At first glance, this might seem like a minor issue that isn’t worth worrying about. After all, Discord has an integration with Spotify that allows users to publicly display their profiles and what they are listening to.
Moreover, some users point out that Meta, for example, matches users by location and suggests friends who have been in the same place. Seen that way, Spotify matching people by shared music is nothing new in an industry with little regard for privacy.
Companies like Google and Meta can already track the links you share through URL parameters, cookies, and IP addresses to monitor user behavior and serve targeted advertising.
Spotify's data collection is a core part of its business model, letting it gather vast amounts of user data for profit. The company, which has recently come under fire for several security-related issues, is part of a broader story of eroding privacy and the slow loss of control over our own data.
In 2023, Spotify was fined over $5 million for failing to inform users that the platform collects large quantities of personal data for targeted advertising, tracks user activity on other platforms such as Facebook, and potentially misuses voice data from its voice features. The case also covered a lack of transparency about how user data is used to train AI models.
Spotify is not social enough to act as social media
Spotify's push to become a social platform reveals another ugly truth: it is poorly suited to being social. Many users do not treat it as cautiously as other social media platforms, because its main purpose is streaming music. What's more, it is not unusual for Spotify users to put their real names on their accounts.
For users who want to stay anonymous on other internet platforms, such as Discord, sharing Spotify links might reveal more than they initially intended to share.
“This new Spotify feature allows malicious actors to link your online personas to the pseudonyms you use on other accounts, potentially uncovering embarrassing posts and using them for harassment,” said Cybernews researchers.
The situation is even more dangerous if you signed up to Spotify using your Meta profile. In this case, Spotify displays your Facebook name and picture in the app, making your Facebook account traceable.
Random strangers from internet forums or communities where you share music might text you through Spotify's messages, cross-reference your social media accounts, or browse your playlists, which are public by default. In fact, hiding your Spotify playlists from the public takes deliberate effort.
“If your Spotify account contains your real name or a real picture of you, linking identities between accounts may lead to malicious actors identifying the real identity behind an otherwise anonymous social media account,” explained our researchers.
How to reduce the doxxing risk?
“Why do you even care if people know your name? Ninety-nine percent of us are nobodies that no one will take the time to identify cause they hold no value to our name,” wrote another Cybernews reader, raising a common question. Why should you, as an average user, be of interest to anyone on the internet?
Fair question: Who actually cares what playlists you’re into? But the real danger isn’t taste in music, it’s doxxing, and that can hit anyone, anytime. There are many known cases of internet sleuths, stalkers, journalists, or even security agencies identifying individuals over breadcrumbs of information scattered around the internet.
“You don't need to be rich or famous to be targeted. Leaving such features enabled may allow your disgruntled ex, an opponent in an online game, or a random troll to find out more information about you, and target you for harassment,” said the Cybernews research team.
What steps should you take to reduce the risk of doxxing?
- Minimize your digital footprint: Remove location EXIF from photos and avoid posting images near home/work or in real time.
- Strip tracking parameters from shared links: Spotify users should watch for the “?si=” parameter followed by a 16-character identifier at the end of every share link, and delete that part before pasting the link anywhere public.
- Lock down profiles: Use a display name instead of your legal name, and limit who can view your friends list, check-ins, and stories. Review old posts for identifying details.
- Data broker opt-outs: Regularly submit data removal requests to revoke your data from data brokers' databases.
- Protect your email and phone number: Use separate email addresses and phone numbers for shopping and newsletters, for banking, and for personal contacts, and use unique usernames on each platform.
- Monitor: Set Google Alerts for your name. If you get doxxed, document, report to platforms, and consider law enforcement if threats are involved.
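As an added example (not Cybernews's or Spotify's code), the following Python script automates the link-stripping step from the list above: it removes the “?si=” share identifier and common campaign tags such as “utm_” parameters from every URL in a message before you paste it, while keeping any other parameters so the link still opens the same content. The tracking-parameter list, the host list, and the sample links with their IDs and “si” values are constructed for the demo, not taken from real shares.

```python
"""Strip Spotify's share tracker (the ?si= parameter) and common tracking
parameters from links before pasting them in public.

Added example for this article, not code from Cybernews or Spotify.
The parameter list, host list and sample links are assumptions/constructed.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that carry attribution/tracking state rather than content.
# "si" is the share identifier the article describes; the rest are common
# ad and campaign tags seen on links copied from other apps (assumption).
TRACKING_PARAMS = {"si", "fbclid", "gclid", "igshid", "mc_eid"}
TRACKING_PREFIXES = ("utm_",)

# Hosts on which Spotify serves share links (assumption, not an official list).
SPOTIFY_HOSTS = {"open.spotify.com", "play.spotify.com"}

# Matches http(s) URLs inside free text, stopping at whitespace and brackets.
_URL_RE = re.compile(r"https?://[^\s<>()\[\]\"']+")


def is_tracking_param(name: str) -> bool:
    """True if a query-parameter name is on the tracking list."""
    lowered = name.lower()
    return lowered in TRACKING_PARAMS or lowered.startswith(TRACKING_PREFIXES)


def tracking_params(url: str) -> dict:
    """Return {name: value} for every tracking parameter present in the URL."""
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if is_tracking_param(k)}


def strip_tracking(url: str) -> str:
    """Return the URL with tracking parameters removed.

    Non-tracking parameters and the fragment are preserved, so the link
    still opens the same content. Non-http URIs (spotify:track:...) have no
    query string and pass through unchanged.
    """
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not is_tracking_param(k)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


def is_spotify_share_link(url: str) -> bool:
    """True if the URL points at a Spotify web-player host."""
    return urlsplit(url).netloc.lower() in SPOTIFY_HOSTS


def clean_message(text: str) -> str:
    """Rewrite every URL in a chat/forum message with its tracker stripped."""
    return _URL_RE.sub(lambda m: strip_tracking(m.group(0)), text)


# Constructed sample: the track/playlist IDs and si values are made up and
# follow only the shape the article describes (a 16-character si value).
SAMPLE_MESSAGE = (
    "check this out "
    "https://open.spotify.com/track/0aAbBcCdDeEfFgGhHiIjJk?si=AbCdEfGh12345678 "
    "and the playlist "
    "https://open.spotify.com/playlist/1xXyYzZ0123456789abcde"
    "?si=qwertyuiop123456&utm_source=copy-link"
)


if __name__ == "__main__":
    for url in _URL_RE.findall(SAMPLE_MESSAGE):
        print("spotify link:", is_spotify_share_link(url))
        print("  tracker   :", tracking_params(url))
        print("  cleaned   :", strip_tracking(url))
    print(clean_message(SAMPLE_MESSAGE))
```

Run it as a script to see each link's tracker values and the cleaned message; in practice you would pipe your clipboard through clean_message before posting. The stripper removes parameters by name rather than by the 16-character length, so it keeps working if Spotify changes the identifier's format but not its name, and it leaves legitimate parameters such as a “context” value in place.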