Security warning over Spotify update to terms and conditions

Spotify makes a data grab for user data

A security company has warned that changes to the terms and conditions of the popular Spotify streaming music app have extended the range of information and data that the app will be able to access - with implications for companies running bring-your-own-device (BYOD) policies.

The update to the company's terms and conditions will apply to all users - including users paying a monthly fee.

"It will now be able to access much more information on users' phones, including sensor information, GPS coordinates, photos and even contact information - all of which it can share with its partners," according to Skyhigh Networks.

The change to the popular company's terms and conditions, and the associated data grab, is not related to the company's ability to deliver the service that users are paying for, or have signed up to receive.

One part of the company's new policy includes the following: "With your permission, we may collect information stored on your mobile device, such as contacts, photos, or media files. Local law may require that you seek the consent of your contacts to provide their personal information to Spotify, which may use that information for the purposes specified in this Privacy Policy."

Translated by security company Sophos, this means: "Where you hang out, who you hang with, and what you do when you get there."

It continues: "There's no explanation for the scope of the words 'media files', but it sounds like a pretty wide net, and surely includes at least music, podcasts, videos, screenshots, your reading list, articles you've saved, ebooks you've downloaded, and more."

However, Skyhigh Networks warns that such changes to terms and conditions by a popular app company such as Spotify have potential implications for companies with BYOD policies, as well as organisations supplying company smartphones and other devices.

"Spotify's changes to its terms and conditions are giving it more power over users' data, knowing full well that the majority of users won't notice, and those that do probably won't care in the slightest.

"We're so used to clicking 'I agree' that we're paying less and less attention to what it is we're agreeing to, and rarely question why these companies need our data in the first place.

"Things get trickier still when you consider that a large proportion of mobile devices today have a mix of private and corporate data.

"We've seen several high-profile breaches just this week, where user data has been lost. As companies like Spotify store and are responsible for more user data, that's information that can go the way of Ashley Madison in case of a data breach - put online or sold to the highest bidder," said Nigel Hawthorn, Skyhigh's EMEA marketing director.