Updated privacy policies – do you check what’s changed?

Do you use the music-streaming service Spotify?

According to Wikipedia, more than 75,000,000 people worldwide do, and one of them is Forbes writer Thomas Fox-Brewster.

Earlier this week, he received notification from Spotify about changes in its privacy policy.

Such is internet life these days.

At this point, Fox-Brewster did something we should all have done, but probably didn’t: he went looking with some care to see what had changed.

Programmers are used to looking at and reviewing each other’s changes in a well-known ritual called a “diff,” short for “checking the differences.”

The word diff, in fact, is the name of a widely used programming tool that picks out and draws your attention to the changes between two versions of a file.

For program source code that hasn’t changed much, diff and similar tools do a great job, clearly denoting lines that were removed, new code that was added, and buggy lines that were changed.

For web pages, however, diffs are a trickier prospect.

Even if you use Fox-Brewster’s links for Spotify’s old and new privacy policy pages, save them as plain text files and diff them, the results are underwhelming because the changes aren’t quite as regimented and as line-based as programmers’ edits tend to be.

For example, the sections about “The information we collect” have changed position, moving from part 2 to part 3 and getting new section numbers as well as new content.
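One way around the moved-and-renumbered problem is to compare sentences grouped by section title instead of comparing lines. The Python below is an added example, not part of the original article: the function names are hypothetical and the two policy excerpts are constructed sample text, not Spotify's wording.

```python
import re
from difflib import SequenceMatcher

# A numbered heading such as "3 The information we collect" (no end punctuation).
HEADING = re.compile(r"^\d+(?:\.\d+)*\.?\s+([^.!?]+)$")

def split_sections(text):
    """Map heading title (section number stripped) -> sentences in that section."""
    sections, title = {}, "(preamble)"
    for line in text.splitlines():
        line = line.strip()
        m = HEADING.match(line)
        if m:
            title = m.group(1).strip().lower()
            sections.setdefault(title, [])
        elif line:
            # Naive sentence split; abbreviations such as "e.g." would need more care.
            sections.setdefault(title, []).extend(re.split(r"(?<=[.!?])\s+", line))
    return sections

def policy_changes(old, new, similar=0.6):
    """Report added, removed and reworded sentences, ignoring section order and numbers."""
    old_s, new_s = split_sections(old), split_sections(new)
    report = {"added": [], "removed": [], "reworded": []}
    for title in sorted(set(old_s) | set(new_s)):
        before, after = old_s.get(title, []), new_s.get(title, [])
        gone = [s for s in before if s not in after]
        for s in (x for x in after if x not in before):
            best = max(gone, key=lambda g: SequenceMatcher(None, g, s).ratio(), default=None)
            if best and SequenceMatcher(None, best, s).ratio() >= similar:
                report["reworded"].append((title, best, s))  # old sentence expanded or edited
                gone.remove(best)
            else:
                report["added"].append((title, s))
        report["removed"] += [(title, s) for s in gone]
    return report

# Constructed sample excerpts: the section moves from part 2 to part 3 and grows.
OLD = """2 The information we collect
We collect location information if your device provides it.
We collect your email address when you register.
"""
NEW = """2 Your choices
You can change permissions in your device settings.
3 The information we collect
We collect your email address when you register.
We may collect location information from GPS or Bluetooth if your device provides it.
We may also collect sensor data about the speed of your movements.
"""
if __name__ == "__main__":
    print(policy_changes(OLD, NEW))
```

On the sample, the renumbered section produces no noise: the report contains only the expanded location sentence, the new sensor-data sentence and the new section.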

In the end, therefore, the easiest approach is simply to re-read the new privacy policy with the same care that you read the old one.

In this particular case, fortunately, Fox-Brewster has done most of the work for you, noticing a number of new data collection terms and conditions.

The old policy mentioned that Spotify would definitely collect “location information” if it could.

That’s now expanded to say:

“[W]e may also collect information about your location based on, for example, your phone’s GPS location or other forms of locating mobile devices (e.g., Bluetooth). We may also collect sensor data (e.g. data about the speed of your movements, such as whether you are running, walking, or in transit).”

In other words: where you are, where you’re going, and how you are getting there.

There’s more in the new policy, which also wants to do this:

“With your permission, we may collect information stored on your mobile device, such as contacts, photos, or media files. Local law may require that you seek the consent of your contacts to provide their personal information to Spotify, which may use that information for the purposes specified in this Privacy Policy.”

In other words: where you hang out, who you hang with, and what you do when you get there.

There’s no explanation for the scope of the words “media files,” but it sounds like a pretty wide net, and surely includes at least music, podcasts, videos, screenshots, your reading list, articles you’ve saved, ebooks you’ve downloaded, and more.

We can guess why all that sort of stuff might be valuable to a service like Spotify, and we think the new policy makes good business sense.

We aren’t going to pass judgement on whether sharing that information is worth it to you, because that’s a decision you need to make for yourself.

(Spotify does warn you in capital letters that it reserves the right to share that data with its own business partners that may be overseas, “INCLUDING [IN] COUNTRIES WHICH DO NOT PROVIDE THE SAME LEVEL OF PROTECTION FOR THE PROCESSING OF PERSONAL DATA AS THE COUNTRY OF YOUR RESIDENCE.”)

What we are suggesting is that Thomas Fox-Brewster’s vigilance ought not to be something special, conducted to produce subject matter for security articles such as this one.

Vigilance in checking and rechecking privacy policies is something that we should all do, not just for Spotify but for any other service that knows anything about us.

Every time, even though it’s a bit of a pain.

The devil, as they say, is in the details.