Privacy/Cookie Policies From Hell... SOUNDCLOUD

Bob Leggitt | Thursday 3 January 2013
Quite recently I focused one of these “From Hell” articles on Photobucket, whose attitude to privacy I thought would be hard to undercut among the ranks of really big, ‘serious’ sites. Of course, Twitter’s privacy arrangements are pretty dire, in particular (but by no means exclusively) because there’s no way to make your follow list private. Therefore, you can be psychologically analysed by your own followers at the very least – or, if your account is not protected, by anyone on the Web. So I wasn’t exactly regarding Photobucket as peerless in its cavalier attitude to privacy...

But the latest discoveries I’ve made about the enormous audio streaming site SoundCloud have come as a surprise. Clearly, the likes of Photobucket and Twitter are not the only contenders in the oppressive privacy race...

I’m taking a slightly different approach with this article, because SoundCloud’s take on privacy warrants a special, bullet point list of headlines…
  • SoundCloud uses LSO/Flash “Supercookies”.
  • SoundCloud uses “Web bugs”.
  • SoundCloud records your mouse movements/clicks, your scrolling actions and your keystrokes.
  • SoundCloud establishes logged-in access to third party sites such as Blogger and Tumblr without confirming user consent.
  • SoundCloud charges money for privacy functions.
  • SoundCloud doesn’t allow users to block followers.
  • SoundCloud doesn’t allow users to make their profiles private.

So, quite a few headlines. Have I over-sensationalised the list?… Read on, and see what you think…

SoundCloud’s Privacy Policy starts with the immortal: “Your privacy is important to us”. As is almost always the case when that sickeningly disingenuous phrase of weasel words is used, there’s a prefix missing. What the phrase typically means is: “Invading your privacy is important to us.”, and I’d certainly apply that to SoundCloud.

Before breaking down the headline list, I want to mention the new SoundCloud interface, which looks very much as if it will soon become the default. I always become very wary when I see these big revisions on big sites, because normally, it’s not just about the cosmetics. Indeed, within one minute of using the new SoundCloud interface I could see it was a lot more aggressive in terms of monitoring users. With the old interface, you load a page, and there’s no further ‘talk’ between your computer and SoundCloud until you click a link or button. But the new interface is perpetually grabbing information from your computer – timing your presence on the page to the exact second I presume, and going by what I’ve seen on SoundCloud’s Cookies and Privacy pages, I shudder to think what else (though ‘Mouseflow’ looks a likely culprit – read on). If you have a Firewall like Zone Alarm and a usage meter like Bitmeter you can physically see the constant digital ‘chat’ in the system tray icon as you’re continuously monitored. Noticing this, I was already getting the sense that, as with Photobucket, it’s pretty much time for me to stop using SoundCloud.

So, to kick off a full exploration of my headlines list with the LSO/Flash cookies… SoundCloud acknowledges using Flash cookies in its Cookies Policy, but says:

“We do not use Flash cookies for the purposes of collecting any personal data, and do not use Flash cookies to respawn any cookies that you might previously have deleted.”

So that’s okay then, isn’t it? No. Because if you disable your Flash storage using the Adobe Flash Settings Manager (as described in my LSO cookies article), the SoundCloud Flash streams won’t play. This means that if you want to play SoundCloud Flash streams (as opposed to their HTML5 streams) across the Internet, you MUST allow LSO cookies onto your drive. Even if you’re not a registered user. That obviously opens up your computer to Flash cookies from other Web presences, whose LSOs will collect personal data, and will respawn deleted cookies. Surely SoundCloud could have found a way to make their Flash player work without forcing users to accept LSOs?

But this is also a potential legal minefield for the countless third party sites who add SoundCloud streams to their pages. If you have SoundCloud Flash streams on your site, then, as my tests have shown, those streams will place LSO cookies onto the computers of your site visitors when they click the play buttons. So technically, you'd be required to inform visitors via your own Cookie Notice, that certain of your pages will set LSOs on their systems. Otherwise, a visitor who doesn’t use SoundCloud would not have access to any warning about those LSOs, and that would be legally dicey as far as I’m aware. But whatever the exact legal position, millions of Web users will inevitably be taking LSOs from SoundCloud, via third party sites, without knowing anything about it or having any acceptable means of finding out. You can't really blame the third party sites for that. SoundCloud's system has to be considered irresponsible.
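One way for a site owner to repeat the test described above on their own pages, as an added example that is not part of the original article: snapshot the Flash Player shared-object store, press play on the embedded stream, and list the domains that gained `.sol` files. The directory locations are the usual Flash Player defaults; the function names are illustrative.

```python
import os
import sys
from collections import defaultdict
from pathlib import Path


def default_lso_root():
    """Usual Flash Player shared-object directory for this OS."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("APPDATA", str(home)))
        return base / "Macromedia" / "Flash Player" / "#SharedObjects"
    if sys.platform == "darwin":
        return (home / "Library" / "Preferences" / "Macromedia"
                / "Flash Player" / "#SharedObjects")
    return home / ".macromedia" / "Flash_Player" / "#SharedObjects"


def find_lsos(root):
    """Map each origin domain to the (.sol path, size) pairs stored for it.

    On-disk layout: <root>/<random profile dir>/<domain>/.../<name>.sol
    """
    root = Path(root)
    found = defaultdict(list)
    if not root.is_dir():
        return {}
    for sol in sorted(root.rglob("*.sol")):
        parts = sol.relative_to(root).parts
        if len(parts) < 3:
            continue  # not in <profile>/<domain>/... form
        rel = Path(*parts[2:]).as_posix()
        found[parts[1]].append((rel, sol.stat().st_size))
    return dict(found)


def new_domains(before, after):
    """Domains that gained LSO storage between two snapshots."""
    return sorted(set(after) - set(before))


if __name__ == "__main__":
    # Snapshot, press play on the embedded stream, then snapshot again.
    before = find_lsos(default_lso_root())
    input("Press play on the embedded player, then hit Enter... ")
    after = find_lsos(default_lso_root())
    for domain in new_domains(before, after):
        print(domain, after[domain])
```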

Next, Web bugs… Again, from the SoundCloud Cookies Policy:

“We use “clear GIFs”, sometimes known as “web bugs”, which are small image files that we embed into our email newsletters. These clear GIFs tell us whether you opened the newsletter, clicked on any of the content or forwarded the newsletter to someone else.”

Yes, your privacy is certainly very important to SoundCloud.
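A recipient-side check for the clear GIFs described in the policy excerpt above, as an added example that is not part of the original article: it parses a newsletter's HTML body and flags remotely loaded images that are 1x1 or hidden. The sample message and its `news.example` hosts are constructed for illustration, and the size/visibility heuristic is an assumption, since any remote image fetch can report an open.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _px(value):
    """Leading integer of a width/height attribute, or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class RemoteImageFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images travel with the message; no fetch
        style = a.get("style", "").replace(" ", "").lower()
        w, h = _px(a.get("width")), _px(a.get("height"))
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        hidden = "display:none" in style or "visibility:hidden" in style
        self.remote.append({"host": url.hostname,
                            "has_query": bool(url.query),
                            "likely_bug": tiny or hidden})


def scan_email_html(html):
    """Return (all remote images, those that look like web bugs)."""
    finder = RemoteImageFinder()
    finder.feed(html)
    return finder.remote, [r for r in finder.remote if r["likely_bug"]]


# Constructed sample newsletter body (not a real message).
SAMPLE = """<html><body>
<img src="cid:logo@newsletter" width="200" height="60">
<img src="https://cdn.news.example/banner.png" width="600" height="120">
<p>This month's picks...</p>
<img src="https://track.news.example/o.gif?u=SUBSCRIBER-ID" width="1" height="1">
<img src="http://track.news.example/p.gif?m=42" style="display: none">
</body></html>"""

if __name__ == "__main__":
    remote, bugs = scan_email_html(SAMPLE)
    print(len(remote), "remote images;", len(bugs), "likely web bugs")
```

Mail clients that block remote images by default stop both the flagged and unflagged fetches, which is why the count of all remote images is returned as well.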

Here’s another gem buried in the Cookies Policy:

“We work with Mouseflow ApS ("Mouseflow") to help us understand which parts of our website are of most interest to website visitors. Mouseflow does this by recording mouse clicks, mouse movements, scrolling activity and certain text that users type in the Website (other than text typed in password fields), and aggregates this information into heat maps showing which areas our website generate the most activity.”

SoundCloud do stress that this only applies to the main homepage, and that the collected information is aggregated and not personally attributed to specific users. But it’s not a comfortable feeling knowing that websites are monitoring your usage so intensively. It’s almost the equivalent to having someone standing there behind you with a video camera. But more to the point, they don’t need to do this. They can see quite clearly from conventional analytics which parts of the site generate the most activity. What these "mouse re-enacting" tools are really all about is making an in-depth study of users’ behaviour, and that’s a completely different matter from gauging the popularity of various parts of the site. Do you want to be part of SoundCloud's grand behavioural survey? I don't.

You can supposedly opt out of Mouseflow tracking at http://mouseflow.com/opt-out/, but if you don’t consent to taking cookies from Mouseflow the opt-out function doesn’t work (it didn't for me, anyway). Ah, whoever said we all had a right to privacy?...

I’m a little unsure about the exact implication of this next point. What I do know is that the likes of Twitter require you to officially grant any third party apps access before info can be transferred between the third party site and your logged in Twitter account. I also know that Blogger at least used to require users to officially grant SoundCloud access before information could be transferred from SoundCloud to a logged in Google account. It's now the case, however, that information can be directly transferred from SoundCloud to both logged in Tumblr and logged in Blogger accounts (and possibly other sites) without the user having to click a consent button. You merely click on the Tumblr or Blogger sharing buttons in SoundCloud, and SoundCloud transfers song/track info straight to your logged in Tumblr or Blogger account. I've checked my Google account and it tells me no third-party sites are authorised for access, so I definitely haven't given permission in the past and forgotten about it.

I find it disconcerting that SoundCloud is able to access third party logins without some part of the process attempting to confirm permission. After all, it doesn’t say on SoundCloud that clicking the buttons will log you into another site and transfer information. When I clicked the Blogger button in SoundCloud I initially thought I’d just get a line of code to paste over, but it in fact opened up a new Blogger post - from SoundCloud! I'd assume all parties (SoundCloud and the other sites) would have to collude in setting this up, but just for the sake of user confidence you'd think they'd block access until it was confirmed. It just looks bad.

I am sure about the next point. SoundCloud charges money for privacy. If you want to disallow comments, or make your comments private, or make your stats private, SoundCloud recognises those important privacy issues, and provides you with the means to do all of the above… But only if you pay for an upgrade. This, as far as I'm concerned, is an abuse. They’re not asking people to pay for extended features – they’re disabling privacy components and using the consequent psychological pressure, which can arise as a product of inadequate privacy, to extort money out of users.

Worst of all, SoundCloud actually acknowledge that these are privacy issues. The URL which explains how to enable these features ends in the word “privacy” – so they know full well it’s privacy they’re trying to charge you for, and not just luxury features. I thought for a while before using the word “extort”, because it’s a very strong word. But I feel it’s justified. I know – no one forces you to use SoundCloud, and you can close down your account at any time. But this is a psychological trap, and for some users, part of that psychology will be that they’ve reached a point in their use of SoundCloud where they feel closing the account is not an option. Online privacy should not cost money – case closed.

The penultimate point follows on from the above, but this time, there’s no means to achieve the desired level of privacy at all. You can’t block followers on SoundCloud. Followers can be “muted”, to use SoundCloud’s term, but it’s not the same as blocking. This is not just about whether another user gets my updates or is able to spam me - If I get someone whose views I find offensive following my account, I don’t want that association there for anyone who visits my SoundCloud page to see. I need to be able to either block that user, or in some other way get them off my public page. “Muting” doesn’t do either, so it’s just not good enough. I've gently criticised WordPress on here before because it doesn't permit the blocking of followers, but the WordPress situation is very different, because a user can keep his/her followers list private. It's the fact that SoundCloud doesn't permit either blocking OR rendering the followers list private that makes this into a much more serious and oppressive matter.

Finally, Profile Pages can’t be made private on SoundCloud. Again, there’ll be people who’ll say: “Well just don’t put any information on there!”. But that doesn’t cover it. The Profile Page shows, for example, everyone you’re following, and you can’t remove that information from the page. So we’re back in the territory of Twitter, with outsiders being able to mentally profile the user based on their tastes and preferences. But it’s worse than Twitter, because with SoundCloud you can’t even protect your account. Any Internet user can find out who you’re following on SoundCloud, along with who’s following you. How any site which refuses to allow the suppression of that information can claim to care about user privacy I haven’t a clue. But as SoundCloud insist, your privacy is important to them.

CONCLUSION

So, what now? I’m a SoundCloud user with a number of SoundCloud streams on this site, and that gives me a dilemma. Having made the discoveries I’ve made, I’ve updated the Cookie Policy here on Planet Botch to warn visitors that, at least for the time being, there’s the potential for them to pick up LSO cookies whilst on one or more of my pages.

I’ve made a start with replacing some of the SoundCloud streams with Tindeck streams (which will at least help stem the LSO problem). But whilst Tindeck doesn’t seem to have declared war on privacy with quite the aggression of SoundCloud, it’s far from ideal. In fact I don’t think you can even remove comments on Tindeck, let alone block them, and I haven’t been very comfortable with one or two of the promotions which have appeared on the Tindeck site. But in the limited realm of free audio streaming hosts you very quickly run out of options, and you can’t afford to be too choosy. Also, Tindeck is tiny compared with SoundCloud, and appears to be run by just one guy. Some of the flaws in Tindeck could possibly be put down to oversight. That’s obviously not the case with SoundCloud.

One positive clause with the SoundCloud revisions is that it appears the new interface is incompatible with old browsers. That’s probably going to mean you can preserve the old interface by getting an outdated browser (from a site like Old Apps) and using it purely for SoundCloud. At least for the time being, anyway. But in time, it’s quite possible that SoundCloud could ditch the old interface and drop support for older browsers altogether.

Just because a privacy measure is not set in law or recognised by the average Web user as a privacy right, it doesn’t mean it’s not necessary. Ask the average Twitter user what's wrong with the site's privacy and they'll immediately start thinking about whether or not someone could get hold of the email address or whatever. They don't see the elephant in the room - namely, that unless they lock off their account entirely, their permanently public follow list reveals their innermost tastes and preferences to the world. Millions and millions of people accept this situation, but it is, nevertheless, a gross privacy invasion, and one of the Internet's worst genuinely legal privacy policies. SoundCloud mirrors that oppressive model, but takes it a stage further, as well as adding in a raft of other privacy nasties on top.

If I’ve sounded annoyed in this article it’s because I am. I’m annoyed by the way powerful organisations pretend to care about people, and say one thing, whilst meaning the exact opposite. Yes, SoundCloud will keep your email address and other elements of your personal information private (within the limitations of its data sharing policy, that is), but it has no choice other than to do that. What reveals who these organisations really are (and it’s not just SoundCloud), is where they draw the line after their legal obligations end. And most tellingly of all, how much real respect they have for user privacy. Keeping an email address private according to the user’s wishes is not respect – it’s the law. Respect is about giving the user all the privacy options you know they need. Not deliberately disabling those options to create sales or ‘motivational’ pressure, and then spying on their email habits and precise mouse movements.