Spotify Is Now Deploying 6 Different Types of Cookies…

Back in August of 2011, researchers at UC Berkeley unearthed an ‘evil cookie’ being deployed by Spotify. This cookie couldn’t be removed or modified, and even dynamically regenerated if deleted. Spotify, correctly betting the whole thing would blow over, decided not to respond to the matter (to Digital Music News, or anyone else that we know of).


But instead of quietly modifying or reducing their cookie structure, Spotify seems to be vastly expanding it. In fact, they are now deploying at least six different types of cookies, with potentially several contained in each category. Which means the average Spotify user could be saddled with dozens of tracking cookies, even when Spotify is not being used. And if that sounds bad, Facebook is probably putting that number to shame.

Here’s a rundown of the various types, as delineated deep within Spotify’s Privacy Policy.


Written while listening to Franz Liszt (but Spotify already knew that ;).

17 Responses

  1. jw

    There are two ways to make money on ads on the internet… blow up your inventory, creating better chances of click throughs, but diluting the overall effectiveness of your ads across the board, or leverage technology to create fewer, more targeted ads with better chances of click throughs. The latter makes for a much, much, much more enjoyable internet.
    The squeaky wheels on this subject don’t actually reflect the average consumer, because the sad truth is that ads that aren’t technologically invasive are perpetually becoming more visually & experientially invasive, which is what actually drives consumers away from products. And the reality of the situation is that Spotify has a lot of overhead to cover if for no other reason than the terrible deals the labels roped them into.
    You can’t argue that Spotify’s per-stream payout is too low, but that they’re also too technologically invasive with their advertising. In the real world these forces have to balance out somehow. The only alternative is to drown the consumer in loads & loads of experientially invasive, non-targeted ads, which is worse for everyone. The truth is that cookies aren’t necessarily the evil demons they’re made out to be.
    I will say that advertising-related cookies shouldn’t show up on the computer of someone paying for a premium subscription, though. And they may not, seeing as how Spotify would have little chance to capitalize on that data. But if it’s the case that they are, that’s unethical double dipping.

    • Bobby N

      > I will say that advertising-related cookies shouldn’t show up on the computer of someone paying for a premium subscription, though. And they may not, seeing as how Spotify would have little chance to capitalize on that data. But if it’s the case that they are, that’s unethical double dipping.

      ^ As a paying subscriber, this is my concern, and I don’t know whether they do this either. Agreed on your other points.

  2. Earnest Scribbler

    I really don’t care how many trackers, tracers, bugs, cookies, snoopers or loggers get dropped onto my computer. That’s ‘cuz I never click on an ad and never buy anything from an ecommerce site except from a separate “clean” computer on which I run only a web browser, and which I wipe free of all data after use. Maybe a cookie or two gets left on it, but I don’t care, since I never click on ads from my main computer.
    Catch me if you can!

  3. Mike

    Funny – just checked my browser and I have 7 cookies from this site.

  4. Cookies

    what is more interesting here, is that someone has made 6 ‘Spotify’ themed evil looking Chocolate Cookies for the photo!

  5. danwriter

    Consider installing Ghostery, which shows you all of the cookies being deposited on your computer in real time and also you to block them going forward.

    • Econ

      I did that almost a year ago. The great thing is some sites just plain won’t work without cookies – and for no good reason!

      For example, with Ghostery installed won’t let me search or even advance to another page... and do not beg me to track my every move. Guess which sites get my business?

      The simple fact is that so many users have no idea of what is being tracked, that it is downright stupid to block the handful of people who won’t let you track them.

  6. worse than cookies

    The real story is how Spotify’s app uses YOUR computer’s storage space to ‘cache’ the most popular music (even if you don’t listen to it) and then uses your computer and bandwidth as a ‘node’ to serve pieces of the music stream to others in your local area who are listening to said popular music on Spotify. Think of it as a P2P network or CDN that rides on all of its user’s bandwidth and storage.
    It’s very well done and the terms and conditions make it difficult to understand that you are actually allowing it to do this. But any computer guy can show you where the files are being stored and the bandwidth served. I believe it even works in the background when the app is not launched on your computer. Not sure if it steals storage or bandwidth on your mobile device, but they are allowed to do so by their Ts and Cs.
    It’s been very surprising that there has not been a public discussion/furor over this practice. The upside to this tech is that the songs load faster, which is why lots of fans love Spotify. The downside is that you are paying for the bandwidth cost of other people’s streams, the storage cost of storing songs in your cache that you may not even listen to, and there may be some security risks to your computer. It would be great for Paul to look into this and maybe even ask the company to comment (hint, hint).

    • Versus

      Disturbing. Where are the files stored? Are they invisible? How to delete them? The thought that even a byte of a Gaga “song” is on my hard drive is making me feel rather ill.

    • jw

      This post is very misleading, & a lot of it is flat out wrong.
      Spotify doesn’t cache the most popular music, you have a cache of the music you listen to on your hard drive. You set your cache size in the preferences, & a lot of the music you listen to plays from local storage after you’ve streamed it once. If you’re truly streaming a song, you’re streaming from Spotify’s servers & also people connected to the network who have listened to the song & therefore have it stored in their cache. The P2P element is responsible for Spotify’s network responsiveness.
      So you’re not paying to download anything you’re not listening to, & you aren’t paying to store anything extra. And you are using upload bandwidth to send data to other nodes on the network, but the efficiency, combined with the local caching, make streaming more efficient than just streaming from a web server, & much more responsive.
      Mobile usage doesn’t utilize p2p, & this doesn’t happen in the background when you aren’t logged in.
      At this point, most users are used to p2p traffic & aren’t bothered by it… the overall effect is that you’re uploading ~35% of what you’re listening to, & downloading ~45%. So you’ve got a 20% net bandwidth saving versus something like Grooveshark or Pandora, plus a much more responsive & more reliable stream. (I’m assuming Pandora doesn’t cache, but I haven’t looked into it.) Everyone agrees that Spotify has the best streaming quality, & p2p is why.
      I’m not sure there’s a need for some kind of expose, this isn’t something that they try to hide. Here’s a pretty detailed slideshow on the technology that I found with a quick google search…

      • visitor

        I found the cache, but there is no way to tell exactly what they are storing in it.
        @jw, do you work at Spotify? Or are you just guessing about what they store in there?
        As for Spotify “not hiding” the fact that they are using my storage and bandwidth to serve songs to other Spotify users, I would strongly disagree. My guess is that this would be news to about 99.9% of Spotify users – and not good news.
        I don’t recall them explicitly asking for the right to use my bandwidth to serve their other customers, nor do I recall giving them permission to do that, and if someone could point to where I gave them that right in the agreement, I’d really appreciate it. I can’t find it.
        Had they given me the option to ‘increase streaming performance if you let us use your computer as a P2P node’ I may have given it to them once I understood it, but to bury it in terms and conditions and make it the DEFAULT setting seems very wrong to me.

        • jw

          I wish I worked at Spotify. I’m just making an educated guess. The popular songs are the ones with the most available bandwidth on the p2p network, & the demand is low because the seeds are everyone who’s ever listened to the song & has it cached on their hard drive, and the only leeches are users listening to the song for the first time on their device (mobile devices excluded, of course). If you’re trying to reduce the load on the server, it seems any unsolicited transfer of data is wasteful… it’s sending X->Y->Z, instead of just X->Z, double the bandwidth.
          What leads you to believe that they are sending unsolicited data to users?
          Like I said, you’re only uploading ~35% of what you listen to (on average), & there are no super nodes, so bandwidth is distributed fairly across the network. I don’t see anything shady about it. Anyone who’s used to p2p is comfortable with this type of thing, & most people don’t take the time to go into their settings & opt into things. Maybe it’s a generational thing.
          Maybe I’d feel differently if bandwidth used wasn’t just ~80% of what you’re listening to.
          The reason that you can’t see what’s stored in your cache is because it isn’t whole songs. When you stream a song on Spotify, you hit their server initially, & then you collect bits of the song from different people & the Spotify client assembles it on the fly. So it’s stored as data, rather than songs. It’s not because they’re trying to hide Justin Bieber on your computer.

          • Visitor

            My biggest issue isn’t that they are hiding Bieber on my computer. It’s that they have taken up to 10GB of my drive space and are using my bandwidth to stream music to my neighbors – all without asking me to OPT-IN.

            Instead, they hide the fact that they are doing this in their incredibly confusing Terms and Conditions and give me the right to OPT-OUT if I actually figure out what they are doing (which 99% of people won’t know – Paul should survey his bleeding edge readers and see if even they know).
            To me it just seems ethical to ask someone if they’d be okay giving up some of the resources they pay for, or at least TELL them explicitly that this is what they are signing up for.
            It’s really a striking sign of the times that readers like @jw are ok with consumers blindly abdicating control over the resources they pay for to apps that don’t have enough confidence in their product to actually ask you for permissions to do it. Kind of amazing that facebook has to overtly ASK you for permission to tell an app what day of the year your birthday is on, but Spotify doesn’t feel compelled to ask you if they can use your bandwidth or hard drive to add value to their company.
            Do Rdio, MOG, and Rhapsody do this? If not, I wonder if they’d comment on why not.

          • jw

            To be fair, it’s taking up 10gb in order for you to not have to download that 10gb over & over again. That’s actually a bandwidth saving feature, & that’s not a new concept at all, & shouldn’t be a problem if your computer is up to date. Reserving 10gb for a music collection isn’t unheard of.
            The difference between what Spotify is doing & what Facebook is doing is that Facebook is sharing personal information, whereas what Spotify is doing is all anonymous. That’s where permission comes in.
            Let’s look at what’s actually happening… at 256kbps, a 3.5 minute song is ~5.4mb (this is assuming most people don’t opt into high quality streaming). On average, you’re uploading 35% of that. So ~1.9mb per song. Let’s say you listen to 3 hours of spotify per day (this is assuming you’re only connected to Spotify when you’re listening to music). If my math is right, that’s ~98mb of upload bandwidth per day. If you’re listening to only songs that you listen to regularly, you’re not using any download bandwidth. So you’re looking at less than 3gb of data per month. That’s exactly 1% of the monthly bandwidth allowance for Comcast’s economy internet plan. And it’s approximately the bandwidth it takes to stream 1 HD movie on Netflix.
            The reason I’m fine with it is because my bandwidth isn’t a precious resource, & I’m paying for all of that data transfer that I don’t use, so I might as well get faster Spotify response times out of it. I see it as utilizing resources that would’ve otherwise gone to waste, it’s not costing me anything. The ONLY way I would have a problem with it is if I was a heavy gamer & wanted to prioritize the response times of other applications over Spotify.
            As bandwidth capacities increase, you’re going to see a lot more of this type of creative network usage, I think. If for no other reason than that it’s much easier & more efficient to distribute the load than it is to update older infrastructure. When Google Fiber reaches the coasts, users will have much more capacity than services are able to service, & so the only way to capitalize on that & avoid the bottlenecks will be by distributing the load across users.
            Keep in mind, also, that Sweden, where this technology was developed, has nationalized internet, & so none of this is an issue.

          • Visitor

            I’m not a fan of “if you are better off anyway, then there is no reason to give you a choice” arguments. I’m not so into abdicating my decision rights to others, but that’s a different discussion.
            But you make a logical case for why I’d WANT to choose to turn on Spotify’s P2P tech.

            So why don’t Spotify just let me opt-in to that choice instead of making it for me and hiding it in legalese that nobody can understand?
            Is this simply a fear that the public would react poorly to Spotify if it became known that it had a P2P component to it? Is it the acronym P2P that has Spotify so scared to ask its users for permission instead of forgiveness?
            Or is it the cost savings to Spotify’s bottom line that makes them want to hide this ‘feature’? I’m not being snarky, just earnestly wondering why they wouldn’t ask their users for permission to use their bandwidth and hard drive space.

            Maybe I’m crazy and we should all agree that every app we download should be allowed to store whatever it wants on our computers and send/receive whatever it wants over our networks provided they do so in a way that they deem is ‘best for us’. I’m just not sure I’m ready to live in that world quite yet.

          • jw

            I agree that software EULAs are screwed up, & are more to cover the publisher’s ass than to explain what’s actually happening. But I’ve definitely seen worse…
            “Spotify has a right to allow the Spotify Software Application and the Spotify Service to utilize the processor, bandwidth and storage hardware on your computer or other relevant device for the limited purpose of facilitating the communication and transmission of content and other data or features to you and other users of the Spotify Software Application and the Spotify Service, and to facilitate the operation of the network on which the Spotify Software Application and the Spotify Service runs.”
            What you’re objecting to is Spotify utilizing bandwidth & storage hardware on your computer to facilitate the transmission of content to other users of the Spotify Service. I don’t think it’s hidden, I just think that the language is really dense.
            It’s tough because, as an independent party, I can take the data & extrapolate an average scenario. But because Spotify has liability, each level of clarity that they offer requires exponentially more language, & the EULA is long enough as it is (at some point EULA length is going to begin to deter some users from signing up). It’s sort of a case where, if you can’t be clear within a certain word count, it’s better to just be accurate. However, to Spotify’s credit, they’re completely transparent elsewhere, & you can learn anything a consumer would possibly want to know about the technology in Spotify – Large Scale, Low Latency, P2P Music-on-Demand Streaming by Gunnar Kreitz and Fredrik Niemelä.
            Regarding opt-in versus opt-out, if you’re dogmatic about it, you can really cripple a service with opt-ins. At the end of the day, you just have to make an educated guess about, if your users had all of the data & understood the technology, would most of them opt in or opt out? And you go with that. And if it’s half & half you default to what you think is best for everyone. If for no other reason than the principled users who care about this stuff are the minority, & you can’t leave it to the users to consider what the technology is, understand it, & make the choice to opt in. When you weigh the cost v benefit, Spotify’s p2p technology is clearly an opt-out. (Obviously if personal information is involved, that’s a whole different ballgame, but I feel like this is the approach to anonymous technology like Spotify’s p2p.)
            Sure, there’s a PR element to it. Some people are conditioned to extrapolate doomsday scenarios out of any information presented to them, & you have to manage that. But I think that their decision was more pragmatic than disingenuous, based on the fact that they seem to mention it whenever their engineering guys are boasting about the network response times, & it’s been mentioned in an NPR feature (which is easily searchable), they’ve released academic papers describing the technology, etc.

        • nmgyrl

          Visitor wrote:

          > I don’t recall them explicitly asking for the right
          > to use my bandwidth to serve their other customers

          It’s right there in the Terms & Conditions, section 7, “Considerations”. That’s what brought me to this discussion. I was about to set up Spotify and then saw that clause. It would be nice to know how to “Opt Out” of that condition, as jw said can be done. Their language doesn’t read like it’s optional:

          “In consideration for the rights granted to you under these Terms, you grant us the right (a) to allow the Spotify Service to use the processor, bandwidth and storage hardware on your Device in order to facilitate the operation of the Service, (b) to provide advertising and other information to you, if you subscribe to the Free Service, and (c) to allow our business partners to do the same.

          “You grant Spotify a non-exclusive, transferable, sub-licensable, royalty-free, perpetual, worldwide licence to use, reproduce, make available to the public, publish, translate and distribute any User Content that you post on or otherwise provide through the Spotify Service.”