Update 6/3 - As that “grain of salt” warning suggested, Ars Technica posted on Monday 6/1 that that last.fm denies this in the clearest terms possible:
As a result, Last.fm’s Russ Garrett has issued a strongly worded denial on Last.fm’s forums. “That particular data is controlled tightly inside Last.fm and is only stored for a short period of time. Any request for such data would have to be approved by myself first. The suggestion that CBS’s ops team provided this data is just not possible—Last.fm operates as a separate entity and their operations staff do not have access to our system,” Garrett said. “It really seems like someone is trying to slander us here.” In another post, Garrett clarified that Last.fm has never given data linking IPs to scrobbles to any third party or to CBS, for that matter.
Original post below…
All of this is done with anonymous sources, so take it with a grain of salt, but /. contributor “suraj.sun” says TechCrunch, the party responsible for breaking the Last.fm-gives-up-users-to-the-RIAA story in February, now has released another story claiming additional sources have confirmed that Last.fm data was leaked to the RIAA, by way of parent company CBS:
Here’s what we believe happened: CBS requested user data from Last.fm, including user name and IP address. CBS wanted the data to comply with a RIAA request but told Last.fm the data was going to be used for “internal use only.” It was only after the data was sent to CBS that Last.fm discovered the real reason for the request. Last.fm staffers were outraged, say our sources, but the data had already been sent to the RIAA.
I documented the initial leak back in February, and I noted how impractical it would be to try and base an infringement claim on Last.fm data. It seems TorrentFreak agrees with that conclusion. I still am very skeptical that this happened, but given what we’ve seen from the RIAA over the past few months I’m more inclined to believe the RIAA would try this, as part of their “kitchen-sink” strategy for litigation.
Certain third party individuals or organisations may have access to your personal information (excluding your email contact information) via Last.fm’s API and webservices or as a result of agreements between Last.fm and its preferred partners. (However, you should be aware that if you provide your e-mail contact information and/or username directly to any such third parties, they may use your information for their own purposes.) Such partners may use such information for their own purposes, which may be either commercial or non-commercial in nature and which may include targeted advertising or direct marketing. These third parties may be based in the United Kingdom or elsewhere (including outside of the EEA). [Emphasis added; British spellings in original]
…paired with this:
We believe in privacy and therefore will take all reasonable measures to ensure that your personally identifiable information remains private. However, in the event that we are required to disclose personally identifiable information by a court, the police or other law enforcement bodies for their investigations, regulation or other governmental authority we will make such a disclosure without being in violation of this Policy.
We collect data regarding the users of Last.fm, including: (i) The Internet Protocol (IP) address of the user’s computer. This may or may not be associated with a particular Internet Service Provider (ISP); (ii) The referring URL, if any; (iii) The browser software identification (i.e. the brand and version of your browser software).
… and it makes no mention as to whether or not the IP address is part of the “personal information” which Last.fm makes available to third parties. So, by disclosing the IP address and not the email, CBS/Last.fm could still give up info to the RIAA and not violate the Policy.
(When I posted about this a couple months ago I also got into a quasi-fight with one Jonty Wareing of Last.fm, who thought I was doubting his existence. Jonty? You still read this? Want to comment on this story?)