Andy on the Road

24 May 2009

Quick update: /. says Last.fm did in fact give up users to the RIAA (but they didn’t want to)

Filed under: followup,RIAA-WTF,seriesoftubes — Andy @ 10:20 pm

Update 6/3 - As that “grain of salt” warning suggested, Ars Technica posted on Monday 6/1 that that last.fm denies this in the clearest terms possible:

As a result, Last.fm’s Russ Garrett has issued a strongly worded denial on Last.fm’s forums. “That particular data is controlled tightly inside Last.fm and is only stored for a short period of time. Any request for such data would have to be approved by myself first. The suggestion that CBS’s ops team provided this data is just not possible—Last.fm operates as a separate entity and their operations staff do not have access to our system,” Garrett said. “It really seems like someone is trying to slander us here.” In another post, Garrett clarified that Last.fm has never given data linking IPs to scrobbles to any third party or to CBS, for that matter.

This doesn’t really change my analysis below as to whether they could do such things without violating the Privacy Policy for the website, but it certainly should allow last.fm users to breath a sigh of relief.

Original post below…

All of this is done with anonymous sources, so take it with a grain of salt, but /. contributor “suraj.sun” says TechCrunch, the party responsible for breaking the Last.fm-gives-up-users-to-the-RIAA story in February, now has released another story claiming additional sources have confirmed that Last.fm data was leaked to the RIAA, by way of parent company CBS:

Here’s what we believe happened: CBS requested user data from Last.fm, including user name and IP address. CBS wanted the data to comply with a RIAA request but told Last.fm the data was going to be used for “internal use only.” It was only after the data was sent to CBS that Last.fm discovered the real reason for the request. Last.fm staffers were outraged, say our sources, but the data had already been sent to the RIAA.

I documented the initial leak back in February, and I noted how impractical it would be to try and base an infringement claim on Last.fm data. It seems TorrentFreak agrees with that conclusion. I still am very skeptical that this happened, but given what we’ve seen from the RIAA over the past few months I’m more inclined to believe the RIAA would try this, as part of their “kitchen-sink” strategy for litigation.

TechCrunch also argues in the link above that such disclosure would violate Last.fm’s own Privacy Policy. I assume the part they mean is…

Certain third party individuals or organisations may have access to your personal information (excluding your email contact information) via Last.fm’s API and webservices or as a result of agreements between Last.fm and its preferred partners. (However, you should be aware that if you provide your e-mail contact information and/or username directly to any such third parties, they may use your information for their own purposes.) Such partners may use such information for their own purposes, which may be either commercial or non-commercial in nature and which may include targeted advertising or direct marketing. These third parties may be based in the United Kingdom or elsewhere (including outside of the EEA). [Emphasis added; British spellings in original]

…paired with this:

We believe in privacy and therefore will take all reasonable measures to ensure that your personally identifiable information remains private. However, in the event that we are required to disclose personally identifiable information by a court, the police or other law enforcement bodies for their investigations, regulation or other governmental authority we will make such a disclosure without being in violation of this Policy.

Assumedly, TechCrunch is arguing that Last.fm lists mandatory disclosure to “a court, the police, or other law enforcement bodies” at the exclusion of other interested third parties (to wit, the RIAA). As Last.fm promises not to give up your “email contact information,” this would mean a personally identifying disclosure to someone who is not a court or the police would be off limits acording to the Privacy Policy. However, you also see this clause…

We collect data regarding the users of Last.fm, including: (i) The Internet Protocol (IP) address of the user’s computer. This may or may not be associated with a particular Internet Service Provider (ISP); (ii) The referring URL, if any; (iii) The browser software identification (i.e. the brand and version of your browser software).

… and it makes no mention as to whether or not the IP address is part of the “personal information” which Last.fm makes available to third parties. So, by disclosing the IP address and not the email, CBS/Last.fm could still give up info to the RIAA and not violate the Policy.

(When I posted about this a couple months ago I also got into a quasi-fight with one Jonty Wareing of Last.fm, who thought I was doubting his existence. Jonty? You still read this? Want to comment on this story?)

About these ads

2 Comments

  1. Is this accurate?

    “/. says Last.fm did in fact…”

    I thought /. claimed nothing about last.fm, only that TechCruch made a claim. I thought someone at /. just posted a link to the TC article to give it greater visibility. Did /. do any additional research? Sorry if I’m wrong.

    Comment by k — 24 May 2009 @ 11:47 pm

  2. Sorry if you find that misleading. Whether or not /. did additional research or not is a bit irrelevant though, isn’t it, when if they post the story under the headline: “Last.fm User Data Was Sent To RIAA By CBS.” They certainly didn’t take any steps to contort that otherwise. TechCrunch may get credit for the story (as they did last time around), but /. seems to be where most people are reading the story. And their headline is much more assertive than the cryptic TC headline “Deny This, Last.fm.”

    It does raise a bit of an interesting question about crediting stories, though, doesn’t it? Thanks for getting me thinking about it. And thanks for coming by.

    Comment by Andy — 25 May 2009 @ 12:00 am


RSS feed for comments on this post.

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: