Spotify's privacy policy blunder is as a reminder of challenges facing GaaP

Spotify had a tough week last week after it faced a backlash from its users and privacy experts over an update to its terms and conditions, specifically with regard to how it wants to use people's data. The debacle was an important story in its own right, but it also made me think about how the UK government is likely to face a similar challenge if the plans for government-as-a-platform (GaaP) go ahead.

And whilst the business case for GaaP is still up in the air, following the mass exodus of senior executives at the Government Digital Service (GDS) due to a lack of support for the idea, I still think its worth highlighting the data challenge facing the public sector.

Ultimately it boils down to a delicate balance between a perception of an individual's privacy versus the want of a better service provided by any given entity. Spotify got that balance wrong this week and had to face the consequences. It's possible the government could have the same experience and it's something it should be thinking about if it wants GaaP to be a success.

But let's take a step back and assess what happened at Spotify.

Last week the music streaming service updated its data privacy policy by asking users for their consent to let the company access their pictures, contact phone numbers and sensor data on their smartphones. The company wants to provide users with a more personalised service and obviously the best away to achieve this, if users agree, is to get access to more data.

For example, sensor data has been used by Spotify to create its Spotify Running feature, which is meant to recognise when a person is doing exercise and in turn creates a playlist to match the person's activity.

However, the update caused a stir amongst its users and some high-profile Spotify subscribers voiced their concern with the changes to the policy. For example, Minecraft creator Markus Persson tweeted to his millions of followers that he would be cancelling his account as a result. He also tweeted the following to the company:

.@Spotify Hello. As a consumer, I've always loved your service. You're the reason I stopped pirating music. Please consider not being evil.

— Markus Persson (@notch) August 21, 2015

Forbes reporter and privacy expert Thomas Fox-Brewster, someone's opinion I value highly on these matters, also expressed his concern. He said:

I’m now considering whether the £10 I pay for a premium membership is worth it, given the amount of privacy I’d be giving away by consenting.

A quick scan of social media sites confirms that these aren't isolated concerns and that users were not convinced, to say the least, that Spotify's request for more data in return for a better service outweighed their desire to hold on to their information.

The backlash has resulted in Spotify CEO Daniel Ek writing a blog post, titled 'SORRY', where he has said that he will ordering a new Privacy Policy in the coming weeks to better explain the company's intent. However, he didn't go as far to say that Spotify would be reversing its decision to use more data.

Ek said:

We are in the middle of rolling out new terms and conditions and privacy policy and they’ve caused a lot of confusion about what kind of information we access and what we do with it. We apologize

for that. We should have done a better job in communicating what these policies mean and how any information you choose to share will – and will not – be used.

We understand people’s concerns about their personal information and are 100 percent committed to protecting our users’ privacy and ensuring that you have control over the information you share.
“So let me try and clear things up.

In our new privacy policy, we indicated that we may ask your permission to access new types of information, including photos, mobile device location, voice controls, and your contacts. Let me be crystal clear here: If you don’t want to share this kind of information, you don’t have to. We will ask for your express permission before accessing any of this data – and we will only use it for specific purposes that will allow you to customize your Spotify experience.

Only time will tell whether or not Spotify can limit the damage done and whether or not its users will be happy with the changes being made. However, the decision made me think about how willing citizens would be to let their government use their data in a more efficient way to provide a better service.

When we talk about the plans for government-as-a-platform (GaaP), what we are really talking about is an effective data platform that allows government departments to quickly build and deliver easy to use services.

The vision for this, at the moment, is to create a number of 'data registers' that can be used across government. I explained this recently in a previous piece, where I said:

The plan was for the government to create a variety of canonical sources of data and registers, which could be used across the public sector. For example, a register for addresses, for doctors, for companies, for car ownership, for land, etc. These would not be stored in a database, they’d be hashed and use blockhain-style encryption to ensure security. This effectively means that the data is as secure as it can be, given that each change is logged.

Simply put, there would be a data registry for all the core types of citizen and/or public sector information that will be required.

From the conversations I’ve had, the plan was to put control of this data in the hands of the citizen. So, for example, if the Department for Work & Pensions wants access to information about a welfare payment, access permission is given with which to retrieve that data from a number of registers. Just that one time. In that context, data sharing becomes irrelevant.

And whilst I stand by what I said, I think my previous piece could have benefitted from an assumption that some citizens may still not be comfortable with this agreement. As we have seen previously with government data projects, such as care.data, citizens are very wary letting central public bodies make decisions about how their data is used.

As far as I can see, government bodies have all this data already, but it its processes are in such a mess that even if it wanted to use somebody's data in a certain way, it would have a hard time of finding it and making it meaningful. And I think that, in a weird way, gives people a certain level of comfort.

They don't trust the government to make the right decisions with their data. And this is largely because these decisions aren't communicated effectively and there is very little trust when those transactions take place.

I still think that the GaaP model as it currently stands is a very transparent way of using people's data and the decision to let government departments access it will ultimately lie with the user. However, this is similar to what Spotify wanted to do. Users have to agree to let it access the data it wants and if they don't, they can take their custom elsewhere. That's not something we can do with public services.

My take

The Spotify fiasco should serve as a strong warning to those in Whitehall making plans with regard to citizen data. Not because they have any bad intentions, but because people don't trust organisations to necessarily do the right things with their data.

Overcoming this in the public sector won't be easy. People are likely to be even more resistant, as they can't take their 'custom' elsewhere, and as a result may fight to block any changes.

However, the key to getting this right will be transparency and clear communication around the benefits that better use of data can bring. People need to understand why the trade off is worth their while.