Did Last.fm Just Hand Over User Listening Data To the RIAA?

Update: Last.fm vehemently denies this rumor. See below.

That leaked U2 album is causing all sorts of trouble. The unreleased album, which is due out on March 3, found its way onto BitTorrent and was downloaded hundreds of thousands of times. That, apparently, sent music industry lawyers over at the Recording Industry Association of America into a fit. As a result, word is going around that the RIAA asked social music service Last.fm for data about its users’ listening habits to find people with unreleased tracks on their computers. And Last.fm, which is owned by CBS, actually handed the data over to the RIAA, according to a tip we received:

“I heard from an irate friend who works at CBS that last.fm recently provided the RIAA with a giant dump of user data to track down people who are scrobbling unreleased tracks. As word spread numerous employees at last.fm were up in arms because the data collected (a) can be used to identify individuals and (b) will likely be shared with 3rd parties that have relationships with the RIAA.”

Supposedly, the operations team which handed over the data in the first place weren’t told the true purpose for the transfer or who was getting the data until after the fact, and only when they had to help with some corrupted data. It sounds like it was more of a corporate decision. I’ve contacted both CBS and the RIAA. Most of the Last.fm team is in London, where the weekend has already started. For now Last.fm says: “To our knowledge, no data has been made available to RIAA.” (The RIAA declined to comment).

Setting aside what actually happened to the data, and assuming this rumor is true, why would the RIAA target Last.fm? It wasn’t streaming the U2 album, and it is not an illegal download service. But Last.fm has millions of users who are heavy music consumers, and many of them download Last.fm’s Scrobbler software which keeps track of every single song you listen to on your computer, no matter which music player you use. In other words, it captures tracks played from illegal BitTorrent downloads just as easily as from iTunes.

Last.fm members knowingly share what they are listening to with the rest of the Last.fm community, and in return receive social recommendations of music they might like. That is the whole point of the service. And Last.fm’s privacy policy does clearly state:

“. . . your record collection (including your skipping history) may be viewed by all other users of Last.fm (who may include other organisations or representatives of other organisations who have registered as Last.fm users) and that they may easily associate this information with your Last.fm username.”

But most probably never even considered it a possibility that individually identifiable information about their listening habits (legal, illegal, or otherwise) could be handed over to an organization known for taking consumers to court for file-sharing. What makes this even more egregious is that it appears to be absent any legal precedent (such as a pending lawsuit) that Last.fm could at least hide behind as an excuse.

Incidents like this highlight how the social Web can sometimes bite back if you are not careful. It also raises the issue of who owns all of this data about you and what they can do with it. (The same issue that caused Facebook to backtrack on recent changes to its data policy). Unfortunately, it’s come down to this: you really shouldn’t share any data on the Web you wouldn’t feel comfortable seeing in a court of law.

(Please contact us at tips [at] techcrunch if you have more information about this).

Update: Some more denials from Last.FMers, including one of the co-founders, Richard Jones, in comments, who says this story is “utter nonsense and totally untrue,” and another one from Russ Garrett, a systems architect.

Update 2 (2/21/09): There are a lot of angry questions being raised about this post in comments and elsewhere. Lots of demands for retractions and some people questioning the timing of the post late on Friday night.

First, on the timing. The reason this story was posted so late was because I had contacted a Last.fm spokesperson in the U.S. earlier in the day who promised me a response, and I decided to wait for it. Several hours passed, with assurances that a statement was being prepared. So I was a little surprised when it was only one sentence:

“To our knowledge, no data has been made available to RIAA.”

That statement is hardly a categorical denial. It leaves open all sorts of holes. Was the data collected internally, but never actually handed over? Was it made available to a specific record label or group of record labels, perhaps at the request of the RIAA? Or did the whole thing never happen? I asked for clarification, but again was referred to the single vague statement. After I posted, I again contacted the spokesperson to see if she had any further comment she would like to make. She didn’t.

Soon after I posted, however, plenty of unofficial but heartfelt denial came from Last.fm staffers in London, two of which I linked to last night in the update above. The one from Russ Garrett, in particular, raised even more questions. His denial starts out unequivocal, but then he adds a squishy disclaimer:

“I’d like to issue a full and categorical denial of this. We’ve never had any request for such data by anyone, and if we did we wouldn’t consent to it.

“Of course we work with the major labels and provide them with broad statistics, as we would with any other label, but we’d never personally identify our users to a third party – that goes against everything we stand for.”

Hmm, so could the RIAA or a record label use the data to identify people? I never suggested that it was Last.fm that was singling out individuals listening to unreleased tracks. The issue is whether the RIAA or any of its member companies are trying to do so and whether or not Last.fm is helping them.

As Garrett points out, Last.fm shares aggregate listening data with the labels. Are there any unique identifiers associated with this data that could lead back to an individual, despite any precautions Last.fm might take? (It wouldn’t be unprecedented—remember that leaked AOL search data a few years ago?) I sent Garrett an email about 5 hours ago asking him some of these questions.

From the very beginning, I’ve presented this story for what it is: a rumor. Despite my attempts to corroborate it and the subsequent detail I’ve been able to gather, I still don’t have enough information to determine whether it is absolutely true. But I still don’t have enough information to determine that it is absolutely false either. What I do have are a lot of unanswered questions about how exactly Last.fm shares user data with the record industry.

Update 3 (2/22/09): Garrett got back to me. He responds:

“The data we make available to labels is aggregate data about their artists – it’s a slightly more detailed version of what you see on the site. We release no data linking users and plays to any third parties.

“The only data we provide to labels (in addition to the data publicly available on their artist pages) are historical graphs of listeners and plays. There’s no way to link these to individual users.

“If a label was trying to work out who’s been listening to their leaked track, the closest they can get would be to look at the publicly-available listeners on the music pages. I would doubt that would be enough evidence to convict someone, and users can opt out of being displayed there in their settings.”

Update 4 (2/23/09): Last.fm co-founder Richard Jones expands on his denial in comments with an official post on the Last.fm blog. He also adds this:

“We never share personally identifiable data such as email and IP addresses. The only type of data we make available to labels and artists, other than what you see on the site, is aggregate data of listeners and number of plays.”