Slashdot Mirror


Spotify Says 2 Million Users Hacked Apps To Suppress Ads On Its Free Service (engadget.com)

Earlier this month, Spotify revealed that it had begun cracking down on people using hacked versions of apps. These apps allowed users with free accounts to suppress advertising and take advantage of paid features. Now, Spotify has disclosed just how many people have been taking advantage of this hack: around 2 million users. Engadget reports: That's not an insignificant number, and it's understandable why Spotify is cracking down on them. As the company explains in an amended F1 filing with the SEC this week, these users forced the company to adjust its metrics and key performance indicators. The disclosure notes, "Unauthorized access to our Service may cause us to misstate key performance indicators, which once discovered, corrected, and disclosed, could undermine investor confidence in the integrity of our key performance indicators and could cause our stock price to drop significantly." As a result, Spotify has adjusted its monthly active users from 159 million at the end of 2017 to 157 million.


  1. In other words by Anonymous Coward · · Score: 3, Insightful

    > These apps allowed users with free accounts to suppress advertising

    IOW, running software they chose to run on a device they owned?

    Blocking ads is not theft any more than going to the bathroom during a commercial is stealing from Toyota

    1. Re:In other words by ls671 · · Score: 3, Interesting

      We already have been through this a few days ago. Spotify servers are too dumb to enforce what the user has permissions to do. Instead, it lets the client app decide ;-)

      --
      Everything I write is lies, read between the lines.
    2. Re:In other words by Rewind · · Score: 2

      > These apps allowed users with free accounts to suppress advertising

      > IOW, running software they chose to run on a device they owned?

      > Blocking ads is not theft any more than going to the bathroom during a commercial is stealing from Toyota

      Except they are connecting to Spotify's servers that Spotify owns to listen to Spotify's music library. So no, it is nothing like your Toyota 'example'.

      --
      ?
    3. Re:In other words by grep+-v+'.*'+* · · Score: 4, Interesting

      > Blocking ads is not theft any more than going to the bathroom during a commercial is stealing from Toyota

      > Except they are connecting to Spotify's servers that Spotify owns to listen to Spotify's music library.

      I have to comment on this one, sorry. I have a question, and you're probably not the one to ask:

      If I'm fetching from a "legal source" and I somehow ignore commercials, am I breaking / stealing / anything? What if you, the legal source, let me? What if you force me to watch? How will you enforce / check / penalize that? (I suspect that question itself is wrong, but let's run with it.)

      Let's take your argument. I've got a device I bought that someone else built and someone else wrote the supporting OS and someone ELSE wrote the software application interface. But I bought it, so it's "my" hardware, running on "my" account on "my" internet connection and/or "my" paid-for 4G and/or an "open WiFi" point. That device then connects upstream to God-knows what, eventually to one of the backbone providers, eventually making it to Spotify's computers.

      Right? That's how the internet works, being just a series of tubes. *I've* got my access, Spotify's got THEIR access, and everyone in between's got their own access rights. Assume for a second that skipping commercials is illegal. WHERE does that occur? On my device? On Spotify's? Maybe somewhere in the middle?

      It's all active vs passive. Watching TV, the usual comparison, the commercials are interspersed within the shows, and there's nothing you can do to your TV to bypass them. So you walk away and use the bathroom / SUDO Make me a sandwich. You run the slight risk of missing the resumption of the show, but that's usually ignored.

      Now let's bring up Tivo / Plex / Kodi / Direct TV DVR. Suddenly that passive device assumption is no longer valid -- there's an intermediate processor between source and destination that's suddenly not under the originator's direct or indirect control. I pay Tivo for a service that provides an Electronic Program Guide that specifies the date / time / channel / duration a show is on. I can specify a show by name and it will search out and record it for me, allowing me to play it back at my leisure and time (aka Time Shifting). That's nice and all but suddenly I can shift the time that commercials take down to 0. I still have the "missing program" problem, but that's easy to skip back and fix. Plex can scan recorded shows and physically remove them from the stream, Tivo will mark them so they're easy to skip, Kodi will mark them and even autoskip them I understand. (Heck, Tivo even has a "speed-up" command for the actual shows themselves, so you can watch a 60 minute show in 45 minutes. Forget skipping commercials, I'm speeding up content.)

      All of these change the "intent" of the "original stream" in a "cost-adverse manner". However they're not free and the individual must actively implement them. So sorry, the world is not "Pure", no matter what kind of SJW you are. Just ask viruses that subvert larger systems and "bad bugs" that invade other bugs and plants.

      So is this "wrong"? Depends on whom you ask. Vendors, yes. Consumers, no. The only way to enforce someone to watch (or at least fetch) something is to give it to them first, and then receive a verified response that allows the next item to proceed. (But: see third party Captcha decode services.) TVs, providers, and intermediaries are NOT yet set up for that, so all they can do is force one show before another, or somehow intersperse them. (Product placement.)

      Spotify's the same way -- if you WANT me to listen to your extras, you're going to have to FORCE me to at least download it before playing the next piece. That a client can automatically fetch the next correct part bypassing the annoyance is Morally Bankrupt, Bad Programming,

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  2. Trusting the client? What decade is this? by fuzzyfuzzyfungus · · Score: 3, Interesting

    I know that smartphones and the App Economy(tm) change everything and stuff; but hasn't it been a ubiquitous article of common sense that trusting the client is for suckers since the days when using your phone to access the internet involved dialup?

    Outside of some 'trusted computing' dystopian fantasy there isn't much they can do about people suppressing ads; but since they are the ones running the servers streaming the music one would think that they could quite easily do things like stopping the media stream during periods when ads are supposed to be playing; making periodic chunks of silence the best-possible modified client outcome.
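
The server-side gating this comment describes, as an added example (not part of the thread and not Spotify's code): the tier is read from a server-held record, and during an ad slot the server withholds music on its own clock, so a modified client gets silence at best. The account store, slot length, track count and the `StreamGate` name are assumptions.

```python
import time

AD_SECONDS = 30      # assumed ad slot length
TRACKS_PER_AD = 2    # assumed: one ad slot after every two tracks

# Constructed account store: the tier lives on the server, keyed by account id.
ACCOUNTS = {"alice": "premium", "bob": "free"}


class StreamGate:
    """Decides on the server whether the next track may be streamed."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.sessions = {}  # account id -> {"since_ad": int, "ad_until": float or None}

    def request_track(self, account_id, client_claims=None):
        """Return "track", "ad" or "wait"; client_claims is deliberately ignored."""
        tier = ACCOUNTS.get(account_id)
        if tier is None:
            raise PermissionError("unknown account")
        if tier == "premium":
            return "track"
        s = self.sessions.setdefault(account_id, {"since_ad": 0, "ad_until": None})
        now = self.clock()
        if s["ad_until"] is not None:
            if now < s["ad_until"]:
                return "wait"      # ad slot still running: no music bytes are sent
            s["ad_until"] = None   # slot elapsed on the server clock
            s["since_ad"] = 0
        if s["since_ad"] >= TRACKS_PER_AD:
            s["ad_until"] = now + AD_SECONDS
            return "ad"            # server sends the ad and starts its own timer
        s["since_ad"] += 1
        return "track"


if __name__ == "__main__":
    fake_now = [0.0]               # constructed clock so the demo runs instantly
    gate = StreamGate(clock=lambda: fake_now[0])
    print([gate.request_track("bob") for _ in range(3)])
    print(gate.request_track("bob", {"premium": True}))  # claim is ignored
    fake_now[0] = AD_SECONDS
    print(gate.request_track("bob"))
```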

  3. It's a shame, killing Pandora too by DatbeDank · · Score: 2

    Pandora is already a public company. I'm willing to bet that they're suffering just as much if not more.

    I've been a subscriber to Pandora since 2008. I loved the service and when the ads started, I hated it so much I shoveled out a paltry amount for the yearly service. I don't remember what it was, but it was stupid affordable enough for a broke college stupid.

    The music industry really bends these guys over and abuses them. Their licensing costs are stupid high. This type of piracy depresses me because they're both struggling to make any sort of profit.

    1. Re:It's a shame, killing Pandora too by jeti · · Score: 2

      Pandora isn’t available where you are yet.
      Pandora is only available in the U.S. right now – but we are working on bringing our music service to other parts of the world.

      This message has been up for over ten years for anyone outside the US.

  4. Didn't read the summary? by raymorris · · Score: 2

    > So for who is this message? Not for the "bad user" who (the 2 million of them) are identified.

    Didn't bother to read even two sentences into the summary before posting your insightful knowledge about the topic? The message (an SEC filing) is for potential investors.

    > So where is the real loss occurring?

    The loss would be investors losing their investment. You, in your 401k, for example. If they invest in the company based on the claim that they have 159 million users generating revenue, but in fact there are only 100 million legitimate users, the company has a lower chance of success, a lower likely future value, and investors will likely lose money.

    Public companies are required to do two things - state business facts such as the number of customers they have as accurately as they can, and report any foreseen risks. In its most recent filing, the company has amended their statements for both reasons. They reduced their customer count by 2 million, and acknowledged the risk that many more active accounts may not actually be able to bring revenue, because those users could be using hacked apps.

    On a side note -
    I've been in computer security for twenty years, so I've seen a few things in that time. One thing I've noticed may seem obvious once I say it, but it's not obvious to a LOT of people:

    Hacked apps are hacked, by hackers.

    When you install a "cracked warez", you're installing something you've downloaded from a known disreputable site, that you KNOW was coded or modified by disreputable people who don't mind screwing somebody else over, and of course breaking the law. It has malware, folks; most of the time "cracked" includes malware. These organizations and individuals don't crack and distribute the cracked software, risking legal trouble for themselves, out of the goodness of their hearts. They want you to install their hacked version because it includes a payload they want to sneak onto your system.