I don’t use Spotify much. To be honest, the main reason is that I’m still stuck to the concept of “owning” music, mostly still on physical CDs, although I do always rip them into compressed format for playing at home, or in the car.

But I also have reservations about how much, or how little, Spotify pays artists. (This is a couple of years old, but it makes a powerful point. If you could live on 150 album sales a month on CD, you’d need 4,053,110 Spotify plays to match that income.)

Today, I found another reason. When I started up the Spotify client, I was working on something else concerning open files, and I happened to notice outgoing network connections. A lot: 271 of them. Because the command I used was helpfully doing reverse DNS, I could see the host names. Ones you’d expect, like and (say) (for the adverts).

The majority, though, were obviously the home PCs of ordinary users; (in the UK, Belgium and the Netherlands, as it happens, although I have no idea if that is representative).

I checked the Spotify website to see what the fuck was going on, and found nothing other than a claim of “clever technology” to avoid buffering. It was the Wikipedia article which gave me the answer: Spotify uses a peer-to-peer system for sharing streamed music around the internet, although the details are not made public of how it works.

As is common, my home network has a firewall which blocks incoming connections, but it allows outgoing ones; and once a connection is established, it can be used in both directions. (After all, that’s how, say, normal web browsing works.) Presumably, the software on my computer is being given a list of addresses to call. That list must be constantly updated and downloaded as people go on and off line.
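If you want to repeat the kind of check described above on your own machine, the useful measurement is per-process fan-out: how many distinct remote hosts a single client is talking to, and how many of those reverse-resolve to names that look like ISP customer pools rather than a vendor's servers. The script below is an added example and not code from the post; it parses the `lsof -i -n -P` line format, classifies each peer from its PTR name with a simple keyword heuristic, and flags processes whose peers are mostly not recognisable infrastructure. The sample `lsof` output, the IP addresses (RFC 5737 documentation ranges), the ports and the reverse-DNS answers in `FAKE_PTR` are all constructed so it runs offline; swap in `live_resolver` and real `lsof` output to audit a running system.

```python
import re
import socket
from collections import defaultdict

# Constructed sample of `lsof -i -n -P` output: documentation-range addresses
# and made-up ports, not the real listing behind the post.
SAMPLE_LSOF = """\
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
spotify  4321 alice   23u  IPv4 12345      0t0  TCP 192.168.1.10:51002->203.0.113.10:443 (ESTABLISHED)
spotify  4321 alice   24u  IPv4 12346      0t0  TCP 192.168.1.10:51003->198.51.100.7:41000 (ESTABLISHED)
spotify  4321 alice   25u  IPv4 12347      0t0  TCP 192.168.1.10:51004->198.51.100.8:41000 (ESTABLISHED)
spotify  4321 alice   26u  IPv4 12348      0t0  TCP 192.168.1.10:51005->198.51.100.9:41000 (ESTABLISHED)
firefox  2222 alice   40u  IPv4 12349      0t0  TCP 192.168.1.10:51100->203.0.113.20:443 (ESTABLISHED)
sshd      900 root     3u  IPv4 12350      0t0  TCP *:22 (LISTEN)
"""

# Constructed reverse-DNS answers standing in for what `dig -x` (or lsof
# without -n) would return; placeholder names, not real hosts.
FAKE_PTR = {
    "203.0.113.10": "cdn-edge-1.example.net",
    "203.0.113.20": "www.example.org",
    "198.51.100.7": "cust-198-51-100-7.dsl.example-isp.co.uk",
    "198.51.100.8": "dyn-100-8.pool.example-isp.be",
    # 198.51.100.9 deliberately has no PTR record -> classified "unknown"
}

# Tokens that commonly appear in ISP customer-pool hostnames (heuristic only).
RESIDENTIAL_HINTS = re.compile(
    r"(^|[.-])(dsl|adsl|cable|dyn|dynamic|pool|cust|customer|dhcp|ppp|fib(er|re)|res|home)([.-]|$)",
    re.IGNORECASE,
)


def parse_established(lsof_text):
    """Yield (command, pid, remote_ip, remote_port) for ESTABLISHED TCP rows."""
    for line in lsof_text.splitlines():
        if "(ESTABLISHED)" not in line or "->" not in line:
            continue
        fields = line.split()
        command, pid = fields[0], int(fields[1])
        remote = next(f for f in fields if "->" in f).split("->", 1)[1]
        ip, port = remote.rsplit(":", 1)
        yield command, pid, ip, int(port)


def classify(hostname):
    """Bucket a PTR name: no record -> unknown; pool-like name -> residential."""
    if hostname is None:
        return "unknown"
    return "residential" if RESIDENTIAL_HINTS.search(hostname) else "infrastructure"


def fake_resolver(ip):
    return FAKE_PTR.get(ip)


def live_resolver(ip):
    """Real PTR lookup, for running this against your own lsof output."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def audit(lsof_text, resolve=fake_resolver):
    """Per-process count of distinct remote peers, split by PTR classification."""
    report = defaultdict(lambda: {"peers": 0, "residential": 0, "infrastructure": 0, "unknown": 0})
    seen = set()
    for command, _pid, ip, _port in parse_established(lsof_text):
        if (command, ip) in seen:  # one process may hold several sockets to one peer
            continue
        seen.add((command, ip))
        report[command]["peers"] += 1
        report[command][classify(resolve(ip))] += 1
    return dict(report)


def flag_fan_out(report, min_peers=3, max_infra_share=0.5):
    """Processes with many peers of which at most half look like service infrastructure."""
    return sorted(
        command
        for command, c in report.items()
        if c["peers"] >= min_peers and c["infrastructure"] / c["peers"] <= max_infra_share
    )


if __name__ == "__main__":
    report = audit(SAMPLE_LSOF)
    for command, counts in report.items():
        print(command, counts)
    print("high fan-out to non-infrastructure peers:", flag_fan_out(report))
```

The thresholds are deliberately loose: a browser with a few tabs open legitimately talks to a handful of CDNs, so the signal is the combination of a large peer count and peers that resolve to customer pools or to nothing at all, which is exactly the pattern a peer-to-peer client produces and a client-server one does not.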

If you assume that everything is kosher, compared to other streaming services the only downside is the extra network traffic in the “up” direction from your computer to all the other Spotify customers you’re connected to. If you’re on fixed broadband, neither the volume nor cost of that is likely to be significant. If you use mobile internet and pay for your data, it may be more of a concern.

No worries then if you trust Spotify. You have to trust them because the technical details are a secret, and the network traffic is actually encrypted. So cross your fingers and hope that their software is behaving responsibly on your computer, and also hope that their design is robust enough to stop it being hacked. (And, for the latter, almost no software is.)

With my background in internet security, I have a few rough ideas on how I might hijack the hidden Spotify connection between your computer and my computer to plant bad software on your system. Not that I would, of course.

(I only use Linux, but I haven’t bothered to try the specific Spotify client, which originally only worked with Premium accounts (maybe still the case?). The latest Windows software for Spotify works fine on Linux, with Wine providing the Windows compatibility.)
