How could a simple music-sharing feature potentially expose users’ private identities? Spotify’s recently reintroduced messaging function, designed to keep users engaged within the platform, has raised significant privacy concerns among users who fear unintended identity exposure through the app’s link tracking system.
The feature, which began rolling out to users aged 16 and older in select markets, allows for sharing songs, podcasts, and audiobooks directly within Spotify through encrypted messaging. While Spotify emphasizes that messages are secured “in transit and at rest,” security experts point to a more subtle privacy issue that many users have overlooked—the unique tracking URLs generated whenever content is shared.
Every song share creates a distinct URL containing a “?si=” parameter followed by a 16-character code that potentially connects users who have received or shared the same links. More concerning for privacy advocates is Spotify’s practice of backfilling historical sharing data, even from external platforms like WhatsApp, to map user connections and suggest contacts. Cybernews experts strongly recommend disabling the messaging feature in app settings to protect user privacy.
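One way to keep the “?si=” code out of links before they are pasted into another platform, shown as an added example rather than anything from Spotify or Cybernews. The host name `open.spotify.com`, the function names, and the sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: share links use this host; the article names only the "?si=" parameter.
SPOTIFY_HOSTS = {"open.spotify.com"}
TRACKING_PARAMS = {"si"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def strip_share_id(url):
    """Return (clean_url, removed_values) for a single URL."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in SPOTIFY_HOSTS:
        return url, []          # leave non-Spotify links untouched
    kept, removed = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in TRACKING_PARAMS:
            removed.append(value)
        else:
            kept.append((key, value))   # other parameters are preserved
    return urlunsplit(parts._replace(query=urlencode(kept))), removed

def sanitize_message(text):
    """Rewrite every Spotify link in text; return (new_text, removed share ids)."""
    removed_all = []

    def _sub(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:!?)")     # trailing punctuation belongs to the sentence
        clean, removed = strip_share_id(url)
        removed_all.extend(removed)
        return clean + raw[len(url):]

    return URL_RE.sub(_sub, text), removed_all

# Constructed sample: the ids, si values and the "t" parameter are made up.
SAMPLE = (
    "listen to this: https://open.spotify.com/track/EXAMPLETRACKID?si=abcdef0123456789, "
    "and this https://open.spotify.com/episode/EXAMPLEEP?si=0123456789abcdef&t=90 "
    "(unrelated: https://example.com/page?si=keepme)"
)

if __name__ == "__main__":
    cleaned, ids = sanitize_message(SAMPLE)
    print(cleaned)
    print("removed share ids:", ids)
```

This only affects links shared from now on; it does nothing about links that were already posted with the code attached.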
This system has particularly alarmed users in online communities where anonymity is valued. “I’ve shared Spotify links in Discord servers where no one knows my real identity,” one user reported. “Now I’m terrified those connections will expose my personal account with my real name and photo attached.”
The implications extend beyond simple discomfort. Users with separate online identities or those who participate in anonymous support groups could face unwanted exposure through Spotify’s suggestion algorithms. The messaging feature was previously discontinued in 2017 due to low user engagement before its controversial relaunch.
While the platform offers options to reject message requests, block senders, and opt out of the messaging feature entirely, many users argue these controls come too late if their sharing history has already been indexed. Musicians who rely on the platform should consider registering with performance rights organizations to ensure their royalties are properly tracked regardless of how their music is shared.
Spotify has implemented various security measures, including encryption and content moderation, but the fundamental concern remains: a music sharing platform has inadvertently created a potential doxxing mechanism that could reveal users’ carefully maintained separate digital identities without their informed consent. This privacy issue is particularly concerning for musicians who rely on streaming royalties from Spotify as a significant part of their diversified income streams.