According to a new study, only three songs from a playlist can be used to identify the curator from a lineup.
Researchers in Israel conducted experiments to see if the choice of songs could be associated with their curator even without knowing their musical tastes.
They found that undergraduate students were able to identify others based on three pieces of music – but the experts didn’t infer how they did.
The results are worrying as streaming giants could identify potentially anonymized users based on their listening habits, “posing a significant threat to privacy disclosure”.
According to the researchers, three songs from a playlist are enough to identify the person who selected the songs. Hence, companies like YouTube and Spotify (pictured) can collect a lot of information about their users based only on their music choices
SPOTIFY USERS FURIOUS TO UK PRICE HIKE
Spotify will increase the prices of its premium subscriptions in the UK from April 30th.
Several frustrated users took to Twitter this afternoon to discuss the price hike. One claimed that Spotify was “getting too big for its boots”.
A Spotify spokesperson said the service had 70 million tracks and 2.2 million podcasts, giving listeners “more value than ever”.
Spotify price increases:
– Premium Student – was £ 4.99 / month increasing to £ 5.99 / month
– Premium Duo – was £ 12.99 / month increasing to £ 13.99 / month
– Premium Family – was £ 14.99 / month increasing to £ 16.99 / month
The new study, published in Telematics and Computer Science, was written by Dr. Ori Leshman from Tel Aviv University and Dr. Ron Hirschprung from Ariel University.
“Music can become a form of characterization and even an identifier,” say the authors.
‘It provides commercial companies like Google and Spotify with additional and more detailed information about us as users of these platforms.
“In the digital world we live in today, these results have far-reaching implications for data breaches, especially as information about individuals can be inferred from a completely unexpected source that does not protect against such breaches.”
The team’s study included approximately 150 young people, all of whom were students, divided into four groups of approximately 35 people each.
The group members did not know each other well – they had “the slightest acquaintance” – and had no prior knowledge of each other’s musical tastes.
In each group, five participants were asked to anonymously select three songs or pieces of music that they liked or were “touched” by from their preferred playlist.
The rest of the participants in each group had to identify these five people using just these three songs.
“They could see each other, but the subjects identified were separate from the group and couldn’t give any clues about their faces, for example,” said Dr. Hirschprung opposite MailOnline.
Graphic summary of the researchers’ work. The study shows that these records can be used to identify users even if they are anonymized
So the participants knew what they looked like, but weren’t allowed to talk to each other beforehand.
The variety of music was diverse, ranging from classic rock and pop, including the Beatles, Pink Floyd, Beyonce and Ariana Grande, as well as old and new Israeli music and international hip hop such as Kendrick Lamar and Eminem.
The results showed that the participants could identify themselves at a very high level between 80 and 100 percent according to their taste in music.
The researchers aren’t sure how they did this, though – although MailOnline suggested that the appearance of the participants could have been a strong factor.
In this day and age, we mainly consume music on demand via streaming services such as Spotify, Apple Music and YouTube (pictured), which are owned by Google
“The definition of the factors used in the identification process is a very good question that we don’t have an answer to right now,” said Dr. Deer jump.
‘It was our hypothesis that musical selections might lead to identification, and our research has proven it.
“In more research that we are now doing, we are trying to make further progress and address this issue.”
The researchers took into account the likelihood of a successful arbitrary guess.
This, it is said, “provides conclusive evidence that re-identification based on music selection is possible so that the threat is real”.
A common way to protect our identities when we use online services is to remove certain identifiers such as name or address from records – something known as “anonymization”.
However, this approach is “naive”, say the study’s authors, as in many cases it allows re-identification based on what they call “quasi-identifiers”.
Quasi-identifiers are information that describe the individual but are not unique to that individual, such as: B. the age.
In a medical record, for example, there is a risk of re-identification of the person using quasi-identifiers such as age and blood pressure, even if the data record is anonymized.
“In this study, we examine an interesting and unexpected new quasi-identifier – an individual’s musical choices that represent their musical preferences,” say the authors.
Spotify, one of the streaming giants named in the study, anonymizes the personal data of its users when they request it.
“Streaming agents can cross data (with Google, Facebook) and thus achieve de-anonymization,” said Dr. Deer jump.
‘This technique has been widely demonstrated and used in other areas. So our claim that music choices are identifiers is revolutionary. ‘
MailOnline contacted Apple, Spotify and Google, which owns YouTube, to comment on the study.
In a statement, a Google spokesperson said: ‘We use the information we collect to customize our services [for its users] This includes recommendations, personalizing search results, and serving relevant ads.
“While these ads help fund our services and make them free for everyone, your personal information is not for sale.”
ANONYMIZING DATA “NOT ENOUGH TO PROTECT PRIVACY”
The UK General Data Protection Regulation (GDPR) does not apply to anonymized personal data.
According to the rules of the GDPR, organizations can only sell personal data by “anonymizing” it.
This means that the principles of data protection “should not apply to anonymous information”, according to recital 26 of the regulation.
Making data anonymous is therefore a valuable tool that can be used to share data.
According to a 2019 study, data protection laws that require an individual’s data to be anonymized do not prevent individuals from being identified.
Businesses today often sell anonymized data to third parties for a variety of uses, including analyzing and verifying audience participation.
It does this by removing the data used to identify traits such as names and email addresses so that people cannot theoretically be identified.
After this process, the data is no longer subject to data protection regulations, so it can be freely used and sold.
However, researchers from Imperial College London and the University of Louvain in Belgium showed that machine learning can be used to reverse this process.
Read more: The anonymization of personal data is not enough to protect privacy.