Interesting last sixty days for Pandora, privacy-wise. Here’s a timeline, going backwards.
April 5: The Veracode software security company says that it ran tests on Pandora Android application and discovered that the app "appears to be integrated with a number of advertising libraries."
Specifically we found FIVE (yes that’s FIVE!) advertisement libraries compiled into the application: AdMarvel , AdMob , comScore (SecureStudies) , Google.Ads , and Medialets . Looking even closer, we analyzed each of the modules to determine the type of data they access.
The first library we decided to break apart was the AdMarvel and AdMob libraries. The AdMarvel library references the AdMob library fairly significantly. AdMob in particular accesses the GPS location, application package name, and application version information. Additionally there were variable references within the ad library that appear to transmit the user’s birthday, gender, and postal code information.
A couple of days later, Veracode backtracked on the GPS access finding, but stood by the rest of its research.
On the same day (April 5), the Wall Street Journal reiterated its own findings about Pandora, first reported in December.
"In Pandora’s case," the newspaper noted, "both the Android and iPhone versions of its app transmitted information about a user’s age, gender, and location, as well as unique identifiers for the phone, to various advertising networks. Pandora gathers the age and gender information when a user registers for the service."
April 4: A day earlier, Pandora noted the following in an amendment to its Security and Exchange Commission S-1 form submission (the company plans to go public):
In early 2011, we were served with a subpoena to produce documents in connection with a federal grand jury, which we believe was convened to investigate the information sharing processes of certain popular applications that run on the Apple and Android mobile platforms. While we were informed that we are not a specific target of the investigation, and we believe that similar subpoenas were issued on an industry-wide basis to the publishers of numerous other smartphone applications, we will likely incur legal costs related to compliance with the subpoena, management’s attention could be diverted and there is no guarantee that we will avoid costly litigation. Any claims or allegations that we have violated laws and regulations relating to privacy and data security could result in negative publicity and a loss of confidence in us by our listeners and our advertisers, and may subject us to fines by credit card companies and loss of our ability to accept credit and debit card payments.
February 11: Pandora files its first S-1 form.
"Existing privacy-related laws and regulations are evolving and subject to potentially differing interpretations, and various federal and state legislative and regulatory bodies may expand current or enact new laws regarding privacy and data security-related matters," Pandora notes.
We may also be required to expend significant resources to adapt to these changes and to develop new ways to deliver relevant advertising or otherwise provide value to our advertisers. In particular, government regulators have proposed ‘do not track’ mechanisms, and requirements that users affirmatively ‘opt-in’ to certain types of data collection that, if enacted into law or adopted by self-regulatory bodies or as part of industry standards, could significantly hinder our ability to collect and use data relating to listeners. Restrictions on our ability to collect, access and harness listener data, or to use or disclose listener data or any profiles that we develop using such data, would in turn limit our ability to stream personalized music content to our listeners and offer targeted advertising opportunities to our advertising customers, each of which are critical to the success of our business.
June 12, 2009: "I wish that Pandora Internet radio made it a little more obvious that you’ve got to adjust your profile options if you don’t want the whole world to know what you listen to," I wrote back then on Radio Survivor.
Not that anyone cares what I write about these matters, but it does appear that Pandora’s privacy practices are catching up with the firm.
