Subscribe by email, free
Your daily briefing for podcasting and on-demand

Podcast apps, privacy, and GDPR

December 20, 2018 · Updated January 16, 2019 · By James Cridland · 5.9 minutes to read

With the release of NPR's RAD specification for podcast consumption data, many commentators have expressed concern that it is "a privacy violation and a GDPR liability". We thought we'd look into that. Turns out it's rather more complicated.

How does RAD work?

NPR's RAD specification is relatively simple. A RAD-enabled podcast player will spot timestamps in a podcast - perhaps one's at the start of a commercial mention, or another is at the front of a story. It will then report back to a "RAD tracking server" when someone listens to that part of the podcast.

Stacey Goers from NPR Digital Media says that "Contributors to the RAD spec understand that privacy is a product requirement. Podcast advertising and technology is changing rapidly and we know RAD is a thoughtful and privacy-protective approach to have those who care about the sustainability of the business define its future."

Podnews operates a RAD tracking server - and here's the full data that the RAD specification might feed back to us when someone listens our podcast 1 minute 2 seconds in:

{"audioSessions": [{"sessionId": "D8DA0640-1D2F-446A-9D7C-A590FE4F8BB2", "podcastId": "podnews", "episodeId": "181211", "events": [{"eventTime": "00:01:02.000", "label": "Second story"}]}]}

The RAD tracking server is operated by the podcast publisher, or someone on their behalf; and if a podcaster doesn't add RAD tags into their podcast, nothing gets sent anywhere.

The "sessionID" is a random bit of text that identifies a device, and it changes once every 24 hours. (The reason it's there is to allow publishers to spot people coming back later to continue listening - otherwise they'd claim they were two separate people).

There's no personal data here. It's true that RAD is, by itself, privacy-protective.

But this information is sent over an HTTP request

An HTTP request is what runs the internet - on a basic level, the internet doesn't work without them. When you clicked the link to read this page, you sent an HTTP request to Podnews's webserver, so that it could send the page back to you. When I just did that, it looked something like...

IP Address:
Path: /articles/podcast-apps-privacy-gdpr
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X
            10_14_1) Chrome/71.0.3578.98
Accept-language: en-AU,en-GB

...this is very simplified, but on a basic level you can see a few things here: an IP address (my internet connection's unique address on the internet); what type of computer I have; and even what languages I've configured on it.

An IP address looks like a random set of numbers, but you can look it up and you'll discover that my IP address is in Brisbane, Australia; and every single request on the internet that I make is accompanied by this IP address. (PS: This one's not really mine.)

We spoke to Rowenna Fielding, who works for Protecture, a company giving advice on data protection and GDPR, based in the UK.

She told us that IP addresses "are treated as personal data if they allow a living individual to be pinpointed. In the case of an app downloading content, it’s very likely that the server logs will contain personal data because of the additional information like device, date and time, and so on."

Any tracked RAD timestamp will also come with these HTTP headers, including the IP address. So it's perfectly possible for someone to take the RAD consumption data and add the information from the HTTP header to it: and then it doesn't look as private.

This isn't an issue with RAD

HTTP headers and IP addresses make the internet work, and they're used for nearly everything we do online.

You might have shared your IP address and your computer's make and model with a RAD tracking server... but you also share it with every podcast you download.

Here's an actual line from our webserver, when someone asked for our podcast just now...

2018-12-19 08:32:48
     (iPhone; U; CPU OS 12_1_1; en_gb) can see a date/time; an IP address, and a user agent.

This is a user in Paris. They've just downloaded yesterday's podcast; they have an iPhone running a slightly outdated version of iOS 12; and it's configured in British English.

This is nothing to do with RAD - yet, I already know quite a lot about this user - certainly enough to spot them again.

A RAD tracking event tells me very little more - other than someone actually listened. Assuming that they stay on the same IP address, I can probably tie this information together.

So: is RAD a privacy problem? No. The act of downloading a podcast is.

Who GDPR applies to, and what it actually is

GDPR is the European Union's privacy law. For the consumer, it aims to answer the question: "Who has my personal data, and what are they going to do with it?"

NPR's Stacey Goers tells us: "It is the responsibility of publishers, mobile apps and analytics providers that use RAD to adhere to all applicable and other laws, including to the GDPR for those it applies to."

GDPR applies to people and organisations located in the EU; but most podcast apps are available globally, and the podcasts themselves are, too. So realistically, every single app and online service needs to comply with GDPR, if it's likely it'll be used by a European. "For those it applies to", in NPR's statement, realistically means "everyone".

When you hit "play" or "download" on a podcast, you are - irrespective of RAD - making an HTTP request to the podcast host. You're giving a podcast host - whether it's Libsyn, ART19 or ourselves (since we self-host) - your personal data: your IP address, the type of device you use, all of that.

But from what you can see, would you know that the audio of this podcast is hosted on behalf of a company owned by Rupert Murdoch, for example?

Our GDPR expert, Rowenna Fielding again: "The podcast app/platform needs to make it very clear in privacy info that when content is downloaded, there is personal data transferred to the content distributor (the host). The distributor also needs to clearly explain what they will do with the personal data."

Are podcast apps clear about their privacy?

Every podcast app will leak your personal data to whoever it is who hosts the podcast when you download it. Some acknowledge how this works.

Overcast's privacy policy says: "Overcast displays links and content from third-party podcast feeds and sites, and downloads podcast files directly from each podcast’s third-party servers. These have their own independent privacy policies, and we have no responsibility or liability for their content or activities."

NPR's says: "As you navigate our Services, we and our service providers also automatically collect a variety of information about your interactions with our Services" and goes into considerable detail about what they might share.

Pocket Casts doesn't acknowledge this at all. Mind, nor did we on our podcast pages either. (We do now.)

However, from the user interface of any of the podcast apps we've used, the user isn't informed who ultimately hosts that podcast, and what that end company is going to do with your personal data, partly because that information isn't available to the podcast app.

"I think if the end user is completely uninformed about where their data is going, for what and who is involved, then there is likely to be a contravention of GDPR going on," added Fielding.

And why does all this matter?

In Saudi Arabia, for example, homosexuality is illegal and the death penalty is applied. Listening to a gay podcast is, all of a sudden, a life-threatening pastime.

Plenty more subjects are illegal in various countries; and the global nature of podcasting means that many items discussed may be against local laws. Many countries may imprison their citizens for what they access online.

So, is RAD “a privacy violation and a GDPR liability”?

No. At least, no more so than podcast apps.


<< Podcast analytics in the spotlight

Our supporters (become one)

Get a global view on podcasting and on-demand with our daily news briefing

Subscribe to our daily newsletter by email, free