Spotify is a music streaming service. It allows users to listen to songs without charge, in exchange for hearing occasional adverts that pay for royalties and service costs. A premium service allows subscribers to download playlists that can then be heard offline. This started on mobiles with an app, but Spotify recently extended it to become a web service available via PC browsers.
The Downloadify Chrome extension provided a simple option to save the music to disk without DRM. This, it has to be said, is simply illegal. Although the extension is still available on the web (not via the Chrome store) it no longer works – indicating that Spotify has closed the hole. The incident has, however, led to widespread surprise that Spotify should leave its library unencrypted. “Seems they forgot to encrypt their music (free to download),” tweeted the Downloadify author, Robin Aldenhoven.
“The Downloadify creator, Robin Aldenhoven of South Holland, has been active on Twitter and blames Spotify for a lack of encryption on the HTML5-based Spotify Web player,” reports Digital Trends. “According to Aldenhoven’s recent tweets, he advocates paying for Spotify’s service, but created the Downloadify exploit to bring attention to the missing encryption.”
Almost all reports concentrate on this lack of encryption, implying, if not specifying, that encryption is the solution. But it’s not that easy. “Security defects come in two flavors,” explains Paco Hope, principal consultant at Cigital: bugs in the code and flaws in the design. “The latest Spotify issue is a flaw, but anyone who blithely says ‘they should have used encryption’ hasn't thought this problem through very far.”
The problem is that if Spotify encrypts, the listener has to decrypt. Since it is a streaming service, the act of decryption has an effect on the quality of the sound. “Neither Spotify nor the rightsholders want the sound quality degraded or jittery, because encryption interferes with the smooth delivery of audio data,” says Hope. What’s more, he adds, “some embedded devices that are in the market today supporting Spotify can't have encryption retrofitted into them. They would simply lose access to Spotify if the music streams became encrypted.”
The issue here is a flaw in the design, not a bug in the software. “We can call this a flaw because it is an aspect of the architecture,” says Hope. “Fixing it requires a new design and changes that ripple across their entire ecosystem. But it is easy to see how they ended up where they are. And frankly, given their constraints of access control, user experience, and ubiquity, it isn't clear how they could retrofit cryptography into their design.” In general, flaws need to be fixed at the design stage, while bugs can be cured later.