Spotify Messages can reveal your profile to anyone you’ve ever shared music with

TL;DR

  • Spotify recently introduced a new Messages feature that connects users via past song shares and activities.
  • These connections can expose user identities through trackable URLs shared previously, including with strangers.
  • You can opt out of the Messages feature in your app settings or remove the tracking parameters from URLs before sharing them.

Spotify recently announced a new Messages feature, adding a layer of communication and social discovery to the music streaming app. Spotify Messages is rolling out to Spotify Free and Premium users aged 16 years and older in select markets on mobile devices. If the feature has already rolled out to you, there is some fine print that you should be aware of, lest you unintentionally expose your identity.


Reddit user sporoni122 spotted a few “suggested friends” under Spotify Messages that they did not recognize. The user then realized that these were people with whom they had shared music on Spotify in the past. This wasn’t an issue before, as the music streaming app had no element of direct social interaction. But now, anyone the user has shared music with, including strangers on the internet through Discord or other pseudonymous platforms, can trace the share back to them, see their profile photo and name, and potentially message them.

As Reddit user Reeceeboii_ highlights, any time you share a song from within Spotify, it generates a unique tracking URL linked to your account. Spotify can join the dots between the sender and receiver whenever anyone clicks on this unique URL. People have allegedly noticed that Spotify has retroactively filled out the history of song shares in the Messages feature, which is possible through these tracking URLs.

Spotify is far from the first or only app that does this — practically every app, service, and website uses tracking URLs and has been doing so for decades at this point. However, for Spotify users, this might be the first time they notice a tracking URL shaping a social feature, which can be unnerving, especially if they want to retain some anonymity on their Spotify profile.

You can bypass tracking URLs by removing the query parameter from them. For most URLs, it’s the code that follows the “?”. For example, if the Spotify URL is https://open.spotify.com/track/0PsBajvo0g7bLLHxwH3Sk0?si=8dyy8ff75d4a4fa8, then ?si=8dyy8ff75d4a4fa8 is the tracker parameter that can be removed. You lose out on social features that the tracker enables, but chances are that you can live with that trade-off. If you aren’t sure what parts of the URL are essential, you can also use websites like LinkCleaner to clean them easily.
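The manual step above can be automated for text you are about to paste into a chat. The following is an added example, not code from the article or from Spotify: it removes only the `si` parameter from `open.spotify.com` links (both taken from the article's example URL) and leaves every other link and parameter untouched. The function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Host and parameter name are the ones shown in the article's example URL.
SPOTIFY_HOSTS = {"open.spotify.com"}
TRACKING_PARAMS = {"si"}

# Loose matcher for http(s) links embedded in free text.
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def strip_share_tracker(url: str) -> str:
    """Drop the share-tracking parameter from a Spotify link.

    Links to any other host are returned unchanged, because the same
    parameter name may be functional elsewhere.
    """
    parts = urlsplit(url)
    if (parts.hostname or "") not in SPOTIFY_HOSTS:
        return url
    # Keep every query parameter except the tracker; values are re-encoded.
    kept = [
        (key, value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
        if key.lower() not in TRACKING_PARAMS
    ]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def clean_message(text: str) -> str:
    """Clean every Spotify link inside a message before it is shared."""
    def replace(match: re.Match) -> str:
        raw = match.group(0)
        # Sentence punctuation glued to the link is not part of the URL.
        url = raw.rstrip(".,;:!?")
        return strip_share_tracker(url) + raw[len(url):]
    return URL_RE.sub(replace, text)


if __name__ == "__main__":
    # Constructed sample message using the article's example link.
    sample = ("Listen to this: https://open.spotify.com/track/"
              "0PsBajvo0g7bLLHxwH3Sk0?si=8dyy8ff75d4a4fa8, it's great.")
    print(clean_message(sample))
```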

In its announcement, Spotify explicitly mentioned that it would suggest people to message based on whether you’ve previously shared Spotify content with them, joined Jams, Blends, or collaborative playlists together, or if you share a Family or Duo plan. Users will have the choice to accept or reject message requests from friends and family. If you hate the idea, you can block other users and opt out of Messages entirely through Settings > Privacy and social > Social features.
