TechCrunch Says CBS Gave Data to RIAA, But Proof Is Elusive

May 26, 2009 06:29 PM
by Liz Colville
TechCrunch and are battling over whether the music streaming site’s parent company, CBS, gave personal information about its users to the Recording Industry Association of America.

TechCrunch Accuses CBS, Not

TechCrunch received a tip in February from a source suggesting that RIAA “asked social music service for data about its [users’] listening habits to find people with unreleased tracks on their computers.”

Coinciding closely with the early leak of U2’s 2009 album “No Line on the Horizon,” the tip-off suggested that submitted data such as IP addresses and user names to the RIAA. The London-based is a site where users freely stream music and receive music recommendations based on user preferences. The U.S.-based CBS bought the start-up for $280 million in 2007, The New York Times reported.

A CBS spokesperson told TechCrunch in an e-mail, “To our knowledge, no data has been made available to RIAA,” but later followed up that e-mail by requesting that the statement be attributed to, not CBS. “This is a issue, not a corporate issue. The posting represents’s response,” said Shannon Jacobs, VP of Communications at CBS, according to TechCrunch.

A founder, Richard Jones, then told TechCrunch in a comment that the story was “utter nonsense and totally untrue,” while systems architect Russ Garrett said in an e-mail, “Of course we work with the major labels and provide them with broad statistics, as we would with any other label, but we’d never personally identify our users to a third party—that goes against everything we stand for.”
Jones then added in a clarification of his own: “The only type of data we make available to labels and artists, other than what you see on the site, is aggregate data of listeners and number of plays.”

TechCrunch’s Michael Arrington clarified the blog’s claims on May 22 by asserting that CBS handed the information over, not Arrington also wrote that the person who leaked the news of the data breach to TechCrunch’s source was a CBS employee whose position has since been terminated. At the end of his post, Arrington addressed the fired employee. “[W]e believe certain U.S. Whistle Blower laws may protect you from retaliation from CBS in this matter,” Arrington wrote. “We’d like to provide you with legal counsel at our cost.”

After an angry exchange with’s Richard Jones on Twitter, which was captured in an image by The Guardian,’s Russell Garrett issued another denial of the claims and said he hoped CBS would follow suit. Meanwhile, on May 25 an RIAA spokesperson denied RIAA involvement in the controversy. “We’ve made no such request for this information,” the spokesperson was quoted as saying by The Wall Street Journal.

Qwidget is loading...

Opinion & Analysis: What’s at stake for and its users?

The claim

In a May 22 update of Erick Schonfeld’s February story, TechCrunch’s Michael Arrington surmises that “CBS requested user data from, including user name and IP address. CBS wanted the data to comply with a RIAA request but told the data was going to be used for ‘internal use only.’”

TechCrunch’s sources suggest only later “discovered the real reason for the request” and that its staff was “outraged.” Arrington also reasons that one or several music labels represented by the RIAA, rather than the trade organization itself, may have made the requests to CBS.

The legal ramifications

It is common for music sharing sites like to share “aggregated statistics” with groups like the RIAA, says Sarah McBride in The Wall Street Journal. The difference here is that and CBS are allegedly “going beyond sharing aggregated statistics and into the realm of sharing individual user information.”

If TechCrunch’s claims are true, could be in violation of its privacy policy. In its privacy policy, says that it may be “required to disclose personally identifiable information by a court, the police or other law enforcement bodies for their investigations, regulation or other governmental authority,” but that it will otherwise “take all reasonable measures to ensure that your personally identifiable information remains private.” could also be in violation of the European Union’s Data Protection Directive of 1995. A Data Protection Guide to the law on the European Commission Web site says that data transferred from E.U. countries “can only be transferred to countries outside of the EU that guarantee an ‘adequate’ level of protection” of the data.

Calling TechCrunch’s claim a “very serious accusation,” the Guardian notes that the U.K. Data Protection Act is also at stake. That act states, as one of its eight principles, that personal information cannot be “transferred to other countries without adequate protection.”

Most Recent Beyond The Headlines