Conclusion

This book—and the project on which it is based—proactively engaged with a well-known problem of access to media industries. Media companies whose main outputs are defined as information goods protected by intellectual property standards understandably prefer secrecy over public scrutiny, especially when heavily investing up front in the development of such property, as in the film industry. In order to avoid potential harm to their products and brands, these companies regularly use gatekeeping arrangements when interacting with scholars. Research interest is sometimes ignored, but it is also often welcomed, provided that it can be vetted, filtered, and guided in order to impose symmetry or at least balance between the legal and ethical interests of both the researcher and the researched. Sometimes, this balance of interest is secured in strictly formal ways and includes nondisclosure agreements, endorsements, or method sanctioning. Sometimes, it develops more informally, built on trust, mutual respect, and the fact that many, if not most, media executives have both an academic background and a vested interest in studies of their operations that differ from business consultancy. A host of remarkable academic studies and recent industry-academic cooperations testify to the potential and prospects of this research.¹

While digital industries are not necessarily an exception to this rule, it is hard to overlook the fact that the dynamics surrounding the issue of access have developed on somewhat different terms. Generally speaking, companies like Spotify obtain existing copyrighted content from sources they do not directly control, distribute this content, and produce customer data based on the interest the content generates. Spotify USA’s Terms and Conditions of Use organize this arrangement by granting users a “limited, non-exclusive, revocable license to make personal, non-commercial, entertainment use of the Content.”² Users, in turn, have to grant Spotify a “non-exclusive, transferable, sub-licensable, royalty-free, perpetual, … irrevocable, fully paid, worldwide license to use, reproduce, make available to the public, … publish, translate, modify, create derivative works from, and distribute any of your User Content in connection with the Service through any medium.” Users also are required to allow the service to use the processor, bandwidth, and storage hardware on their devices, to “provide advertising and other information,” and “to allow our business partners to do the same.”³

There are no specific regulations for academic researchers or journalists defined in Spotify’s terms of service, but the user guidelines do not permit, “for any reason whatsoever,” any “reverse-engineering, decompiling, disassembling, modifying” of the service; “artificially increasing play count or otherwise manipulating the Services by using a script or other automated process”; or any “crawling” of the Spotify service “or otherwise using any automated means (including bots, scrapers, and spiders) to collect information from Spotify.”⁴ Facebook’s Statement of Rights and Responsibilities, in contrast, allows for the possibility of informed consent when it comes to the use of bots or scrapers.⁵ Likewise, Twitter suggests the possibility of prior consent in regard to bots and scraping and explicitly allows crawling the service.⁶

On the one hand, the process of getting access to Spotify was framed through these strictly formal, comparatively restrictive, and user-unspecific guidelines. Although the legal status of such guidelines remains unclear, they firmly articulate the company lawyers’ position regarding user rights. On the other hand, when we initiated this research project, Spotify employees were open to conversations probing mutual interests. An early suggestion made in this context was to engage in writing the company’s history while access to data was denied. Spotify’s suggestion resonated with an implied division of labor between a humanities project such as the one presented in this book and the company’s long-term engagement with engineers and computer scientists working at the KTH Royal Institute of Technology. For the four-year duration of the project, access to Spotify employees was individually granted for thematically specified interviews, but establishing rapport on an organizational level failed.

The process of accessing Spotify remained a constant topic of self-reflective inquiries within the project itself. For instance, after a meeting in May 2014, a team member noted the following in an autoethnographic field diary:

Seems as we all agree that it’s important to establish a contact with Spotify, but we also feel the need to protect the integrity of the project. I don’t really have a clear position on the issue. I’m used to thinking about research ethics, but in this case, there are no human subjects involved (unless we contact Spotify’s employees), and the other project members seem more experienced with this type of research. We acknowledge that there are certain criticisms within the music industries against our project, which is seen as an anti-industry project.… We have been in touch with a head of department at Spotify. There’s also a professor and a PhD student connected to Spotify that we might get in touch with. But how should we go about it? After some discussions, we decide to take the official path to Spotify, try to arrange a meeting where we will let them introduce themselves, and then possibly we can get a chance of doing interviews, etc. We decide to draft an email asking if they can meet us before summer to present their work.

The research group subsequently learned that the Norwegian music streaming service WiMP (now Tidal) had shared its data with researchers in an academic project hosted at the University of Oslo, “Clouds & Concerts: Trends in Music Culture.”⁷ Compared with WiMP’s willingness to provide access to streaming and search logs from anonymized users of the service in Norway over a total of seventy-two weeks, Spotify’s uncompromising rejection of uncommissioned research seemed all the more debatable.

We have heard from other researchers that they have tried to interview Spotify but that there was no particular interest from Spotify’s side. On the other hand, we know that the Norwegian project managed to cooperate with WiMP, getting data from the company.

Spotify is moving towards an IPO. This determines how they may interact with researchers, and we mull over the question of why they are inaccessible. WiMP wants to contribute to Norwegian cultural life and to promote Norwegian artists. But Apple, Google, and Spotify are perhaps more characterized by being closed off. Could we appeal to their social responsibility?

In the early fall of 2014, we also discussed the following:

Nothing seems to happen with the formal email, and we tend to get back to the question about contacting Spotify whenever we meet, but no one seems particularly eager to approach them. I don’t know if it is simply because it is more of a challenge to do research “from the outside” or if there are other reasons. In Berlin in August, we discussed whether it would be better to avoid the formal contacts and let project members approach them individually rather than “the project” approaching “the company.” The reluctance towards approaching Spotify is also related to our need to be able to show some basic knowledge of what they are doing, which we believe can be gained from working with digital methods.

In November of 2014, one of us got in touch with a Spotify representative after having inquired about participating in a tech meetup event organized by Spotify in November. By joining this event and conducting interviews afterwards, we received valuable information about Spotify’s peer-to-peer architecture, but overall the findings from interviews remained meager. Simultaneously, the group had a first meeting with programmers at Humlab, Umeå University’s digital humanities lab, which increased the interest in developing a complementary perspective based on digital methods.

It’s our first meeting with the Humlab programmers. The programmers ask if we have been in touch with Spotify. We consider that it is difficult because of business secrecy, requiring us to design alternative means of access to this system (e.g., by throwing our own material into the system). How to upload files, what kind of metadata, which requirements exist for that? Spotify defines explicit frameworks for music distribution, but there is so far not much documentation available about these frameworks. We plan to begin like amateur musicians, loading up music via aggregators manually. Then we aim to register a record label more formally. We have tested one aggregator already. One initial finding is that uploaded songs have to be at least twenty seconds long. Another topic of discussion is our interest in technology and how we have been in touch with a department head at Spotify who is interested in getting the company history written but unwilling to share any data. Now there is a possible contact via another university. By gaining access via an API [application programming interface], we might be able to compare and see directly the difference between what is publicly communicated and what the company keeps for itself.

As these fieldnotes illustrate, negotiating and conceptualizing forms of access was vital to the project. The forms of rapport that result from such access always have strong ethical implications. Traditionally, the ethics of building rapport have been guided by the imperative of informed consent, and access implies that the research subject will not only be respected but also fully protected in its integrity by the researcher. But what happens when researchers encounter a subject that, at some point, begins to threaten their own integrity?

Methods, Law, and Ethics

Shortly after receiving Spotify’s notice (“You are hereby asked to confirm by 26th of May 2017, in written form, that you have received this notice and that the group of researchers has ended such actions in violation of Spotify’s Terms of Use”), the project group mailed a detailed response. The letter expressed understanding of Spotify’s concerns and assured the company that any action that could potentially have violated its terms of use had ended. The letter also pointed to our previous attempts at engaging directly with Spotify and offered to open a conversation about methods and results. Since the project’s plans and methods had been public since 2013, including early press coverage,⁸ the letter served as a reminder of the project’s research design and the fact that the project would soon be over.

While awaiting Spotify’s response, the project group discussed Spotify’s reasons to establish rapport at this specific and late point in time. Research interests had been communicated for four years, and project publications were still pending. Why the sudden urge to get in touch and restrict the methodology? The most likely answer was an interview that team member Rasmus Fleischer had given to Dagens Industri, a leading Swedish industry and business newspaper, a few days earlier on May 7, 2017. The story was quickly picked up by Torrentfreak and Digital Music News before spreading widely across the web.⁹ Referring to Fleischer as an “investigator” who was “funded by the Swedish government,” Digital Music News translated one of the Dagens industri interview “nuggets” as follows:

The entire Spotify beta period and its early launch was propelled by the Pirate Bay, Fleischer explained.… “They’d never have had that much attention without the Pirate Bay happening. The company’s early history coincides with the Pirate Party emerging as a hot topic, with the trial of the Pirate Bay in Stockholm District Court.” But the connection goes far deeper than that. In fact, Fleischer alleges that Spotify directly connected with the Pirate Bay. Literally. “Spotify’s beta version was originally a pirate service,” Fleischer said.¹⁰

Instead of disputing Rasmus Fleischer’s claims as quoted in the news media, Spotify used the occasion to inquire about the “methods used by the responsible group of researchers in this project,” implying that the company anticipated that more sensitive information about its services might be revealed.

In addition, and unbeknownst to the research group, Spotify’s legal counsel had contacted the Swedish Research Council—the government agency that provides funding for basic research, including this project—with a second, more specific request:

As far as Spotify understands, the project has received financial support from the Swedish Research Council. Spotify is particularly concerned about the information that has emerged regarding the research group’s methods in the project. The available information indicates that the research team has deliberately taken action that is explicitly in violation of Spotify’s Terms of Use and by means of technical methods sought to conceal this violation. The research group has attempted, among other things, to artificially increase the number of plays and manipulate Spotify’s services using scripts or other automated processes. Spotify assumes that this systematic violation of terms has not been known to the Swedish Research Council and is convinced that the Swedish Research Council aims to ensure that all research undertaken with its support in all respects conforms to ethical guidelines and is carried out properly and in accordance with applicable law. Spotify invites the Swedish Research Council to contact Spotify for a discussion about the above matter. It is Spotify’s hope that the Swedish Research Council acts resolutely in order to ensure that unruly or illegal practices cease immediately. Spotify anticipates the Swedish Research Council’s immediate response.¹¹

While there were not yet journal or book publications that could have substantialized Spotify’s claims, these allegations rested on the premise that the project systematically attempted to use digital methods against the service’s interest. Speculating that such covert research had been conducted behind the Swedish Research Council’s back, the letter more specifically suggested that the project had acted in direct violation of both “ethical guidelines” and “applicable law.” It ended with an explicit call to action against the project.

As this book has documented, research within the project used digital methods in an inventive and probing, rather than systematic, way. Only a part of the overall research activity engaged digital methods, and these methods were partly adapted from existing tools developed by the Digital Methods Initiative (University of Amsterdam) and other research groups. No part of the research concerned human subjects; the project did not violate the integrity of any Spotify user, collect any personal data related to Spotify users, or illegally share copyrighted content via Spotify. Spotify’s own corporate or competitive interests and the integrity of its service and brand were respected. Not only was the research design, with its covert or “gonzo” strategy, described in detail in the project application, but it was precisely the reason the project had succeeded in receiving funding in the first place.¹² Adopting the idea of inventive methods against a background of previous work that had struggled with creative workarounds to gatekeeper access for decades, one overall aim of the project had been to proactively engage Spotify in a conversation about its culture. Spotify’s letter could be read as precisely that. Its confluence of ethical, methodical, and legal standards therefore deserves closer scrutiny.

“Impact Culture”

In the interdisciplinary and proliferating field of research on the internet, digital methods—and views on the “digital as method”—are widespread.¹³ Apart from regularly scraping and crawling platforms such as Facebook, Google, and Twitter, researchers have previously engaged with algorithmic bias and other critical issues that require systematic approaches such as those deemed illegal by Spotify. This includes, for instance, a platform audit of hotel-rating platform Booking.com that revealed an “algorithmic system bias” based on the confluence of inputs and users, resulting in good reviews for bad hotels.¹⁴ Other researchers have established automated user profiles as inputs to algorithms as a form of audit. One example of this work employed simulated users in order to detect gender bias in online advertising, another conducted experiments to analyze Uber’s surge pricing algorithm by emulating Uber accounts, and yet another created multiple Airbnb accounts in order to identify racial discrimination against black users.¹⁵ One of the most consistent and prolific advocate of this kind of research is Christian Sandvig, who has repeatedly argued for what he calls a “consequentialist ethics of algorithms.”¹⁶ Together with the American Civil Liberties Union and journalists working for the Intercept, Sandvig has sued the US government to challenge the constitutionality of the Computer Fraud and Abuse Act (CFAA), a law that criminalizes any user activity “exceeding authorized access.” As Sandvig observes, “Terms of Service sometimes prohibit people from using Web sites for research, they prohibit users from saying bad things about the corporation that runs the Web site, they prohibit users from writing things down. They should not be made into criminal violations of the law.”¹⁷ Audit tests like those suggested by Sandvig have been regularly conducted in the offline world.

The project on which this book is based did include forms of platform auditing, yet only as part of a mixed-method approach. At the time of this writing, the applicability of contract law to an online service’s terms of service remains an issue of debate, as are these terms generally, with some scholars suggesting that companies ought to pay users for reading them.¹⁸ In October 2017, the Swedish Research Council declared Spotify’s accusations to be baseless and rejected the company’s call to action against our project.

In terms of research ethics, the project could hardly be accused of violating existing norms, as such norms are inconsistent and still being actively debated. Privacy concerns have been and still are paramount in ethics discussions among internet researchers—discussions that developed before Google, Facebook, and Twitter were founded. Given the traditional focus on how people use the internet, critical ethical concerns primarily relate to research on human subjects, especially on informed consent, and they foreground the needs and safety of vulnerable users.¹⁹ With the growing control of platforms such as Facebook, Spotify, and Google over the infrastructure enabling the recording and analyzing of social and cultural life, however, the question has been raised “how researchers are to maintain rigorous standards of scientific integrity, objectivity, accuracy, and so on, vis-à-vis corporate and government agendas that may run contrary to these standards.”²⁰ The ethics committee of the Special Interest Group on Computer-Human Interaction (SIGCHI) recommends critical industry researchers to argue

that violating TOS [terms of service] is not only ethically possible, but might even be ethically required in some circumstances. The issue is far reaching: if we abide by overly restrictive TOS, are we giving up the ability to reflect on systems that are increasingly shaping society? If we only work with permission of Large Corporation, can we ever be critical of Large Corporation? If the products and services of Large Corporation are having a profound impact, what is the obligation of the research community to understand that impact?²¹

A similar position is articulated in the Code of Conduct issued by the Association for Computing Machinery’s Committee on Professional Ethics. While some groups such as the Council for Big Data, Ethics, and Society and the Association of Internet Researchers (AOIR) are so far lagging behind, to “get your hands dirty” has become not only an accepted but a recommended research practice. When it comes to digital industries, it is “not always feasible or desirable to comply with the consent requirement.”²²

At this point, it is worthwhile to turn from Spotify’s inaccurate rendering of the project’s methodological, legal, and ethical standards to Spotify’s own norms and standards. Its letter appears as written on behalf of a formal organization, but the company in fact has a long history of moving across the entire formal-informal spectrum. For instance, think of its early unauthorized music distribution practices (described in chapter 1) or its reliance on peer-to-peer infrastructure and user devices (discussed in chapter 2). On December 29, 2017, Wixen Music Publishing, whose clients include Neil Young, Tom Petty, and many other famous musicians, filed a $1.6 billion copyright lawsuit against Spotify in a California federal court.²³ Tax evasion practices and political lobbying efforts are well documented, as are Spotify’s attempts to change its Privacy Policy to gain access to users’ smartphone sensor information, GPS coordinates, and camera in order to share this information with business partners.²⁴ In this context, Spotify’s conflation of legal, methodological, and ethical issues should not be seen as accidental. Whatever the intent of sending the letter, it effectively negotiated a new cultural norm. Given the company’s declared desire to “impact culture,”²⁵ its action taken against the freedom of academic research should be taken seriously.

Toward a New Ethics of Internet Research

In his book, Mining Capitalism: The Relationship between Corporations and their Critics, anthropologist Stuart Kirsch shows how major companies establish and maintain their own order of knowledge. While not engaging in the negative tactics of oil firms or pharmaceutical companies, digital companies such as Spotify, Microsoft, Google, and Facebook certainly manage their relationships with academia. They promote themselves as responsible, encourage diversity, and enhance their reputation through forging strategic partnerships or establishing research divisions, yet occasionally, they also spread uncertainty and doubt.²⁶ A threat of litigation can be a way to prevent unwanted studies from being conducted or published.

The basic difference between Spotify’s corporate behavior and the work of the research team presented in this book is that such critical academic research has no financial interest, is constantly assessed by critics through peer review, and is public. Spotify itself deals in secrecy, as it draws researchers into its private domain while simultaneously claiming to be of public benefit and in the interest of those communities on whose practices its services were built. In balancing the ethical responsibilities of this project against those of a multibillion-dollar company, the project’s ethical challenges appear mundane and inflated—part of a situated approach rather than global strategy. While not entirely successful in all of its undertakings, the project has worked out the boundaries of ethics in practice.

Covert research, as this book has attempted to show, may thus help “to get where others get not.”²⁷ The book has made a case for a type of research that avoids routines and being boxed in between institutional ethics boards and corporate interests, opening a space for the unpredictable. But this is not to claim that all research should be covert. Not only did overt and more conventional methods form a significant part of this project, alternative approaches to digital industries are equally productive. For instance, in his anthropological dissertation on developers of music recommendation systems, Nick Seaver pitches Laura Nader’s idea of an “imbalanced power dynamic” between researcher and subject against his own findings of an environment largely shaped by cultural factors and “subjective dynamics” that feel not only much less strategic and rational than is often assumed but also much closer to home. While Seaver emphasizes his own similarity to and sympathy for “techies,”²⁸ this book has insisted on acknowledging difference and has taken an attitude of outsideness.²⁹

Although this book has probably left more questions open than answered, we may be considered successful in forcing Spotify to read it, if only to test its own hypothesis of what ethical, legal, and methodological confluences are about. In the meantime, and probably opening a new chapter elsewhere, the research team has drafted a letter of its own, dated May 25, 2017, and addressed to the Swedish Data Protection Agency:

To: datainspektionen@datainspektionen.se

Hej!

We would like to inquire about Spotify’s compliance with the new General Data Protection regulation issued by the European Union in 2016. In particular, this relates to the Regulation’s provisions on profiling. According to the definition of “profiling,” as stipulated in article 4 point 4, “profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. Article 22 (1) explicitly provides rules on profiling as follows: “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” However, there are exceptions to this rule, outlined in the paragraph 2, 3, and 4 of Article 22. The data subject (i.e., a physical person) shall also have (albeit limited) right to object to profiling (see article 21).

Spotify has, since at least 2015, begun to invest into systems to gather so-called “contextual data” that allows them to track, and predict, user behavior. This is also called behavioral profiling in social psychology and Internet marketing. Such profiling activities seem to be in direct violation of upcoming EU regulation. They also are not made clear in any of Spotify’s offerings to users. Spotify sells its service as music streaming. We therefore would like to inquire about Datainspektionen’s view on Spotify’s activities, especially in regard to the compliance with upcoming EU legislation. We have already been in touch with EU legal bodies and would be glad to hear from you, in order to complement the information we have received. Thank you in advance.³⁰

Notes

1. See, for instance, sociologist Violaine Roussel’s Representing Talent: Hollywood Agents and the Making of Movies (Chicago: University of Chicago Press, 2017). Also see the research conducted by the Media Industries Project, University of California, Santa Barbara, especially Michael Curtin, Jennifer Holt, and Kevin Sanson, eds., Distribution Revolution: Conversations about the Digital Future of Film and Television (Oakland: University of California Press, 2014); and Michael Curtin and Kevin Sanson, eds., Precarious Creativity: Global Media, Local Labor (Berkeley: University of California Press, 2016).

2. Spotify USA, Terms and Conditions of Use § 4. Rights We Grant You, effective July 6, 2017, https://www.spotify.com/us/legal/end-user-agreement/.

3. Spotify USA, Terms and Conditions of Use § 7. Rights You Grant Us.

4. Spotify USA, Terms and Conditions of Use § 8. User Guidelines.

5. “You will not collect users’ content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without our prior permission.” Facebook, Statement of Rights and Responsibilities § 3. Safety, last revised January 30, 2015, https://www.facebook.com/terms.php.

6. Twitter, Terms of Service (US version), effective October 2, 2017, https://twitter.com/en/tos.

7. “Clouds & Concerts: Trends in Music Culture,” University of Oslo, Department of Musicology, accessed January 18, 2018, http://www.hf.uio.no/imv/english/research/projects/cloudsandconcerts/.

8. In an interview with Sweden’s main public television broadcaster SVT, Pelle Snickars described the difficulty of gaining access to Spotify and the idea of creative workarounds that included studying Spotify “from the inside.” Matilda Svensson Glaser, “De ska studera Spotify inifrån,” [They will study Spotify from within], SVT Nyheter, November 1, 2013, https://www.svt.se/kultur/musik/de-ska-studera-spotify-inifran.

9. Björn Wallenberg, “Han skriver en bok om Spotify,” [He is writing a book about Spotify], Dagens Industri, May 7, 2017, https://digital.di.se/artikel/han-skriver-en-bok-om-spotify-det-var-fran-borjan-en-pirattjanst; Andy, “Spotify’s Beta Used ‘Pirate’ MP3 Files, Some from Pirate Bay,” TorrentFreak, May 9, 2017, https://torrentfreak.com/spotifys-beta-used-pirate-mp3-files-some-from-pirate-bay-170509/; and Paul Resnikoff, “Spotify Illegally Streamed MP3s before Getting Proper Licenses, Investigator Claims,” Digital Music News, May 9, 2017, https://www.digitalmusicnews.com/2017/05/09/spotify-illegal-mp3s-investigator/.

10. Resnikoff, “Spotify Illegally Streamed.”

11. Benjamin Helldén-Hegelund (legal counsel, Spotify) to Kerstin Sahlin (secretary general, Artistic Research/Humanities and the Social Sciences, Swedish Research Council), undated. The letter was forwarded to the project’s administering university, which in turn contacted the research team.

12. The project received the highest grades with respect to methodology. Only 5 to 7 percent of project applications were funded.

13. Noortje Marres, Digital Sociology: The Reinvention of Social Research (Cambridge: Polity Press, 2017), 182.

14. Motahhare Eslami et al., “‘Be Careful; Things Can Be Worse than They Appear’—Understanding Biased Algorithms and Users’ Behavior around Them in Rating Platforms,” in Proceedings of the Eleventh International Conference on Web and Social Media (Palo Alto, CA: AAAI Press, 2017), 62–71, https://aaai.org/ocs/index.php/ICWSM/ICWSM17/paper/view/15697.

15. Amit Datta, Michael Carl Tschantz, and Anupam Datta, “Automated Experiments on Ad Privacy Settings: A Tale of Opacity, Choice, and Discrimination,” Proceedings on Privacy Enhancing Technologies, no. 1 (2015): 92–112, doi:10.1515/popets-2015-0007; Le Chen, Alan Mislove, and Christo Wilson, “Peeking beneath the Hood of Uber,” in Proceedings of the 2015 Internet Measurement Conference (New York: ACM, 2015), 495–508, doi:10.1145/2815675.2815681; and Benjamin Edelman, Michael Luca, and Dan Svirsky, “Racial Discrimination in the Sharing Economy: Evidence from a Field Experiment,” American Economic Journal: Applied Economics 9, no. 2 (2017): 1–22, doi:10.1257/app.20160213.

16. Christian Sandvig et al., “When the Algorithm Itself Is a Racist: Diagnosing Ethical Harm in the Basic Components of Software,” International Journal of Communication 10 (2016): 4972–4990, http://ijoc.org/index.php/ijoc/article/view/6182.

17. Christian Sandvig, “Heading to the Courthouse for Sandvig v. Sessions,” Social Media Collective (blog), posted October 19, 2017, https://socialmediacollective.org/2017/10/19/heading-to-the-courthouse-for-sandvig-v-sessions/. Also see “Sandvig v. Sessions—Challenge to CFAA Prohibition on Uncovering Racial Discrimination Online,” ACLU, updated September 12, 2017, https://www.aclu.org/cases/sandvig-v-sessions-challenge-cfaa-prohibition-uncovering-racial-discrimination-online; and E. Tammy Kim, “How an Old Hacking Law Hampers the Fight against Online Discrimination,” Currency, New Yorker, October 1, 2016, https://www.newyorker.com/business/currency/how-an-old-hacking-law-hampers-the-fight-against-online-discrimination.

18. Yannis Bakos, Florencia Marotta-Wurgler, and David R. Trossen, “Does Anyone Read the Fine Print? Consumer Attention to Standard-Form Contracts,” Journal of Legal Studies 43, no. 1 (2014): 1–35, doi:10.1086/674424.

19. See the contributions to Michael Zimmer and Katharina Kinder-Kurlanda, eds., Internet Research Ethics for the Social Age: New Challenges, Cases, and Contexts (New York: Peter Lang, 2017).

20. Charles Ess, “Foreword: Ground Internet Research Ethics 3.0: A View from (the) AoIR,” in Zimmer and Kinder-Kurlanda, Internet Research Ethics, xii.

21. SIGCHI Research Ethics, “Do Researchers Need to Follow TOS?,” Medium, November 30, 2017, https://medium.com/sigchi-ethics-committee/do-researchers-need-to-follow-tos-f3bde1950d3c.

22. Gerwin van Schie, Irene Westra, and Mirko Tobias Schäfer, “Get Your Hands Dirty: Emerging Data Practices as Challenge for Research Integrity,” in The Datafied Society: Studying Culture through Data, ed. Mirko Tobias Schäfer and Karin van Ess (Amsterdam: Amsterdam University Press, 2017), 183–200. Mirko Tobias Schäfer and his team also have developed the “Data Ethics Decision Aid (DEDA),” Utrecht Data School, accessed January 18, 2018, https://dataschool.nl/research/deda/?lang=en.

23. Wixen Music Publishing Inc. v. Spotify USA Inc., No. 2:17CV09288 (C.D. Calif.).

24. Much in line with Facebook’s strategy of asking for forgiveness rather than permission, Spotify CEO Daniel Ek said “Sorry” in a blog post after these changes had been made public. Daniel Ek, “SORRY,” Spotify News (blog), August 21, 2015, https://news.spotify.com/int/2015/08/21/sorry-2/.

25. Charlie Rose, “Daniel Ek CEO of Spotify | Charlie Rose,” YouTube, May 22, 2014, video, 2:26, https://www.youtube.com/watch?v=D55XlVKjzPw.

26. Stuart Kirsch, Mining Capitalism: The Relationship between Corporations and Their Critics (Oakland: University of California Press, 2014), 3.

27. David Calvey, Covert Research: The Art, Politics and Ethics of Undercover Fieldwork (London: SAGE, 2017), 460.

28. Nick Seaver, “Studying Up: The Ethnography of Technologists,” Ethnography Matters, March 10, 2014, https://ethnographymatters.net/blog/2014/03/10/studying-up/.

29. Barbara Czarniawska, Shadowing, and Other Techniques for Doing Fieldwork in Modern Societies (Malmö, Sweden: Liber, 2007).

30. Thanks to Mati Kaalep, Estonian Ministry of Culture, who pointed this issue out to us.