Loud controversies are a hallmark of the music streaming industry.
Remember Taylor Swift’s public feud with Spotify?
And there was the time Thom Yorke, of Radiohead, bitterly attacked streaming services for propping up big record labels instead of emerging artists.
Right now, Spotify, Tidal, and Rhapsody are all battling multi-million-dollar lawsuits alleging copyright issues and improper royalty payments—with one seeking as much as $150 million in damages.
But amid all the high-profile tumult, music streaming is facing a much more quiet, insidious problem: Click fraud.
Click fraud—the use of automated digital bots to “click” on payment-generating links and steal money by pretending to be consumers—has long been a problem in the online advertising industry. Websites stand to lose as much as $7.2 billion from fraudulent traffic in 2016, according to a study this January from the Association of National Advertisers.
This is now also a growing problem for the music industry, amid a rapid transition to online streaming services as the primary mode of distributing music and source of royalty payments. In the US alone, the streaming industry is projected to reach roughly $2 billion by 2019. The ascent of services like Spotify, Apple Music, Deezer, and Tidal—along with their per-stream payment models—has created an alluring target for fraudsters who need only a few auto-generated dance tunes and a modicum of coding expertise to fashion bots that basically snatch money out of thin air.
What’s most alarming, experts say, is the industry’s refusal to acknowledge the size of the issue. “It’s something that will probably increase. Whether that results in thousands of misappropriated dollars or millions, I don’t know,” John Seay, an entertainment lawyer who specializes in copyright and streaming, tells Quartz. “[Click fraud] is a new development in an ongoing narrative of hustlers trying to get money they’re not entitled to.”
And it doesn’t only hurt companies like Spotify. Because of the way streaming services pay musicians, fraudulent “streams” of fake artists actually take away money from real artists—so big chunks of your monthly subscription fees may not be going to your favorite bands, but totally anonymous strangers who write code, not music.
A clever, silent game
How do you cheat streaming?
It’s actually remarkably easy.
Streaming services pay royalties on a per-stream basis, pooling customers’ regular payments ($10 a month per user for Spotify, for example) and divvying that up among musicians depending on their relative popularity. The more streams an artist gets, the more money he or she is paid. So if someone sets up an “artist” account with Spotify and uploads a few fake tracks, then creates a bot to stream those tracks on repeat—that’s a regular profit. And one that doesn’t have to be split with labels, producers, or any of the other players involved in a legitimate music deal.
Engineer William Bedell came out with a step-by-step tutorial on how to set up a click fraud scheme last year. It was “mesmerizing to watch the plays rack up,” wrote Bedell, who says he made more than $32 a day from fake streams with minimal effort. Michigan band Vulfpeck took the issue of click fraud public in a similar way in 2014 when it asked fans to stream 30-second silent songs; the band nabbed almost $20,000. (Spotify eventually got annoyed and pulled the plug.)
For an in-depth look into how click fraud works, there’s Sharky Laguana’s thorough explanation here. Laguana—a music industry veteran who now owns a rental company—tells Quartz it certainly wouldn’t be hard to run the “perfect” scheme to con Spotify. First, set up a couple hundred fake artists. Next, upload some auto-generated tunes—mediocre dance music is particularly easy to “produce” online—and just make sure your bots click on an array of songs both real and fake, so no one gets suspicious. (He uses Spotify as an example because of its size, but the scheme could theoretically work for any music subscription service.)
“If it’s done properly, it’s nearly impossible to detect,” says Laguana. “There’s no way to know why somebody chose to click on something.”
You might think all this could only be done by highly skilled programmers, but think again. There are “tens of thousands of people out there with the technical ability” to engage in click fraud on streaming services, Rich Kahn, CEO of online advertising services company eZanga, tells Quartz. A strong coding background and an “understanding of how the system works,” he says, are all you need.
How music is—and isn’t—fighting back
For years, the streaming industry, Laguana says, seems to have been “either remarkably good at security or in a pretty serious state of denial” about click fraud.
It’s not necessarily the case now. For its part, Spotify—the biggest player in the business currently, inching up to 30 million paying subscribers—is actively involved in stamping out click fraud, using a combination of algorithms and human employees to scan its catalog for potentially illegitimate songs.
A track with thousands of repeat listens from a single user, for example, may be marked as suspicious. “When we find something suspect, we flag it and then have it removed from the service,” Spotify spokesman Graham James tells Quartz.
But such practices are fallible. They also create a whole new tangle of issues, as Ryan Walsh of Motherboard brings up: How do you determine what is or isn’t a legitimate piece of music? Who makes the call?
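The repeat-listen check described above can be sketched as follows. This is an added example, not code from Spotify or from the article; the function name, both thresholds and the sample play counts are assumptions constructed for illustration. It flags a track for human review only when one account both repeats it heavily and supplies most of its plays, so a devoted fan of a popular song is not swept up.

```python
from collections import Counter

# Constructed sample: plays per (account, track). Not real service data.
SAMPLE_PLAYS = {("fan%d" % i, "hit_single"): 50 for i in range(1000)}
SAMPLE_PLAYS.update({
    ("superfan", "hit_single"): 1200,   # heavy but plausible listener
    ("acct_x", "loop_track_7"): 4300,   # one account supplies almost every play
    ("fan3", "loop_track_7"): 3,
})


def flag_suspect_tracks(plays, min_repeat_plays=1000, min_share=0.5):
    """Return review candidates: tracks dominated by one account's repeats.

    plays maps (account, track) -> play count. Both thresholds are
    hypothetical tuning knobs, not values used by any real service.
    """
    # Total plays per track across all accounts.
    totals = Counter()
    for (_account, track), count in plays.items():
        totals[track] += count

    flagged = []
    for (account, track), count in sorted(plays.items()):
        share = count / totals[track]
        # Require both signals: raw repeat volume alone would flag the
        # superfan, share alone would flag any obscure track with one fan.
        if count >= min_repeat_plays and share >= min_share:
            flagged.append({
                "track": track,
                "account": account,
                "plays": count,
                "share": round(share, 3),
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_suspect_tracks(SAMPLE_PLAYS):
        print(hit)
```

The output is a queue for the human reviewers the article mentions, not an automatic takedown list.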
The fact of the matter is, click fraud’s scale—and the financial drain it poses for streaming companies and the artists who lose out on their share of profits—is still completely opaque, and streaming services have been, as one would expect, reticent about sharing how much money they think fraudsters have conned out of them.
One way to drastically cut down on click fraud would be to remove its motivations. Some propose switching the current payment model of per-stream rates to one based on subscriber share, in which artists get money from their number of listeners and not listens—which would take away much of click fraud schemes’ profitability. Implementing that idea, though, would be a logistical mess.
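To see why the payment model matters, the following added example (not from the article or any streaming service) pays out the same constructed listening data under both models. It assumes the whole $10 fee reaches artists, and it reads "subscriber share" as each subscriber's fee being divided only among the artists that subscriber played; all account and artist names are made up.

```python
from collections import defaultdict
from fractions import Fraction

FEE = 10  # dollars per subscriber per month, as in the article's Spotify example

# Constructed sample: nine ordinary subscribers and one bot-driven account.
SAMPLE_STREAMS = {"user%d" % i: {"band_a": 60, "band_b": 40} for i in range(9)}
SAMPLE_STREAMS["bot_account"] = {"fake_artist": 9100}


def pro_rata(streams, fee=FEE):
    """Per-stream model: pool every fee, pay artists by share of all streams."""
    pool = fee * len(streams)
    total = sum(sum(plays.values()) for plays in streams.values())
    payout = defaultdict(Fraction)
    for plays in streams.values():
        for artist, count in plays.items():
            payout[artist] += Fraction(pool * count, total)
    return dict(payout)


def subscriber_share(streams, fee=FEE):
    """Subscriber-share model: a fee only reaches artists its payer played."""
    payout = defaultdict(Fraction)
    for plays in streams.values():
        user_total = sum(plays.values())
        for artist, count in plays.items():
            payout[artist] += Fraction(fee * count, user_total)
    return dict(payout)


def net_gain(payouts, artist, fees_paid):
    """What the artist's operator keeps after paying for its own accounts."""
    return payouts.get(artist, Fraction(0)) - fees_paid


if __name__ == "__main__":
    for name, model in (("per-stream", pro_rata),
                        ("subscriber share", subscriber_share)):
        paid = model(SAMPLE_STREAMS)
        print(name, {a: float(v) for a, v in sorted(paid.items())},
              "net to fake_artist:", float(net_gain(paid, "fake_artist", FEE)))
```

Under the per-stream model the single bot account captures most of the pool at the real bands' expense; under subscriber share it can only recover its own fee.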
And it’s easy to see why click fraud has lingered for so long in the first place: Streaming services simply don’t have the bandwidth to address it.
“At the end of the day, [these services] are trying to do this insanely difficult thing, which is build a company that streams music. And they’re losing money hand over fist about it, and growing so fast, too—I think there’s the feeling right now of ‘I don’t even know if I have the resources to devote to this,’” Laguana says, adding, “It’s a weird time.”
But while click fraud may not be as high a priority as growing subscribers or fighting lawsuits, streaming services would do well to cut the problem off before it escalates—as it has in the internet at large.
And if services are really serious about catering more to musicians’ needs, there’s no better way to prove that dedication than tackling something that saps such artists’ already-paltry profits. All in all, the time to act is now.