The innovative online music service Pandora lets you create personalized music stations that you can stream online, but it also makes those stations viewable to anyone on the internet who knows your e-mail address. And there seems to be nothing you can do to make them private.

Update: See end of post to learn how to turn this off.

While the fact you created a Metallica radio station may not seem like the most confidential thing in the world, Pandora makes it feel like a private act when you use the service.

But last week, I got an e-mail from a company pitching its social dashboard software. The e-mail noted the service keeps up with what your contacts do online – including Pandora – and the writer of the e-mail added, perhaps showing off a bit, that he likes the Yeah Yeah Yeahs too – a nod to a station on my Pandora account.

Now there's nothing on the Pandora site that tells you "your stations" are public to anyone who knows your address. Its options for sharing talk about how you can publish to Twitter and Facebook. But the site makes no mention in your profile settings that your e-mail address is the key to unlocking your musical tastes.

There is, however, a handy box in the corner of the front page called Friends, and on the Friend page you can look up anyone's personalized choices by entering their e-mail address. There's no notification to them that you are now watching what stations they create. Ostensibly, there's an API somewhere too that the aforementioned social dashboard service is using.

What can you find out?

Well, a fellow with the e-mail address sergey@google.com likes an angsty band called Rise Against (one wonders what the hell someone with that e-mail address actually has to rebel against).

The choices for an e-mail address that Apple CEO Steve Jobs uses suggests he favors the jazz trumpeter Chris Botti and country music legend Willie Nelson.

I then played around a bit looking for some settings to tweak to turn this off or some explanation to users that their musical selections were public information and could end up being spidered by an automated web service but found nothing. I dove deep into the privacy policy, but found no mention there.

So I wrote the contact e-mail address for privacy at Pandora last Thursday, asking for clarification as to whether this was a bug or an undocumented feature.

It's been 8 days now and Pandora hasn't written back or even acknowledged it received the e-mail.

So take this post as a necessary, missing update to their privacy policy: Anything you listen to on Pandora is not confidential and is available to anyone who has or guesses your e-mail address.

Do with that what you please – letting someone see what you listen to online may or may not feel like letting someone open your own personal Pandora's Box, but at least now you know they can open it.

Update: Friday 6:35 Pacific: Turns out you can hide your music, if you like! Reader BH points us to this page, which tells you can go to your profile, click the tiny edit button in the corner, then scroll down to a checkbox that makes your profile private. Other users then can't even discover if you are registered or not. Nice find, BH – who stumbled on that page when trying to figure out how to delete his profile in order to stop the sharing.

See Also: