To understand how leakers could game the system on paid platforms, it’s important to understand the huge amount of control held by digital distribution companies. Artists are unable to directly upload their music onto streaming services like Spotify or Apple Music (versus YouTube or SoundCloud, which are often thought of as less “legitimate”), so they must go through some sort of distributor. Last year, Spotify experimented with allowing artists to upload their own music directly, but the function was recently nixed so that the service could focus on “developing tools in areas where Spotify can uniquely benefit [artists and labels].”

The biggest record labels often oversee their own distribution, but there are independent digital distributors of all sizes out there. Artists who are just starting out typically depend on distributors with a lower barrier of entry, like DistroKid or TuneCore. There are scores of these companies, their main appeal being that they charge little to nothing to upload a song to streaming services. Uploads are generally vetted to varying degrees of thoroughness by algorithms, human beings, or a combination of both, depending on the company.

In the case of the Beyoncé and SZA leaks, the leakers distributed the tracks to Spotify and Apple Music via Soundrop. Zach Domer, a brand manager for Soundrop, says he believes the leakers used the service because it does not require an upfront fee for distribution. “It’s like, ‘Oh cool, I don't have to pay DistroKid’s $20 fee to do this fake thing,’” he said. “You can’t prevent it. What you can do is make it such a pain in the ass, and so not worth doing, that [leakers] just go back to the dark web.”

Domer told Pitchfork that Soundrop relies on a variety of systems to vet the legitimacy of their content, including “audio fingerprinting” systems similar to those powering the music identification app Shazam, as well as a small content approval team of three to four people. The team reviews any submissions that come back flagged, either because the songs triggered the fingerprinting system or have suspect metadata; an example of the latter would be the use of an existing artist name, which explains why these leaks typically don’t use artist’s official names. Though rudimentary, Soundrop’s vetting process is more extensive than some of their competitors’. Domer says, for example, that the fake song briefly uploaded to Kanye West’s Apple Music page last year should have been “super easy to catch.”

The fake song/real profile phenomenon doesn’t just happen to the Kanyes and Cartis of the industry. The manager of an unsigned act that has racked up over 50 million Spotify streams to date spoke with Pitchfork about their client’s struggles with impersonators throughout 2018. Fallible authentication measures made it possible for unsanctioned music to appear on said artist’s official Spotify profile. The manager issued takedown notices to the streaming service with mixed results: “The hurdle we came across was, will [Spotify] be able to remove the music, or will they shuffle it onto another profile and not actually remove it? There seems to be no consistency with which route is enforced.”

In one instance described by the manager, an impersonator went so far as to create and distribute a fake album under the artist’s name. According to the manager, it took three days for Spotify to remove it. “That was the first time we contacted a lawyer,” the manager said. “We didn't end up needing to pursue legal action, but we came to the conclusion that it is incredibly hard to even sue anyone who you cannot legally identify. And even then, that person could have multiple accounts on multiple uploading platforms. If they get caught on one, they could just go to another.”

While distributors are the ones who facilitate payments, all roads in the digital supply chain end with the streaming services. Companies like Spotify, Apple Music, Amazon Music, and Deezer are the final checkpoint before music reaches listeners. But with “close to 40,000” new tracks being uploaded to market leader Spotify every day, it seems near impossible, at least on the bigger services, to catch every single illegal upload before payouts accrue. There does not appear to be any publicly available information on how many of those tracks are vetted in the first place, or how many eventually get taken down due to copyright violations.

A source close to Spotify tells Pitchfork that it is standard practice for the company to flag pipelined releases from notable artists and double-check the accuracy of those uploads with the artists’ representatives before they go live. This policy might explain how that fake Kanye track made it onto his Apple Music page but never surfaced on Spotify. It also might explain how “Free Uzi”—released and promoted by Lil Uzi Vert as his next single but characterized as a “leak” by his label, Atlantic—never made it onto Spotify, despite initially showing up on other streaming services. But it’s unclear how many artists Spotify is willing to double-check for, and how that list is determined.

“When there’s a million gallons of water and a two-foot pipe for all of that water to come through, people start to figure out another way through,” said Errol Kolosine, an associate arts professor at New York University and the former general manager of prominent electronic label Astralwerks. “The fundamental reality is, if people are losing enough money or being damaged enough through this chicanery, you’ll see something change. But the little people who don’t have resources, well, it’s just the same story as always.”

When asked why labels haven’t pressed the issue of streaming fraud, several of the industry figures interviewed for this piece mentioned “the metadata problem.” This refers to the lack of a universal metadata database in music, which makes it incredibly difficult to keep track of personnel and rights holders on any given song, and thus a huge ongoing issue in the record business. Royalty tracking start-up Paperchain estimates that there is $2.5 billion in unpaid royalties owed to musicians and songwriters, due to shoddy metadata. (There doesn’t seem to be an industry consensus on this figure; by contrast, Billboard puts the estimate at roughly $250 million.)

It’s important to note that streaming scams will likely exist in some form with or without the existence of a metadata database. (“I don’t know if there’s ever going to be a pure technological solution to prevent somebody from uploading unreleased material under fake aliases, with fake metadata,” said Domer.) But the fractured state of music metadata makes it far easier for bad actors to entangle themselves in the streaming ecosystem. It should not be possible for outside individuals to gain access to artists’ official profiles on streaming services, and yet it occurs because there is no authentication protocol outside of individual companies’ own vigilance. Having a system in place to ensure accurate metadata across companies appears to be a necessary first step.

Spotify’s solution thus far seems to be the copyright infringement form on its website, which notes that artists “may wish to consult an attorney before submitting a claim.” Apple Music has a similar online form. As for the distribution companies, DistroKid appears to be the only one to date that has developed a promising defense strategy, the aforementioned DistroLock. That said, even DistroKid stakeholder Spotify has yet to announce any plans to integrate DistroLock within its platform.

Ultimately, the problem at hand is greater than the risk of lost royalties. The prevalence of leaks on established streaming services has a significant impact on an artist’s sense of ownership over their life’s work. The lines become blurred as to whether something actually “exists” in an artist’s canon if they never gave permission for it to be released. So while diehards might feel a thrill, circumventing the system and listening to unreleased songs by their favorite musicians, the leaks ultimately hurt those same artists. After the last of this June’s many leaks, Playboi Carti uploaded a brief explanation to his Instagram Stories: “Hacked :(,” it read. “I haven’t released anything… I hate leaks.” Beneath it, a GIF sticker: “Leave me alone.”