Legal question: Displaying TIDAL Content from the TIDAL Web API in a Discord status

[ungive]

Hello there,

I am developing an application, which uses the TIDAL API (https://apiref.developer.tidal.com/apiref) to obtain metadata for certain music that is playing on the user's system. This metadata includes title, artist, duration, the album name and the URL to the album cover/artwork. The intention is to send this data to Discord through its RPC Client/Game SDK (docs) for a temporary amount of time, to show which song the user is listening to at the moment. The data will be displayed on the user's profile (as a so called "status"), that is, the text information and the image of the album cover would be visible there, but only as a small thumbnail (less than 100 pixels in width and height). The user's profile cannot be viewed publicly on the internet, but it can be viewed by their friends and possibly people who they share a server with (which might be large servers or communities, with thousands of members).

I know that "TIDAL Content" that is retrieved via your API is governed by your "TIDAL Developer Terms of Service" (https://developer.tidal.com/documentation/guidelines/guidelines-developer-terms). I also understand that song metadata is copyrighted and intellectual property.

The Developer Terms of Service state:

You will not, nor will you permit another party through access to TIDAL’s Developer Platform, TIDAL Platform, Developer Tools or Your Offering, to: [...] o. use the Developer Tools, TIDAL Content or TIDAL Marks (as defined below) in any way or in connection with any activity that is deceptive, fraudulent, or in violation of law, or infringes, misappropriates or otherwise violates the Intellectual Property Rights (defined hereafter), contractual rights, rights of privacy or publicity, or other rights of TIDAL or any third party. "Intellectual Property Rights" shall mean ​​all copyright, patent, trade secret, trademark and any other intellectual property or proprietary rights recognized in any jurisdiction worldwide.

I have two questions, as it seems this could pose a problem to me:

Is it problematic to upload this data to Discord for a temporary amount of time? Will doing so violate your Terms of Service or any "Intellectual Property Rights"? I know that handling intellectual property like this should be done with care, but temporarily uploading it to Discord seems like a grey zone to me, and I'm not really knowledgeable enough to draw a definitive conclusion myself. Other opinions would really help me.

And a somewhat unrelated question: Is it problematic that my Client ID and Client Secret for the API are hardcoded in my application's executable binary file, which could theoretically be extracted and used by a third party to violate the Developer Terms of Service in my name?

Here is an example of what such a Discord status could look like:

I'd appreciate any input on this matter!
Thank you for your time.

[stefanmoro]

Hi @jonasberge , and welcome to the forum.

I have forwarded your first question to the legal team, and we/they will get back to you.

Regarding the second question:

And a somewhat unrelated question: Is it problematic that my Client ID and Client Secret for the API are hardcoded in my application's executable binary file, which could theoretically be extracted and used by a third party to violate the Developer Terms of Service in my name?

The Client ID and Client Secret are used by our platform to identify your app. It is your responsibility to make sure they don't end up being used by any other app. TIDAL reserves the right to block your client id/client secret if we see that they are being used in a way that does not conform to our guidelines.

In the cases where you need to add your client credentials to a client side application, we strongly recommend you do some sort of obfuscation of the id/secret, making it hard to extract them from your app.
I also recommend reading the OAuth recommendations for public and confidential clients.

I hope that helps.

Thanks

[ungive]

Thank you for forwarding the message and for your answer.

I've thought about having a backend server before, which gives ephemeral TIDAL API access tokens to clients, so I don't have to store the client secret in the binary file, but I'll think about obfuscating it a little more too (I don't really want to maintain a server, if I don't have to).

Thanks!

[stefanmoro]

Hey again @jonasberge, I just heard back from our legal regarding your first question - please find the advice below:

As long as the app complies with our developer guidelines, e.g., the app includes TIDAL branding and links back to the TIDAL service (both of which we see in the screenshot you shared), doesn't imply that TIDAL endorses your app, doesn't alter or distort the album artwork, etc. we are okay with you including the small album cover image as you described. We would recommend reviewing Discord's terms and conditions of use to ensure sending the "now playing" metadata to Discord would comply with their T&Cs. Once we're accepting app submissions again, we will need to review the app in full to ensure it otherwise complies with our developer guidelines.

Hope that helps

[ungive]

Thank you a lot for the quick reply! I'll be sure to check Discord's Terms too.

[ungive]

@stefanmoro I have a follow-up question.

I have checked how Discord shows the image on the user's profile, and it does it not by directly embedding the URL from the TIDAL API, but by proxying it with its own service. A URL like this would e.g. be used: https://media.discordapp.net/external/9HwfSDqTjxffDWnEHItSdHBqVm4kVcSH5BWrIRI8euI/https/resources.tidal.com/images/ff783fbf/46cb/4abc/a115/fee48666097c/160x160.jpg (try it, it probably still works)

This proxying service (https://media.discordapp.net/external) is a bit problematic though: It does not respect any Cache-Control headers from the source (http://resources.tidal.com/images/ff783fbf/46cb/4abc/a115/fee48666097c/160x160.jpg). If you look at the response headers sent by the first link, if they can be trusted, then the content will be stored in cache for one year: expires: Tue, 15 Jul 2025 10:44:47 GMT and date: Mon, 15 Jul 2024 10:44:47 GMT. While the second link has this header: Cache-Control: max-age=86400.

I see a problem with clause II.1.e. of the Developer Terms of Service: "Do not store TIDAL Content indefinitely." While I am not storing an image myself, nor am I endorsing it, by using Discord and showing it on a Discord profile it's inherently (apparently) gonna be cached for a year. I'm not aware of any mechanism to delete an image from this cache.

I have tested this yesterday with my own server, where the cache control header specified that the content's max age should not exceed a few minutes. After having used the image in a Discord status I have deleted the server link, so that Discord cannot refresh its cache, and then just checked for how long the proxied URL (via https://media.discordapp.net/external) actually remains working. It still serves the data that was once available on my server today, which suggests the Expires header is correct and the cached file will still be served in 10 months from now.

Could this be a violation of the Developer Terms of Service? Would the app be unable to go into production, if ever reviewed?

Or is this just a case of "this is not my responsibility anymore, it's Discord's responsibility now, unless Discord's ToS prohibit using copyrighted material in a Discord status"? Technically their proxying service is faulty by not respecting HTTP cache control headers.

[stefanmoro]

Hey @ungive,

Thanks for your question. We're not able to provide specific advice at this time, but will consider complete app submissions when we open up our production mode request pipeline (expected within the next few months). In the meantime, we encourage you to continue to reference our guidelines.