Without writing a line of code (I wouldn't know how to anyway), I built my own music streaming service. This guide spells out the different components of the system I built and the steps needed for anyone to build their own music streaming service.

This post is a little long. If you want to go straight to the main takeaways, I suggest you scroll down and check out the following sections:

• Objectives and results
• Cost
• Get Started

But if you got time and are curious (hey fellow nerd 👋🏻), read away! Also, let me know if you have feedback on the streaming service I built—any suggestion to improve it is welcome—or if you experienced challenges while building it for yourself!

Intro

I've been on Spotify since 2012. With Spotify, I've been able to easily discover new artists and tracks; keep my music at my fingertips whether I'm on my laptop, phone, or even someone else's device; and seamlessly share playlists with friends. Like most streaming services nowadays—Apple Music, YouTube Music, Deezer—Spotify is easy to use. It is seamless and extremely convenient.

But like most things in this world, when something is so convenient, there is a darker side to it. The business model of streaming services leaves artists in the dust, with minuscule payouts for the vast majority of them; massive profits for the streaming platforms, which flow back into global capitalism; and even for users who have become used to a convenient, seamless experience, the service is becoming increasingly enshittified with features we don't want and don't need.

Using a streaming service like Spotify also means we don't own our music: tracks we love become at times 'unavailable' due to copyright changes; and changes in the company's business priorities can just lock us out of a music library we've spent years building.

In general, I like the idea of moving past ownership and instead sharing, borrowing, or renting the things we use (when it comes to physical goods, sharing, borrowing, or renting are the only ways we can meaningfully address the environmental crisis); but I'm not willing to rent my music when it is from a billion-dollar company that exploits artists and reinvests in AI killing drones.

All of this to say: time to let go of our beloved streaming services.

It took me a few months of research and tweaking, but I managed to build my own music streaming service. This post describes the streaming service I built and explains why I made the decisions I made. Hopefully, it can help others build their own streaming service without having having to do all the research and testing I did. And to be clear, I don't code and I don't have the skills to manage servers. So the system I built should be accessible to anyone, even without technical skills. You just need to be comfortable with tech and be willing to put in a bit of time into it.

Objectives and results

My objectives in building this music streaming service were to:

• Achieve more control and autonomy over the music I consume, including by owning the actual music files, so I'm not at the whims of the business models, copyrights battles, and algorithms of corporate streaming services.
• Support and compensate artists for their work—not with infinitesimal amounts paid out by corporate streaming services but with actual, tangible money.
• Be able to access my music from any of my devices, including without an internet connection, just like I've gotten used to with Spotify. I'm willing to lose some convenience, but accessing my entire library from any of my devices is the baseline requirement of the streaming service I need.
• Minimize my capitalist footprint and participation in surveillance capitalism by withdrawing my consent, personal data, and money from corporate music streaming services.

The solution I came up with:

• Accomplishes all four objectives outlined above.
• Requires a bit of time and energy to set up, and more generally a mindset shift in how we consume music. It's a bit less convenient than a corporate streaming service, but more importantly it is simply a different way of consuming music.
• Is only slightly more expensive than what I used to pay to corporate music streaming services. That's not a bad thing because it means that artists and software developers get better compensated for their work, and that I get a lot more control and autonomy out of it.
• Only falls short in one way: it's harder to share music with friends and relatives, which used to be a breeze (tap the “share” button and send the link to your friends, who are often on the same service as you).

The setup

Below is a description of the streaming services I built. The list of components may sound like a lot, and it is a lot, but once you set up the system and get used to it, it becomes fairly seamless to use.

Also, because every part of the system is open, replacing one component with something you like better is easy (using a different music server; buying your music from a different store; selecting a different mobile app to stream your music; etc).

Music server

This is where the music files are hosted and what the apps you use (whether on mobile or on your computer) will connect to in order to stream or download music from.

The solution I recommend is Navidrome. There are other good solutions out there (Jellyfin is the main one that comes to mind), but Navidrome came on top for me because it focuses exclusively on music (other solutions often support all media types, including films and tv shows) and because it can be installed and managed without technical skills. Navidrome also supports multi-users: you can get your whole family on it so everyone has access to the same music library but each person gets their own account and playlists!

Navidrome is actively being developed, so we see improvements released on a regular basis. It is free and open-source, and can be supported with monthly donations.

Host

The beautiful thing about a music server like Navidrome is that you can install it anywhere: on your computer, on a server at home, or on a remote server.

To me, it is important to have uninterrupted access to my music: I want to be able to listen to it at any time and from any device. I also want my family to have access to my music. This is why I opted for installing Navidrome using a professional hosting service. This way, I don't want to have to worry about whether my home's internet connection is good enough or if the server is up and running. Using a professional service is also more energy-efficient than having a single server running from home.

This has some privacy drawback: people working for the host can access my music if they really want to; but it's just music, so I don't mind. Plus, it's still a significant step up in terms of privacy, given that corporate streaming services like Spotify collect an enormous amount of data and sell it to advertisers, like most hyper-capitalist internet companies.

PikaPods is the best solution I found for this. In just a few clicks, without any coding, you can install Navidrome on a server only you have access to. Every time Navidrome releases an update, PikaPods takes care of upgrading to the latest version. And if you want to get fancy, you can connect your own domain (my server is at https://music.raphmim.com).

PikaPods is cheap: I pay $4 per month. And it has a revenue-sharing agreement with Navidrome, so part of what I pay goes to Navidrome developers!

Music stores

Buying actual music files (good'ol mp3!) hits two birds with one stone: it gets me the ownership over my music library, and it gets artists much higher compensation that from streaming services.

Any new song I discover and like, I buy from Bandcamp, which is a platform entirely dedicated to supporting artists. If I can't find a file on Bandcamp, I'll buy it from Qobuz's music store. Each track is anywhere between $1 and $2. Looking at my usage of Spotify over the past few years, I usually add to my library between 5 and 15 new songs per month. So with an average of 10 new songs per month at an average of $1.5 per song, that's $15 per month.

The difference in artist compensation is drastic. If I stream a song 50 times on Spotify, the artist will get paid about $0.15. Yep, that's just 15 cents of a US dollar for 50 streams. And that's for songs I listen to a lot. Most songs I will never listen to 50 times in my entire life. By contrast, if I buy the file on Basecamp for $1, the artist or label gets about 0.80 cents. Pretty good deal.

Personal music library

It's technically possible to store all music files directly on the music server, but I find it much easier to instead store my library on my computer and once in a while, sync my library with the server. This way, I only have to do any work on the server once in a while.

So I simply have a library folder on my computer where I store all my music files. It is important to keep those files organized, or at least properly tagged. These tags (like artist , title , genre , album , etc) make it possible for an app to organize your files and make them easily findable. A well-tagged library is pretty important to make it easy and seamless to navigate your music. To tag my music, I use Strawberry, a super old-looking piece of software that's nonetheless very powerful and, once you get used to the outdated interface, does the job perfectly. It's free for Linux but costs $5 per month for Mac and Windows. Tagging hundreds of songs or albums can be a time-consuming so apps like MusicBrainz Picard can automate the process. I donate $2 per month to MusicBrainz Picard.

And to sync your library from your computer with the music server, tools like FileZilla do a good job. FileZilla lets you connect to the server and upload your files through a relatively accessible user interface—no command-line work needed. To make things even smoother, I suggest buying a FileZilla Pro license to get access to the 'sync' feature: this avoids having to re-upload the entire library each time and instead only uploading files that were recently added to the library or files of which tags were recently updated.

So once it's set up, managing your library only means 1) adding newly purchased files to the library folder on your computer 2) ensuring the new files are properly tagged and 3) syncing the library from your computer to the music server.

Clients

Now that we have a music server with a well-organized music library, the only missing piece are the clients we'll need to actually listen to the music: mobile and desktop apps.

Because Navidrome is an open app that uses open standards (specifically the open Subsonic API), there are dozens of apps that can stream music from a Navidrome server. All you have to do is go through the list of compatible apps, test a few, and pick the one you like best.

As my Android client, I use Symfonium. It's a $5 one-time payment, but there is a trial period to see if it's a good fit for your need. Symfonium is great because it lets you completely customize the app's interface.

And for desktop, I recommend Feishin. It's functional and does the job well (my only issue is that you can't download your music for offline listening; but in a few months, Feishin will be replaced by another player that will support offline playback). I donate $2 per month to Feishin too.

Discovering new music (optional)

One of the drawbacks of this personal music server is music discoverability. Streaming music services make it easy to listen to new artists, albums, or tracks, and this has been a key way for me to discover new music. A personal music server, by definition, cannot fulfill this need to discover new music because it only hosts the music I already own. There are two separate challenges here:

1. Discovering new music passively, meaning just listening to music in hope of finding a gem here and there. With corporate streaming platforms, you could just let the algorithm feed you music it thinks you'll like (algorithm-based music discovery is problematic in its own right). With your own personal music server, the best way to replace algorithms is to revert back to internet radios. This fits especially well with the setup I outline here because the apps and tools outlined above are built to be part of an open ecosystem, and as such many of them include the option to stream internet radios directly from inside their apps. So you can add the radio stations you like to your Navidrome server, and if your client supports it, you'll have access to these radio stations directly from your mobile or desktop app. Super easy to set up and convenient.

2. Actively exploring music. This is where it gets a bit tricky. If I discover a new track I love, I often want to listen to the rest of the album, or other albums by the same artist, or other artists from the same genre, place, or era. Streaming services made this a breeze. In this case, I suggest two options:

   1. Bandcamp lets you listen to any track for free and in full, at least 3 times, before you purchase. And if Bandcamp doesn't have the music you're looking for, Qobuz has a much larger library and lets you listen to the first 30 seconds of any song.

   2. This first solution isn't enough for me because Bandcamp often doesn't have the music I want to explore and Qobuz's 30 second limitations kills it for me. So I signed up for Qobuz's basic streaming plan ($10/month). Qobuz pays artists four times what Spotify pays per stream, so it's ethically acceptable, and it lets me do everything expected from a normal music streaming plan: check out all the albums released by an artist, search by genre, etc. My brother thinks that signing up for a streaming service defeats the point of this whole system; he is not wrong, but the only alternative I can think of would be to stream Youtube Music, but that means listening to ads every two songs and putting money into Google's pocket. At the end of the day, streaming on Qobuz is an acceptable compromise for me: I only use Qobuz to discover new music, and not to build playlists or listen to my library, so I don't become beholden to the service; and I still get access to a huge library of music I can freely explore before purchasing it.

Cost

So looking back at the whole streaming service, the cost for each component is:

• Hosting the server (PikaPods): $4/month
• Music server (Navidrome): included in the server host cost
• Purchasing music files (from Bandcamp or Qobuz): $1.5 per song on average. In my case, that's $15/month.
• Tagging music files (MusicBrainz Picard): $2/month (optional donation)
• Syncing with the server (FileZilla Pro): $50 for 5 years, so $0.83/month (recommended)
• Mobile app (Symfonium): $5 one-time payment (optional: other mobile apps available for free)
• Desktop app (Feishin): $2/month (optional: other desktop apps available for free)
• Discovering new music (Qobuz): $10/month (optional)

Total cost: $19 to $34/month

Getting started

If you're looking to build this streaming service for your own usage, here is how to get started:

1. Create an account on PikaPods, add some money, and install Navidrome.

2. Create your library on your computer with music files you already own or by purchasing albums or songs on Bandcamp or Qobuz. If you want to transfer your library from a streaming service, it will take a bit of work but it's doable (you can use a service like Tune My Music to transfer your songs to YouTube Music, and then download from YouTube Music using yt-dlp; if you do that, consider buying some merch or albums from your favorite artists on Bandcamp).

3. Tag your library using an automatic tool like MusicBrainz Picard or manually using Strawberry.

4. Sync your library from your computer to the Navidrome server using FileZilla or a similar solution that supports SFTP.

5. Install a mobile or desktop app that supports the Subsonic API and connect it to your Navidrome server.

6. Enjoy your music, free from capitalist exploitation and algorithmic manipulation!

Concluding thoughts

• It took me a lot of time to research, test, and tweak things to build this. Hopefully this guide saves you all this time and you can move straight to the 'enjoying music' part.
• There are still gaps in the system. For example, I haven't found an easy way of sharing my music and playlists. Navidrome lets us make playlists public, which means anyone can listen to them from a URL; but they can't easily add those playlists to their personal music library. I'll keep looking for solutions and update this guide if I find something.
• My hope is to iterate on this streaming service as new technologies become available and as this open ecosystem of apps and tools grows. I'm hoping this DYI streaming service becomes simple and accessible enough that it can be installed and managed by folks who aren't tech savvy.
• Let me know if you have some ideas on improving this streaming service! I'm especially interested in ideas to to remove a component to make the system simpler; to fill in a gap in the system; or to use a more accessible or performant solution for any of the components. I would love to hear from you if this was helpful… or if it wasn't!

Subscribe to receive future posts like this directly to your inbox. No spam, ever.

Coming from Twitter or other centralized platforms, we are used to hierarchy, to spaces where we can voice complaints and even advocate for change, but where we ultimately expect a small number of individuals to make decisions and where we hold them responsible for both mishaps and successes. If we don’t like how the platform is being managed or those individuals at the top, we have only two options: accept the platform as it is or leave it.

But the Fediverse is much closer to an anarchy: we have a lot more freedom but it's also much more up to us to create the spaces we want to spend time in.

More freedom because we are free to join an instance that reflects our values, needs, and priorities, and free to move our account to a new instance if we're no longer happy with our instance. We're also free to run our own instance if we can't find one where we fit, or even to build a whole new server or client (of course, if we have the time, skills, and resources).

But in the Fediverse, there's not a single company or organization to look to when we have a complaint: there are the admins and moderators on our instance; the developers of the client; the developers of the servers; and the developers of the protocol—all spread among many different organizations, projects, or even contributing as individual engineers.

And because most people working on the Fediverse do it because they want to build an open and decentralized internet, rather than for money, most of those people are volunteers. So the speed of releasing new features (and the kind of features that get released), hiring moderators, or improving usability is always going to be very different from what we are used to on profit-driven, VC-funded platforms.

It is up to each of us to push the Fediverse forward: to take on moderation roles; to support (with actual $$$!) our admins and developers; to get together to build new tools; to come up with new mechanisms for governance or collective decision-making. It’s up to us to make it the space we want it to be.

Of course, it’s okay to be a more passive user; or for those without the privilege, time, and resources to suggest improvements or complain without doing the work themselves. But it still requires a major shift in mindset on what “success” means on the Fediverse. (if you’re curious about “success” on the Fediverse, check out this excellent blog post) by @eloquence).

Perhaps that's why Signal has been so successful. The Signal app operates under different incentives than other messaging apps (privacy-first, no ads, etc), but Signal the organization, though a nonprofit, is just as hierarchical as private companies. Decision-making is restricted to a core team, there is no public roadmap, user input is limited to a community forum, and your main option if you don’t like the way Signal is being run is to leave the app and find another one. So transitioning from WhatsApp, Messenger, or Telegram to Signal only meant getting used to a slightly different UX and a few missing features, but didn’t require any shift in our relationship with the technology we used.

Moving to the Fediverse, however, is a whole other ball game, and people should know what to expect: it’s a work-in-progress, but one that is built, owned, and managed by us.

Earlier this month, WhatsApp started showing a notice informing users of an update to the app's privacy policy.

The update seemed to indicate that WhatsApp would share user data with its parent company, Facebook.

Nevermind that WhatsApp had already been doing it since 2016, the notice raised awareness on the data-sharing scheme and pushed millions to look for alternatives to the messaging app.

Many flocked to Signal, the secure messenger endorsed by Edward Snowden and already used by journalists and activists worldwide (in fact, Signal got so many new users that its servers went down for a few hours on Friday).

But even larger numbers turned to Telegram: over 25 million people registered on the app within 72 hours. The same thing happened when Facebook purchased WhatsApp in 2014, and in 2019, when WhatsApp discovered a vulnerability in the app, and thousands of alarmed users—particularly activists—turned to Telegram for safety.

This increased awareness of digital privacy risks is certainly a positive development. But Telegram is seen as the gold-standard for secure messaging is deeply concerning. So here are 7 reasons why Telegram isn't as secure as it paints itself to be.

1. Chats are not end-to-end encrypted by default

By contrast to Signal or WhatsApp, conversations are not end-to-end encrypted by default. This means that anyone with access to the Telegram servers can read user chats (messages, photos, audio recordings, etc)—whether that's Telegram staff, a hacker who manages to get in, or a government serving the company a subpoena.

We don't know whether Telegram staff has accessed user conversations in the past or handed over data to governments, but we don't need to know: if they want to, they can.

Telegram does support end-to-end encrypted “secret chats”, which keep data encrypted even on Telegram servers.

But users need to go out of their way to start a secret chat, and in the process lose significant functionalities, such as cross-device syncing (secret chats started on the phone are not viewable on Telegram desktop, and vice versa).

Because they join Telegram expecting an already-secure messenger, casual users are often not aware that default chats are not fully private. (It's also worth noting that secret chat is not a particularly unique feature: Facebook Messenger and Skype support similar features)

2. Group chats are not end-to-end encrypted

Just like regular one-on-one chats, group chats are not end-to-end encrypted. Except there, Telegram does not offer an option for a secret group chat at all. So if you are on Telegram and want a truly private group chat, you're out of luck.

3. Full chat histories are stored in the cloud

The entirety of users' chat history is stored on Telegram servers. This means that if someone gets access to your account, they are able to read every message of every conversation you've ever had on the app (except for secret chats and those you have manually deleted). In the words of security researcher The Grugq, “this is a security nightmare”.

To get access, a hacker would need to intercept the verification code that Telegram sends when a user activates the app on a new device. This is not theoretical, it happens in real life—including in places where criticizing the government can land you in jail. There are ways of protecting yourself against this threat, such as enabling an extra password to register a new device, but yet again, most users are unaware of those risks.

This is not an issue unique to Telegram: other messengers that use the phone number as an identifier face the same risks. What is unique about Telegram is that it stores all conversations on its servers.

Other apps like WhatsApp or Signal do not store chat history on their servers, leaving it to the user to back up their conversations on their device. Telegram storing chat history in the cloud adds a great deal of convenience (all conversations are available on any device at any time), but presents serious risks that are often not clear to ordinary users.

4. Metadata collection

Metadata is data about your conversations. It can include who you talk to, when, and for how long; it can identify members of a group chat, their locations, IP addresses, etc. Even without access to the content of a conversation, metadata can reveal a lot about someone's life—so much so, that a former head of the NSA admitted that the US government kills enemies just based on metadata. When WhatsApp says it shares data about its users to Facebook, the data it's talking about is that metadata.

Like WhatsApp, Telegram collects metadata about its users, including IP addresses that can reveal the users' location. To many users, that's much better than Facebook holding that data. But others many not want anyone, not even Telegram, to know who they are talking to, when, and from where.

This is all the more regretful because private messaging can work perfectly well without collecting metadata. In 2016, as part of an FBI investigation, the US court subpoenaed Signal to handover all the information it had about two of its users. Because Signal is end-to-end encrypted, and therefore has no access to user conversations, all that the team could share with the court was metadata and it did share all the metadata available: the date the users created their Signal account, and the date they were last connected. That's all.

Collecting user metadata is a choice apps make, and Telegram made the privacy-invasive choice.

Above: the entirety of the user metadata Signal handed over to the FBI

5. More of a social network than a secure messenger

While Telegram calls itself a “messaging app with a focus on security and speed”, over the years, it’s become more of a social network. Telegram supports groups of up to 200,000 members and channels where admins can broadcast messages to millions, similar to a Twitter feed or Facebook page. There is of course nothing wrong with being a social network. The problem is that users are misled to think that Telegram is a particularly secure or private one.

In August 2019, when millions of Hongkongers turned to Telegram groups to coordinate protests against Chinese interference, a vulnerability was discovered in the app. An attacker was able to identify the phone numbers of those who were part of those Telegram groups—even if those users had set their app preferences to hide their phone number. This meant that if that attacker was the government, they could then use the phone number to track down the users’ real world identities—and detain them for their activism.The issue was quickly fixed, but it showed yet again that many Telegram features of Telegram were not built with privacy as a primary concern.

And like all social networks, Telegram uses censorship: it shuts down groups and channels when it is under public or political pressure—like when the app became a hub of ISIS propaganda or, just last week, when white nationalists turned to Telegram after being booted from all major social networks.

6. A great deal of confusion

Telegram brands itself as a “secure” app and says its chats are “highly encrypted”. But as all of the above shows, it's a little more complicated than that. Secret chats are end-to-end encrypted, but not regular chats. Telegram's website says nothing about groups being end-to-end encrypted (they are not), so many users may mistakenly believe that they are. Voice calls and video calls are end-to-end encrypted.

To an ordinary user—not a security expert or a hacker—this is all pretty confusing and error prone. Users who buy into Telegram's branding are likely to feel like anything they do in the app is safe. Others may mistakenly open a regular chat instead of a secret chat, or forget which feature is end-to-end encrypted and which isn't. All in all, Telegram was either not designed to protect user privacy, or protecting user privacy was poorly executed.

7. Worthy of our trust?

A big part of digital security is about trust. It's about asking ourselves questions like: Who are we willing to trust with our data and digital identities? Do they have the right motives? What is their history and reputation? Asking ourselves those questions about Telegram, it's hard to recommend the app.

The app was launched by Russian billionaire Pavel Durov and his mathematician brother Nikolai, the creators of VK, Russia's most popular social network. When in 2011 VK topped 100 million users, Durov starting attracting the anger of the Kremlin for refusing to censor Putin's political opposition. By 2014, the situation had escalated to the point where Durov was ousted from the company and left Russia. This is when Durov launched Telegram. He said at the time that “the No. 1 reason for me to support and help launch Telegram was to build a means of communication that can’t be accessed by the Russian security agencies”. But Durov's aim to help Russians bypass censorship says little about his commitment to privacy in general.

The first warning sign about Telegram came early on. When designing the app, the Durov brothers ignored cryptography's golden rule, a consensus among security experts: don't create your own encryption scheme. Cryptography is so complex that designing an encryption algorithm from scratch almost inevitably leads to mistakes, so developers should instead use time-tested, recognized algorithms. But Telegram arrogantly decided to create its own homegrown encryption technology, and as expected it was filled with errors (which remained unaddressed for years).

In the following years, despite fixing those initial cryptographic flaws, Telegram did nothing to address the many worrying weaknesses, and continued to paint itself as the most secure and private app out there—often making his case by arguing that Signal cannot be trusted (despite the universal endorsement of the app by cryptographers, security experts, and whistleblowers).

Years later, Durov's appetite to cash-in on the app further raised eyebrows. In 2018, Telegram raised a whopping $1.7 billion from investors to launch a cryptocurrency on the platform—the largest amount ever raised for a cryptocurrency launch. The move was expected to generate a whole lot of cash for Telegram's founders. The project was eventually abandoned after a US court ruled that Telegram didn't comply with financial regulations, but the whole saga raised questions about Durov's motives.

Finally, though initially based in Berlin, Telegram has operated out of Dubai since 2017. Durov explained that it moved to the United Arab Emirates for its fiscally advantageous policy. This was, according to him, out of belief in small government rather than financial motivation—though the billion-dollar cryptocurrency fundraising was announced just months after the move to the tax-free zone.

Most worrying, the UAE is a deeply repressive state, routinely jailing political dissidents and journalists for critizing the ruling family. It is a violent player in regional politics, backing dictatorships against democratic movements, waging a cold war against Iran, and fueling proxy wars in Yemen, Libya, and Syria. The UAE is an unabashed enemy of freedom of speech, with a long list of political enemies. Durov claims that its server infrastructure is distributed around the world and strategically set up to avoid the jurisdiction of any one country, including of the UAE. With no means of verifying those claims, we'll have to take his word for it and hope that the billions of conversations stored in Telegram's servers are, indeed, safe.

Conclusion

As the Electronic Frontier Foundation explains, it would be silly, dangerous even, to give blanket recommendations on what communication tool is the most “secure”. Security is subjective and personal. What is it you want to protect—the content of your conversations, who you talk to, your identity? Who do you want to protect it from—Facebook, Google, the US government, the Chinese government, your boss, your stalking ex-lover? Each app has strengths and weaknesses, and different needs call for different apps.

Telegram may well fit some people's security needs, and it may offer social networking features that people are looking for, free of Facebook surveillance. But the app’s self-branding as “secure” and “highly encrypted” is deceptive and puts users at risk. From Signal to Wire or Briar, there are many apps that were designed from the ground up with security in mind. Telegram is simply not one of them.