Skip to main content

A podcast app is exposing subscribers-only shows

The beauty and misery of private RSS feeds

Share this story

Illustration by Grayson Blackmon / The Verge

There’s only supposed to be one way to hear exclusive podcast content from sports host Scott Wetzel: by paying $5 a month to subscribe to his Patreon. But the show’s also been available on a smaller podcasting app for free. In fact, leaked podcast feeds from dozens of subscription-only shows, including Wetzel’s and The Last Podcast On The Left, are available to stream through Castbox, a smaller app for both iOS and Android, just by searching for them.

Two people in the podcast space tell me they’ve reached out to Castbox multiple times, only for the company to remove a show and then have it pop up again, an infuriating cycle for someone trying to charge for their content. “It’s a little bit like playing whack-a-mole with them,” says one source, who asked to remain anonymous because of their ongoing work in the space.

Podcast subscriptions have existed for years, but they’ve gained wider attention this past month. Apple, which makes the dominant podcasting app, introduced in-app subscriptions with a button that lets people directly subscribe to a show from the app. Spotify announced its own subscription product, too, but with caveats — the main one being there’s no actual in-app button.

Multiple private RSS feeds are publicly available through Castbox

Prior to both of these proprietary solutions, the podcasting world’s subscription products mostly centered on private RSS feeds, or links typically assigned to individual listeners that allow them to access shows. The links can be pasted into any supporting podcast app, like Apple Podcasts, Overcast, and Pocket Casts, and for the most part, the system’s worked. Podcasting remains a mostly open ecosystem, and although this content is paywalled, shows still benefit from seamless RSS distribution. Notably, podcasters don’t have to manage multiple backends across services and can publish all their subscribers’ content at once.

But private feeds still have a glaring downside: these links can be easily shared, and anyone with the link can access private content. Piracy might become a growing concern, too, as the industry looks toward subscription and exclusive models. Already we’ve seen pirated shows on Anchor, and re-uploads of the Spotify-exclusive The Joe Rogan Experience on Castbox, as well. Although Castbox is small enough that the leaks likely aren’t on most podcasters’ radars, they still illustrate the problems one weak link in the distribution chain can create.

“This is the beauty and the mess of the open system — the web is amazing and allows us to publish content everywhere, but restricting access to content is always going to be tricky,” says Justin Jackson, co-founder of podcast hosting service 

He adds that, inevitably, people will find ways to subvert the system, whether that’s recording audio and distributing it on their own or sharing their private feed links among friends. 

Much of the podcast subscription industry is built around private RSS feeds, but a link can be shared

To prevent situations like this, software has been touted as a possible solution. Slate’s Supporting Cast — which powers multiple membership-oriented shows, including Slate’s own Slate Plus network — monitors private RSS feeds for suspicious activity, like thousands of downloads on what’s supposed to be someone’s single-person feed. The software also monitors the IP addresses where someone is listening and the podcast app they’re using to see if anything seems out of the ordinary. 

So far, the issue hasn’t become a huge problem. Supporting Cast CEO David Stern says the team has only had to take action fewer than 100 times in the year and a half that the automated monitoring has been active.

“You could always share a username and password to Hulu or Netflix, and that’s sort of okay. The companies let you get away with that,” Stern says. “You’ve got to strike a balance. We’re not talking about national security secrets here.”

The software-side workarounds can be effective — especially considering RSS, the backbone upon which the podcast industry was built, doesn’t allow for many technical improvements. However, it’s an investment that not every company might want to make. So the broader solution for locking down private feeds is simpler: tags, or literal snippets of text, that are part of a podcast feed’s metadata.

When software solutions fail, tags should help

Multiple distribution companies and hosting platforms now verify the owners of RSS feeds through tags. These tags list an owner’s email address, which the platforms then use to verify the person uploading the feed, thereby preventing people from trying to pass an already established show off as their own. Feeds can also be “locked,” a separate tag that, if respected, stops platforms from importing a show. A third and final tag, which is particularly relevant to private RSS feeds, instructs podcast apps not to index a particular show. Google Podcasts, as an example, scours the web to index shows and include them in the app, similarly to how its search engine populates results. If this tag is placed in an RSS feed, as it likely would be for a private feed, the app won’t index it. 

“What most platforms are doing is making it as difficult as they can for people to pirate podcast feeds – for people to submit podcast feeds to the directories — but still, at the same time, trying to make it easy for folks [who listen],” Jackson says.

The catch with tags, though, is they’re only as good as the platforms allow them to be. You might tell a platform not to index a program, but it doesn’t have to obey that request.

Jackson posits that this appears to be happening in Castbox’s case. These RSS feeds likely aren’t being verified when they’re submitted and, if a feed’s metadata requests that it not be indexed, Castbox isn’t heeding that ask. 

None of these feeds appear to have been uploaded maliciously to Castbox and most have a small number of plays — the damage is minimal. I reached out to the owner of the private RSS for Wetzel’s podcast, and he confirmed that he only meant to listen to this podcast on his own, not to make it public. He “didn’t give it any thought” that the show would become public when he added the RSS feed to listen on Castbox. (The Joe Rogan Experience copycat, however, has more than 400,000 plays and over 14,000 subscribers.)

In a comment to The Verge following this article’s publication, Castbox COO Gene Wuu said he hadn’t seen this issue before, and the team would update its instructional page for uploading private RSS feeds because it’s “very confusing.” It would also block the known, leaked shows “immediately.”

He says the team, after investigating, found the leaked podcast issue mostly affected a specific hosting company’s shows, so it would work to figure out what went wrong and patch the problem. He admitted that podcasters had, in the past, reached out about private shows being published publicly, but that issue was much smaller in scope.

“Obviously this is not intentional,” he says. “We always take this very seriously, and we have done quite a bit of cleanup.”

Podcasters and app developers clearly see paid memberships as part of the industry’s future, but the risks of private RSS feeds could compromise the industry’s headway. It might even give Spotify and Apple a leg up on competitors that have built entire businesses around locking down the open technology. But even a proprietary solution can’t prevent piracy entirely, and for podcasters, they’ll likely have to accept some risk and rely on the good faith of the podcasting players themselves to keep their shows from going wide.

Update May 13th, 5:32PM ET: Updated to include Castbox’s comment.