La Liga Fined 250K Euros For Using Mobile App To Try To Catch 3rd Party Pirates

from the goooooooal dept

Roughly one year ago, we wrote about La Liga, the Spanish soccer league, pushing out an app to soccer fans that allowed the software to repurpose a mobile device's microphone and GPS to try to catch unauthorized broadcasts of La Liga matches. The league publicized this information, which had previously been buried in obscure language in its TOS, as mandated by the GDPR. At the same time, the league attempted to brush the whole thing off as above board, claiming that the TOS did enough to inform app users that their own mobile devices were being compromised and turned into copyright snoop networks.

If this all sounds like The Dark Knight Rises for European soccer... you aren't wrong.

La Liga apparently was wrong, however, in its claims that all of this was okey-dokey.

While controversial, La Liga felt that it was on solid ground in respect of the feature and its declaration to app users. AEPD, Spain’s data protection agency (Agencia Española de Protección de Datos), fundamentally disagrees.

As a result, AEPD has hit La Liga with a significant 250,000 euro fine for not properly informing its users in respect of the ‘microphone’ feature, including not displaying a mic icon when recording.

The data protection agency said that La Liga’s actions breached several aspects of the EU’s GDPR, including a failure to gain consent every time the microphones in users’ devices were activated.

Now, the GDPR is an absolutely useless monstrosity in nearly every instance, but it's actions -- such as those taken against La Liga -- that fool everyone into thinking such laughably broad regulation is necessary in the first place. When a business somehow thinks it would be a good idea to compromise the mobile devices of its customers in order to catch pubs and bars, fining that business via the GDPR sure makes it seem like the GDPR is doing something. This is what poisons the well, in other words.

The pro-GDPR argument stemming from this example is undercut, however, by the fact that La Liga is arguing that it modeled its actions to very specifically follow the spelled out way the GDPR enables these kinds of privacy intrusions. This too is an argument we've made about the GDPR.

In a statement, La Liga says it “disagrees deeply” with the AEPD’s decision and believes the agency has “not made the effort to understand how the technology works.” Announcing it will go to court to challenge the ruling, La Liga says it has always complied with the GDPR and other relevant data protection regulations. Noting that users of the app must “expressly, proactively and on two occasions give their consent” for the microphone to be used, La Liga further insists that the app does not “record, store or listen” to people’s conversations.

“[T]he technology used is designed to generate only a specific sound footprint (acoustic fingerprint). This fingerprint only contains 0.75% of the information, discarding the remaining 99.25%, so it is technically impossible to interpret the voice or human conversations. This footprint is transformed into an alphanumeric code (hash) that is not reversible to the original sound,” La Liga says.

As if another test case was needed, the outcome of the appeal will certainly be one for the usefulness of the GDPR. Because if the outcome is that La Liga actually did comply with it, all while snooping on 3rd parties using the mobile hardware of customers that didn't really know what was happening, that should be revealing.

Filed Under: apps, copyright, gdpr, piracy, pirates, recording, surveillance
Companies: la liga


Reader Comments

  • Anonymous Coward, 14 Jun 2019 @ 3:38am

    While sparse on details, the 'technical' description sounds.... dubious at best.

    If you record the same 'sound' (as played by, say, a movie) and then hash the recording, twice, the resulting hashes are almost guaranteed to be different.
    Cryptographic hashes (which is almost certainly what they are referring to, since the design of them resists deriving the content from a given hash) are designed to have a few properties. One of those properties is that minor changes to the inputs (for example small amounts of noise) will have a significant impact on the output.

    In other words, even if they were hashing the recordings... it would tell them nothing... unless there is something important they are not mentioning.

    • PaulT, 14 Jun 2019 @ 4:11am

      Re:

      I'd imagine they mean something along the lines of how Shazam does things. But, you have to actively tell Shazam to listen, while this app was apparently monitoring the whole time...

    • Anonymous Coward, 14 Jun 2019 @ 5:34am

      Re:

      While this is the normal way that hashes work, it is possible to define hashing algorithms that are insensitive to small (or even specific types of) variations.

    • Anonymous Coward, 14 Jun 2019 @ 6:29am

      Re:

      While sparse on details, the 'technical' description sounds.... dubious at best.

      It's not really a hash like you are thinking, more of an "acoustical signature". If you understand how the frequency domain works, it's not that difficult to zero in on a set of specific frequencies while ignoring (filtering out) the frequencies that are not needed.

      I have personally designed a system using the Goertzel algorithm that can easily determine if a CTCSS tone is present in a signal. It is amazingly accurate and very robust, such that I can determine which sub-audible CTCSS tone is being transmitted on a voice repeater even though the actual voice is buried in noise and can't even be understood.

      I would guess that they would implement a system like this considering their statement:

      This fingerprint only contains 0.75% of the information, discarding the remaining 99.25%,

      My system checks for the presence of roughly 50 very specific frequencies ranging from about 65 Hz up to about 255 Hz, which are all "technically" sub-audible, i.e. a very small percentage of the information (the audible frequency range,) discarding the rest.

      I would guess that transmitting a handful of tones such as that would be very easy to listen to and determine if they have been "compromised" in some way due to streaming sites using compression techniques.

      So their "fingerprint" is probably nothing more than a very narrow set of filters used in the frequency domain.

      For further reading: Fourier Transform

      link to this | view in chronology ]
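
The distinction drawn in this thread, a cryptographic hash of raw audio versus a narrow frequency-domain signature found with the Goertzel algorithm, as an added Python example that is not code from any commenter or from La Liga. It uses constructed noisy recordings, an assumed 8 kHz sample rate and a small subset of CTCSS tones; all function names are hypothetical.

```python
import hashlib
import math
import random
import struct

FS = 8000          # sample rate in Hz (assumed for this example)
N = FS             # one second of audio
# Subset of the standard CTCSS tone table, enough to illustrate the idea.
TONES_HZ = [67.0, 77.0, 88.5, 100.0, 114.8, 131.8, 151.4, 173.8, 203.5, 233.6, 250.3]
DETECT_RATIO = 20.0  # a bin must hold 20x the power white noise would put there


def record(tone_hz, seed, tone_amp=0.2, noise_sigma=1.0):
    """Constructed 'recording': a weak tone buried in Gaussian noise."""
    rng = random.Random(seed)
    return [
        (tone_amp * math.sin(2 * math.pi * tone_hz * n / FS) if tone_hz else 0.0)
        + rng.gauss(0.0, noise_sigma)
        for n in range(N)
    ]


def pcm_sha256(samples):
    """Cryptographic hash of the raw 16-bit PCM: changes with any noise."""
    pcm = [max(-32768, min(32767, int(round(x * 4000)))) for x in samples]
    return hashlib.sha256(struct.pack("<%dh" % len(pcm), *pcm)).hexdigest()


def goertzel_power(samples, freq_hz):
    """Squared magnitude of one frequency bin via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / FS)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_tone(samples):
    """Return the table tone that stands out of the noise, or None."""
    energy = sum(x * x for x in samples)  # ~ expected bin power of white noise
    power, tone = max((goertzel_power(samples, f), f) for f in TONES_HZ)
    return tone if power > DETECT_RATIO * energy else None


def signature_code(samples):
    """Hash of the narrow-band result only, not of the audio itself."""
    return hashlib.sha256(repr(detect_tone(samples)).encode()).hexdigest()


if __name__ == "__main__":
    a, b = record(100.0, seed=1), record(100.0, seed=2)  # same tone, new noise
    print("raw PCM hashes equal:  ", pcm_sha256(a) == pcm_sha256(b))
    print("detected tones:        ", detect_tone(a), detect_tone(b))
    print("signature codes equal: ", signature_code(a) == signature_code(b))
    print("noise only:            ", detect_tone(record(None, seed=3)))
```

The code derived from the detected tone is stable across recordings, but nothing in it shows what else the process holding the microphone did with the samples, which is the point raised in the replies.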

      • Anonymous Coward, 14 Jun 2019 @ 9:01am

        Re: Re:

        I would guess that they would implement a system like this

        Of course, the user can only accept or (maybe) reject the request for microphone permission. They don't get a chance to analyze the algorithm or grant the permission in a way that makes full recording impossible.

        • Anonymous Coward, 14 Jun 2019 @ 10:32am

          Re: Re: Re:

          Of course, the user can only accept or (maybe) reject the request for microphone permission. They don't get a chance to analyze the algorithm or grant the permission in a way that makes full recording impossible.

          True, but my point was more about their statements describing how their software works and that it can be done as described quite easily when working in the frequency domain.

          • Anonymous Coward, 14 Jun 2019 @ 12:30pm

            Re: Re: Re: Re:

            It's a good and useful description of how one could implement it in a privacy-respecting way (and how this relates to their explanation), but we all know there are apps that abuse people's trust. At present the general public are given little ability to tell which is which. There's no obvious fix for this, except for apps to avoid asking for things that would look suspicious.

  • That Anonymous Coward, 14 Jun 2019 @ 3:41am

    I await them turning over evidence to experts to back their claims that it only did the right thing & exactly what they claimed.

    Isn't it nice that rightsholders have decided once again they are entitled to use your things for their benefit?
    Used your battery life.
    Tracked you to bars.
    Used your data.

    Well we were kinda sorta upfront about this in our clickwrap agreement & just because we HID the fact we were recording from all of you who opted in doesn't mean we never did anything wrong.

    One wonders what happens when the swat team shows up to raid an unauthorized stream only to discover a guy watching a match he DVR'ed cause he had to work.

  • PaulT, 14 Jun 2019 @ 4:10am

    "in order to catch pubs and bars"

    I'd be interested in how accurate this could possibly be anyway. There's plenty of places where you have numerous bars and other establishments close to each other in Spain. How do you track which pub someone's using? Mobile location? What if they're using wifi from the bar next door? Do they send the fines out to people who weren't playing the match just because a neighbour wasn't paying his bill?

    "believes the agency has “not made the effort to understand how the technology works.” "

    They understand perfectly. You're using people's phones as surveillance devices, and even if you're not listening to their actual conversations you're tracking them and tying them to their location in order for this tech to be of any use. That's concerning enough even if you've opted not to record their full audio.

    • Anonymous Coward, 14 Jun 2019 @ 1:19pm

      Re:

      How do you track which pub someone's using? Mobile location?

      It's an app. It requests microphone permission, so why not GPS permission? Then you send the goons to catch the publicans in the act. Doesn't matter if the position's not accurate, because they may as well go into all the nearby pubs that haven't paid the protection money.

      • PaulT, 15 Jun 2019 @ 1:54am

        Re: Re:

        "It requests microphone permission, so why not GPS permission? "

        Yeah, but does the phone still report GPS if it's using wifi? I'm not 100% clear but if the OS rather than the app enforces where the data comes from then it might report differently.

        "Doesn't matter if the position's not accurate, because they may as well go into all the nearby pubs that haven't paid the protection money"

        Sadly, this is true.

  • Anonymous Coward, 14 Jun 2019 @ 4:56am

    How is it that copyright enforcement can't find any employees who don't all have a soul full of day-old dog shit?

  • JoeCool, 14 Jun 2019 @ 5:21am

    Slap on the wrist

    250 thousand Euros? That's all? That's barely a dinner for one of their execs. I would be surprised that they bothered to appeal this, but they also want to keep doing it, so I guess they have to. I imagine if this had been an American company, they might have levied a real fine, but it's not only local, but one the people love.

  • Anonymous Coward, 14 Jun 2019 @ 5:31am

    For any business to somehow think that it would be a good idea to compromise the mobile devices of its customers in order to catch pubs and bars

    Is them following the lead of governments in collecting as much data as possible to detect crimes.

  • Gary, 14 Jun 2019 @ 6:06am

    Followed the Law

    Sounds like La Liga had their lawyers look over the law and followed it. The enforcement arm said they couldn't have avoided all this if they'd have followed it correctly.

    So what's worse - the fact that they are being fined for following the GDPR because no one agrees on how it works, or that this sort of snooping is clearly allowed under GDPR if you have the right disclaimer on your app?

    • Anonymous Coward, 14 Jun 2019 @ 7:46am

      Re: Followed the Law

      Quoting extensively from Wikipedia:

      If informed consent is used as the lawful basis for processing, consent must have been explicit for data collected and each purpose data is used for (Article 7; defined in Article 4). Consent must be a specific, freely-given, plainly-worded, and unambiguous affirmation given by the data subject; an online form which has consent options structured as an opt-out selected by default is a violation of the GDPR, as the consent is not unambiguously affirmed by the user. In addition, multiple types of processing may not be "bundled" together into a single affirmation prompt, as this is not specific to each use of data, and the individual permissions are not freely[ ]given. (Recital 32)

      Data subjects must be allowed to withdraw this consent at any time, and the process of doing so must not be harder than it was to opt in. (Article 7(3)) A data controller may not refuse service to users who decline consent to processing that is not strictly necessary in order to use the service.

      None of the articles I've seen show screenshots of the app installation and consent screens, but does anyone believe the users would specifically override the default and choose to grant microphone permission for the purpose of catching "pirate" bars?

      • Anonymous Coward, 14 Jun 2019 @ 8:37am

        Re: Re: Followed the Law

        Most likely there was no "default" option at all.

        What probably happens is that when the user opens it for the first time it requests various permissions from the user, who can then select to grant permissions or not to grant permissions using two separate (virtual) buttons on the touch screen. The app would not continue to load until the user selects one of the options. There would be no "default" option; rather than hitting "yes/no" and then hitting a third button to submit your decision (in which case, one button could be pre-selected as a "default") best practice in mobile app design is that the "yes/no" buttons serve to both select which decision to make, and to submit that decision. This differs from desktop app design primarily due to the smaller screen and greater difficulty in scrolling in mobile apps, which makes it more uncomfortable to read and make multiple selections on a single screen prior to submitting. Though this has started to translate into some areas on desktop as well, due to requiring fewer clicks and allowing a cleaner interface.

        The legal question is highly unlikely to revolve around "default options" (except in the unlikely event they deliberately varied from both best practice and default android operating system settings) but rather how details of use must be provided to the end user.

        • Anonymous Coward, 14 Jun 2019 @ 8:59am

          Re: Re: Re: Followed the Law

          The legal question is highly unlikely to revolve around "default options" ... but rather how details of use must be provided to the end user.

          Yes, that goes with "consent must have been explicit for data collected and each purpose data is used for". Asking "do you want to let this app use your microphone" (with no reason given) wouldn't constitute informed consent, and it's hard to imagine someone clicking Yes if that were followed by "...to snitch on bar operators" (and arguably the snitching itself would require separate confirmation from the monitoring).

  • carlb, 14 Jun 2019 @ 6:34am

    No, they're "asking" the wrong person for consent

    If they want to use the fine print and "consent" as a pretext, it's not enough to claim to have the "consent" of the person who owns the device... they need the consent of everyone being spied upon, which would be everyone in the bar. They don't have that. Lock 'em up.

  • Anonymous Coward, 14 Jun 2019 @ 6:53am

    Sounds like a hastily tossed together excuse for their nefarious activities.

  • carlb, 14 Jun 2019 @ 7:48am

    No, they're "asking" the wrong person for consent

    If they want to use the fine print and "consent" as a pretext, it's not enough to claim to have the "consent" of the person who owns the device... they need the consent of everyone being spied upon, which would be everyone in the bar. They don't have that. Lock 'em up.

    • Anonymous Coward, 14 Jun 2019 @ 8:30am

      Re: No, they're "asking" the wrong person for consent

      Spain is a one-party consent country for recordings; but even ignoring that, conversations held in a public location without making any special effort to ensure privacy are not granted protection anyway.

      • Anonymous Coward, 14 Jun 2019 @ 9:42am

        Re: Re: No, they're "asking" the wrong person for cons

        conversations held in a public location without making any special effort to ensure privacy are not granted protection

        Phones can record conversations when people are making efforts to ensure privacy. The microphones are more sensitive than human ears and can pick up hushed conversations; the software can filter background noise that would otherwise mask the speech.

  • This comment has been flagged by the community.
    Anonymous Coward, 14 Jun 2019 @ 8:26am

    Censorship test.

  • Anonymous Coward, 14 Jun 2019 @ 8:34pm

    Just get a GPS jammer, to prevent your phone's GPS from getting its location. If they can't get your location, they cannot prove anything.
