La Liga Fined 250K Euros For Using Mobile App To Try To Catch 3rd Party Pirates

from the goooooooal dept

Roughly one year ago, we wrote about La Liga, the Spanish soccer league, pushing out an app to soccer fans that allowed the software to repurpose a mobile device’s microphone and GPS to try to catch unauthorized broadcasts of La Liga matches. The league publicized this information, which had previously been buried in obscure language in its TOS, as mandated by the GDPR. At the same time, the league attempted to brush the whole thing off as above board, claiming that what was in the TOS informed users of the app enough that their own mobile devices were being compromised and turned into copyright snoop networks.

If this all sounds like The Dark Knight Rises for European soccer… you aren’t wrong.

La Liga apparently was wrong, however, in its claims that all of this was okey-dokey.

While controversial, La Liga felt that it was on solid ground in respect of the feature and its declaration to app users. AEPD, Spain’s data protection agency (Agencia Española de Protección de Datos), fundamentally disagrees.

As a result, AEPD has hit La Liga with a significant 250,000 euro fine for not properly informing its users in respect of the ‘microphone’ feature, including not displaying a mic icon when recording.

The data protection agency said that La Liga’s actions breached several aspects of the EU’s GDPR, including a failure to gain consent every time the microphones in users’ devices were activated.

Now, the GDPR is an absolutely useless monstrosity in nearly every instance, but its actions — such as those taken against La Liga — fool everyone into thinking such laughably broad regulation is necessary in the first place. When a business somehow thinks it is a good idea to compromise the mobile devices of its customers in order to catch pubs and bars, fining that business via the GDPR sure makes it seem like the GDPR is doing something. This is what poisons the well, in other words.

The pro-GDPR argument stemming from this example is undercut, however, by the fact that La Liga is arguing that it modeled its actions to very specifically follow the spelled out way the GDPR enables these kinds of privacy intrusions. This too is an argument we’ve made about the GDPR.

In a statement, La Liga says it “disagrees deeply” with the AEPD’s decision and believes the agency has “not made the effort to understand how the technology works.” Announcing it will go to court to challenge the ruling, La Liga says it has always complied with the GDPR and other relevant data protection regulations. Noting that users of the app must “expressly, proactively and on two occasions give their consent” for the microphone to be used, La Liga further insists that the app does not “record, store or listen” to people’s conversations.

“[T]he technology used is designed to generate only a specific sound footprint (acoustic fingerprint). This fingerprint only contains 0.75% of the information, discarding the remaining 99.25%, so it is technically impossible to interpret the voice or human conversations. This footprint is transformed into an alphanumeric code (hash) that is not reversible to the original sound,” La Liga says.

As if another test case was needed, the outcome of the appeal will certainly be one for the usefulness of the GDPR. Because if the outcome is that La Liga actually did comply with it, all while snooping on 3rd parties using the mobile hardware of customers that didn’t really know what was happening, that should be revealing.

Companies: la liga


Comments on “La Liga Fined 250K Euros For Using Mobile App To Try To Catch 3rd Party Pirates”

26 Comments
Anonymous Coward says:

While sparse on details, the ‘technical’ description sounds…. dubious at best.

If you record the same ‘sound’ (as played by, say, a movie) and then hash the recording, twice, the resulting hashes are almost guaranteed to be different.
Cryptographic hashes (which is almost certainly what they are referring to, since the design of them resists deriving the content from a given hash) are designed to have a few properties. One of those properties is that minor changes to the inputs (for example small amounts of noise) will have a significant impact on the output.

In other words. Even if they were hashing the recordings… it would tell them nothing… unless there is something important they are not mentioning.

Anonymous Coward says:

Re: Re:

While sparse on details, the ‘technical’ description sounds…. dubious at best.

It’s not really a hash like you are thinking, more of an "acoustical signature". If you understand how the frequency domain works, it’s not that difficult to zero in on a set of specific frequencies while ignoring (filtering out) the frequencies that are not needed.

I have personally designed a system using the Goertzel algorithm that can easily determine if a CTCSS tone is present in a signal. It is amazingly accurate and very robust, such that I can determine which sub-audible CTCSS tone is being transmitted on a voice repeater even though the actual voice is buried in noise and can’t even be understood.

I would guess that they would implement a system like this considering their statement:

This fingerprint only contains 0.75% of the information, discarding the remaining 99.25%,

My system checks for the presence of roughly 50 very specific frequencies ranging from about 65 Hz up to about 255 Hz, which are all "technically" sub-audible, i.e. a very small percentage of the information (the audible frequency range,) discarding the rest.

I would guess that transmitting a handful of tones such as that would be very easy to listen to and determine if they have been "compromised" in some way due to streaming sites using compression techniques.

So their "fingerprint" is probably nothing more than a very narrow set of filters used in the frequency domain.

For further reading: Fourier Transform
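
The contrast drawn in the two comments above, as an added example (not code from either commenter or from La Liga's app): two noisy recordings of the same weak tone produce different SHA-256 digests, while a Goertzel filter bank reports the same tone for both. The sample rate, the short candidate list, the Gaussian noise model and the `min_fraction` threshold are assumptions chosen for the illustration.

```python
import hashlib
import math
import random
import struct

FS = 8000                                        # sample rate in Hz (assumed)
CANDIDATES = [67.0, 100.0, 123.0, 151.4, 203.5]  # a few CTCSS tones (sample list)

def goertzel_power(samples, freq, fs=FS):
    """Signal power at one frequency, via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / fs)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_tone(samples, min_fraction=0.01):
    """Return the candidate holding >= min_fraction of the energy, else None."""
    energy = sum(x * x for x in samples)
    if energy == 0.0:
        return None
    best = max(CANDIDATES, key=lambda f: goertzel_power(samples, f))
    # A pure tone scores about 1.0 here; white noise about 2/len(samples).
    fraction = goertzel_power(samples, best) / (energy * len(samples) / 2)
    return best if fraction >= min_fraction else None

def record(tone_hz, seed, seconds=1.0, tone_amp=0.3):
    """Constructed 'recording': a weak tone under unit-variance Gaussian noise."""
    rng = random.Random(seed)            # the seed stands in for room/mic noise
    n = int(FS * seconds)
    return [
        (tone_amp * math.sin(2 * math.pi * tone_hz * i / FS) if tone_hz else 0.0)
        + rng.gauss(0.0, 1.0)
        for i in range(n)
    ]

def sha256_of(samples):
    """Cryptographic hash of the raw samples, packed as 32-bit floats."""
    return hashlib.sha256(struct.pack(f"{len(samples)}f", *samples)).hexdigest()

if __name__ == "__main__":
    a, b = record(123.0, seed=1), record(123.0, seed=2)
    print("sha256 equal:", sha256_of(a) == sha256_of(b))
    print("tones found :", detect_tone(a), detect_tone(b))
    print("noise only  :", detect_tone(record(None, seed=3)))
```

The detector never needs the speech band, but nothing in the permission model enforces that: the same microphone buffer is available to whatever code runs on it.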

Anonymous Coward says:

Re: Re: Re: Re:

Of course, the user can only accept or (maybe) reject the request for microphone permission. They don’t get a chance to analyze the algorithm or grant the permission in a way that makes full recording impossible.

True, but my point was more about their statements describing how their software works and that it can be done as described quite easily when working in the frequency domain.

Anonymous Coward says:

Re: Re: Re:2 Re:

It’s a good and useful description of how one could implement it in a privacy-respecting way (and how this relates to their explanation), but we all know there are apps that abuse people’s trust. At present the general public are given little ability to tell which is which. There’s no obvious fix for this, except for apps to avoid asking for things that would look suspicious.

That Anonymous Coward (profile) says:

I await them turning over evidence to experts to back their claims that it only did the right thing & exactly what they claimed.

Isn’t it nice that rightsholders have decided once again they are entitled to use your things for their benefit?
Used your battery life.
Tracked you to bars.
Used your data.

Well we were kinda sorta upfront about this in our clickwrap agreement & just because we HID the fact we were recording from all of you who opted in doesn’t mean we never did anything wrong.

One wonders what happens when the swat team shows up to raid an unauthorized stream only to discover a guy watching a match he DVR’ed cause he had to work.

PaulT (profile) says:

"in order to catch pubs and bars"

I’d be interested in how accurate this could possibly be anyway. There’s plenty of places where you have numerous bars and other establishments close to each other in Spain. How do you track which pub someone’s using? Mobile location? What if they’re using wifi from the bar next door? Do they send the fines out to people who weren’t playing the match just because a neighbour wasn’t paying his bill?

"believes the agency has “not made the effort to understand how the technology works.” "

They understand perfectly. You’re using people’s phones as surveillance devices, and even if you’re not listening to their actual conversations you’re tracking them and tying them to their location in order for this tech to be of any use. That’s concerning enough even if you’ve opted not to record their full audio.

Anonymous Coward says:

Re: Re:

How do you track which pub someone’s using? Mobile location?

It’s an app. It requests microphone permission, so why not GPS permission? Then you send the goons to catch the publicans in the act. Doesn’t matter if the position’s not accurate, because they may as well go into all the nearby pubs that haven’t paid the protection money.

PaulT (profile) says:

Re: Re: Re:

"It requests microphone permission, so why not GPS permission? "

Yeah, but does the phone still report GPS if it’s using wifi? I’m not 100% clear but if the OS rather than the app enforces where the data comes from then it might report differently.

"Doesn’t matter if the position’s not accurate, because they may as well go into all the nearby pubs that haven’t paid the protection money"

Sadly, this is true.

Gary (profile) says:

Followed the Law

Sounds like La Liga had their lawyers look over the law and followed it. The enforcement arm said they couldn’t have avoided all this if they’d have followed it correctly.

So what’s worse – the fact that they are being fined for following the GDPR because no one agrees on how it works, or that this sort of snooping is clearly allowed under GDPR if you have the right disclaimer on your app?

Anonymous Coward says:

Re: Followed the Law

Quoting extensively from Wikipedia:

If informed consent is used as the lawful basis for processing, consent must have been explicit for data collected and each purpose data is used for (Article 7; defined in Article 4). Consent must be a specific, freely-given, plainly-worded, and unambiguous affirmation given by the data subject; an online form which has consent options structured as an opt-out selected by default is a violation of the GDPR, as the consent is not unambiguously affirmed by the user. In addition, multiple types of processing may not be "bundled" together into a single affirmation prompt, as this is not specific to each use of data, and the individual permissions are not freely given. (Recital 32)

Data subjects must be allowed to withdraw this consent at any time, and the process of doing so must not be harder than it was to opt in. (Article 7(3)) A data controller may not refuse service to users who decline consent to processing that is not strictly necessary in order to use the service.

None of the articles I’ve seen show screenshots of the app installation and consent screens, but does anyone believe the users would specifically override the default and choose to grant microphone permission for the purpose of catching "pirate" bars?

Anonymous Coward says:

Re: Re: Followed the Law

Most likely there was no "default" option at all.

What probably happens is that when the user opens it for the first time it requests various permissions from the user, who can then select to grant permissions or not to grant permissions using two separate (virtual) buttons on the touch screen. The app would not continue to load until the user selects one of the options. There would be no "default" option; rather than hitting "yes/no" and then hitting a third button to submit your decision (in which case, one button could be pre-selected as a "default"), best practice in mobile app design is that the "yes/no" buttons serve to both select which decision to make, and to submit that decision. This differs from desktop app design primarily due to the smaller screen and greater difficulty in scrolling in mobile apps, which makes it more uncomfortable to read and make multiple selections on a single screen prior to submitting. Though this has started to translate into some areas on desktop as well, due to requiring fewer clicks and allowing a cleaner interface.

The legal question is highly unlikely to revolve around "default options" (except in the unlikely event they deliberately varied from both best practice and default Android operating system settings) but rather how details of use must be provided to the end user.

Anonymous Coward says:

Re: Re: Re: Followed the Law

The legal question is highly unlikely to revolve around "default options" … but rather how details of use must be provided to the end user.

Yes, that goes with "consent must have been explicit for data collected and each purpose data is used for". Asking "do you want to let this app use your microphone" (with no reason given) wouldn’t constitute informed consent, and it’s hard to imagine someone clicking Yes if that were followed by "…to snitch on bar operators" (and arguably the snitching itself would require separate confirmation from the monitoring).

Anonymous Coward says:

Re: Re: No, they're "asking" the wrong person for cons

conversations held in a public location without making any special effort to ensure privacy are not granted protection

Phones can record conversations when people are making efforts to ensure privacy. The microphones are more sensitive than human ears and can pick up hushed conversations; the software can filter background noise that would otherwise mask the speech.
