La Liga Fined 250K Euros For Using Mobile App To Try To Catch 3rd Party Pirates

from the goooooooal dept

Roughly one year ago, we wrote about La Liga, the Spanish soccer league, pushing out an app to soccer fans that allowed the software to repurpose a mobile device's microphone and GPS to try to catch unauthorized broadcasts of La Liga matches. The league publicized this information, which had previously been buried in obscure language in its TOS, as mandated by the GDPR. At the same time, the league attempted to brush the whole thing off as above board, claiming that what was in the TOS informed users of the app enough that their own mobile devices were being compromised and turned into copyright snoop networks.

If this all sounds like The Dark Knight Rises for European soccer... you aren't wrong.

La Liga apparently was wrong, however, in its claims that all of this was okey-dokey.

While controversial, La Liga felt that it was on solid ground in respect of the feature and its declaration to app users. AEPD, Spain’s data protection agency (Agencia Española de Protección de Datos), fundamentally disagrees.

As a result, AEPD has hit La Liga with a significant 250,000 euro fine for not properly informing its users in respect of the ‘microphone’ feature, including not displaying a mic icon when recording.

The data protection agency said that La Liga’s actions breached several aspects of the EU’s GDPR, including a failure to gain consent every time the microphones in users’ devices were activated.

Now, the GDPR is an absolutely useless monstrosity in nearly every instance, but it's actions -- such as those taken against La Liga -- fool everyone into thinking such laughably broad regulation is necessary in the first place. For any business to somehow think that it would be a good idea to compromise the mobile devices of its customers in order to catch pubs and bars, something like fining the business via the GDPR sure makes it seem like the GDPR is doing something. This is what poisons the well, in other words.

The pro-GDPR argument stemming from this example is undercut, however, by the fact that La Liga is arguing that it modeled its actions to very specifically follow the spelled out way the GDPR enables these kinds of privacy intrusions. This too is an argument we've made about the GDPR.

In a statement, La Liga says it “disagrees deeply” with the AEPD’s decision and believes the agency has “not made the effort to understand how the technology works.” Announcing it will go to court to challenge the ruling, La Liga says it has always complied with the GDPR and other relevant data protection regulations. Noting that users of the app must “expressly, proactively and on two occasions give their consent” for the microphone to be used, La Liga further insists that the app does not “record, store or listen” to people’s conversations.

“[T]he technology used is designed to generate only a specific sound footprint (acoustic fingerprint). This fingerprint only contains 0.75% of the information, discarding the remaining 99.25%, so it is technically impossible to interpret the voice or human conversations. This footprint is transformed into an alphanumeric code (hash) that is not reversible to the original sound,” La Liga says.

As if another test case was needed, the outcome of the appeal will certainly be one for the usefulness of the GDPR. Because if the outcome is that La Liga actually did comply with it, all while snooping on 3rd parties using the mobile hardware of customers that didn't really know what was happening, that should be revealing.

Filed Under: apps, copyright, gdpr, piracy, pirates, recording, surveillance
Companies: la liga


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 14 Jun 2019 @ 3:38am

    While spars on details the 'techincal' description sounds.... dubious at best.

    If you record the same 'sound' (as played by, say, a movie) than then hash the recording, twice. The resulting hashes are almost garanteed to be different.
    Cryptographic hashes (which is almost certainly what they are refering to, since the design of them resists deriving the content from a given hash) are designed to have a few properties. One of those properties is that minor changes to the inputs (for example small amounts of noise) will have a significant impact on the output.

    In other words. Even if they were hashing the recordings... it would tell them nothing... unless there is something important they are not mentioning.

    reply to this | link to this | view in chronology ]

    • icon
      PaulT (profile), 14 Jun 2019 @ 4:11am

      Re:

      I'd imagine they mean something along the lines of how Shazam does things. But, you have to actively tell Shazam to listen, while this app was apparently monitoring the whole time...

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 14 Jun 2019 @ 5:34am

      Re:

      While this is the normal way that hashes work it is possible to define hashing algorithms that are insensitive to small (or even specific types of) variations

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 14 Jun 2019 @ 6:29am

      Re:

      While spars on details the 'techincal' description sounds.... dubious at best.

      It's not really a hash like your are thinking, more of an "acoustical signature". If you understand how the frequency domain works, it's not that difficult to zero in on a set of specific frequencies while ignoring (filtering out) the frequencies that are not needed.

      I have personally designed a system using the Goertzel algorithm that can easily determine if a CTCSS tone is present in a signal. It is amazingly accurate and very robust, such that I can determine which sub-audible CTCSS tone is being transmitted on a voice repeater even though the actual voice is buried in noise and can't even be understood.

      I would guess that they would implement a system like this considering their statement:

      This fingerprint only contains 0.75% of the information, discarding the remaining 99.25%,

      My system checks for the presence of roughly 50 very specific frequencies ranging from about 65 Hz up to about 255 Hz, which are all "technically" sub-audible, i.e. a very small percentage of the information (the audible frequency range,) discarding the rest.

      I would guess that transmitting a handful of tones such as that would be very easy to listen to and determine if they have been "compromised" in some way due to streaming sites using compression techniques.

      So their "fingerprint" is probably nothing more than a very narrow set of filters used in the frequency domain.

      For further reading: Fourier Transform

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 14 Jun 2019 @ 9:01am

        Re: Re:

        I would guess that they would implement a system like this

        Of course, the user can only accept or (maybe) reject the request for microphone permission. They don't get a chance to analyze the algorithm or grant the permission in a way that makes full recording impossible.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 14 Jun 2019 @ 10:32am

          Re: Re: Re:

          Of course, the user can only accept or (maybe) reject the request for microphone permission. They don't get a chance to analyze the algorithm or grant the permission in a way that makes full recording impossible.

          True, but my point was more about their statements describing how their software works and that it can be done as described quite easily when working in the frequency domain.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 14 Jun 2019 @ 12:30pm

            Re: Re: Re: Re:

            It's a good and useful description of how one could implement it in a privacy-respecting way (and how this relates to their explanation), but we all know there are apps that abuse people's trust. At present the general public are given little ability to tell which is which. There's no obvious fix for this, except for apps to avoid asking for things that would look suspicious.

            reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 14 Jun 2019 @ 3:41am

    I await them turning over evidence to experts to back their claims of it only did the right thing & exactly what they claimed.

    Isn't it nice that rightsholders have decided once again they are entitled to use your things for their benefit?
    Used your battery life.
    Tracked you to bars.
    Used your data.

    Well we were kinda sorta upfront about this in our clickwrap agreement & just because we HID the fact we were recording from all of you who opted in doesn't mean we never did anything wrong.

    One wonders what happens when the swat team shows up to raid an unauthorized stream only to discover a guy watching a match he DVR'ed cause he had to work.

    reply to this | link to this | view in chronology ]

  • icon
    PaulT (profile), 14 Jun 2019 @ 4:10am

    "in order to catch pubs and bars"

    I'd be interested in how accurate this could possibly be anyway. There's plenty of places where you have numerous bars and other establishments close to each other in Spain. How do you track which pub someone's using? Mobile location? What if they're using wifi from the bar next door? Do they send the fines out to people who weren't playing the match just because a neighbour wasn't paying his bill?

    "believes the agency has “not made the effort to understand how the technology works.” "

    They understand perfectly. You're using peoples phones as surveillance devices, and even if you're not listing to their actual conversations you're tracking them and tying them to their location in order for this tech to be of any use. That's concerning enough even if you've opted not to record their full audio.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 14 Jun 2019 @ 1:19pm

      Re:

      How do you track which pub someone's using? Mobile location?

      It's an app. It requests microphone permission, so why not GPS permission? Then you send the goons to catch the publicans in the act. Doesn't matter if the position's not accurate, because they may as well go into all the nearby pubs that haven't paid the protection money.

      reply to this | link to this | view in chronology ]

      • icon
        PaulT (profile), 15 Jun 2019 @ 1:54am

        Re: Re:

        "It requests microphone permission, so why not GPS permission? "

        Yeah, but does the phone still report GPS if it's using wifi? I'm not 100% clear but if the OS rather than the app enforces where the data comes from then it might report differently.

        "Doesn't matter if the position's not accurate, because they may as well go into all the nearby pubs that haven't paid the protection money"{

        Sadly. this is true.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Jun 2019 @ 4:56am

    How is it that copyright enforcement can't find any employees who don't all have a soul full of day-old dog shit?

    reply to this | link to this | view in chronology ]

  • icon
    JoeCool (profile), 14 Jun 2019 @ 5:21am

    Slap on the wrist

    250 thousand Euros? That's all? That's barely a dinner for one of their execs. I would be surprised that they bothered to appeal this, but they also want to keep doing it, so I guess they have to. I imagine if this had been an American company, they might have levied a real fine, but it's not only local, but one the people love.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Jun 2019 @ 5:31am

    For any business to somehow think that it would be a good idea to compromise the mobile devices of its customers in order to catch pubs and bars

    Is them following the lead of governments in collecting as much data as possible to detect crimes.

    reply to this | link to this | view in chronology ]

  • icon
    Gary (profile), 14 Jun 2019 @ 6:06am

    Followed the Law

    Sounds like La Liga had their lawyers look over the law and followed it. The enforcement arm said they couldn't have avoided all this if they'd have followed it correctly.

    So what's worse - the fact that they are being fined for following the GDPR because no one agrees on how it works, or that this sort of snooping is clearly allowed under GDPR if you have the right disclaimer on your app?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 14 Jun 2019 @ 7:46am

      Re: Followed the Law

      Quoting extensively from Wikipedia:

      If informed consent is used as the lawful basis for processing, consent must have been explicit for data collected and each purpose data is used for (Article 7; defined in Article 4). Consent must be a specific, freely-given, plainly-worded, and unambiguous affirmation given by the data subject; an online form which has consent options structured as an opt-out selected by default is a violation of the GDPR, as the consent is not unambiguously affirmed by the user. In addition, multiple types of processing may not be "bundled" together into a single affirmation prompt, as this is not specific to each use of data, and the individual permissions are not freely[ ]given. (Recital 32)

      Data subjects must be allowed to withdraw this consent at any time, and the process of doing so must not be harder than it was to opt in. (Article 7(3)) A data controller may not refuse service to users who decline consent to processing that is not strictly necessary in order to use the service.

      None of the articles I've seen show screenshots of the app installation and consent screens, but does anyone believe the users would specifically override the default and choose to grant microphone permission for the purpose of catching "pirate" bars?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 14 Jun 2019 @ 8:37am

        Re: Re: Followed the Law

        Most likely there was no "default" option at all.

        What probably happens is that when the user opens it for the first time it requests various permissions from the user, who can then select to grant permissions or not to grant permissions using two separate (virtual) buttons on the touch screen. The app would not continue to load until the user selects one of the options. There would be no "default" option; rather than hitting "yes/no" and then hitting a third button to submit your decision (in which case, one button could be pre-selected as a "default") best practices in mobile app design is that the "yes/no" buttons serve to both select which decision to make, and to submit that decision. This differs from desktop app design primarily due to the smaller screen and greater difficulty in scrolling in mobile apps, which makes it more uncomfortable to read and make multiple selections on a single screen prior to submitting. Though this has started to translate into some areas on desktop as well, due to requiring fewer clicks and allowing a cleaner interface.

        The legal question is highly unlikely to revolve around "default options" (except in the unlikely event the deliberately varied from both best practice and default android operating system settings) but rather how details of use must be provided to the end user.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 14 Jun 2019 @ 8:59am

          Re: Re: Re: Followed the Law

          The legal question is highly unlikely to revolve around "default options" ... but rather how details of use must be provided to the end user.

          Yes, that goes with "consent must have been explicit for data collected and each purpose data is used for". Asking "do you want to let this app use your microphone" (with no reason given) wouldn't constitute informed consent, and it's hard to imagine someone clicking Yes if that were followed by "...to snitch on bar operators" (and arguably the snitching itself would require separate confirmation from the monitoring).

          reply to this | link to this | view in chronology ]

  • identicon
    carlb, 14 Jun 2019 @ 6:34am

    No, they're "asking" the wrong person for consent

    If they want to use the fine print and "consent" as a pretext, it's not enough to claim to have the "consent" of the person who owns the device... they need the consent of everyone being spied upon, which would be everyone in the bar. They don't have that. Lock 'em up.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Jun 2019 @ 6:53am

    Sounds like a hastily tossed together excuse for their nefarious activities.

    reply to this | link to this | view in chronology ]

  • identicon
    carlb, 14 Jun 2019 @ 7:48am

    No, they're "asking" the wrong person for consent

    If they want to use the fine print and "consent" as a pretext, it's not enough to claim to have the "consent" of the person who owns the device... they need the consent of everyone being spied upon, which would be everyone in the bar. They don't have that. Lock 'em up.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 14 Jun 2019 @ 8:30am

      Re: No, they're "asking" the wrong person for consent

      Spain is a one-party consent country for recordings; but even ignoring that, conversations held in a public location without making any special effort to ensure privacy are not granted protection anyway.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 14 Jun 2019 @ 9:42am

        Re: Re: No, they're "asking" the wrong person for cons

        conversations held in a public location without making any special effort to ensure privacy are not granted protection

        Phones can record conversations when people are making efforts to ensure privacy. The microphones are more sensitive than human ears and can pick up hushed conversations; the software can filter background noise that would otherwise mask the speech.

        reply to this | link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 14 Jun 2019 @ 8:26am

    Censorship test.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Jun 2019 @ 8:34pm

    Just get a GPS jammer, to prevent your phone's GPS from getting its location. If they get can't get your location, they cannot prove anything.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.