LaLiga fined $280k for soccer app's privacy-violating spy mode

Spanish soccer's premier league, LaLiga, has netted itself a €250,000 (~$280k) fine for privacy violations of Europe's General Data Protection Regulation (GDPR) related to its official app.
As we reported a year ago, users of the LaLiga app were outraged to discover the smartphone software does rather more than show minute-by-minute commentary of football matches: it can use the microphone and GPS of fans' phones to record their surroundings in a bid to identify bars which are unofficially streaming games instead of coughing up for broadcasting rights.
Unwitting fans who hadn't read the tea leaves of opaque app permissions took to social media to vent their anger at finding they'd been co-opted into an unofficial LaLiga piracy police force as the app repurposed their smartphone sensors to rat out their favorite local bars.
The spy mode function is not mentioned in the app's description.
El Diario reports the fine being issued by Spain's data protection watchdog, the AEPD. A spokesperson for the watchdog confirmed the penalty but told us the full decision has not yet been published.
Per El Diario's report, the AEPD found LaLiga failed to be adequately clear about how the app recorded audio, violating Article 5.1 of the GDPR, which requires that personal data be processed lawfully, fairly and in a transparent manner. It said LaLiga should have indicated to app users every time the app remotely switched on the microphone to record their surroundings.
If LaLiga had done so, that would have required some form of in-app notification once per minute every time a football match is in play, being as, once granted permission to record audio, the app does so for five seconds every minute when a league game is happening.
Instead the app only asks for permission to use the microphone twice per user (per LaLiga's explanation).
The AEPD found the level of notification the app provides to users inadequate, pointing out, per El Diario's reports, that users are unlikely to remember what they have previously consented to each time they use the app.
It suggests active notification could be provided to users each time the app is recording, such as by displaying an icon that indicates the microphone is listening in, according to the newspaper.
The watchdog also found LaLiga to have violated Article 7.3 of the GDPR which stipulates that when consent is being used as the legal basis for processing personal data users should have the right to withdraw their consent at any time. Whereas, again, the LaLiga app does not offer users an ongoing chance to withdraw consent to its spy mode recording after the initial permission requests.
LaLiga has been given a month to correct the violations with the app. However, in a statement responding to the AEPD's decision, the association has denied any wrongdoing and said it plans to appeal the fine.
"LaLiga disagrees deeply with the interpretation of the AEPD and believes that it has not made the effort to understand how the technology [functions]," it writes. "For the microphone functionality to be active, the user has to expressly, proactively and on two occasions grant consent, so it can not be attributed to LaLiga lack of transparency or information about this functionality."
"LaLiga will appeal the decision in court to prove that it has acted in accordance with data protection regulations," it adds.
A video produced by LaLiga to try to sell the spy mode function to fans following last year's social media backlash claims it does not capture any personal data and describes the dual permission requests to use the microphone as an exercise in transparency.
Clearly, the AEPD takes a very different view.
LaLiga's argument against the AEPD's decision that it violated the GDPR appears to rest on its suggestion that the watchdog does not understand the technology it's using, which it claims "neither record, store, or listen to conversations".
So it looks to be trying to push its own self-serving interpretation of what is and isn't personal data. (Nor is it the only commercial entity attempting that, of course.)
In the response statement, which we've translated from Spanish, LaLiga writes:
"The technology used is designed to generate exclusively a specific sound footprint (fingerprint acoustic). This fingerprint only contains 0.75% of the information, discarding the remaining 99.25%, so it is technically impossible to interpret the voice or human conversations.
"This fingerprint is transformed into an alphanumeric code (hash) that cannot be reversed to recreate the original sound. The technology's operation is backed by an independent expert report, that among other arguments that favor our position, concludes that it does not allow LaLiga to know the contents of any conversation or identify potential speakers. Furthermore, it adds that this fraud control mechanism does not store the information captured from the microphone of the mobile and the information captured by the microphone of the mobile is subjected to a complex transformation process that is irreversible."
In comments to El Diario, LaLiga also likens its technology to the Shazam app, which compares an audio fingerprint to try to identify a song also being recorded in real-time via the phone's microphone.
However, Shazam users manually activate its listening feature, and are shown a visual listening icon during the process. Whereas LaLiga has created an embedded spy mode that systematically switches itself on thereafter, after being granted two initial permissions. So it's perhaps not the best comparison to try to suggest.
LaLiga's statement adds that the audio eavesdropping on fans' surroundings is intended to achieve a legitimate goal of fighting piracy.
"LaLiga would not be acting diligently if it did not use all means and technologies at its fingertips to fight against piracy," it writes. "It is a particularly relevant task taking into account the enormous magnitude of fraud in the marketing system, which is estimated at approximately 400 million euros per year."
LaLiga also says it will not be making any changes to how the app functions because it already intends to remove what it describes to El Diario as experimental functionality at the end of the current football season, which ends June 30.