LaLiga fined $280K for soccer app’s privacy-violating spy mode

Spanish soccer’s premier league, LaLiga, has netted itself a €250,000 (~$280k) fine for violating Europe’s General Data Protection Regulation (GDPR) with its official app.

As we reported a year ago, users of the LaLiga app were outraged to discover that the smartphone software does rather more than show minute-by-minute commentary of football matches: it can use the microphone and GPS of fans’ phones to record their surroundings in a bid to identify bars that are unofficially streaming games instead of coughing up for broadcasting rights.

Unwitting fans who hadn’t read the tea leaves of opaque app permissions took to social media to vent their anger at finding they’d been co-opted into an unofficial LaLiga piracy police force as the app repurposed their smartphone sensors to rat out their favorite local bars.

The spy mode function is not mentioned in the app’s description.

El Diario reports that the fine was issued by Spain’s data protection watchdog, the AEPD. A spokesperson for the watchdog confirmed the penalty but told us the full decision has not yet been published.

Per El Diario’s report, the AEPD found LaLiga failed to be adequately clear about how the app recorded audio, violating Article 5.1 of the GDPR, which requires that personal data be processed lawfully, fairly and in a transparent manner. It said LaLiga should have indicated to app users every time the app remotely switched on the microphone to record their surroundings.

If LaLiga had done so, that would have required some form of in-app notification once per minute for as long as a football match is in play, given that, once granted permission to record audio, the app records for five seconds every minute while a league game is happening.

Instead the app only asks for permission to use the microphone twice per user (per LaLiga’s explanation).

The AEPD found the level of notification the app provides to users inadequate, pointing out, per El Diario’s report, that users are unlikely to remember what they have previously consented to each time they use the app.

It suggests that active notification could be provided to users each time the app is recording, such as by displaying an icon that indicates the microphone is listening, according to the newspaper.

The watchdog also found LaLiga to have violated Article 7.3 of the GDPR, which stipulates that when consent is the legal basis for processing personal data, users have the right to withdraw that consent at any time. Again, the LaLiga app does not offer users an ongoing way to withdraw consent to its spy mode recording after the initial permission requests.

LaLiga has been given a month to correct the violations with the app. However in a statement responding to the AEPD’s decision the association has denied any wrongdoing — and said it plans to appeal the fine.

“LaLiga disagrees deeply with the interpretation of the AEPD and believes that it has not made the effort to understand how the technology [functions],” it writes. “For the microphone functionality to be active, the user has to expressly, proactively and on two occasions grant consent, so it cannot be attributed to LaLiga lack of transparency or information about this functionality.”

“LaLiga will appeal the decision in court to prove that it has acted in accordance with data protection regulations,” it adds.

A video produced by LaLiga to try to sell the spy mode function to fans following last year’s social media backlash claims it does not capture any personal data — and describes the dual permission requests to use the microphone as “an exercise in transparency”.

Clearly, the AEPD takes a very different view.

LaLiga’s argument against the AEPD’s decision that it violated the GDPR appears to rest on its suggestion that the watchdog does not understand the technology it’s using — which it claims “neither record, store, or listen to conversations”.

So it looks to be trying to push its own self-serving interpretation of what is and isn’t personal data. (Nor is it the only commercial entity attempting that, of course.)

In the response statement, which we’ve translated from Spanish, LaLiga writes:

The technology used is designed to generate exclusively a specific sound footprint (acoustic fingerprint). This fingerprint only contains 0.75% of the information, discarding the remaining 99.25%, so it is technically impossible to interpret the voice or human conversations.

This fingerprint is transformed into an alphanumeric code (hash) that cannot be reversed to recreate the original sound. The technology’s operation is backed by an independent expert report, which, among other arguments that favor our position, concludes that it “does not allow LaLiga to know the contents of any conversation or identify potential speakers”. Furthermore, it adds that this fraud control mechanism “does not store the information captured from the microphone of the mobile” and “the information captured by the microphone of the mobile is subjected to a complex transformation process that is irreversible”.

A spokesperson for LaLiga told us it was unable to send the expert report cited in the statement.

In comments to El Diario, LaLiga also likens its technology to the Shazam app, which compares an audio fingerprint against a database to identify a song being recorded in real time via the phone’s microphone.

However, Shazam users manually activate its listening feature, and are shown a visual ‘listening’ icon during the process. LaLiga, by contrast, has created an embedded spy mode that, after being granted two initial permissions, switches itself on systematically thereafter. So it’s perhaps not the best comparison to draw.
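The fingerprint-and-hash mechanism LaLiga describes, and the Shazam-style comparison it draws, can be sketched in code. What follows is an added example written for this page, not LaLiga’s, Shazam’s or the cited expert report’s code: a deliberately simplified landmark fingerprint (spectral peak per window, consecutive peak pairs hashed) run over constructed synthetic audio. The window size, the tone schedules standing in for a broadcast and for an unrelated bar, the noise levels and the “two windows of bar chatter” prefix are all assumptions made for the example.

```python
"""Toy acoustic-landmark fingerprinting in pure Python.

Added example for this page: the scheme is a deliberately simplified
Shazam-style sketch, not LaLiga's, Shazam's or the cited expert report's
algorithm, and every signal below is constructed (synthetic tones plus
uniform noise), not real broadcast or microphone audio.
"""
import cmath
import hashlib
import math
import random

WINDOW = 128   # samples per analysis window (assumed; 16 ms at 8 kHz)

# Assumed tone schedules: one DFT bin per window. The "unrelated" bar uses
# only even bins so it shares no landmark with the broadcast (odd bins).
BROADCAST = [3, 11, 7, 19, 5, 23, 13, 9, 17, 21, 15, 25, 27, 29, 31, 33]
UNRELATED = [4, 12, 8, 20, 6, 24, 14, 10, 18, 22, 16, 26, 28, 30, 32, 34]

# Twiddle factors for a naive DFT of one window (no numpy needed).
TWIDDLE = [[cmath.exp(-2j * math.pi * k * n / WINDOW) for n in range(WINDOW)]
           for k in range(WINDOW // 2)]


def synth(schedule, noise=0.0, gain=1.0, seed=0):
    """Constructed audio: per window, a pure tone centred on DFT bin `b`
    (None = no tone, i.e. bar chatter modelled as noise) plus uniform noise."""
    rng = random.Random(seed)
    out = []
    for b in schedule:
        for n in range(WINDOW):
            tone = 0.0 if b is None else gain * math.sin(2 * math.pi * b * n / WINDOW)
            out.append(tone + rng.uniform(-noise, noise))
    return out


def peak_bin(window):
    """Strongest non-DC frequency bin of one window (the spectral 'peak')."""
    best_k, best_mag = 1, -1.0
    for k in range(1, WINDOW // 2):
        mag = abs(sum(x * w for x, w in zip(window, TWIDDLE[k])))
        if mag > best_mag:
            best_k, best_mag = k, mag
    return best_k


def fingerprint(samples):
    """Landmark hashes: each pair of consecutive spectral peaks is reduced to
    (bin_a, bin_b, window delta) and hashed. Only the peak positions survive;
    the waveform itself, and any speech in it, is discarded."""
    peaks = [peak_bin(samples[i:i + WINDOW])
             for i in range(0, len(samples) - WINDOW + 1, WINDOW)]
    hashes = set()
    for a, b in zip(peaks, peaks[1:]):
        # Delta is always one window here; real schemes pair peaks further apart.
        landmark = f"{a}:{b}:1".encode()
        hashes.add(hashlib.sha256(landmark).hexdigest()[:16])   # 64-bit tag
    return hashes


def match_score(query, reference):
    """Fraction of the query's landmarks found in the reference fingerprint."""
    return len(query & reference) / len(query) if query else 0.0


def retained_fraction(samples, hashes, bits_per_sample=16, bits_per_hash=64):
    """Fingerprint size relative to the raw 16-bit PCM it was derived from."""
    return (len(hashes) * bits_per_hash) / (len(samples) * bits_per_sample)


def demo():
    """Reference = clean broadcast; capture = two windows of noise-only 'bar
    chatter', then the broadcast at half volume with noise; other = a bar
    showing something else. Returns the scores a matcher would act on."""
    reference = fingerprint(synth(BROADCAST))
    capture = synth([None, None] + BROADCAST, noise=0.4, gain=0.5, seed=1)
    other = synth(UNRELATED, noise=0.4, gain=0.5, seed=2)
    cap_fp = fingerprint(capture)
    return {
        "capture_vs_broadcast": match_score(cap_fp, reference),
        "unrelated_vs_broadcast": match_score(fingerprint(other), reference),
        "retained_fraction": retained_fraction(capture, cap_fp),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.3f}")
```

Two things the toy makes concrete. First, the matching really does work on a tiny residue of the signal: the noisy, half-volume capture still shares almost all of its landmark tags with the clean reference, the unrelated bar shares none, and the tags amount to a few percent of the raw sample bits (the set of tags also throws away timing, which a real matcher keeps as time offsets so that a short capture can be located inside a whole match). Second, irreversibility is a data-minimisation argument, not an answer to the findings reported above: a fingerprint that cannot be turned back into speech does nothing about whether users are told each time the microphone is switched on (Article 5.1) or can withdraw consent afterwards (Article 7.3), and the tags are still sent alongside the phone’s GPS position and the time of capture, which is information about where a specific user was and what was playing there.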

LaLiga’s statement adds that the audio eavesdropping on fans’ surroundings is intended to “achieve a legitimate goal” of fighting piracy.

“LaLiga would not be acting diligently if it did not use all means and technologies at its fingertips to fight against piracy,” it writes. “It is a particularly relevant task taking into account the enormous magnitude of fraud in the marketing system, which is estimated at approximately 400 million euros per year.”

LaLiga also says it will not be making any changes to how the app functions because it already intends to remove what it describes to El Diario as “experimental” functionality at the end of the current football season, which ends June 30.