Privacy foul for soccer league app that eavesdropped on users

A privacy violation case this month has illustrated the dangers of giving apps access to your smartphone sensors. Spain’s data protection agency is reportedly fining Spanish football league LaLiga €250,000 (around $280,000) for co-opting users’ smartphones as digital eavesdropping tools.

The organization’s app, available on both the Android and iOS platforms, provides users with soccer commentary, news, and data. Unbeknownst to those who didn’t read the fine print, it also used their GPS functions to determine where they were during football matches.

The app would then use their smartphones’ microphones to record ambient noise and see if it matched game noise. If the app found a match, and discovered that you were in a public place like a bar, it could deduce that the game was being broadcast illegally.

This approach is similar to the Shazam app’s technique of matching ambient noise with known songs to tell you what music your coffee shop is playing. The difference is that this is Shazam’s primary and publicised purpose. LaLiga’s app was doing its matching unobtrusively in the background while it provided users with another service.

LaLiga, officially known as the Campeonato Nacional de Liga de Primera División, is the top men’s professional soccer division in Spain. It admitted to introducing the snooping code on 8 June 2018, complaining that it loses around €150m ($168m) each year from illicit broadcasts of its games in establishments like cafes and bars. However, it points out that it asks for consent to activate your microphone and GPS.

[Translated] If you decide to accept it, the microphone will capture the binary code of audio fragments, with the sole purpose of knowing if you are watching LaLiga football matches, but the content of the recording will never be accessed.

The program only snoops during game time, and the app irreversibly converts the audio to “binary code”, it goes on. The codes document your IP address and the app’s unique ID. It periodically checks that users are still ok with the app using their phone’s mic and GPS, and they can revoke that consent at any time, it points out.

LaLiga explained what it’s doing in its terms and conditions, which is how users found out about it in the first place a year ago. However, it doesn’t make this clear in its app description on the Google Play or Apple app stores.

The fine from Spain’s data protection authority shows how careful companies must be when writing apps that collect data from phone sensors, even if they ask for permission to use those sensors. The EU data privacy directive, GDPR, mandates that organizations must tell users clearly what they will use that data for.