Spanish Soccer League App Spies on Fans

The Spanish Soccer League's smartphone app spies on fans in order to find bars that are illegally streaming its games. The app listens with the microphone for the broadcasts, and then uses geolocation to figure out where the phone is.

The Spanish data protection agency has ordered the league to stop doing this. Not because it's creepy spying, but because the terms of service -- which no one reads anyway -- weren't clear.

Posted on June 27, 2019 at 6:41 AM • 11 Comments

Comments

JamesJune 27, 2019 6:58 AM

On one hand, why would anyone grant so many sensitive permissions (record audio, location) to a soccer app ? I can't figure out why that particular app would need those permissions to function. If an app requests more permission then it needs, it should be uninstalled immediately.
On the other hand, the smart ass that approved such practice should face some prison time.

YetAnotherBruceJune 27, 2019 9:12 AM

My reading of the article suggests that spying on fans was incidental to spying on the establishments where fans watch soccer.

The reason this makes the story interesting to me is that some users of the app might possibly have given informed consent to this kind of spying. I can imagine superfans convinced by a video appeal from a star player arguing that bars who pirate the games are stealing food from his children's mouth. This scenario still makes me very uncomfortable but the ethical and legal issues are less clear to me.

We worry our phones are spying on us but I think we should also worry about the phones of others.

Petre Peter June 27, 2019 9:32 AM

Cellphones are already not allowed in some courtrooms, and I am wondering if this trend will spread to sport bars.

MichaelJune 27, 2019 9:34 AM

Re: fining just for ToS: why would regulator spend effort on detailed legal analysis when it is so bad the accused didn't even dare to admit it in the terms of service?

meJune 27, 2019 9:37 AM

@YetAnotherBruce
> We worry our phones are spying on us but I think we should also worry about the phones of others.

*Especially* about other people phones!

> informed consent
if i invite a friend and he has a phone with that app where is my consent to have my personal house spied by third party app???
the consent model is completly broken and no sense

cyanogen readyJune 27, 2019 11:22 AM

Perhaps the granularity of cell phone security privileges plays a part.

The user gets ask "Allow xxx app to access this that and the other", where Android or iOS has decided that "this that and the other" are a fixed group of things, only one of which the app really needs.

I run a Cyanogenmod version of Android that breaks "this that and the other" into the individual parts "this" and "that" and "and the other", and regularly have forbidden apps to not look at my contacts or use my compass/physical sensors when they have no functional need.

It does throw some roadblocks into abusers trying to finger-print my phone, or figure out what my social network looks like.

Unfortunately, Cyanogen has been effectively dead for new phones since at least 2016. IIRC they are out of business. And my phone is dieing of old age...

Another big hole is "Access my storage". An app may have obvious need for local persistent storage, but the privilege opens up 90% of what other apps and the phone itself uses. Now lets go data mining!!

Still, the OS should announce and control all privileges individually. This "we'll make it ease for the user by grouping majorly different things" is BS to allow the revenue base (tracking and targeted advertising) to slip though "unnoticed". Shame on Android and iOS.

JamesJune 27, 2019 5:32 PM

@cyanogen ready: Don't get me wrong, but if you are still using Cyanogenmod, you have bigger problems then some random app. Cyanogen was discontinued in 2016 while being on Android 7. If you are still running it, you are running obsolete software on obsolete hardware, those fake fine grained permissions won't help you at all. You have a device riddled with known vulnerabilities and the fake permission model won't help you at all.

TomJune 28, 2019 1:20 AM

@Michael:
According to this comment on arstechnica, the app did ask for consent:
https://arstechnica.com/tech-policy/2019/06/spanish-soccer-leagues-app-caught-eavesdropping-on-users-in-anti-piracy-push/?comments=1&post=37515627&mode=quote

Apart from the creepy spying part, this is actually a pretty smart idea. I could imagine this happening more often in the near future. The La Liga app has double-digit million downloads, not enough to make people notice such spying right away, but enough to make international news. Once this happens in apps with less than a million downloads, nobody will even notice.

@TomJune 28, 2019 2:00 AM

Even if it did ask for consent, it was misleading, to say it nicely. Usually most malware does the same. Indeed i'm sure they are not the only ones doing it, and sadly most people don't even look at permissions. If they do, they don't bother questioning why they are required and simply grant them all.
Also, audio can be recorded using other sensors present on modern smartphones, not necessarily the microphone. Just another example of surveillance software that people willingly install. I can sense a bit on envy from the ones like NSO Group right now.

Jakub NarębskiJune 28, 2019 6:03 AM

@cyanogen ready: First, while Cyanogenmod was discontinued in 2016, there are successors, among others LineageOS.

Second, for apps targeting Android 6.0 and up, there is dynamic permission system for sensitive permissions (like localization and microphone): apps need to ask user permissions also before using them, and user can deny those permissions, grant them for one operation, or grant them fully. It is also possible to revoke such permissions from settings.

ThomasJune 28, 2019 8:50 AM

@Petre Peter

> Cellphones are already not allowed in some courtrooms, and I am wondering if this trend will spread to sport bars.

And have the vultures miss out on all that phone-based gambling revenue?
You'll have a fight on your hands if you propose that...

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.