Own goal: $280,000 GDPR fine for soccer app that snooped on fans' phone mics to snare pub telly pirates

A top Spanish soccer body is facing a six-figure GDPR fine for inappropriately and covertly accessing the microphones of fans using its cellphone app. La Liga – the highest men's professional division of the Euro nation's football league system – must cough up the €250,000 ($280,000, £222,000) penalty after it was slapped by …

  1. Doctor Syntax Silver badge

    "AEPD has not made the necessary efforts to understand how the technology works"

    GDPR isn't concerned with how it works, it's concerned with what it does.

    1. JimboSmith Silver badge

      Having just completed the GDPR training at work I cannot but agree with that. Those tactics have large fine written all over them. What happened if you were at home had the app open and were doing some horizontal jogging with your (or someone else's) partner? I can imagine the backlash if the Premier League did this.

      1. Lord Kipper III

        I'd expect more than a large GDPR fine from my partner (or indeed someone else's partner) if I were following the football on my phone whilst, ahem, partaking of some horizontal jogging.

        1. Korev Silver badge
          Coat

          I'm sure the turnover would be greater than 1% if that was the case...

      2. DrXym Silver badge

        As long as you don't scream GOOOOOOAAAAAAL!!!!!! you should be fine.

      3. iron Silver badge

        I'm pretty sure the Premier League has done this in the past and other shady practices in order to try to gouge pubs for showing a bit of foot the ball on telly. Bunch of over paid crooks the lot of 'em.

        1. JimboSmith Silver badge

          When I used to have a landline at a previous address it was the number for a local public house that had sadly closed. I received calls for the first two years I was in the from the Performing Rights Society. The first call was to ask why I hadn't renewed my PRS license? The nice lady didn't seem to believe me when I said I wasn't the pub as she could hear my music playing in the background. I again suggested that the pub had closed and ended the call. They phoned again a couple of months later and I was again asked about my lack of a license. The woman who called this time was a bit more direct and told me at the start of the call that I needed a license. I said I didn't and she said she could hear the music playing and talked about fines. I told her that the pub didn't exist anymore and they were wasting their time. But if you don't believe me come round and check us out. A week later my answerphone had a fairly garbled message about being unable to locate the pub and had we moved? There were a few more calls to the answerphone over the next year or so until the pub website was finally taken down. Also had calls from suppliers to the licensed trade who were forever offering me deals on Alcoholic beverages. Sadly to take advantage of those I needed to be licensed just not a PRS license.

          1. DontFeedTheTrolls Silver badge
            Pirate

            Had similar but opposite when I worked at Sky TV Customer Service many years ago as a student.

            Customer phoned from "The White Horse" (or similar address) as something not working, and could clearly hear he was in a pub. About to come out with the standard challenge questions about being a pub on a residential contract when the account opened on screen with huge notes attached to the history confirming they had been visited several times and the Sky was only in the flat above the pub and there were no TVs in the bar.

  2. Mephistro Silver badge

    Cyberstalking, in all its splendor!

    And they got off lightly. Gathering users location data and recording audio without informed consent? Seriously?

    And the fine doesn't even reach the slap-on-the-wrist level. The AEPD should have gone at least after the 1% of turnover.

    1. ThatOne Silver badge

      Re: Cyberstalking, in all its splendor!

      Well, they simply thought they played in the same league with Google, Amazon and Facebook. Kind of stupid error for a sports league when you think about it.

    2. Dan 55 Silver badge

      Re: Cyberstalking, in all its splendor!

      It's in the EULA, and that's the Spanish League's argument for being allowed to do it.

      I think they had delusions of being Google or Facebook, but unfortunately are based in the country and have to contend with the legal system instead of just ignoring it until it goes away.

    3. quxinot Silver badge

      Re: Cyberstalking, in all its splendor!

      Call it a million downloads, though it doesn't say how many people it was suspected of spying on, so let's assume all of them... Divide by 280k? Bargain.

      Absolutely toothless. These fines need to shove companies into the red. Say, 100 % of turnover.

      And I'm not remotely interested in football.

  3. b0llchit
    Facepalm

    Data Spoof

    Why is it still not standard for each and any "smart" phone to spoof any requested data stream by default to any app? Want my location, fine here have one, or any, just not there where I am. Want to listen in on me, fine, here are some nice sounds of the waves of the ocean. Want to take a picture, have a nice black one (it's always night where I am). Want to connect to the net? Well, my random-generator will give you some nice data. Etc...

    1. YetAnotherJoeBlow

      Re: Data Spoof

      Like exposed privacy filter? A real nice piece of work.

      1. DropBear Silver badge

        Re: Data Spoof

        Unfortunately, I have long given up trying to understand the byzantine way exposed offers to deny/spoof/allow stuff to various apps by profiles or individual settings. And there's not a lot of tech I can say that about. No idea which position of which toggle hides or shows something. Nice tech, but the UI is incompatible with my brain on some fundamental level...

    2. DougS Silver badge

      Re: Data Spoof

      Why not simply deny permission to access things it doesn't need to access? That app had no reason to access the microphone unless it also lets you give it commands like "show me the score of x vs. y". So the question is, why did people enable that permission in the first place?

      What the app writers should do is be up front that they're doing this to catch illegal misuse of their broadcasts in commercial establishments, that nothing you say in front of it will be saved, and provide some incentive for people to enable the listening. Maybe it lets you stream one free game every month or something.

      1. Anonymous Coward

        Re: Data Spoof

        "Why not simply deny permission to access things it doesn't need to access? That app had no reason to access the microphone unless it also lets you give it commands like "show me the score of x vs. y". So the question is, why did people enable that permission in the first place?"

        It's based on abusing the innocence of most users. Data hounds like us ask that question, but the general public is still FAR too trusting and will just say "yes" to anything, partly because they have been trained that way by Windows installers which also demand copious confirmations - after the 5th you get confirmation fatigue and just accept anything following (I don't, but I know the game, if you pardon the pun). Combine that with nigh unreadable privacy policies (I hope you can access the link, it's worth it) and I can understand why they got away with it re. confirmation.

        1. Richard Boyce

          Re: Data Spoof

          So many so-called privacy policies say at the beginning that they will never take or sell any personal data without your permission. Many, many pages later, it will say that by using their software/service you're giving them permission to do anything they wish. That sort of professional dishonesty is still standard in many jurisdictions.

    3. iron Silver badge

      Re: Data Spoof

      Because how would that help Google? Any time you wonder why your phone does X or doesn't do Y ask yourself "How is Google making money out of this" and you'll realise the answer.

      1. Anonymous Coward

        Re: Data Spoof

        When I had Android I used XPrivacy which worked quite well, as mentioned by an earlier poster.

        I've now been forced by work to use an iPhone. To my surprise it seems to handle privacy much better than default Android. I noticed a lot of Android apps simply don't work if you refuse permissions even when they haven't got anything to do with the app whereas it seems to me that iPhone apps tend to ask for more realistic permissions and the iPhone will alert you to the fact that an App is currently using your location.

        Perhaps there's some skulduggery going on that I'm not seeing but in this respect I was more impressed with Apple than I expected to be.

        1. I ain't Spartacus Gold badge

          Re: Data Spoof

          That's because Apple make their money by selling you phones - and Google make their money by selling advertising. Even with Android totally dominating the mobile space, Google still make over 90% of their revenue from selling ads - and barely anything from apps, music and all their smart home gubbins.

          Apple did try to run the iAds platform, but it didn't really succeed - so they've less incentive to data-mine all their customers in the way Google do.

        2. rcw88

          Re: Data Spoof

          It's really quite straightforward, Android leaks info to Google and anyone else smart enough to ask - or mostly not - so if you have an Android device, you are the product, the phone is cheap because you are the product. If you've been given an Apple phone, which of course costs money, because you are NOT the product, you can turn practically everything off, simply denying an app the ability to use mobile data kills off the microphone feed. It's all a matter of trust, Google / Faceache et al are giving services away for free in exchange for your personal data so they can flog you stuff - so clear out your cookie cache and enable NoScript and AdBlockers - but not on ElReg, OK?

        3. chivo243 Silver badge
          Unhappy

          Re: Data Spoof

          " a lot of Android apps simply don't work if you refuse permissions"

          This was my exact experience on holiday in the US, funny how the simcards in the US wouldn't work in my iPhone, so, I bought a cheapo AT&T phone at the corner shop, had android. I'm still finding google calendar issues two years later, calendar says I'm only working two days this week!!!

    4. DontFeedTheTrolls Silver badge
      Terminator

      Re: Data Spoof

      And in what universe are Google, the principal authors of Android, going to add such a feature given they really don't give a shit about you as a user and only want to sell the most accurate data they can to the highest bidder.

      And I'm not suggesting Apple are much better

    5. Carpet Deal 'em Bronze badge
      Big Brother

      Re: Data Spoof

      Last I checked, iOS fed a blank white screen to any app wanting the camera without permission (I've had to deal with this when people accidentally turned it off for an app that needed to scan a QR code to work). The problem with that is that it's easily detected: an app can simply check to see if it's being fed pre-rendered bullcrap and refuse to run until it's actually given permissions. You'd need dynamically-generated spoof data to keep ahead of malicious apps - and even then they might defeat your battery-hungry measures by noticing the pattern.

  4. Garymrrsn

    The Fine... a Pittance. GDPR Erosion?...Priceless!

    The relatively small fine is not worth challenging the ruling, however, the possibility of eroding the scope of GDPR is worth enough that I'm sure there are a lot of corporations that would gladly offer to help defray their legal expenses.

  5. Jason Bloomberg Silver badge
    Facepalm

    "this application wants access to your microphone"

    It simply isn't getting installed.

    1. DougS Silver badge

      Re: "this application wants access to your microphone"

      Why? Just deny it that permission and use it for the purpose you want to use it for, and not the purpose they want to use you for.

      Their problem was trying to do this on the sly, instead of being upfront and compensating people for using them in this way. I'm sure plenty of people would be willing to do it if they were clear about what it would and would not do, and were getting something for it.

      1. Anonymous Coward

        Re: "this application wants access to your microphone"

        "Just deny it that permission and use it for the purpose you want to use it for, and not the purpose they want to use you for."

        That's now an option, but some applications won't even install without that permission. Try installing WhatsApp without giving it access to the one thing it was developed for: grabbing your address book.

        1. DougS Silver badge

          Re: "this application wants access to your microphone"

          Easy to do on iOS, app doesn't ask for permissions when it is installed it asks for permissions when it starts up. If you don't give it permissions it wants it may not function correctly, but they'd have a tough argument to make that it needs to grab your address book.

          Luckily no one I know has ever asked me if I'm on whatsapp so I have no reason to install Zuckerberg's steaming turd.

          1. Anonymous Coward

            Re: "this application wants access to your microphone"

            "Luckily no one I know has ever asked me if I'm on whatsapp so I have no reason to install Zuckerberg's steaming turd."

            I can't even install it for legal reasons (GDPR et al), and I am very, very happy with that.

      2. DontFeedTheTrolls Silver badge
        Big Brother

        Re: "this application wants access to your microphone"

        "Their problem was trying to do this on the sly, instead of being upfront and compensating people for using them in this way"

        I wonder if they got the idea from Chris Nolan's The Dark Knight (2008)

        LUCIUS FOX: You took my sonar concept and applied it to every phone in the city. With half the city feeding you sonar, you can image all of Gotham. This is wrong.

  6. Claverhouse Silver badge

    'Disproportionate' is right; no one loathes soccer and people who even accidentally watch soccer for a second, more than myself, but this was a hideous breach of trust, and it should have been nearer 8 million.

    These people transformed their dim fans, who incomprehensibly trusted them, into unwitting copper's narks. The shame of being informants will follow these poor creatures the rest of their lives. It's rather like some massive fence such as Jonathan Wild or Ma Mandelbaum duping some half-witted feeble neighbours into acting as unpaid watchdogs for when policemen were about.

    1. Slabfondler

      Indeed! Grassing up the pirated pitches!

  7. druck Silver badge
    Devil

    A new twist on Big Brother...

    ...where even the telescreens are being kept under surveillance.

  8. Anonymous South African Coward Silver badge

    Big Brother is watching listening...

  9. Anonymous Coward

    Sony= "We really screwed up when we got caught embedding rootkits for DRM"

    La Liga= "Hold my beer!"

    ============================

    "it will challenge the ruling in court to demonstrate that its actions have always been responsible and in accordance with the law."

    Maybe in accordance with USA's privacy laws (or lack thereof), but not in the EU

    1. Anonymous Coward

      Since La Liga is a Spanish entity and AEPD an arm of the Spanish government, and the offense involves acts committed within Spain (and victims most of whom are likely Spanish subjects and residents) violating Spanish law, the spokesweasel's statement indicates a clear intent to challenge the ruling in a Spanish court under Spanish law. There is no conceivable way for La Liga to challenge this in a USA court or under USA law. Not every legal matter involving the Internet is a tangled web of jurisdictional mayhem.

  10. eldakka Silver badge

    Excellent, so the users of the app consented to the microphone being accessed.

    But this access is enabling a recording device. Did the other people in the room consent to being recorded? (which admittedly may not matter in 1st party consent jurisdictions, but be an issue where all parties need to consent).

  11. Flak
    Flame

    Bandits!

    La Liga either didn't consider GDPR (unlikely) or didn't care. I suspect they knew exactly what they were doing. Anyone advising them and worth their salt would have told them not to do it. The fine is modest and I hope on appeal it will be increased!

  12. Halfmad Silver badge

    Monetary penalties should work the other way..

    Start out at the maximum and reduce it based on what they have done since the breach, how open they have been with those affected and investigating, any controls which were in place prior (and working) and then balance that against what they failed to do e.g. ineffective controls.

    Currently breaches as with data protection fines of old sit into categories of "low, medium, high, holy**** and finally the big *we're moving to GDPR so we can finally hit them with max* "

  13. rcw88

    Why would you let any app access the microphone? Unless it's an app that actually NEEDS it, like a VOIP or voice recording app..

    Cannot educate pork..

  14. Rich 2 Silver badge

    What?

    "La Liga disagrees profoundly with this decision, rejects the penalty imposed as unjust, unfounded..."

    How, exactly, is it unjust, unfounded, bla bla bla... ?????

    Sounds completely justified to me

    1. Nunyabiznes Silver badge

      Re: What?

      PR people and lawyers are going to say what they are paid to. That sentence is engraved on a plaque and given to you when you pass the bar - flip it over to get the opposite reading if you become a prosecutor.

    2. Fred Flintstone Gold badge

      Re: What?

      Oh, don't worry, that's not an actual statement, that's lawyerese boilerplate.

      Stating "It's a fair cop, guv" would amount to public admittance of guilt, so they always start with the Shaggy defence. It's a boring default that amounts to absolutely nothing. Think of it as a legal Lorem Ipsum.

  15. John Savard Silver badge

    Jail time, not fines

    Police tap phones and plant bugs only after getting a court order authorizing them to do so, to investigate serious crimes.

    For a private individual or corporation to do this on its own is a criminal offence.

    Fines are a slap on the wrist; whoever was behind this should go to prison. Only that will send the message that is needed here.

    1. Anonymous Coward

      Re: Jail time, not fines

      I think they should be convicted to have an Amazon Alexa in their house. And their car. And their office.

  16. Anonymous Coward

    Excellent news

    I hope they lose even more in exorbitant lawyer fees and don't learn their lesson.

    A bigger fine would be icing on the cake.

  17. giggler

    I hate downloading apps now, mostly the comments on google play are a good indicator but all the permissions left open, like why does a spirit level app require access to my phone contacts?? it doesn't

  18. Jake Maverick

    these perverts belong in jail! it obviously wasn't just the mike they were WATCHING!!! and shhhshh......only the spooks and the avengers are 'allowed' to do these things.....but if you talk about it it's first class ticket to being ass raped in mental prison, it's in the DSM manual.....and they have to blindly follow the orders.....
