Own goal: $280,000 GDPR fine for soccer app that snooped on fans' phone mics to snare pub telly pirates A top Spanish soccer body is facing a six-figure GDPR fine for inappropriately and covertly accessing the microphones of fans using its cellphone app. La Liga – the highest men's professional division of the Euro nation's football league system – must cough up the €250,000 ($280,000, £222,000) penalty after it was slapped by …
Having just completed the GDPR training at work I cannot but agree with that. Those tactics.have large fine written all over them. What happened if you were at home had the app open and were doing some horizontal jogging with your (or someone elses) partner? I can imagine the backlash if the Premier League did this.
When I used to have a landline at a previous address it was the number for a local public house that had sadly closed. I received calls for the first two years I was in the from the Performing Rights Society. The first call was to ask why I hadn't renewed my PRS license? The nice lady didn't seem to believe me when I said I wasn't the pub as she could hear my music playing in the background. I again suggested that the pub had closed and ended the call. They phoned again a couple of months later and I was again asked about my lack of a license. The woman who called this time was a bit more direct and told me at the start of the call that I needed a license. I said I didn't and she said she could hear the music playing and talked about fines. I told her that the pub didn't exist anymore and they were wasting their time. But if you don't believe me come round and check us out. A week later my answerphone had a fairly garbled message about being unable to locate the pub and had we moved? There were a few more calls to the answerphone over the next year or so until the pub website was finally taken down. Also had calls from suppliers to the licensed trade who were forever offering me deals on Alcoholic beverages. Sadly to take advantage of those I needed to be licensed just not a PRS license.
Had similar but opposite when I worked at Sky TV Customer Service many years ago as a student.
Customer phoned from "he White Horse" (or similar address) as something not working, and could clearly hear he was in a pub. About to come out with the standard challenge questions about being a pub on a residential contract when the account opened on screen with huge notes attached to the history confirming they had been visited several times and the Sky was only in the flat above the pub and there were no TVs in the bar.
It's in the EULA, and that's the Spanish League's argument for being allowed to do it.
I think they had delusions of being Google or Facebook, but unfortunately are based in the country and have to contend with the legal system instead of just ignoring it until it goes away.
Call it a million downloads, though it doesn't say how many people it was suspected of spying on, so let's assume all of them... Divide by 280k? Bargain.
Absolutely toothless. These fines need to shove companies into the red. Say, 100 % of turnover.
And I'm not remotely interested in football.
Why is is still not standard for each and any "smart" phone to spoof any requested data stream by default to any app? Want my location, fine here have one, or any, just not there where I am. Want to listen in on me, fine, here are some nice sounds of the waves of the ocean. Want to take a picture, have a nice black one (its always night where I am). Want to connect to the net? Well, my random-generator will give you some nice data. Etc...
Unfortunately, I have long given up trying to understand the byzantine way exposed offers to deny/spoof/allow stuff to various apps by profiles or individual settings. And there's not a lot of tech I can say that about. No idea which position of which toggle hides or shows something. Nice tech, but the UI is incompatible with my brain on some fundamental level...
Why not simply deny permission to access things it doesn't need to access? That app had no reason to access the microphone unless it also lets you give it commands like "show me the score of x vs. y". So the question is, why did people enable that permission in the first place?
What the app writers should do is be up front that they're doing this to catch illegal misuse of their broadcasts in commercial establishments, that nothing you say in front of it will be saved, and provide some incentive for people to enable the listening. Maybe it lets you stream one free game every month or something.
Why not simply deny permission to access things it doesn't need to access? That app had no reason to access the microphone unless it also lets you give it commands like "show me the score of x vs. y". So the question is, why did people enable that permission in the first place?
It's based on abusing the innocence of most users. Data hounds like us ask that question, but the general public is still FAR too trusting and will just say "yes" to anything, partly because they have been trained that way by Windows installers which also demand copiious confirmations - after the 5th you get confirmation fatigue and just accept anything following (I don't, but I know the game, if you pardon the pun). Combine that with nigh unreadable privacy policies (I hope you can access the link, it's worth it) and I can understand why they got away with it re. confirmation.
So many so-called privacy policies say at the begining that they will never take or sell any personal data without your permission. Many, many pages later, it will say that by using their software/service you're giving them permission to do anything they wish. That sort of professional dishonesty is still standard in many jurisdictions.
When I had Android I used XPrivacy which worked quite well, as mentioned by an earlier poster.
I've now been forced by work to use an iPhone. To my surprise it seems to handle privacy much better than default Android. I noticed a lot of Android apps simply don't work if you refuse permissions even when they haven't got anything to do with the app whereas it seems to me that iPhone apps tend to ask for more realistic permissions and th iPhone will alert you to the fact that an App is currently using your location.
Perhaps there's some skulduggery going on that I'm not seeing but in this respect I was more impressed with Apple than I expected to be.
That's because Apple make their money by selling you phones - and Google make their money by selling advertising. Even with Android totally dominating the mobile space, Google still make over 90% of their revenue from selling ads - and barely anything from apps, music and all their smart home gubbins.
Apple did try to run the iAds platform, but it didn't really succeed - so they've less incentive to data-mine all their customers in the way Google do.
Its really quite straightforward, Android leaks info to Google and anyone else smart enough to ask - or mostly not - so if you have an Android device, you are the product, the phone is cheap because you are the product. If you've been given an Apple phone, which of course costs money, because you are NOT the product, you can turn practically everything off, simply denying an app the ability to use mobile data kills off the microphone feed. Its all a matter of trust, Google / Faceache et al are giving services away for free in exchange for your personal data so they can flog you stuff - so clear out your cookie cache and enable NoScript and AdBlockers - but not on ElReg, OK?
" a lot of Android apps simply don't work if you refuse permissions"
This was my exact experience on holiday in the US, funny how the simcards in the US wouldn't work in my iPhone, so, I bought a cheapo AT&T phone at the corner shop, had android. I'm still finding google calendar issues two years later, calendar says I'm only working two days this week!!!
Last I checked, iOS fed a blank white screen to any app wanting the camera without permission(I've had to deal with this when people accidentally turned it off for an app that needed to scan a QR code to work). The problem with that is that it's easily detected: an app can simply check to see if it's being fed pre-rendered bullcrap and refuse to run until it's actually given permissions. You'd need dynamically-generated spoof data to keep ahead of malicious apps - and even then they might defeat your battery-hungry measures by noticing the pattern.
The relatively small fine is not worth challenging the ruling, however, the possibility of eroding the scope of GDPR is worth enough that I'm sure there are a lot of corporations that would gladly offer to help defray their legal expenses.
Why? Just deny it that permission and use it for the purpose you want to use it for, and not the purpose they want to use you for.
Their problem was trying to do this on the sly, instead of being upfront and compensating people for using them in this way. I'm sure plenty of people would be willing to do it if they were clear about what it would and would not do, and were getting something for it.
Just deny it that permission and use it for the purpose you want to use it for, and not the purpose they want to use you for.
That's now an option, but some applications won't even install without that permission. Try installing WhatsApp without giving it access to the one thing it was developed for: grabbing your address book.
Easy to do on iOS, app doesn't ask for permissions when it is installed it asks for permissions when it starts up. If you don't give it permissions it wants it may not function correctly, but they'd have a tough argument to make that it needs to grab your address book.
Luckily no one I know has ever asked me if I'm on whatsapp so I have no reason to install Zuckerberg's steaming turd.
"Their problem was trying to do this on the sly, instead of being upfront and compensating people for using them in this way"
I wonder if they got the idea from Chris Nolan's The Dark Knight (2008)
LUCIUS FOX: You took my sonar concept and applied it to every phone in the city. With half the city feeding you sonar, you can image all of Gotham. This is wrong.
'Disproportionate' is right; no one loathes soccer and people who even accidentally watch soccer for a second, more than myself, but this was a hideous breach of trust, and it should have been nearer 8 million.
These people transformed their dim fans, who incomprehensibly trusted them, into unwitting copper's narks. The shame of being informants will follow these poor creatures the rest of their lives. It's rather like some massive fence such as Jonathan Wild or Ma Mandelbaum duping some half-witted feeble neighbours into acting as unpaid watchdogs for when policemen were about.
Sony= "We really screwed up when we got caught embedding rootkits for DRM"
La Liga= "Hold my beer!"
============================
"it will challenge the ruling in court to demonstrate that its actions have always been responsible and in accordance with the law.”
Maybe in accordance with USA's privacy laws (or lack thereof, but not in the EU
Since La Liga is a Spanish entity and AEPD an arm of the Spanish government, and the offense involves acts committed within Spain (and victims most of whom are likely Spanish subjects and residents) violating Spanish law, the spokesweasel's statement indicates a clear intent to challenge the ruling in a Spanish court under Spanish law. There is no conceivable way for La Liga to challenge this in a USA court or under USA law. Not every legal matter involving the Internet is a tangled web of jurisdictional mayhem.
Excellent, so the users of the app consented to the microphone being accessed.
But this access is enabling a recording device. Did the other people in the room consent to being recorded? (which admittedly may not matter in 1st party consent jurisdictions, but be an issue where all parties need to consent).
Start out at the maximum and reduce it based on what they have done since the breach, how open they have been with those affected and investigating, any controls which were in place prior (and working) and then balance that against what they failed to do e.g. ineffective controls.
Currently breaches as with data protection fines of old sit into categories of "low, medium, high, holy**** and finally the big *we're moving to GDPR so we can finally hit them with max* "
Oh, don't worry, that's not an actual statement, that's lawyerese boilerplate.
Stating "It's a fair cop, guv" would amount to public admittance of guilt, so they always start with the Shaggy defence. It's a boring default that amounts to absolutely nothing. Think of it as a legal Lore Ipsum.
Police tap phones and plant bugs only after getting a court order authorizing them to do so, to investigate serious crimes.
For a private individual or corporation to do this on its own is a criminal offence.
Fines are a slap on the wrist; whoever was behind this should go to prison. Only that will send the message that is needed here.
these perverts belong in jail! it obviously wasn't just the mike they were WATCHING!!! and shhhshh......only the spooks and the avengers are 'allowed' to do these things.....but if you talk about it it's first class ticket to being ass raped in mental prison, it's in the DSM manual.....and they have to blindly follow the orders.....
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
