The official Android app of Spanish soccer league La Liga is using the microphone and GPS position of phones in an attempt to identify venues such as bars or restaurants that are broadcasting soccer games illegally, as noted by ESET Security’s blog, which cites Spanish publication El Diario. Presently, the app has over 10 million downloads in Google Play.

This behavior, while peculiar, is not happening surreptitiously. The app is upfront about the activities occurring. It requests access to the microphone and geolocation service in Android as any other app would; it does not rely on any vulnerability or software trickery to record the environment of users. Enabling this behavior is not a requirement for using the app. Because the app is upfront about what it does, it appears not to violate Google’s Terms of Service for apps distributed in Google Play.

The way that this actually works, in a technical sense, is somewhat unclear. La Liga’s statement about the app details the functionality in an oblique way (Google translated):

La Liga has implemented appropriate technical measures to protect the user’s privacy if you authorize us to use this functionality. Here are the following measures:

  • La Liga will only activate the microphone and geolocation of the mobile device during the time slots of matches in which La Liga teams compete. La Liga does not access the audio fragments captured by the microphone of the device, since these are automatically converted into a binary code on the device itself. La Liga only has access to this binary code, which is irreversible and does not allow to obtain audio recording again.
  • If this code matches a previous control code, La Liga will know that you are watching a particular match. If it does not match, the code is deleted.
  • The codes will not refer to your name, but to your IP address and the specific ID assigned by the APP when the user registers.
  • We will periodically remind you that La Liga can activate your microphone and geolocation and we will ask you to confirm your consent.
  • You may revoke your consent at any time in the settings of the mobile device.

The most starkly peculiar point about this description is the meaningless distinction of “binary code,” as any means by which audio is captured for storage on a computer is inherently a binary code. Likely, the app is using some type of audio fingerprinting or discrete cosine transform in order to identify the audio. The mechanics of how this works in terms of broadcasting are similarly unknown.


While it is possible to attempt audio fingerprinting of the commentators, the overlap which would inevitably occur of background sounds in public places would make accurate identification via audio fingerprinting exponentially more difficult. It is possible that broadcasts could be watermarked with a pattern of ultrasonic sounds that humans would not be able to hear, as focusing on a frequency outside of normal human speech would greatly simplify filtering out background noise. This, however, relies heavily on the receiving equipment (TV, speaker systems, etc.) to be sensitive enough to reliably reproduce this sound, and for the microphone of a given smartphone to be able to pick it up.

Additionally, outside of commentary, soccer is not a particularly sound-oriented sport to telecast. This surveillance scheme devised by La Liga could swiftly be undercut by simply muting a television. No matter what technical means are being used, and however much engineering is required to operate this surveillance system, it is trivially easy to bypass.
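The reasoning in the two paragraphs above, as an added example (not La Liga's code, whose implementation is unknown): a single-bin Goertzel detector finds a faint marker tone above the speech band under loud constructed crowd noise, and finds nothing once the marker is absent, as with a muted TV. The 18.5 kHz marker frequency, sample rate, amplitudes, and threshold are all assumptions chosen for illustration.

```python
import math
import random

SAMPLE_RATE = 44100   # Hz; assumed capture rate
BEACON_HZ = 18500     # hypothetical marker frequency, above the speech band
N = 4410              # 0.1 s window, so each DFT bin is 10 Hz wide

def goertzel_power(samples, freq):
    """Normalized power of one frequency bin (Goertzel algorithm)."""
    n = len(samples)
    k = round(n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)

def band_ratio(samples, freq=BEACON_HZ):
    """Power at freq relative to the mean of four nearby bins (noise floor)."""
    floor = sum(goertzel_power(samples, freq + d)
                for d in (-800, -400, 400, 800)) / 4
    return goertzel_power(samples, freq) / (floor + 1e-15)

def has_beacon(samples, threshold=50.0):
    """True when the marker bin stands well clear of its neighbours."""
    return band_ratio(samples) > threshold

def bar_audio(beacon_amp, seed=7):
    """Constructed input: 20 loud speech-band tones, white noise, optional marker."""
    rng = random.Random(seed)
    crowd = [(rng.uniform(200, 4000), rng.uniform(0, 2 * math.pi))
             for _ in range(20)]
    out = []
    for i in range(N):
        t = i / SAMPLE_RATE
        x = sum(0.3 * math.sin(2 * math.pi * f * t + p) for f, p in crowd)
        x += rng.gauss(0.0, 0.05)  # broadband room noise
        out.append(x + beacon_amp * math.sin(2 * math.pi * BEACON_HZ * t))
    return out

if __name__ == "__main__":
    # Marker is 10x quieter than each individual crowd tone.
    print("TV audible:", has_beacon(bar_audio(0.03)))
    print("TV muted:  ", has_beacon(bar_audio(0.0)))
```

The same per-bin check can be pointed at recordings from a meeting room to see whether any narrow tone stands out above the speech band.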

La Liga claims that unauthorized broadcasts of soccer games cost the organization €150 million ($176.25 million USD) annually. Even so, that claim does not justify passing the cost of fighting these broadcasts on to smartphone users, as the processing power, battery use, and bandwidth needed to transfer data to La Liga are likely not insignificant (though this is speculative, as the exact implementation is unknown).

As it is, the Spanish Agency for Data Protection has launched an investigation into the plans. The season for La Liga starts in August, so it is yet to be seen how this plan is implemented, or if it will even be used.

For this situation, there are two big takeaways for enterprises. First, organizations that have even a modicum of privacy requirements should be concerned if the practice of having apps monitor the environment of users by gathering geolocation and microphone data becomes mainstream. This could be particularly troubling for organizations that rely on a BYOD policy, or even allow outside devices on premises.

Second, this strategy is excessively complex for minimal benefit. Aside from potentially attracting scorn from fans for attempting to make them the piracy police, the practicality of this plan is quite low, given that it can be defeated by simply muting a television. It would be unwise, from both a public relations angle and a cost/benefit standpoint, to attempt to implement a similar strategy.

Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • La Liga, the Spanish soccer league, is using the microphone and GPS position of phones to identify venues that are broadcasting soccer games illegally.
  • While the exact engineering and implementation details are unknown, the scheme can be circumvented by muting TVs. The Spanish government has launched an investigation into the plans.