Spanish soccer league LaLiga is facing a fine of €250,000 (approximately $283,000) for GDPR violations resulting from a convoluted wiretap in their smartphone app intended to curb piracy of soccer match broadcasts. The Spanish Agency for Data Protection (La Agencia de Protección de Datos, or AEPD) levied the fine this week due to the league’s violation of consent-related clauses in the GDPR, as LaLiga did not properly disclose the nature of the microphone usage, according to a report from Spanish newspaper ABC.
According to the ABC report, LaLiga intends to appeal, stating that AEPD “has not made the necessary effort to understand how technology works.” (Quote software translated.) Despite this, LaLiga will disable the listening function on June 30, the end of the season.
LaLiga’s convoluted attempt to wiretap fans to curb piracy
LaLiga introduced a feature in the official Android app last year that activates the microphone and GPS functions when matches are being played, under the pretense of using the features to identify venues such as bars or restaurants that are broadcasting soccer games illegally.
This functionality does not operate surreptitiously: the app requests access to the microphone and geolocation service and does not rely on a vulnerability to access these components without explicit permission, as TechRepublic reported a year ago.
Despite this, users were not explicitly informed of the intended use of the microphone and geolocation permissions, which is central to the decision by AEPD to levy fines against LaLiga.
LaLiga’s explanation of the app’s behavior was oblique. Even allowing for software translation diluting the meaning of its official statement, LaLiga contended that the app “does not access the audio fragments captured by the microphone of the device, since these are automatically converted into a binary code on the device itself,” which is a meaningless distinction, as any audio captured for storage on a computer is inherently binary code. The methodology is likely some type of audio fingerprinting, or a discrete cosine transform.
The difficulties of this strategy were noted in TechRepublic’s previous coverage:
While it is possible to attempt audio fingerprinting of the commentators, the overlap which would inevitably occur of background sounds in public places would make accurate identification via audio fingerprinting exponentially more difficult. It is possible that broadcasts could be watermarked with a pattern of ultrasonic sounds which humans would not be able to hear, as focusing on a frequency outside of normal human speech would greatly simplify filtering out background noise. This, however, relies heavily on the receiving equipment (TV, speaker systems, etc.) to be sensitive enough to reliably reproduce this sound, and for the microphone of a given smartphone to be able to pick it up.
Additionally, outside of commentary, soccer is not a particularly sound-oriented sport to telecast. This surveillance scheme devised by LaLiga could swiftly be undercut by simply muting a television. No matter what technical means are being used for this scheme, the amount of engineering which is required to operate this surveillance system is trivially easy to bypass.
GDPR enforcement should concern businesses of any size
In just over a year since GDPR enforcement commenced, businesses small and large are facing fines for improper handling of private data. While the fine levied against LaLiga is relatively small, Google faces a fine of €50 million for collecting personal data without transparently disclosing how it is used to target advertising.
GDPR is a far-reaching regulation, as it also covers the use of information collected through third parties: a Polish company was fined €220,000 for collecting information available on the internet and using it to contact over 90,000 people for promotional purposes.