
Spanish football league defends phone 'spying' - Element_
https://www.bbc.com/news/technology-44453382
======
glitcher
> The broadcasting of football matches in public places without a paid licence
> cost the game an estimated 150 million euros (£132m; $177m) a year, it said.

Sounds suspiciously familiar to the way questionable data have been
represented about money lost due to piracy in other industries (software,
movies, music). I am very skeptical about those types of claims.

~~~
oh_sigh
That's a bad one I agree. I think a better argument for enforcing their rights
is the fact that if they don't, they are effectively punishing establishments
that actually do pay to license the broadcast.

~~~
admax88q
> I think a better argument for enforcing their rights

I don't think anyone is arguing that they shouldn't be enforcing their rights.
But that they shouldn't use people's phones as listening devices to do so.

~~~
oh_sigh
Yes, but OP took umbrage to how the estimated losses were calculated, and a
statement like:

> The broadcasting of football matches in public places without a paid licence
> cost the game an estimated 150 euros (£132; $177) a year, it said.

would not be anywhere near as convincing as a statement with monetary values
multiplied by a million. Focusing on the unfairness of what unlicensed
streamers are doing avoids that issue.

------
nkassis
Well... I hope this is something GDPR covers. If there was a case to start
seeing the impact of the new law, this seems like a good example.

~~~
lightbyte
Would GDPR even cover this? I don't see why La Liga would need to include any
personal information about the user in their data. They are concerned with
identifying the business streaming pirated matches, not who is watching.

Edit: The official statement actually answers this

> The codes will not refer to your name, but to your IP address and the
> specific ID assigned by the PPP when you register.

~~~
paulcole
If someone's recording the sounds around me, I don't see any way that's _not_
personal information about me.

~~~
Tharkun
Who would be the guilty party here? If your phone is spying on me, I'll likely
get angry with you. The fact that you're a victim of the football league isn't
my problem, you're the one doing the spying.

~~~
chopin
La Liga of course. They are recording data about me, without my consent. Doing
it through some third party (the phone owner) doesn't absolve them.

~~~
Tharkun
You're probably right, but doesn't the owner of the phone share some
responsibility?

~~~
chopin
I would think so. I would love to see authorities going after both. That would
set a wonderful precedent.

------
danbruc
If you generate a fingerprint of the audio on the phone, you would not leak
too much information about the environment. Shazam, for example, computes the
spectrum, picks the strongest peaks, and uses the relative positions of small
groups of peaks in time and frequency as features to search for in known
recordings. Those features are quite sparse and you can not reconstruct the
audio from them. You could however identify more or less every audio signal in
the environment you have a copy of to compare against.

You could do better by sending out the fingerprint you are looking for and
compare it against the past couple of seconds or minutes on the phone so that
you could only report a match if one occurred. This would avoid leaking what
music you are listening to or what you are watching on TV unless it is what
they are looking for. If you report a match with GPS coordinates, the server
could throw away everything but the position so that the position is not
easily linked to a user.

This still reveals all the living rooms in which someone watched the match and
used the app, so it's not perfect. If you have a map of all relevant
businesses, you could just count matches in the proximity for each or you
could only keep matches from locations from which a certain minimum number of
matches were reported which should also get rid of most living rooms. This is
still not perfect, it, for example, potentially leaks how popular different
places are but from a privacy perspective of app users it seems acceptable to
me, at least given you trust them to do it right.

The real issue, at least in my opinion, is that they turn the app users
against the business owners of the places they like to watch matches at. I am
not against them trying to track the ones down that are not paying, they have
a legitimate interest in that. But the way they are trying to do it seems
wrong to me. There are probably some app users that would welcome if everyone
had to pay but I guess most don't really care whether their favorite sports
bar pays or not and even more would not want to cause trouble for the business
owner even if they think they should pay. In consequence this is a feature
that many if not most app users would not want to use even if there were no
privacy issues. They still put it in hoping that nobody would take notice and
that they could get away with it, at least for some time.
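
Added example, not part of the comment above and not code from the LaLiga app: a sketch of the design it describes, in which the target fingerprint is pushed to the phone, matched locally, and the server keeps only coarse locations reported at least k times. Peak extraction from audio is assumed to have already happened; the function names, thresholds, sample peaks and coordinates are all constructed for illustration.

```python
from collections import Counter

def landmarks(peaks, fan_out=3, max_dt=8):
    """Pair each spectral peak (frame, freq_bin) with up to fan_out later
    peaks; a landmark is ((f1, f2, dt), t1). Too sparse to rebuild audio."""
    peaks = sorted(peaks)
    out = []
    for i, (t1, f1) in enumerate(peaks):
        paired = 0
        for t2, f2 in peaks[i + 1:]:
            dt = t2 - t1
            if dt == 0:
                continue
            if dt > max_dt or paired == fan_out:
                break
            out.append(((f1, f2, dt), t1))
            paired += 1
    return out

def device_match(target, recent, min_votes=5):
    """Runs on the phone: True only if the pushed target landmarks line up
    with recent audio at one consistent time offset. Only this bit is reported."""
    index = {}
    for h, t in recent:
        index.setdefault(h, []).append(t)
    votes = Counter()
    for h, t_target in target:
        for t_recent in index.get(h, ()):
            votes[t_recent - t_target] += 1
    return max(votes.values(), default=0) >= min_votes

def coarse_cell(lat, lon, cell_deg=0.001):
    """Snap a position to a grid cell (roughly 100 m of latitude; assumed size)."""
    return (round(lat / cell_deg), round(lon / cell_deg))

def server_aggregate(reports, k=3):
    """Server side: reports are bare (lat, lon) with no user or device ID.
    Cells with fewer than k matches (e.g. a living room) are discarded."""
    counts = Counter(coarse_cell(lat, lon) for lat, lon in reports)
    return {cell: n for cell, n in counts.items() if n >= k}

# Constructed sample data (not from any real broadcast or location).
PEAKS = [(0, 10), (2, 25), (3, 40), (5, 18), (7, 33), (9, 12), (11, 27), (13, 45)]
TARGET = landmarks(PEAKS)
# The same peaks heard 40 frames later, plus three background-noise peaks.
RECENT = landmarks([(t + 40, f) for t, f in PEAKS] + [(41, 60), (44, 5), (48, 50)])
UNRELATED = landmarks([(40, 7), (42, 61), (43, 14), (46, 52), (48, 9), (50, 38)])
# Three reports from one venue-sized cell, one from an isolated position.
REPORTS = [(40.41680, -3.70380), (40.41682, -3.70379), (40.41679, -3.70381),
           (40.43010, -3.69020)]

if __name__ == "__main__":
    print(device_match(TARGET, RECENT))     # noisy copy of the target
    print(device_match(TARGET, UNRELATED))  # other audio: nothing to report
    print(server_aggregate(REPORTS))        # only the cell with >= k reports
```

The privacy property rests on what the server chooses to discard: the thresholding happens after the reports arrive, so it is only as strong as the trust placed in the operator.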

~~~
narag
Private home licenses are different from public locals licenses and signals
are also slightly different. Actually what bars do is buy a home license and
use it for public locals.

What I would find infuriating is they get away with it. Data Protection laws
are very strict for the little guy, we will see what they do with the 500
pound gorilla.

I'm not optimistic. These laws did nothing to curb "legal spam" until GDPR. I'm
very satisfied with how all the idiots that flooded us with spam are now
begging me to allow them to keep doing it. Good riddance!

~~~
CaptainZapp
That's why sports broadcasts in English pubs contain a beer glass in the
image[1]

[1] https://www.lbc.co.uk/radio/special-shows/the-mystery-hour/culture/why-do-pub-tvs-have-a-pint-glass-in-the-corner-715/

------
throw2016
Interesting only Android users are targeted thanks to Google's frivolous
approach to privacy and surveillance. At what point does Google take
responsibility?

Here is an OS and permission system that works against its users based on open
source technology by a surveillance loving company actively involved in
building a techno dystopia. That summarizes everything wrong with tech today.

But even worse is the army of short sighted and self serving apologists happy
to hand wave and diminish everything when not muddying the waters. If this is
what a football league is doing one can only imagine what governments and
other nefarious interests are up to with Android. When surveillance
infrastructure is there it will be used exactly for that.

~~~
Larrikin
Android has had the exact same permission model as Apple for years now

~~~
graeme
The app is using the app for background audio monitoring. iOS apps can't do
that without displaying a big bar showing they are recording.

I'm assuming la liga app is background audio.

------
petepete
The sooner there's a _Netflix for sport_ the better. Allowing fans to watch
matches at a reasonable price, without having to sign up for channels and
sports they're not interested in is such an obvious move, but the way rights
are distributed means we'll be stuck in the dark ages for years.

~~~
martinald
I don't think this is the problem, at least in the UK market.

For English Premier League there was initially just Sky bidding. Prices got
pretty ridiculous for the matches as the football association could keep on
putting price up and as so many people take Sky just for sports, they had no
option to accept.

It then has got even more loopy. BT under the ex-CEO got into the fray, with
BT and Sky bidding against each other for matches. Fees skyrocketed even more.

Now Amazon is bidding for live matches, so there is a 3 way bid driving prices
even higher.

Even buying Sky Sports by itself is still really expensive, about
£35/$50/month via NowTV. Plus you'd need BT Sports (~£10/month) and now Amazon
Prime (~£8/month) to watch all the matches.

Sports are just going to keep on getting more and more expensive until the end
customer stops paying, as the market will just work that way.

------
Rjevski
Just wondering, are the games broadcast on paid channels or on public and
free-to-view ones?

This approach would make sense if the games are on paid channels and the
nominal fee for those only covers viewing for one person (in which case it
makes sense for establishments to pay more, given they're showing it to more
people).

But if the games are broadcast on free channels, then there shouldn't be any
difference whether or not a person is watching it at home or a bar is showing
the game - in either case, the TV advertisers are the ones paying for the
game, and this revenue depends on how many people watch the channel (so
showing off the game in a bar actually benefits everyone).

I feel like in this situation it's the latter, and the people from the
football league are just greedy (what a surprise) and any excuse to try and
extort money is a good one in their book.

~~~
Jare
Showing the TV program in a bar is a public performance, and the license only
allows for private use. Regardless how you interpret the benefits of public
display (and I agree 100% with you), it's not our decision but the licensor's.

~~~
Rjevski
Anything that can be received for free over the air without signing any kind
of license agreement should not count as "public performance" in my book.

~~~
acjohnson55
Aereo thought so too. Their business model was based around hosting colocated
TV antennas, from which they streamed broadcast TV to users on a 1:1 basis,
geofenced by broadcast market. The Supreme Court shot this argument down.

[https://en.m.wikipedia.org/wiki/Aereo](https://en.m.wikipedia.org/wiki/Aereo)

The problem is that this is the business model of broadcast networks in a
world of cable TV. The statutory retransmission fees funnel some cable TV
revenue back to the broadcasters. It doesn't really make sense from first
principles, but it has been a pragmatic compromise.

The messed up thing about Aereo is that after being shot down by the Supreme
Court, they tried to get a license to operate as a cable company but were shot
down on that front, too.

~~~
darkarmani
Maybe they should have sold a share rather than leasing it? If a user owns an
antenna and views their own stream, that's a private performance.

~~~
acjohnson55
Yeah, that would be an interesting twist.

My guess is the RF tech is a lot easier to deploy when you can plan for some
percentile of peak utilization, rather than 1:1 with the user base. Even then,
they'd undoubtedly face legal challenges, so they must have made the judgment
call that the odds were on their side. Which may have been a reasonable
conclusion. A lot of the judgments were actually on their side until the
circuit split and the final Supreme Court decision.

After all, one wouldn't imagine that leasing an old-school aerial antenna
would be a legal issue.

It was a hot topic on HN several years back. I may be biased, as my wife did
PR for Aereo through the firm she works for. But I definitely buy the logic
that what they were doing was technically a private performance.

------
leephillips
The article doesn’t say what this app does - is it for match schedules, news,
or what?

But this is probably a good example of why I generally refuse to install apps
unless I genuinely need to. Almost all apps that people install can be
replaced by using a web browser. Yet I see my friends installing tons of apps
for no specific reason. Each one increases your attack surface.

------
mkeyhani
> It added it had received the microphone data only as code rather than audio,
> and that it could match that code with audio data from a match.

That sounds funnily absurd to me. By that line of argument, even sound is not
really audio. After all, it's being encoded as air pressure waves :-)

EDIT: Pardon my ignorance. Based on Google Translate's translation of their
statement [1], it seems that they are using some kind of perceptual hashing
which is quite interesting.

[1]: http://www.laliga.es/noticias/nota-informativa-138

~~~
Bromskloss
I guess they mean that they just have a summary of the sound, not enough to
listen to it or anything. It would be a bit like just having the hash of a
piece of data, not the data itself.

~~~
mkeyhani
Thanks. You are right. I stand corrected.

------
lightbyte
The actual statement from La Liga is in Spanish, I translated it with DeepL
[1] here:

> Privacy policy of the LaLiga app.

> Regarding the new privacy policy of the LaLiga app, we would like to make
> some clarifications.

> Origin

> LaLiga has the responsibility to protect clubs and their fans from fraud in
> the broadcasting of football matches by public institutions (HORECA). These
> fraudulent activities represent an estimated annual loss of 150 million euros
> for Spanish football, which translates into direct damage to clubs, operators
> and fans, among others.

> For this reason, LaLiga has implemented a new functionality in its official
> app with the sole purpose of detecting these fraudulent exploitations,
> transparently informing about them and asking users for their express and
> specific consent, with or without their being able to lend it freely.

> This new functionality for fraud detection is enabled in the app since last
> Friday, June 8, 2018, only for Android system users and nationally*.

> Functioning

> When a user downloads or updates the APP, the operating system of your mobile
> device will prompt them through a pop-up window to provide their consent for
> LaLiga to activate the microphone and geopositioning of their mobile device.
> Only if you decide to accept it, the microphone will pick up the binary code
> from audio clips, for the sole purpose of knowing if you are watching football
> matches played by LaLiga teams, but the content of the recording will never be
> accessible.

> We protect user privacy

> LaLiga has implemented appropriate technical measures to protect your privacy
> if you authorize us to use this feature. These measures are detailed below:

> LaLiga will only activate the microphone and geopositioning of the mobile
> device during the time slots of matches in which LaLiga teams compete.

> LaLiga does not access the audio fragments picked up by the device's
> microphone, as they are automatically converted into binary code on the device
> itself. LaLiga only accesses this binary code, which is irreversible and does
> not allow you to obtain the audio recording again.

> If this code matches a previous control code, LaLiga may know that you are
> watching a particular match. If it does not match, the code is removed.

> The codes will not refer to your name, but to your IP address and the
> specific ID assigned by the PPP when you register.

> We will periodically remind you that LaLiga may activate your microphone and
> geo-positioning and ask you to confirm your consent.

> You can revoke your consent at any time in the mobile device settings.

[1] [https://www.deepl.com/translator](https://www.deepl.com/translator)

~~~
severine
This would be the corresponding translation of the analysis linked upthread,
from https://reversecodes.wordpress.com/2018/06/12/analizando-la-app-de-la-liga-para-android/:

Leaving aside the first part where they try to justify themselves by talking
about economic losses and other stories, in the third paragraph they already
begin to say things that do not agree with reality.

    
    
        This new functionality for fraud detection is enabled in the app since last Friday, June 8, 2018, only for Android system users and nationally*.
    

They say that the functionality of collecting microphone and location
information was enabled on June 8, 2010, so version 6.4.0 released on February
21, 2018 with SHA1 efd50120f73c0d674492126ce9e9198da57c8287 has the ability to
collect microphone and location information in exactly the same way as the
latest version available. It may have been implemented in an earlier version,
it's a matter of looking at it, but with this example it's enough to dismantle
that part of the release. Unless the 'functionality' they refer to is that of
asking permission and not that of 'spying on users'.

    
    
        (....) the microphone will pick up the binary code of audio fragments, with the sole purpose of knowing if you are watching football matches of competitions played by LaLiga teams, but the content of the recording will never be accessed.
    

There's little to say here, it's obviously outrageous to say that the
microphone doesn't record audio clips. It is also contradictory to say that
the recording is analyzed (in any way, it will be seen later) and in the
following line that the content will never be accessed. What we mean by that
is that they record and then immediately delete, because the moment they do
anything else about the generated file other than delete it they are already
accessing the content.

Now they tell us how they protect the privacy of the user....

    
    
        LaLiga will only activate the microphone and geopositioning of the mobile device during the time slots of matches in which LaLiga teams compete.
    

This time slot thing is very relative, if a Spanish team plays in China when
it's 5 a.m. here, they can activate the 10 million terminals and record them.

    
    
        LaLiga does not access the audio fragments picked up by the device's microphone, as they are automatically converted into binary code on the device itself. LaLiga only accesses this binary code, which is irreversible and does not allow you to obtain the audio recording again.
    

This is where the statement loses all credibility it could have. On the one
hand, they tell us that La Liga does not access the audios, that they
transform them into binary code automatically in the device (obviously, in
computing everything is binary data, which does not mean that they are not
recording an audio that can be played later) but if we give them the benefit
of the doubt, what they are trying to tell us is that they are generating a
progressive hash with their application after recording the audio and in the
terminal itself? or in other words, do they mean that their application does
what Shazam (valued at EUR 400 million) does? But in this case it is much more
complex, because Shazam can build a database of songs that are a finite and
concrete ensemble; but to recognize that the ambient sound corresponds to a
football match in a bar are already big words.

It is quite clear at this point that what they do is that, but obviously they
do not do it locally, but they send the recording to another service to
identify it and maybe I have searched wrong, but at no point in the general
conditions of use and privacy policies of the application I have seen that it
is mentioned that the data collected are sent to another company for analysis,
really do not know how these issues go at the legal level, but in the legal
notice on privacy and cookies makes a mention to

    
    
        Your personal data will not be transferred to other persons or companies to be used for their own purposes. However, some entities subcontracted by LaLiga may access Personal Data and information as Processors or Sub-processors to provide LaLiga with a necessary service. In particular, LaLiga receives assistance from:
    
        (a) Service Providers. Sometimes, we share your information with our third party service providers, who help us provide our services. Examples of service providers: hosting, metrics and analytics.
    

That's generic again and in my view leaves the door open for unlimited data
traffic, so any company can become a service provider overnight, right?

From this point on, the following points already seem to me to be pure
rejoicing of those who have written it and those who have approved it as a
serious statement.

    
    
        (...)
    

Translated with www.DeepL.com/Translator --

There's more, and then a technical analysis, thanks JorgeGT!

~~~
narag
The signal for public broadcast is different from the home licenses. They can
choose a few seconds fragment where they know volume peaks at certain points
and create a hash. Then calc probabilities. Seems feasible.

------
eveningcoffee
They should be prosecuted for unlawful surveillance.

