Hacker News new | comments | show | ask | jobs | submit login
Spanish football league defends phone 'spying' (bbc.com)
128 points by Element_ 62 days ago | hide | past | web | favorite | 51 comments

> The broadcasting of football matches in public places without a paid licence cost the game an estimated 150 million euros (£132m; $177m) a year, it said.

Sounds suspiciously familiar to the way questionable data have been represented about money lost due to piracy in other industries (software, movies, music). I am very skeptical about those types of claims.

could I as a fan not use a similar justification to tap phones of executives and agents to locate cases of gouging and fraud to prevent "costing the fans an estimated x million euros" through inflated ticket prices?

That's a bad one I agree. I think a better argument for enforcing their rights is the fact that if they don't, they are effectively punishing establishments that actually do pay to license the broadcast.

> I think a better argument for enforcing their rights

I don't think anyone is arguing that they shouldn't be enforcing their rights. But that they shouldn't use use people's phones as listening devices to do so.

Yes, but OP took umbrage to how the estimated losses were calculated, and a statement like:

> The broadcasting of football matches in public places without a paid licence cost the game an estimated 150 euros (£132; $177) a year, it said.

would not be anywhere near as convincing as a statement with monetary values multiplied by a million. Focusing on the unfairness of what unlicensed streamers are doing avoids that issue.

Well... I hope this is something GPDR covers. If there was a case to start seeing the impact of the new law, this seems like a good example.

This was indeed discovered because as per GPDR, they had to specify why they were using the mic and GPS. As soon as the update hit the store (after the GPDR entered into effect) and some users saw the changelog and user permission requests disclosing this use, it started to hit the news here in Spain.

The Spanish regulator, AEPD, has stated that preliminary steps to begin an official investigation are being conducted already: https://twitter.com/AEPD_es/status/1006115567227559936

For those who understand Spanish, here's a good technical analysis: https://reversecodes.wordpress.com/2018/06/12/analizando-la-...

Thanks for sharing! Entertaining read.

The app uses rot(4) to obscure data, includes a debug link with the collected data, and has the Fluzo service api key hardcoded, among other gems.

Of course the API key is hardcoded... how else would the app contact the server?

At some point the app needs to have some credential hardcoded, but you can make it more obscured by getting the API key from your own server with some kind of challenge/response. This makes it easier to rotate third party API keys and cut off unauthorized usage, by including information in the challenge request that could be used to correlate unauthorized requests.

Your hardcoded credential could then become a cryptographic key that you could rotate on app upfates.

I am not sure how many apps actually go through this trouble.

You mean they were using the mic to see if you were watching the game?

Yes. Then, they would try to pinpoint your location and if you were watching the game at a bar that doesn't have a license from them, they would sue the owner.

Now that they need your consent, they have named this feature "protect your team!" since the teams get royalties from bar licenses...

Would GDPR even cover this? I don't see why La Liga would need to include any personal information about the user in their data. They are concerned with identifying the buisness streaming pirated matches, not who is watching.

Edit: The official statement actually answers this

>The codes will not refer to your name, but to your IP address and the specific ID assigned by the PPP when you register.

Well, that (IP address and specific ID) probably constitutes information from which the identity of a natural living person can be discerned and therefore does fall under the protections of GDPR.

However, that by itself doesn't mean you can't collect it, just that you need to have specifically asked for their informed consent and not hidden this purpose away in a changelog.

Isn't this really gathering data about a nonconsenting third party, the business?

Does GDPR generally allow you or your apps to collect information that helps identify legal and moral transgressions around you?

What if you are watching the game at a friend's house? The collection is definitely going to have some false positives.

In that case the coordinates would identify your friend.

It seems like deputizing devices to spy on others. Regardless if those others may be doing something wrong or are caught up by accident, it seems like the sort of thing data protection would prevent.

This will be a good test of real competing interests. I don't know that privacy should win in the end here, but both sides actually have powerful prima facie cases to make.

If someone's recording the sounds around me, I don't see anyway that's not personal information about me.

Who would be the guilty party here? If your phone is spying on me, I'll likely get angry with you. The fact that you're a victim of the football league isn't my problem, you're the one doing the spying.

La Liga of course. They are recording data about me, without my consent. Doing it through some third party (the phone owner) doesn't absolve them.

You're probably right, but doesn't the owner of the phone share some responsibility?

I would think so. I would love to see authorities going after both. That would set a wonderful precedent.

If you generate a fingerprint of the audio on the phone, you would not leak too much information about the environment. Shazam, for example, computes the spectrum, picks the strongest peaks, and uses the relative positions of small groups of peaks in time and frequency as features to search for in known recordings. Those features are quite sparse and you can not reconstruct the audio from them. You could however identify more or less every audio signal in the environment you have a copy of to compare against.

You could do better by sending out the fingerprint you are looking for and compare it against the past couple of seconds or minutes on the phone so that you could only report a match if one occurred. This would avoid leaking what music you are listening to or what you are watching on TV unless it is what they are looking for. If you report a match with GPS coordinates, the server could throw away everything but the position so that the position is not easily linked to a user.

This still reveals all the living rooms in which someone watched the match and used the app, so it's not perfect. If you have a map of all relevant businesses, you could just count matches in the proximity for each or you could only keep matches from locations from which a certain minimum number of matches were reported which should also get rid of most living rooms. This is still not perfect, it, for example, potentially leaks how popular different places are but from a privacy perspective of app users it seems acceptable to me, at least given you trust them to do it right.

The real issue, at least in my opinion, is that they turn the app users against the business owners of the places they like to watch matches at. I am not against them trying to track the ones down that are not paying, they have a legitimate interest in that. But the way they are trying to do it seems wrong to me. There are probably some app users that would welcome if everyone had to pay but I guess most don't really care whether their favorite sports bar pays or not and even more would not want to cause trouble for the business owner even if they think they should pay. In consequence this is a feature that many if not most app users would not want to use even if there were no privacy issues. They still put it in hoping that nobody would take notice and that they could get away with it, at least for some time.

The whole thing could be done locally on the phone: "You appear to be watching the match at a commercial premises which hasn't paid to license - report this?"

Actually, thinking about this you wouldn't even really need the users to report the venues - just shaming the venue to their customers with a banner in the app might well be enough.

Private home licenses are different from public locals licenses and signals are also slightly different. Actually what bars do is buy a home license and use it for public locals.

What I would find infuriating is they get away with it. Data Protection laws are very strict for the little guy, we will see what they do with the 500 pound gorilla.

I'm not optimist. These laws did nothing to curb "legal spam" until GDPR. I'm very satisfied with how all the idiots that flooded us with spam are now begging me to allow them to keep doing it. Good riddance!

I'm not in favor of content owners being able to enforce conditions on usage.

Imagine if your shovel from Home Depot contained a little gps unit and connected to your phone via bluetooth to allow you to license it for usage at different sites with different rates and terms and packages you could sign up for. Buy the homeowner package for only 9.99 a year for one site. Buy the groundskeeper package for 24.99 a year for any site within a 3 mile radius of a given point. Licence unlimited locations for only 49.99 a year!

Want to lend your shovel to your friend no problem just login to your account and share a link and ensure your friend pays the 4.99 fee!

If it doesn't make sense for a shovel I'm not sure why it makes sense for anything else.

Market segmentation certainly means money but I don't see why we as consumers should buy into it or care if its violated.

That's why sports broadcasts in English pubs contain a beer glass in the image[1]

[1] https://www.lbc.co.uk/radio/special-shows/the-mystery-hour/c...

Interesting only Android users are targeted thanks to Google's frivolous approach to privacy and surveillance. At what point does Google take responsibility?

Here is an OS and permission system that works against its users based on open source technology by a surveillance loving company actively involved in building a techno dystopia. That summarizes everything wrong with tech today.

But even worse is the army of short sighted and self serving apologists happy to hand wave and diminish everything when not muddying the waters. If this is what a football league is doing one can only imagine what governments and other nefarious interests are upto with Android. When surveillance infrastructure is there it will be used exactly for that.

You always have to explicitly approve recording, and I pretty sure permission monitor can alert you when background recording is happening. It does this for background location usage, for sure.

Granted, the Apple App Store review process would probably have shot down this app.

Android has had the exact same permission model as Apple for years now

The app is using the app for background audio monitoring. Ios apps can't do that without displaying a big bar showing they are recording.

I'm assuming la liga app is background audio.

iPhones in Spain are absurdly expensive.

My other thinking is ROI. The people with the $100 Android phones were perceived as more likely to watch a black-market broadcast.

Of course. If you can spare more than 600€ for a phone, you surely have no problem with pay tv for you giant tv at home. Some like the crowd no matter what, though.

The sooner there's a Netflix for sport the better. Allowing fans to watch matches at a reasonable price, without having to sign up for channels and sports they're not interested in is such an obvious move, but the way rights are distributed means we'll be stuck in the dark ages for years.

I don't think this is the problem, at least in the UK market.

For English Premier League there was initially just Sky bidding. Prices got pretty ridiculous for the matches as the football association could keep on putting price up and as so many people take Sky just for sports, they had no option to accept.

It then has got even more loopy. BT under the ex-CEO got into the fray, with BT and Sky bidding against each other for matches. Fees skyrocketed even more.

Now Amazon is bidding for live matches, so there is a 3 way bid driving prices even higher.

Even buying Sky Sports by itself is still really expensive, about £35/$50/month via NowTV. Plus you'd need BT Sports (~£10/month) and now Amazon Prime (~£8/month) to watch all the matches.

Sports are just going to keep on getting more and more expensive until the end customer stops paying, as the market will just work that way.

Just wondering, are the games broadcast on paid channels or on public and free-to-view ones?

This approach would make sense if the games are on paid channels and the nominal fee for those only covers viewing for one person (in which case it makes sense for establishments to pay more, given they're showing it to more people).

But if the games are broadcast on free channels, then there shouldn't be any difference whether or not a person is watching it at home or a bar is showing the game - in either case, the TV advertisers are the ones paying for the game, and this revenue depends on how many people watch the channel (so showing off the game in a bar actually benefits everyone).

I feel like in this situation it's the latter, and the people from the football league are just greedy (what a surprise) and any excuse to try and extort money is a good one in their book.

Showing the TV program in a bar is a public performance, and the license only allows for private use. Regardless how you interpret the benefits of public display (and I agree 100% with you), it's not our decision but the licensor's.

Anything that can be received for free over the air without signing any kind of license agreement should not count as "public performance" in my book.

Aereo thought so too. Their business model was based around hosting colocated TV antennas, from which they streamed broadcast TV to users on a 1:1 basis, geofenced by broadcast market. The Supreme Court shot this argument down.


The problem is that this is the business model of broadcast networks in a world of cable TV. The statutory retransmission fees funnel some cable TV revenue back to the broadcasters. It doesn't really make sense from first principles, but it has been a pragmatic compromise.

The messed up thing about Aereo is that after being shot down by the Supreme Court, they tried to get a license to operate as a cable company but were shot down on that front, too.

Maybe they should have sold a share rather than leasing it? If a user owns an antenna and views their own stream, that's a private performance.

Yeah, that would be an interesting twist.

My guess is the RF tech is a lot easier to deploy when you can plan for some percentile of peak utilization, rather than 1:1 with the user base. Even then, they'd undoubtedly face legal challenges, so they must have made the judgment call that the odds were on their side. Which may have been a reasonable conclusion. A lot of the judgments were actually on their side until the circuit split and the final Supreme Court decision.

After all, one wouldn't imaging that leasing an old-school aerial antenna would be a legal issue.

It was a hot topic on HN several years back. I may be biased, as my wife did PR for Aereo through the firm she works for. But I definitely buy the logic that what they were doing was technical a private performance.

The article doesn’t say what this app does - is it for match schedules, news, or what?

But this is probably a good example of why I generally refuse to install apps unless I genuinely need to. Almost all apps that people install can be replaced by using a web browser. Yet I see my friends installing tons of apps for no specific reason. Each one increases your attack surface.

> It added it had received the microphone data only as code rather than audio, and that it could match that code with audio data from a match.

That sounds funnily absurd to me. By that line of argument, even sound is not really audio. After all, it's being encoded as air pressure waves :-)

EDIT: Pardon my ignorance. Based on Google Translate's translation of their statement [1], it seems that they are using some kind of perceptual hashing which is quite interesting.

[1]: http://www.laliga.es/noticias/nota-informativa-138

I guess they mean that they just have a summary of the sound, not enough to listen to it or anything. It would be a bit like just having the hash of a piece of data, not the data itself.

Thanks. You are right. I stand corrected.

The actual statement from La Liga is in spanish, I translated it with DeepL [1] here:

>Privacy policy of the LaLiga app.

>Regarding the new privacy policy of the LaLiga app, we would like to make some clarifications.


>LaLiga has the responsibility to protect clubs and their fans from fraud in the broadcasting of football matches by public institutions (HORECA). These fraudulent activities represent an estimated annual loss of 150 million euros for Spanish football, which translates into direct damage to clubs, operators and fans, among others.

>For this reason, LaLiga has implemented a new functionality in its official app with the sole purpose of detecting these fraudulent exploitations, transparently informing about them and asking users for their express and specific consent, with or without their being able to lend it freely.

>This new functionality for fraud detection is enabled in the app since last Friday, June 8, 2018, only for Android system users and nationally*.


>When a user downloads or updates the APP, the operating system of your mobile device will prompt them through a pop-up window to provide their consent for LaLiga to activate the microphone and geopositioning of their mobile device. Only if you decide to accept it, the microphone will pick up the binary code from audio clips, for the sole purpose of knowing if you are watching football matches played by LaLiga teams, but the content of the recording will never be accessible.

>We protect user privacy

>LaLiga has implemented appropriate technical measures to protect your privacy if you authorize us to use this feature. These measures are detailed below:

>LaLiga will only activate the microphone and geopositioning of the mobile device during the time slots of matches in which LaLiga teams compete.

>LaLiga does not access the audio fragments picked up by the device's microphone, as they are automatically converted into binary code on the device itself. LaLiga only accesses this binary code, which is irreversible and does not allow you to obtain the audio recording again.

>If this code matches a previous control code, LaLiga may know that you are watching a particular match. If it does not match, the code is removed.

>The codes will not refer to your name, but to your IP address and the specific ID assigned by the PPP when you register.

>We will periodically remind you that LaLiga may activate your microphone and geo-positioning and ask you to confirm your consent.

>You can revoke your consent at any time in the mobile device settings.

[1] https://www.deepl.com/translator

>>LaLiga does not access the audio fragments picked up by the device's microphone, as they are automatically converted into binary code on the device itself. LaLiga only accesses this binary code

Audio fragments are a "binary code", usually pulse code modulation samples. In this case, JorgeGT's link[1] shows that the app is reading PCM data with Android's AudioRecord API.

If they mean that they are hashing or otherwise obscuring the data (which probably can be reversed or correlated to other data in some situation), they need to say that. This statement could be interpreted that they "only access this binary [PCM samples]", not the "[raw, analog] audio fragments".

>>If this code matches a previous control code

Maybe this is a translation issue, but they seem to be conflating "codes" representing audio patterns with identification codes such as "your IP address and the specific ID assigned by the PPP when you register". The last part also admits they are "referring to your name" that you used when registering. They are simply using a synthetic key as a proxy. This is confirmed by this function in the code[2]:

    public void linkUserIds(String fluroId, String adId)
that sends a GET request specifically for the purpose of linking their "fluroId" to what is presumably some type of ad tracker id.

[1] https://reversecodes.wordpress.com/2018/06/12/analizando-la-...

[2] Ibid.

They're pretty much describing a hash. The statement is for general public, don't expect technical jargon.

This would be the corresponding translation of the analysis linked upthread, from https://reversecodes.wordpress.com/2018/06/12/analizando-la-...:

Leaving aside the first part where they try to justify themselves by talking about economic losses and other stories, in the third paragraph they already begin to say things that do not agree with reality.

    This new functionality for fraud detection is enabled in the app since last Friday, June 8, 2018, only for Android system users and nationally*.
They say that the functionality of collecting microphone and location information was enabled on June 8, 2010, so version 6.4.0 released on February 21, 2018 with SHA1 efd50120f73c0d674492126ce9e9198da57c8287 has the ability to collect microphone and location information in exactly the same way as the latest version available. It may have been implemented in an earlier version, it's a matter of looking at it, but with this example it's enough to dismantle that part of the release. Unless the'functionality' they refer to is that of asking permission and not that of'spying on users'.

    (....) the microphone will pick up the binary code of audio fragments, with the sole purpose of knowing if you are watching football matches of competitions played by LaLiga teams, but the content of the recording will never be accessed.
There's little to say here, it's obviously outrageous to say that the microphone doesn't record audio clips. It is also contradictory to say that the recording is analyzed (in any way, it will be seen later) and in the following line that the content will never be accessed. What we mean by that is that they record and then immediately delete, because the moment they do anything else about the generated file other than delete it they are already accessing the content.

Now they tell us how they protect the privacy of the user....

    LaLiga will only activate the microphone and geopositioning of the mobile device during the time slots of matches in which LaLiga teams compete.
This time slot thing is very relative, if a Spanish team plays in China when it's 5 a.m. here, they can activate the 10 million terminals and record them.

    LaLiga does not access the audio fragments picked up by the device's microphone, as they are automatically converted into binary code on the device itself. LaLiga only accesses this binary code, which is irreversible and does not allow you to obtain the audio recording again.
Tjis is wjere the statement loses all credibility it could have. On the one hand, they tell us that La Liga does not access the audios, that they transform them into binary code automatically in the device (obviously, in computing everything is binary data, which does not mean that they are not recording an audio that can be played later) but if we give them the benefit of the doubt, what they are trying to tell us is that they are generating a progressive hash with their application after recording the audio and in the terminal itself? or in other words, do they mean that their application does what Shazam (valued at EUR 400 million) does? But in this case it is much more complex, because Shazam can build a database of songs that are a finite and concrete ensemble; but to recognize that the ambient sound corresponds to a football match in a bar are already big words.

It is quite clear at this point that what they do is that, but obviously they do not do it locally, but they send the recording to another service to identify it and maybe I have searched wrong, but at no point in the general conditions of use and privacy policies of the application I have seen that it is mentioned that the data collected are sent to another company for analysis, really do not know how these issues go at the legal level, but in the legal notice on privacy and cookies makes a mention to

    Your personal data will not be transferred to other persons or companies to be used for their own purposes. However, some entities subcontracted by LaLiga may access Personal Data and information as Processors or Sub-processors to provide LaLiga with a necessary service. In particular, LaLiga receives assistance from:

    (a) Service Providers. Sometimes, we share your information with our third party service providers, who help us provide our services. Examples of service providers: hosting, metrics and analytics.
That's generic again and in my view leaves the door open for unlimited data traffic, so any company can become a service provider overnight, right?

From this point on, the following points already seem to me to be pure rejoicing of those who have written it and those who have approved it as a serious statement.

Translated with www.DeepL.com/Translator --

There's more, and then a technical analysis, thanks JorgeGT!

The signal for public broadcast is different from the home licenses. They can choose a few seconds fragment where they know volume peaks at certain points and create a hash. Then calc probabilities. Seems feasible.

Why couldn't you do it on device? All you would need to do it have some distinct sounds playing during the broadcast that the phone would pick up and you wouldn't notice. Kind of like how Amazon didn't set off everyone's Alexa during the super bowl.

They should be prosecuted for unlawful surveillance.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact