Viewpoints

La Liga: Turning users into involuntary spies

Garry Kasparov, 22 August 2019

There is little that security software can do when the users themselves give apps broad permissions

I’ve often written here about how companies exploit our tendency to accept lax security defaults. People don’t have time to read thousands of pages of terms of service or bother to ask why a mobile game needs to know their ID and location. (It’s usually to sell your info to advertisers.) And once you’ve given permission on installation there is little to be done to monitor their activities – assuming they even play by the rules.

An example that hit the news again recently was the official app of the Spanish football league, La Liga. Installed more than 10 million times, it used the phone’s microphone and location info to listen to background audio to detect if pubs and restaurants were illegally broadcasting La Liga games. The app essentially turned every user into a spy for the company. This is abuse of course, and this surveillance “feature” was not disclosed to users. It takes little imagination to realize how dangerous this could be.

I was a little surprised to hear from Avast’s security experts that there is little that security software can do in this case, since the users themselves actually gave the app the permission to record audio. When the app is installed, it asks if it can use your phone’s location and microphone. Once you say yes to these permissions – required to install the app, and who ever says no to these requirements? – there is little any third-party software can do. You’ve handed over the keys, and users don’t want false positives warning them about things they’ve already approved. Similarly, phone manufacturers don’t want to create security obstacles that might annoy users, and they know they probably won’t suffer any consequences from the next privacy fiasco because they happen so often that we’ve become numb.

The privacy and security outrages come so fast on the heels of each other that regulatory agencies can’t keep up even when they are empowered to do so. Consumers have even less ability to keep track, or to discern which scandals matter from those that spread virally but aren’t real threats.

For example, the FaceApp panic spread almost as fast as the app itself when it was discovered that the virally popular (if not new) photo-altering app originates in Russia and was collecting user data and images. I’m the last person to wave off concerns about threats from Russia, but this appears to have been overblown, according to Avast’s head of mobile threat intelligence, Nikolaos Chrysaidos. To me, it shows how little people pay attention to these practices in general. FaceApp does what millions of other apps do: collect your information in exchange for advertising to you and selling your data to others. Those buyers could be political research firms, aggregators who create user profiles, or yes, even “the Russians.” 

This is an unacceptable status quo. La Liga was fined for the violation thanks to existing privacy protection regulations in Europe (which are weak, but still stronger than anywhere else). For corporate giants, such penalties are the price of doing business and are unlikely to deter future abuses when entire business models are based on pushing the limits of data collection, AI analysis, and marketing. Europe’s GDPR isn’t perfect, but more regulatory measures will need to be tried and tested for there to be any progress. Perhaps the fines should be scaled relative to the offending company’s revenues, like Finnish speeding tickets, so they won’t be ignored. More nations need agencies such as Spain's national data protection agency (AEPD), and consumers should listen to them.

Meanwhile, you might be bugged to set up strong privacy settings on your phone and use security software, but if you don’t, you might be bugged by an app!