The official Android app for the NBA’s Golden State Warriors continuously listens in on users’ private conversations without permission, according to a federal lawsuit that alleges the practice is a violation of privacy statutes.
The 15-page complaint filed in San Francisco federal court said the monitoring was part of beaconing technology integrated into the Golden State Warriors app. The beaconing is used to track users’ precise locations so the app can provide content that’s tailored to that locale. The app “listens to and records all audio within range” of a user’s microphone, and when the app detects a unique audio signal, it is able to determine the user is in close proximity to a specific location associated with the signal. The beaconing technology, the complaint alleged, is provided by aSignal360, a developer of proximity-related products.
The lawsuit names the Golden State Warriors, Signal360, and app developer Yinzcam as defendants. It was filed on behalf of New York state resident Latisha Satchell, and the lawsuit seeks class action status so that other smartphone users who installed apps with similar behavior may also seek damages. It was filed on Monday, and its docket currently shows no hearings are yet scheduled on the matter.
“Unbeknownst to plaintiff and without her consent, defendants programmed the app to turn on her smartphone’s microphone and listen-in,” the complaint alleges. “Specifically, because plaintiff carried her smartphone to locations where she would have private conversations and the app was continuously running on her phone, defendants app listened-in to private oral communications.”
The app, which at time of writing had from 500,000 to 1 million downloads, requires users to opt in to a long list of permissions before it can be installed. One of the permissions is described as “Microphone.” The complaint said the description doesn’t sufficiently disclose the beaconing and monitoring behavior, which happens continuously even when the app is running in the background. The only way to stop the monitoring, the complaint alleges, is when the user activates the phone’s app process to “hard close” the app. The allegations are based on what the complaint described as a “forensic accounting of the app that reveals exactly how the app operates and uncovers defendants’ ability to remotely eavesdrop on consumers’ lives.”
“At no time do defendants disclose to consumers that the app uses beacon technology,” the complaint states. “And, defendants have not disclosed that the Warriors app uses audio beacon technology that surreptitiously turns on consumers’ smartphone microphones and listens in”The allegations bring to mind revelations from last year that some advertisers are using inaudible high-frequency sounds to surreptitiously track a person’s activities across a range of devices, including phones, TVs, tablets, and computers.
With the complaint just days old, it’s too early to know what the central facts of the case will be. Still, it wouldn’t be surprising for a key issue to be whether it’s accurate to say the app “records” and “listens in to” conversations as alleged. With as many as 1 million people using the app, it seems likely that most or all of the audio is processed locally without ever leaving the user’s phone. If that’s the case, the behavior may not meet the legal definitions needed to prove it violated the Electronic Communications Privacy Act.
Update: At Ars’s request, mobile security firm Lookout examined the Golden State Warriors app. Here’s a quick take from Andrew Blaich, one of the company’s researchers.
The app absolutely contains code to record audio. However, at this time and based on our quick assessment the ability to record audio is gated by a software flag that is controlled by the provider of the beacon technology. The beacon technology provider could easily change this configuration on their
server side to enable recording in the app.We don’t know what the state of this flag was when the lawsuit was originally filed so these findings simply reflect the status of the app and provider as studied for version 2.2.1 of the app for Android.
In any event, the complaint underscores how vague many smartphone permissions can be. A screenshot of the permissions included in the court document show that the microphone permission only included text stating it “uses the device’s microphone(s).” It’s arguable that language doesn’t go far enough to notify most people that their smartphone mics will be constantly monitoring, or at least processing, all audio within range. The app’s current microphone permission has since been revised to read “record audio,” a change that may have been made to make the behavior clearer.
With a large number of other apps almost certainly doing similar undisclosed things, we’re likely to hear more about this controversy in the coming months.
[Source:-Ars technia]