Teemo, Fidzup: French privacy watchdog bans rogue geolocation, EU considers legalising it
3 September, 2018 - On 20 July 2018, France's data protection authority, the CNIL, declared (FR) that the activities of two French start-ups, Teemo and Fidzup, are illegal. They geolocate millions of people for advertising purposes and without their consent. The companies have three months to cease these activities. Unfortunately, in the long run their model could become legal. That is what the European Union is debating in an upcoming ePrivacy regulation.
Teemo is the archetype of start-ups which focus not on sustained existence, but on reaping maximum profits through an activity which, from the outset, is illegal. A case of "take the money and run". With 35 employees and a revenue of 2.6 million euros (in 2016), Teemo will not be able to survive the CNIL's decision.
Teemo analyzes the geolocation data of 14 million phones, gathered through the mobile apps of their commercial partners, to deliver targeted localised advertising. Of course, the people monitored and under surveillance are not informed of this tracking and have no say about it. Today, the CNIL demands they obtain this consent, which the French Data Protection Act of 1978 requires unambiguously.
Teemo can now close up shop, given that its income now rests on the absurd hope that users will give up their privacy for no compensation, simply to make the startup richer.
Fine. But what about their many partners who financed and profited from this pervasive surveillance system? On Teemo's website, one can read the testimonials of companies such as LeaderPrice, ToysRus, InterSport and Volkswagen, all rejoicing about how such a massive violation of our rights facilitated their advertising activities. Further down the page, among the companies that have "put their trust" in Teemo (without consulting any legal experts, one imagines), we can find McDonald's as well as the huge French retailers Carrefour, Decathlon and Fnac.
A year ago, Numerama published an investigation (FR) into Teemo, which probably led the CNIL to take the case up. The investigation showed how Teemo infiltrated the mobile apps of French newspapers and magazines Le Figaro, Le Parisien, L'Équipe and Closer – with their approval.
Since then, Exodus Privacy has described in great detail the workings of Teemo and the apps which incorporate it.
Today all these companies owe us some serious explanations: how could they finance and allow such an egregious violation of the law and their clients' fundamental freedoms? Their legal and political responsibility is at stake.
The Fidzup case is more complicated.
The smaller startup (24 employees, 500,000€ of revenue) operates in two stages. In the first stage it installs bits of code in mobile apps of its commercial partners. The CNIL has counted nine different apps, which appear to have let it infiltrate 6 million phones. This code lets Fidzup collect certain technical data on the spied-on phones. In the second stage, Fidzup supplies retail stores with devices which identify the phones that pass nearby, using technical data collected in the first stage. So the stores – about a hundred – can track their clients, on- and offline.
This second stage is particularly pernicious. Technically, our phones regularly emit technical data to be able to connect to surrounding WiFi access points. The devices Fidzup supplies intercept these technical data to identify phones, even though its devices are not in any way WiFi access points.
Exodus Privacy has described in detail how this works and which mobile apps collaborate with Fidzup.
The law, fortunately, explicitly forbids this interception technique. The 2002 “Directive 2002/58 of the EU”, aka "ePrivacy", specifies in its article 5 that it prohibits “listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned”. The data captured by Fidzup here are the "related traffic data", intended to establish a connection to a WiFi access point.
Pointing back to this logic, the CNIL has demanded that Fidzup obtain prior consent from users before collecting these data, which is not currently the case.
One can reach the same conclusion here as in the Teemo case: users are not going to agree to give up their privacy for no purpose other than making Fidzup richer. The startup's future appears bleak.
Unfortunately, the overall situation is more disquieting.
The ePrivacy directive, which forbids Fidzup's activity today, is being revised by the EU.
A year ago, the European Parliament finalised its position on the text (cf. our account of the debate). In article 8, §2 of the new text, the Parliament authorises collecting without consent "information emitted by users' terminal devices" – abandoning the fundamental protection we enjoy today.
The Parliament is authorising this surveillance while requiring a handful of conditions that are as vague as they are empty: analysing the data must be limited to uses for "statistical purposes" (the service Fidzup already provides), the data must be anonymised once the purpose is reached (once Fidzup has finished counting us), users have a right to refuse (which is indicated by a more or less visible notice in the store under surveillance – which Fidzup already does).
Reform of the ePrivacy directive is being debated today by Member States of the EU. Few Member States seem keen to oppose the Parliament's excesses regarding geolocation. With one hand, the EU claims to offer significant protection (FR) with the General Data Protection Regulation (GDPR); with the other hand, it reduces the protection of our civil liberties in order to save a few illicit and harmful (useless) startups.
If the debates on the ePrivacy regulation confirm this direction, we will have to oppose any idea of reforming the current law, which, together with the GDPR, currently protects us from the spying intentions of companies such as Teemo, Fidzup, and their partners.