Samsung "JAY-Z Magna Carta" App

Top News

  • EPIC Submits Comments on Regulation of Private Surveillance Industry: EPIC has submitted comments to the UN Special Rapporteur on Freedom of Expression for a report on the surveillance industry. The Special Rapporteur is soliciting information for a report to the UN General Assembly on how surveillance technology is regulated and used around the world. EPIC's submission details a recent U.S. proposal to limit exports of surveillance technology, new limits on access to surveillance tech in the United States, and key EPIC Freedom of Information Act cases to uncover details of ICE's procurement of mobile forensics and analytics technology. EPIC pursues an extensive FOIA docket. (Feb. 14, 2019)
  • EPIC Sues Border Agency about Searches of Cellphones: EPIC will file a lawsuit today to compel a federal agency to release audits so as to determine whether the searches of electronic devices are lawful. The Border Search Directive sets out when and how Customs and Border Patrol officials may inspect cellphones, tablets, and laptop computers of travelers crossing the US border. The Directive requires the agency to develop an auditing mechanism to ensure lawful searches, yet the agency has not published the auditing requirements or the results of the audits. So, EPIC has sued for the release of the procedures. The American Bar Association recently adopted a new policy that urges Congress, the courts, and the Department of Homeland Security to enact legislation and adopt policies to protect the privacy rights of travelers. EPIC filed a related lawsuit against Immigration and Customs Enforcement for information about the warrantless searches of cell phones. (Feb. 1, 2019)
  • EPIC Renews Call For FTC To Stop Samsung's Surveillance of the Home: EPIC has urged the Federal Trade Commission to act on a Complaint EPIC previously filed with the Commission concerning Samsung's "always on" SmartTV, which surreptitiously records consumers' private conversations and transmits their unencrypted voice recordings to third parties. EPIC also warned the FTC that "Samsung is now collecting viewing data from consumers," a practice the FTC found unlawful in a recent settlement with VIZIO. EPIC originally filed this complaint with the FTC on February 24, 2015, but the Commission took no action. EPIC routinely files complaints with the FTC. EPIC's complaints against Uber, Facebook and Google all led to FTC settlements with the companies. Last week, EPIC renewed its complaint against Google for tracking consumers' in-store purchases. (May. 18, 2018)
  • EPIC Sues ICE Over Technology Used to Conduct Warrantless Searches of Mobile Devices: EPIC has filed a Freedom of Information Act lawsuit against Immigration and Customs Enforcement for details of the agency's use of mobile forensic technology to conduct warrantless searches of mobile devices. ICE has contracts with a company called Cellebrite for techniques to unlock, decrypt, and extract data from mobile devices, including personal data stored in cloud-based accounts. Privacy complaints regarding the search of mobile devices at the border continue to increase. In a statement to Congress last year, EPIC warned that enhanced surveillance at the border will impact the rights of U.S. citizens. Senator Patrick Leahy (D-VT) and Senator Steve Daines (R-MT) have introduced legislation to place restrictions on searches and seizures of electronic devices at the border. (Apr. 9, 2018)
  • EPIC Offers Recommendations for Future of FTC Ahead of Senate Hearing on Nominees: In advance of a Senate hearing on four nominees to the Federal Trade Commission, EPIC recommended 10 steps for the FTC to safeguard American consumers. EPIC explained that the FTC's failure to address the data protection crisis has contributed to unprecedented levels of data breach and identity theft in the United States. EPIC helped establish the FTC's authority for consumer privacy and has urged the FTC to safeguard American consumers in cases involving Microsoft, Google, Facebook, Uber, Samsung and others. EPIC also filed a lawsuit against the FTC when it failed to enforce a consent order against Google. (Feb. 13, 2018)
  • In Merger Reviews, EPIC Advocates for Privacy, Algorithmic Transparency: EPIC has sent a statement to the Senate Judiciary Committee ahead of a hearing on the new Antitrust Chief. EPIC urged the Committee to consider the role of consumer privacy and data protection in merger reviews. EPIC warned that "monopoly platforms" are reducing competition, stifling innovation, and undermining privacy. EPIC pointed to the FTC's failure to block the Google/DoubleClick merger which accelerated Google's dominance of Internet advertising and the WhatsApp/Facebook merger which paved the way for Facebook to access confidential WhatsApp user data. EPIC also suggested that "algorithmic transparency" would become increasingly important for merger analysis. EPIC is a leading consumer privacy advocate and regularly submits complaints urging investigations and changes to unfair business practices. (May. 9, 2017)
  • FTC Reaches Settlement with VIZIO Over Smart TV Tracking: The Federal Trade Commission has reached a $2.2 million settlement with smart TV manufacturer VIZIO over the company's tracking of consumers' viewing habits without their knowledge or consent. The FTC's complaint alleged that VIZIO's collection and sale of viewing data was unfair and deceptive, and the settlement agreement requires the company to delete all viewing data. EPIC previously filed a complaint with the FTC over Samsung's smart TV data collection practices, including surveillance of consumers' private conversations. EPIC has also defended the privacy of consumers' TV viewing habits in a federal court case involving the Video Privacy Protection Act. (Feb. 6, 2017)
  • California Enacts Innovative Privacy Protections for Drones and SmartTVs: California Governor Jerry Brown has signed laws that provide California residents with privacy protections against drones and SmartTVs. AB856 prohibits drone flight in the airspace above private property with the intent of taking photos, video, or a sound recording of a person. AB1116 prohibits the use of voice recognition on SmartTVs unless consumers are "prominently inform[ed]" during the initial setup of the TV. The new California law also prohibits the use of voice recording for advertising purposes. Earlier this year, EPIC filed a complaint to the Federal Trade Commission about Samsung's SmartTVs and recommended new consumer safeguards. EPIC has also recommended drone privacy safeguards to the US Congress, the FAA, and State courts. (Oct. 9, 2015)
  • Campaign for a Commercial-Free Childhood Protests Eavesdropping Barbie: The Campaign for a Commercial-Free Childhood has launched a campaign and petition to protest Mattel's "Hello Barbie." The toy is a WiFi-connected doll with a built-in microphone. Hello Barbie records and transmits children's conversations to Mattel, where they are analyzed to determine "all the child's likes and dislikes." The advocacy group explained that Hello Barbie is "a significant violation of children's privacy...Kids using 'Hello Barbie' won't only be talking to a doll, they'll be talking directly to a toy conglomerate whose only interest in them is financial." EPIC has participated in numerous campaigns to safeguard children's privacy and recently filed a complaint with the FTC about Samsung's always on "SmartTV." (Apr. 2, 2015)
  • EPIC Challenges Samsung's Surveillance of the Home, Files FTC Complaint: EPIC has filed a complaint to the Federal Trade Commission about Samsung's SmartTVs. "Samsung routinely intercepts and records the private communications of consumers in their homes," EPIC wrote. EPIC detailed widespread consumer objections and charged that "privacy notices" do not diminish the harm to American consumers. In setting out the privacy violations, EPIC cited the FTC Act, the Children's Online Privacy Protection Act, The Cable Act, and the Electronic Communications Privacy Act. EPIC also noted a recent speech of FTC Chair Edith Ramirez about privacy and consumer products. EPIC asked the FTC to enjoin Samsung and other companies that engage in similar practices. (Feb. 24, 2015)

Background on The Magna Carta App

In a promotional deal, Samsung bought one million digital copies of Jay Z’s new album “Jay-Z Magna Carta Holy Grail” to distribute to users of certain Samsung smartphones and tablets. Samsung developed a mobile application, called “Jay-Z Magna Carta,” and required Samsung users to download and use the app in order to participate in Samsung’s promotional offer. The Magna Carta App provided certain Samsung mobile device users the ability to download Jay Z’s new album for free on July 4th, three days before the album was set to be released. Once downloaded, the application prompted a permission window that a user had to accept before the application would install. The user was required to agree to all of the permissions in order to access any of the content provided by the Magna Carta App.

Permissions Requested

The application required permissions to:

  • modify or delete contents of phone USB storage
  • prevent the user's phone from sleeping
  • view and record data regarding all running apps
  • read phone status and identity (i.e. who the user is talking to on voice calls)
  • run automatically at startup and to continue running in the background the entire time the phone is on
  • test access to protected storage
  • receive data from the Internet, view Wi-Fi connections, and view network connections
  • control the phone's vibration
  • search through accounts on the device and collect account information (gathering e-mail addresses and social-media user names connected to the phone)
  • and access the user's precise (GPS) and approximate (network-based) location.

The application also required permission for full network access. As New York Times reporter Jon Pareles noted, the number of permissions requested "verges on parody."
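As an added illustration (not EPIC's analysis and not code from the app), the following Python audits the permissions a manifest requests against the set its stated purpose needs, and names the personal data each unjustified permission exposes. The manifest, the package name, the mapping from the list above to standard Android permission names, and the allowlist are all assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Constructed manifest, NOT the app's real one: standard Android permission
# names chosen to match the plain-language list above (an assumption).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.albumpromo">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Hypothetical allowlist: what downloading an album and saving it needs.
PURPOSE_ALLOWLIST = {P + "INTERNET", P + "ACCESS_NETWORK_STATE",
                     P + "WRITE_EXTERNAL_STORAGE"}

# Permissions that expose personal data, with the category they unlock.
PERSONAL_DATA = {
    P + "ACCESS_FINE_LOCATION": "precise location",
    P + "ACCESS_COARSE_LOCATION": "approximate location",
    P + "READ_PHONE_STATE": "device identifiers and call state",
    P + "GET_ACCOUNTS": "account names on the device",
    P + "GET_TASKS": "running applications",
}


def requested_permissions(manifest_xml):
    """Return the distinct permission names a text manifest requests."""
    # For manifests taken from untrusted APKs, parse with defusedxml instead.
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name and name not in names:
                names.append(name)
    return names


def audit(manifest_xml, allowlist):
    """Split requested permissions into justified and unjustified ones."""
    requested = requested_permissions(manifest_xml)
    unjustified = [p for p in requested if p not in allowlist]
    personal = {p: PERSONAL_DATA[p] for p in unjustified if p in PERSONAL_DATA}
    return {"requested": requested, "unjustified": unjustified,
            "personal_data": personal}


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, PURPOSE_ALLOWLIST)
    print(f"{len(report['requested'])} requested, "
          f"{len(report['unjustified'])} not needed for the stated purpose")
    for permission, category in report["personal_data"].items():
        print(f"  {permission}: exposes {category}")
```

A packaged APK stores its manifest as binary XML, so it has to be decoded to text before this parser can read it.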

Information Collected

The Magna Carta App accessed a vast amount of users’ personal information, including:

  • Approximate user location using cell site locations and Wi-Fi networks
  • Precise user location using the Global Positioning System (GPS), cell site locations, and Wi-Fi networks
  • Mobile device identifiers, including the International Mobile Subscriber Identity and International Mobile Station Equipment Identity numbers, both of which are unique identifiers
  • Time periods during which the phone is active
  • Telephone numbers dialed
  • The identity of other applications installed on the device
  • The identity of user accounts associated with other applications
  • Sensitive log data
  • The identity of Wi-Fi networks and other devices connected to Wi-Fi networks

Social Media Requirement

Furthermore, in order to download the Magna Carta App, users were forced to register with or sign into Facebook or Twitter to access the album. Once users signed in to their Facebook or Twitter accounts, they had to pass through an age gate. Entering an age below 13 had no impact on their ability to re-enter a higher age. Additionally, the Magna Carta App required permission to post on users’ behalf on those accounts, presumably to create social buzz. In the run-up to the album’s release, the Magna Carta App allowed users to view song lyrics, but only if the user posted a tweet or Facebook status update promoting the fact that they had unlocked each lyric.

Privacy Risks Posed by the Magna Carta App

Mobile applications that require overbroad data collection permissions violate a number of the fundamental privacy rights established both by the FTC in its prior decisions and by the White House in the Consumer Privacy Bill of Rights (CPBR).

Samsung Did Not Disclose To Users Why It Collected So Much User Data

In listing the permissions requested by the Jay-Z Magna Carta App, Samsung failed to disclose the purposes for which it collected users’ information as required by law and public policy. For example, Samsung did not explain why it collected users’ approximate location, precise location, unique device identifiers, phone numbers and phone numbers called, application usage information, log files, and Wi-Fi network and connected device identifiers. Facts about the purpose for which data was collected would be material to users in their decision to use and install the App.

Samsung Prevented Users From Making Meaningful Privacy Choices

Integrating users' social media accounts into the Magna Carta App unfairly restricted user choice. Samsung required users of the Jay-Z Magna Carta App to also have either a Facebook or Twitter account. By tying the Magna Carta App to Facebook and Twitter, Samsung required consumers who consented to using the Magna Carta App to also consent to the full range of Facebook or Twitter’s business practices, thereby depriving them of the choice to use the Magna Carta App alone. Public policy and FTC precedent establish that users should have meaningful choices regarding the collection and use of their data. Users of the Magna Carta App, however, could not reasonably avoid this restriction of choice.

Samsung Collected Unnecessary Data

Samsung collected vast quantities of user data, most of which were unnecessary to run the app. The Magna Carta App served no useful purpose other than to capture user data, to control access to music downloads, and to provide incremental access to lyrical content in exchange for access to social media accounts. After the user finished downloading content and sharing information, the Magna Carta App served no purpose at all—the music became part of the user’s regular download library.

Samsung had other primary means of distributing digital music and lyrics that did not involve sharing extensive personal data. Much of the data collected, e.g., account usernames and passwords, in no way supported the implied entertainment purpose of the Magna Carta App. Public policy establishes that companies should operate according to reasonable data collection limits. Samsung did not establish reasonable data collection limits in the App.

Samsung Did Not Immediately Discard Unnecessary Personal Data

Samsung retained the data it collected from consumers even after that data no longer aided the functionality of the Magna Carta App. Public policy establishes that companies should operate under sound data retention practices and data minimization procedures. In violation of FTC precedent and firmly established public policy, Samsung did not incorporate data minimization procedures into its data collection practices.

The Magna Carta App Interfered With the Users' Ability to Operate Their Smartphones

The Magna Carta App unfairly interfered with mobile device functionality, and in ways that users could not reasonably have expected. For instance, the user had to agree to allow the Magna Carta App to accept cloud-to-device messages sent by the App’s service. The Permissions explanations page noted, “Using this service will incur data usage. Malicious apps could cause excess data usage.” The Magna Carta App affected the smartphone’s battery by controlling the device’s vibration and preventing the device from going into “sleep” mode.

The Magna Carta App also affected the device’s speed and efficiency. The last term on the Permissions page noted, “[This permission] allows the app to have itself started as soon as the system has finished booting. This can make it take longer to start the device and allow the app to slow down the overall device by always running.” This activity is likely to cause substantial injury to consumers. (“Substantial injury” has been found where unauthorized implementation of anti-spyware software on users’ computers affected the computers’ functionality.)

However, users could not switch off or opt out of any of these functions. All of the Permissions were prerequisite for the user to run the Magna Carta App. Consumers who wished to use the Magna Carta App could not do so without allowing the software to access their personal information. If a person is subject to the potential for "always on" recording, that fundamentally alters how that person behaves. Privacy is the ability to control how and to whom one expresses oneself. If a person cannot control to whom they are expressing themselves, they will tailor the nature of their expression. Without the ability to control one's audience, individuals will fear reprisals for non-conforming, unusual, or unprofessional behavior. The resulting chilling effect will stifle creativity, innovation, and self-discovery.

The FTC's Interest

The Commission’s decisions in cases such as In re HTC and U.S. v. Path established protections against material omissions and poor privacy practices in mobile privacy.

In Path, Inc., the Commission required that a social media application display a prominent explanation of the types of information it collected. The version of the application that could be installed on a mobile device would gather information from the user’s address book and contacts lists. The Commission explained, “The feature provided users with three options: ‘Find friends from your contacts;’ ‘Find friends from Facebook;’ or ‘Invite friends to join Path by email or SMS.’ However, Path automatically collected and stored personal information from the user’s mobile device address book even if the user had not selected the ‘Find friends from your contacts’ option. For each contact in the user’s mobile device address book, Path automatically collected and stored any available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and dates of birth.”

In HTC America, Inc., the Commission found that mobile application providers may not misrepresent, even by implication, the security protections they use when gathering and storing user data. The Commission noted that HTC "failed to detect and mitigate these vulnerabilities, which, if exploited, provide third-party applications with unauthorized access to sensitive information and sensitive device functionality." The Commission also noted that HTC secretly installed Carrier IQ on its devices, which collected "GPS-based location information; web browsing and media viewing history; the size and number of all text messages; the content of each incoming text message; the names of applications on the user’s device; the numeric keys pressed by the user; and any other usage and device information specified for collection by certain network operators.”

The Consumer Privacy Bill of Rights and the FTC's Privacy Report

The Obama Administration's Consumer Privacy Bill of Rights ("CPBR") lists "Respect for Context" as one of its seven principles. This principle provides that "Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data."

The CPBR lists "Control" as another of its seven principles. The Control principle provides that "Consumers have a right to exercise control over what personal data companies collect from them and how they use it." The CPBR establishes that "Companies should offer consumers clear and simple choices, presented at times and in ways that enable consumers to make meaningful decisions about personal data collection, use, and disclosure. Companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place." The CPBR states that, in cases involving sensitive data collection, companies should offer "fine-grained control of personal data use and disclosure."

The CPBR also lists “Focused Collection” as one of its seven principles. The Focused Collection Principle provides that “Consumers have a right to reasonable limits on the personal data that companies collect and retain.” Further, “Companies should collect only as much personal data as they need to accomplish purposes specified under the Respect for Context principle. Companies should securely dispose of or de-identify personal data once they no longer need it.”

Additionally, the Commission’s March 2012 report “Protecting Consumer Privacy In an Era of Rapid Change” sets out “Privacy By Design” as one of its three principles. “Privacy By Design” encompasses the principle of “Reasonable Collection Limitation: Companies Should Limit Their Collection of Data.” “Reasonable Collection Limitation” provides that “Companies should limit data collection to that which is consistent with the context of a particular transaction or the consumer’s relationship with the business.” The report further clarifies that “Reasonable Collection Limitation” is analogous to the CPBR’s “Respect for Context” principle.

The Commission has established meaningful consent as a foundational privacy practice. The Commission’s 2012 Privacy Report states that “a company should provide the choice mechanism at a time and in a context that is relevant to consumers - generally at the point the company collects the consumer’s information.” In particular, the Commission explained that “businesses should not offer consumers a “take it or leave it” choice when collecting consumers’ information in a manner inconsistent with the context of the interaction between the business and the consumer.”

The Commission has also identified “Sound Data Retention” as one of the defining principles of Privacy By Design in its 2012 report. The Sound Data Retention principle provides that “Companies Should Implement Reasonable Data Retention and Disposal Rules.” The report further clarifies that “companies should implement reasonable restrictions on the retention of data and should dispose of it once the data has outlived the legitimate purpose for which it was collected.”

EPIC and the FTC

EPIC is the group responsible for several of the Federal Trade Commission's major privacy decisions, including:

Samsung's Response

"We are aware of the complaint filed with the FTC and believe it is baseless. Samsung takes customer privacy and the protection of personal information very seriously. Any information obtained through the application download process was purely for customer verification purposes, app functionality purposes, and for marketing communications, but only if the customer requests to receive those marketing communications," Samsung said in a statement to the L.A. Times. "Samsung is in no way inappropriately using or selling any information obtained from users through the download process."

Music and Tech Industry's Response

"If Jay-Z wants to know about my phone calls and e-mail accounts, why doesn’t he join the National Security Agency?"
- Jon Pareles, music writer, New York Times

"This app's very existence is vaguely bewildering. The number of permissions it asks for verges on parody. Its (previous) ability to spam up your social feeds is obnoxious. Its presentation is perfunctory at best. It does nothing to protect the songs from downloading and sharing—of course, this would have happened with Samsung's cooperation or not, but if the point was "exclusivity," then somebody missed a memo somewhere."
- Andrew Cunningham, technology writer, Ars Technica

"When an artist self-identifies as a corporate entity, are we still Jay-Z fans? Or are we Jay-Z customers? The answer to that late-capitalist riddle arrives with the rap icon’s insidious new album, “Magna Carta . . . Holy Grail” — which first appeared last week as a data collection exercise disguised as a smartphone app capable of delivering a bundle of mediocre rap songs to your mobile device."
- Chris Richards, music writer, Washington Post

"Such auto-posting is usually endemic to spam, not apps released by a major IT company and a top-selling pop artist."
- Robert Schoon, technology writer, Latinos Post

"Now consider the three-way trade that has been done here. Jay-Z gets paid directly for his music in a way that wouldn’t be quite so likely if he had to rely on traditional record sales and “traditional" digital downloads. You, the listener, get free (or almost-free) music, which is what you’re used to at this point. It’s a frictionless transaction, to borrow a Silicon Valleyism. And Samsung — which is not a cellular provider and would therefore not normally have access to this, I don’t think — gets some of that raw uncut data, which is all anybody wants anymore."
- Willy Staley, writer and editor at New York Times magazine

"I read this and .... "Naw I'm cool"
- Killer Mike, rapper
