Samsung "JAY-Z Magna Carta" App
- California Enacts Innovative Privacy Protections for Drones and SmartTVs: California Governor Jerry Brown has signed laws that provide California residents with privacy protections against drones and SmartTVs. AB856 prohibits drone flight in the airspace above private property with the intent of taking photos, video, or a sound recording of a person. AB1116 prohibits the use of voice recognition on SmartTVs unless consumers are "prominently inform[ed]" during the initial setup of the TV. The new California law also prohibits the use of voice recording for advertising purposes. Earlier this year, EPIC filed a complaint to the Federal Trade Commission about Samsung's SmartTVs and recommended new consumer safeguards. EPIC has also recommended drone privacy safeguards to the US Congress, the FAA, and State courts. (Oct. 9, 2015)
- Campaign for a Commercial-Free Childhood Protests Eavesdropping Barbie: The Campaign for a Commercial-Free Childhood has launched a campaign and petition to protest Mattel's "Hello Barbie." The toy is a WiFi-connected doll with a built-in microphone. Hello Barbie records and transmits children's conversations to Mattel, where they are analyzed to determine "all the child's likes and dislikes." The advocacy group explained that Hello Barbie is "a significant violation of children's privacy...Kids using 'Hello Barbie' won't only be talking to a doll, they'll be talking directly to a toy conglomerate whose only interest in them is financial." EPIC has participated in numerous campaigns to safeguard children's privacy and recently filed a complaint with the FTC about Samsung's always on "SmartTV." (Apr. 2, 2015)
- EPIC Challenges Samsung's Surveillance of the Home, Files FTC Complaint: EPIC has filed a complaint to the Federal Trade Commission about Samsung's SmartTVs. "Samsung routinely intercepts and records the private communications of consumers in their homes," EPIC wrote. EPIC detailed widespread consumer objections and charged that "privacy notices" do not diminish the harm to American consumers. In setting out the privacy violations, EPIC cited the FTC Act, the Children's Online Privacy Protection Act, The Cable Act, and the Electronic Communications Privacy Act. EPIC also noted a recent speech of FTC Chair Edith Ramirez about privacy and consumer products. EPIC asked the FTC to enjoin Samsung and other companies that engage in similar practices. (Feb. 24, 2015)
- Pew Survey Finds Most Mobile Users Avoid Apps Due to Privacy Concerns: A survey by the Pew Research Center found that the majority of mobile phone users have uninstalled or avoided apps due to privacy concerns. According to the report, 54% of mobile users have decided to not install an app after discovering the amount of information it collects, and 30% of mobile users uninstalled an app after discovering that it was collecting personal information that they didn’t wish to share. Owners of Android and iPhone devices are also equally likely to delete (or avoid entirely) cell phone apps due to concerns over their personal information. Younger cellphone users were also twice as likely as older users to report that "someone has accessed phone in a way that felt like privacy invasion." This poll follows another survey by Pew that found that users were becoming more active in managing their social media accounts. For more information, see EPIC: Public Opinion on Privacy. (Sep. 5, 2012)
- EPIC Urges FTC to Develop Meaningful Privacy Protections for Mobile Services: EPIC has submitted comments to the Federal Trade Commission concerning "Advertising and Privacy Disclosures in a Digital World". The FTC is currently exploring ways businesses could improve privacy notices for mobile devices. EPIC pointed out that many of the techniques, such as privacy icons, suffer from the same problems as traditional privacy notices. EPIC recommended that the FTC focus instead on substantive privacy protections, such as those found in the federal Privacy Act, sectoral privacy laws, and the Consumer Privacy Bill of Rights, proposed by the White House. An earlier FTC report called for new privacy legislation and an FTC investigation documented privacy problems with mobile applications for children. For more information, see EPIC: Federal Trade Commission. (Jul. 11, 2012)
- EPIC Calls on FTC to Develop Substantive Privacy Protections at Workshop on Mobile Advertising: EPIC submitted comments to the Federal Trade Commission for the May 30 workshop on mobile advertising disclosures. EPIC recommended that the agency focus on the development of substantive privacy protections, such as the Consumer Privacy Bill of Rights announced by the President earlier this year, for mobile services. EPIC also recommended that the workshop address a series of problems with the "notice and consent" approach, as well as the merits of innovative, nonverbal approaches proposed by privacy scholars. The workshop follows an FTC report calling for privacy legislation and an investigation that documented privacy problems with mobile applications for children. For more information, see EPIC: Federal Trade Commission. (May. 11, 2012)
- EPIC FOIA - New Details About Automated License Plate Readers Obtained: In response to an EPIC Freedom of Information Act request, Customs and Border Protection has disclosed nearly 1,000 pages of documents on automated license plate readers and border body scanners. The documents include contracts with several companies, such as Rapiscan and L3, for vehicle and cargo screening x-ray devices. Previous documents obtained by EPIC revealed that the agency is developing integrated vehicle scanners, with backscatter x-ray, Closed Circuit Television, and automated license plate readers, that would be used with human subjects. Radiation experts have questioned the safety of these systems, which produce ionizing radiation. For more information see EPIC FOIA: Automated License Plate Readers and Border Checkpoint Body Scanners. (Feb. 14, 2012)
- iPhones, iPads Collect and Store User Location Data: Security researchers have found that Apple records detailed location data of iPhone and iPad users. The information, which includes latitude/longitude and a time stamp, is captured by the devices and then transferred to a user's computer where it is stored unencrypted. It is not clear whether Apple is able to access the file directly. Senator Al Franken (D-MN) and Rep. Ed Markey (D-MA) have asked Apple CEO Steve Jobs to explain why the company is storing information on its users in a secret file. Apple may have violated Section 222 of the Communications Act, which requires companies to obtain customer consent before location data is used or disclosed for commercial purposes. A recent Nielsen poll finds that US smartphone users are concerned with privacy when it comes to location. For more information, see EPIC: iPhone and Privacy, EPIC: Locational Privacy and EPIC: Consumer Proprietary Network Information. (Apr. 21, 2011)
The application required permissions to:
- modify or delete contents of phone USB storage
- prevent the user's phone from sleeping
- view and record data regarding all running apps
- read phone status and identity (i.e. who the user is talking to on voice calls)
- run automatically at startup and to continue running in the background the entire time the phone is on
- test access to protected storage
- receive data from the Internet, view Wi-Fi connections, and view network connections
- control the phone's vibration
- search through accounts on the device and collect account information (gathering e-mail addresses and social-media user names connected to the phone)
- and access the user's precise (GPS) and approximate (network-based) location.
The application also required permission for full network access. As New York Times reporter Jon Pareles noted, the number of permissions requested "verges on parody."
The Magna Carta App accessed a vast amount of users’ personal information, including:
- Approximate user location using cell site locations and Wi-Fi networks
- Precise user location using the Global Positioning System (GPS), cell site locations, and Wi-Fi networks
- Mobile device identifiers, including the International Mobile Subscriber Identity and International Mobile Station Equipment Identity numbers, both of which are unique identifiers
- Time periods during which the phone is active
- Telephone numbers dialed
- The identity of other applications installed on the device
- The identity of user accounts associated with other applications
- Sensitive log data
- The identity of Wi-Fi networks and other devices connected to Wi-Fi networks
Social Media Requirement
Furthermore, in order to download the Magna Carta App, users were forced to register with or sign into Facebook or Twitter to access the album. Once users signed in to their Facebook or Twitter accounts, they had to pass through an age gate. Entering an age below 13 had no impact on their ability to re-enter a higher age. Additionally, the Magna Carta App required permission to post on users’ behalf on those accounts, presumably to create social buzz. In the run-up to the album’s release, the Magna Carta App allowed users to view song lyrics, but only if the user posted a tweet or Facebook status update promoting the fact that they had unlocked each lyric.
Mobile applications that require overbroad data collection permissions violate a number of the fundamental privacy rights established by both the FTC in its prior decisions, and by the White House in the CPBR.
Samsung Did Not Disclose To Users Why It Collected So Much User Data
In listing the permissions requested by the Jay-Z Magna Carta App, Samsung failed to disclose the purposes for which it collected users’ information as required by law and public policy. For example, Samsung did not explain why it collected users’ approximate location, precise location, unique device identifiers, phone numbers and phone numbers called, application usage information, log files, and Wi-Fi network and connected device identifiers. Facts about the purpose for which data was collected would be material to users in their decision to use and install the App.
Samsung Prevented Users From Making Meaningful Privacy Choices
Integrating users' social media accounts into the Magna Carta App unfairly restricted user choice. Samsung required users of the Jay-Z Magna Carta App to also have either a Facebook or Twitter account. By tying the Magna Carta App to Facebook and Twitter, Samsung required consumers who consented to using the Magna Carta App to also consent to the full range of Facebook or Twitter’s business practices, thereby depriving them of the choice to use the Magna Carta App alone. Public policy and FTC precedent establish that users should have meaningful choices regarding the collection and use of their data. Users of the Magna Carta App, however, could not reasonably avoid this restriction of choice.
Samsung Collected Unnecessary Data
Samsung collected vast quantities of user data, most of which were unnecessary to run the app. The Magna Carta App served no useful purpose other than to capture user data, to control access to music downloads, and to provide incremental access to lyrical content in exchange for access to social media accounts. After the user finished downloading content and sharing information, the Magna Carta App served no purpose at all—the music became part of the user’s regular download library.
Samsung had other primary means of distributing digital music and lyrics that did not involve sharing extensive personal data. Much of the data collected, e.g., account usernames and passwords, in no way supported the implied entertainment purpose of the Magna Carta App. Public policy establishes that companies should operate according to reasonable data collection limits. Samsung did not establish reasonable data collection limits in the App.
Samsung Did Not Immediately Discard Unnecessary Personal Data
Samsung retained the data it collected from consumers even after that data no longer aided the functionality of the Magna Carta App. Public policy establishes that companies should operate under sound data retention practices and data minimization procedures. In violation of FTC precedent and firmly established public policy, Samsung did not incorporate data minimization procedures into its data collection practices.
The Magna Carta App Interfered With the Users' Ability to Operate Their Smartphones
The Magna Carta App unfairly interfered with mobile device functionality, and in ways that users could not reasonably have expected. For instance, the user had to agree to allow the Magna Carta App to accept cloud-to-device messages sent by the App’s service. The Permissions explanations page noted, “Using this service will incur data usage. Malicious apps could cause excess data usage.” The Magna Carta App affected the smartphone’s battery by controlling the device’s vibration and preventing the device from going into “sleep” mode.
The Magna Carta App also affected the device’s speed and efficiency. The last term on the Permissions page noted, “[This permission] allows the app to have itself started as soon as the system has finished booting. This can make it take longer to start the device and allow the app to slow down the overall device by always running.” This activity is likely to cause substantial injury to consumers. (“Substantial injury” has been found where unauthorized implementation of anti-spyware software on users’ computers affected the computers’ functionality.)
However, users could not switch off or opt out of any of these functions. All of the Permissions were prerequisite for the user to run the Magna Carta App. Consumers who wished to use the Magna Carta App could not do so without allowing the software to access their personal information. If a person is subject to the potential for "always on" recording, that fundamentally alters how that person behaves. Privacy is the ability to control how and to whom one expresses oneself. If a person cannot control to whom they are expressing themselves, they will tailor the nature of their expression. Without the ability to control one's audience, individuals will fear reprisals for non-conforming, unusual, or unprofessional behavior. The resulting chilling effect will stifle creativity, innovation, and self-discovery.
In Path, Inc., the Commission required that a social media application display a prominent explanation of the types of information it collected. The version of the application that could be installed on a mobile device would gather information from the user’s address book and contacts lists. The Commission explained, “The feature provided users with three options: ‘Find friends from your contacts;’ ‘Find friends from Facebook;’ or ‘Invite friends to join Path by email or SMS.’ However, Path automatically collected and stored personal information from the user’s mobile device address book even if the user had not selected the ‘Find friends from your contacts’ option. For each contact in the user’s mobile device address book, Path automatically collected and stored any available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and dates of birth.”
In HTC America, Inc., the Commission found that mobile application providers may not misrepresent, even by implication, the security protections they use when gathering and storing user data. The Commission noted that HTC "failed to detect and mitigate these vulnerabilities, which, if exploited, provide third-party applications with unauthorized access to sensitive information and sensitive device functionality." The Commission also noted that HTC secretly installed Carrier IQ on its devices, which collected "GPS-based location information; web browsing and media viewing history; the size and number of all text messages; the content of each incoming text message; the names of applications on the user’s device; the numeric keys pressed by the user; and any other usage and device information specified for collection by certain network operators.”
The Obama Administration's Consumer Privacy Bill of Rights ("CPBR") lists "Respect for Context" as one of its seven principles. This principle provides that "Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data."
The CPBR lists "Control" as another of its seven principles. The Control principle provides that "Consumers have a right to exercise control over what personal data companies collect from them and how they use it." The CPBR establishes that "Companies should offer consumers clear and simple choices, presented at times and in ways that enable consumers to make meaningful decisions about personal data collection, use, and disclosure. Companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place." The CPBR states that, in cases involving sensitive data collection, companies should offer "fine-grained control of personal data use and disclosure."
The CPBR also lists “Focused Collection” as one of its seven principles. The Focused Collection Principle provides that “Consumers have a right to reasonable limits on the personal data that companies collect and retain.” Further, “Companies should collect only as much personal data as they need to accomplish purposes specified under the Respect for Context principle. Companies should securely dispose of or de-identify personal data once they no longer need it.”
Additionally, the Commission’s March 2012 report “Protecting Consumer Privacy In an Era of Rapid Change” sets out “Privacy By Design” as one of its three principles. “Privacy By Design” encompasses the principle of “Reasonable Collection Limitation: Companies Should Limit Their Collection of Data.” “Reasonable Collection Limitation” provides that “Companies should limit data collection to that which is consistent with the context of a particular transaction or the consumer’s relationship with the business.” The report further clarifies that “Reasonable Collection Limitation” is analogous to the CPBR’s “Respect for Context” principle.
The Commission has established meaningful consent as a foundational privacy practice. The Commission’s 2012 Privacy Report states that “a company should provide the choice mechanism at a time and in a context that is relevant to consumers - generally at the point the company collects the consumer’s information.” In particular, the Commission explained that “businesses should not offer consumers a “take it or leave it” choice when collecting consumers’ information in a manner inconsistent with the context of the interaction between the business and the consumer.”
The Commission has also identified “Sound Data Retention” as one of the defining principles of Privacy By Design in its 2012 report. The Sound Data Retention principle provides that “Companies Should Implement Reasonable Data Retention and Disposal Rules.” The report further clarifies that “companies should implement reasonable restrictions on the retention of data and should dispose of it once the data has outlived the legitimate purpose for which it was collected.”
EPIC is the group responsible for several of the Federal Trade Commission's major privacy decisions, including:
- Microsoft. FTC, "Microsoft Settles FTC Charges Alleging False Security and Privacy Promises: Passport Single Sign-In, Passport "Wallet," and Kids Passport Named in Complaint Allegations" (Aug. 8, 2002)
- Choicepoint. FTC, "ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress: At Least 800 Cases of Identity Theft Arose From Company's Data Breach" (Jan. 26, 2006)
- Google Buzz. FTC, "FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network: Google Agrees to Implement Comprehensive Privacy Program to Protect Consumer Data" (Mar. 30, 2011)
- Facebook. FTC, "Facebook Settles FTC Charges That It Deceived Consumers By Failing To Keep Privacy Promises" (Aug. 10, 2012)
"We are aware of the complaint filed with the FTC and believe it is baseless. Samsung takes customer privacy and the protection of personal information very seriously. Any information obtained through the application download process was purely for customer verification purposes, app functionality purposes, and for marketing communications, but only if the customer requests to receive those marketing communications," Samsung said in a statement to the L.A. Times. "Samsung is in no way inappropriately using or selling any information obtained from users through the download process."
"If Jay-Z wants to know about my phone calls and e-mail accounts, why doesn’t he join the National Security Agency?"
- Jon Pareles, music writer, New York Times
"This app's very existence is vaguely bewildering. The number of permissions it asks for verges on parody. Its (previous) ability to spam up your social feeds is obnoxious. Its presentation is perfunctory at best. It does nothing to protect the songs from downloading and sharing—of course, this would have happened with Samsung's cooperation or not, but if the point was "exclusivity," then somebody missed a memo somewhere."
- Andrew Cunningham, technology writer, Ars Technica
"When an artist self-identifies as a corporate entity, are we still Jay-Z fans? Or are we Jay-Z customers?
The answer to that late-capitalist riddle arrives with the rap icon’s insidious new album, “Magna Carta . . . Holy Grail” — which first appeared last week as a data collection exercise disguised as a smartphone app capable of delivering a bundle of mediocre rap songs to your mobile device."
- Chris Richards, music writer, Washington Post
"Such auto-posting is usually endemic to spam, not apps released by a major IT company and a top-selling pop artist."
- Robert Schoon, technology writer, Latinos Post
"Now consider the three-way trade that has been done here. Jay-Z gets paid directly for his music in a way that wouldn’t be quite so likely if he had to rely on traditional record sales and “traditional" digital downloads. You, the listener, get free (or almost-free) music, which is what you’re used to at this point. It’s a frictionless transaction, to borrow a Silicon Valleyism. And Samsung — which is not a cellular provider and would therefore not normally have access to this, I don’t think — gets some of that raw uncut data, which is all anybody wants anymore."
- Willy Staley, writer and editor at New York Times magazine
"I read this and .... "Naw I'm cool"
- Killer Mike, rapper
- EPIC Complaint to FTC, July 12, 2013
- Feds asked to investigate privacy issues in rapper app, Consumer Affairs, July 30, 2013
- From the Magazine: Lessons to Be Learned from the 'Magna Carta' App's Privacy Snafu, Billboard, July 22, 2013
- This Week in Cybercrime: Jay-Z and Samsung Face the Music Over Data Privacy Violations, Spectrum IEEE, July 20, 2013
- Jay-Z's 'Magna Carta' mobile app is too snoopy, privacy advocates complain, Naked Security, July 19, 2013
- Jay-Z Being Investigated For Privacy Laws?, Star Pulse, July 18, 2013
- Jay-Z's Samsung Magna Carta App Under Investigation, Vibe, July 17, 2013
- Should Jay-Z And Lady Gaga Fans Be Wary Of Downloading Album Apps?, Entertainment Wise, July 17, 2013
- Jay-Z's Magna Carta Holy Grail app under investigation, The Guardian, July 17, 2013
- Samsung denies Jay-Z Magna Carta app privacy claims, BBC News, July 17, 2013
- Jay-Z's Samsung App Under Investigation For Privacy Violations, Huffington Post, July 17, 2013
- Why Is Jay-Z’s Magna Carta Holy Grail Samsung App Coming Under Fire Right Now?, Dr. Jay's, July 17, 2013
- Privacy group calls for investigation into Jay-Z's Samsung app as album hits US number one, breaks streaming record, Complete Music Update, July 17, 2013
- Samsung calls Magna Carta Holy Grail privacy concerns “baseless”, Android Community, July 17, 2013
- Invasion of Privacy? Jay-Z's App wants to Know who You're Calling, EUR Web, July 17, 2013
- Jay-Z's 'Magna Carta Holy Grail' App: FTC Asked To Investigate Privacy Concerns, Latinos Post, July 17, 2013
- Jay-Z Scores 13th No. 1 Album With Magna Carta Holy Grail Amid App Privacy Flap, E Online, July 17, 2013
- Samsung Responds to Privacy Breach Allegations Against Jay-Z App, US Daily Voice, July 17, 2013
- Privacy Group Wants Jay-Z Samsung App Investigated, BET News, July 16, 2013
- Jay-Z's 'Magna Carta Holy Grail' App Under Investigation by Privacy Group, Rolling Stone, July 16, 2013
- Privacy group: Why does Jay-Z's app check who you call?, NBC News, July 16, 2013
- Privacy Group Asks FTC to Investigate Jay-Z's Samsung App, Complex, July 16, 2013
- Jay-Z App Has Privacy Problems, Group Tells FTC, Law 360, July 16, 2013
- Jay-Z Samsung app 'intrusive', angers privacy group, Digital Spy, July 16, 2013
- Privacy Group Files FTC Complaint Over Jay-Z's Android App, Ubergizmo, July 16, 2013
- Jay Z's Magna Carta Android app is slammed over privacy fears, The Inquirer, July 16, 2013
- Rap for rap chap in crap rap app flap: Jay-Z blasted by privacy bods, The Register, July 16, 2013
- Privacy Group Requests FTC Investigation On Jay-Z's "Magna Carta" App, Hot New Hip Hop, July 16, 2013
- Remember Jay-Z’s terrible Android app? Privacy group wants feds to investigate, Ars Technica, July 15, 2013
- Privacy group calls for FTC investigation of Jay-Z app, Los Angeles Times, July 15, 2013
- Jay-Z App, Amazon Extension Slammed On Privacy, Information Week, July 15, 2013
- Was Jay-Z's Magna Carta app bad design or a sleazy data grab?, The Verge, July 12, 2013
- Jay-Z ‘Magna Carta . . . Holy Grail’ review: When fans are reduced to customers, The Washington Post, July 8, 2013
- Samsung Botches Jay-Z App Launch?, Forbes, July 4, 2013
- Jay-Z Is Watching, and He Knows Your Friends, New York Times, July 4, 2013