Paléo is watching you

TL;DR: The Paléo Tickets app, now mandatory to enter the festival, uses the location tracker Kontakt, specialised in tracking people and devices indoors. This also works with festivals and can be useful to the Paléo for measuring attendance in certain areas in real time. But can also easily be linked to identities through the personal information provided with the tickets. This could make it possible to track the movement of individuals in the festival and abused for marketing or surveillance.

The city of Nyon in Switzerland is hosting right now it's yearly music festival Paléo. Last year's event was cancelled due to Covid, giving more time to the organization to bring new improvements. One of these is the digitalisation of tickets via a dedicated app, the Paléo Tickets App available on iOS and Android, mandatory to enter the festival.

The usage of the app is being justified to reduce fraud, but this has already been addressed by having named tickets (non-transferable after printing). If you happen to not have a smartphone, it is suggested to use a friend's device. Alternatively, it is possible to request tickets in PDF format (to print) by writing to the festival's ticket department. When it comes to data collection from the app, Paléo briefly tells us in the FAQ:

You'll be asked for your first name, last name, address and e-mail address. This data is stored securely and will only be used for your identification in the app. Your data will never be passed on to third party companies. Location and Bluetooth services are not mandatory. However, we recommend that you authorise them on arrival at the Festival to facilitate access to the event.

The relevance of using location and Bluetooth services for a ticketing app is questionable. Presenting and validating a ticket should not require these services and the app contains no user facing features to facilitate the access to the event. Could it be for measuring attendances in certain areas of the festival? Paléo already did this experiment in partnership with the EPFL back in 2013, passively tracking people's Bluetooth MAC addresses (for those who had it enabled) to observe the crowd's flow. This year, with the app being mandatory and potentially having access to more information on the device and user but also control over certain functionalities of the device, the scale of this type of tracking could be way larger and more precise.

Maybe it's time to download the app and run it for myself. I'm running LineageOS with no Google services. I have to use a proxy such as Aurora Store to get the app which is easily done. But first surprise, I can't run it. I'm presented with an error message saying that I cannot run this app on rooted devices, which mine isn't but I'm also not running the most standard setup...

With not many options left to see what the app is doing, I'm turning myself to the reviews. The score is low due to people having issues retrieving their tickets but there are a few relevant parts on what the app is doing. Apparently, giving permissions to access your contacts is required for it to work. Position is also asked but if denied it still works. The app's page on the Play Store indicates advertisements but users report that there aren't any ads (it would be strange for a festival ticket app to display ads).

So what's in it? A quick look at the Exodus privacy scanner reveals the following trackers: Google Firebase Analytics, Adobe Experience Cloud and Kontakt. The last one is quite particular as it's an SDK used for tracking people indoors which also theoretically works for festival terrains. Looking at the permissions, we can see that the app requires 15 (!!), some of which are also raising questions for a ticket app: Read/write contacts, Bluetooth admin (allowing to initiate device scans and change Bluetooth settings), approximate and precise location, camera or also network state (which can be used for device tracking via WiFi).

Let's dig deeper and unpack the APK file, see what else the app includes and what it does. Doing this, I discovered that the app was written with Flutter. It also contains the SDK for the Swiss Government Covid pass checker as well as the library for Google Ads (which is not used). It also bundles all the translations for other events using the Tixngo service (developer's of the app, part of SECUTIX) such as the Stade de France.

Reading the de-compiled source code would take some time and I haven't done it fully. I read some sections but couldn't piece things together entirely giving me only room for assumptions and also advice to the organisation of the Paléo Festival.

In itself, the app does way more than what it advertises to do. The lack of transparency in that regard is concerning. Despite finding no reason for accessing contacts, it is definitely justifiable to want to follow the movement of crowds in a festival to better respond to the flow of people. But the flip side of this is creating a system that gives room to abuse. All the data and technical capabilities are there. Whether they are linked together is something I cannot say. But if it is the case, and the barrier to this is little to none existent, the breach of privacy is immense. Even without PII linked to location data, the app and festival should inform users and ask them for consent or give the possibility to opt-out. Not doing so just raises questions and mistrust.