If ever there were a case for rejecting requested device permissions, it’s made by an Android app with more than 10 million downloads from Google Play. The official app for the Spanish soccer league La Liga was recently updated to seek access to users’ microphone and GPS settings. When granted, the app processes audio snippets in an attempt to identify public venues that broadcast soccer games without a license.

According to a statement issued by La Liga officials, the functionality was added last Friday and is enabled only after users click “yes” to an Android dialog asking if the app can access the mic and geolocation of the device. The statement says the audio is used solely to identify establishments that broadcast games without a license and that the app takes special precautions to prevent it from spying on end users.

According to the statement, which was translated by Google:

La Liga has implemented appropriate technical measures to protect the user's privacy if you authorize us to use this functionality. Here are the following measures: La Liga will only activate the microphone and geolocation of the mobile device during the time slots of matches in which La Liga teams compete.

La Liga does not access the audio fragments captured by the microphone of the device, since these are automatically converted into a binary code on the device itself. La Liga only has access to this binary code, which is irreversible and does not allow to obtain audio recording again.

If this code matches a previous control code, LaLiga will know that you are watching a particular match. If it does not match, the code is deleted.

The codes will not refer to your name, but to your IP address and the specific ID assigned by the APP when the user registers.

We will periodically remind you that LaLiga can activate your microphone and geolocation and we will ask you to confirm your consent.

You may revoke your consent at any time in the settings of the mobile device.

Without more details and a technical analysis of the app, it’s hard to evaluate the claims about collected audio being converted to a binary format that can’t be converted back into sound. That alone should be enough reason for users to reject this permission.

But even if the app uses a cryptographic hash or some other means to ensure that stored or transmitted audio fragments can’t be abused by company insiders or hackers (a major hypothetical), there are reasons users should reject this permission. For one, allowing an app to collect the IP address, unique app ID, binary representation of audio, and the time that the audio was converted could provide a fair amount of information over time about a user. For another, end users frequenting local bars and restaurants shouldn’t be put in the position of policing the copyrights of sports leagues, particularly with an app that uses processed audio from their omnipresent phone.

A Google spokesman didn’t have a comment on the app other than to refer to this policy, which is binding on all apps available in the Play marketplace. Among other things, the policy requires that apps prominently disclose any collection of personal or sensitive user data. Such apps must also present a consent dialog in a “clear and unambiguous way.” The policy also bars deceptive behavior.

If the La Liga app does what league officials say, it’s probably complying with Google terms. Fortunately, those terms require that the app provides a consent dialogue. That puts the onus on users to choose “no.”