L'Équipe, first in sport, first in surveillance

L'Équipe's iOS app leaks my personal data upon launch

After investigating a French media (Le Figaro), then a famous streaming service that I subscribe to (Spotify), let's now study THE French sports newspaper: L'Équipe. As a subscriber to L'Équipe, I have already installed the iOS app. To get a feel for what a fresh install looks like, I delete the app first.

So let's install L’Équipe’s iOS app and check whether third parties can track me. To do that, I follow these steps:

Close any apps running in the background.
Launch the Charles Proxy application and start the capture.
Launch the L’Équipe application.

I'm logged straight in because I'm a subscriber — deleting the app earlier hadn't removed all my data. And I'm greeted by a clearly visible consent banner:

Consent banner L’Equipe

Still, you can see that the "accept" button is highlighted, while L'Équipe offers no "refuse" button, only an inconspicuous "configure" one: a good example of "Dark Pattern".

If I don't click "configure" but simply scroll the page or click to read an article, the consent banner disappears. L'Équipe exploits a loophole in the rules, still tolerated by the CNIL, under which a simple scroll on the page can be treated as consent (read my article on the lie of consent banners).

So let's click on "configure":

L'Équipe configures

We see yet another example of "Dark Pattern" with the "accept all" button clearly highlighted compared to the "refuse all" button. I click on "refuse all" and am redirected to the L'Équipe homepage.

I then stop recording my Charles Proxy session and send the logs to my computer for analysis:

L'Équipe Install

Surprise, despite my refusal of tracking, I am being tracked by several third parties:

Google : you can't escape the Mountain View giant. L'Équipe calls several Firebase services here, Google's toolbox for developers, including Crashlytics (crash reports) and Remote Config (which lets L'Équipe personalize its application without publishing an update).
Facebook : you can't escape the Menlo Park giant either. L'Équipe calls Facebook's developer toolkit, and Facebook then tracks your every move, logging each article you read.
Amazon : yes, L'Équipe pulls off the feat of leaking your personal data to 3 of the 4 GAFA companies, even if you are a subscriber! L'Équipe uses Amazon Transparent Ad Marketplace, Amazon's header bidding solution (programmatic advertising monetization). Problem: I am a subscriber, so I do not see ads, and I had already refused advertising tracking.
Wonderpush : I refused notifications but L'Équipe leaks my personal data to a notification service.
AT Internet : a Bordeaux-based analytics solution, which therefore receives all my browsing activity.

I refused tracking, but L'Équipe considers that I accept the tracking of 512 companies

Having just installed L'Équipe and refused tracking, I read a few articles and watch the new requests L'Équipe sends:

L'Équipe connects

The list of trackers is growing, new companies are tracking me:

Weborama : a French data marketing company. Weborama enriches and sells your profile. It also offers tools for advertisers and agencies, such as a Data Management Platform (to segment users and then retarget them) and an ad server (to distribute ad campaigns and measure their effectiveness).
SAP : via Gigya, acquired by SAP in 2017. SAP is a CRM giant (and Salesforce competitor) which, thanks to Gigya, offers a "Customer Data Platform" designed to profile you, track all your interactions and retarget you more effectively.
Dailymotion : L'Équipe's video player. Dailymotion may have lost the match against YouTube long ago (and continued to decline after its acquisition by Bolloré), but that does not stop it from selling its white-label player to media companies and tracking you to feed its advertising business.
Médiamétrie : via estat, audience measurement tool.
Comscore : via scorecardresearch.com, a marketing giant which can profile you on L'Équipe.

Let's look in detail at the information sent to Didomi, the French consent management platform of L'Équipe (via the domain api.privacy-center.org):

Didomi consent

Didomi follows the IAB Transparency & Consent Framework, which is supposed to allow all parties in the digital advertising chain to ensure compliance with the GDPR and the ePrivacy Directive, in the IAB's words (the adtech lobby). Let's look at what Didomi stores after my refusal of consent:

purposes: the purposes I authorize or not, here all purposes are correctly refused.
vendors: the companies that I authorize or not. The screenshot is cut, but L'Équipe via Didomi considers that I have given my consent to be tracked by 512 adtech companies (list of company identifiers entered in the “vendors”: “enabled” table)!

How is it that L’Équipe allows these 512 companies to track me when I refused tracking?

An obstacle course to find the consent banner

In order to find the "consent banner" and check if I have not missed an option to block these 512 companies, I have to go to "menu", then scroll to the bottom to unfold the "legal notices" menu and finally "cookies management". There, while scrolling again in the “Cookie policy on Lequipe.fr” page on my iPhone, I find the CMP (Consent Management Platform) link and click on it:

refusal consent

L'Équipe offers yet another magnificent "Dark Pattern": I have to click on "By all our partners - See" (which I deliberately framed in red) to understand that I have not fully refused tracking, and that I would supposedly have consented to these 512 partners:

all our partners - consent

I hasten to refuse these partners and then save the change.

But L’Équipe continues to leak my personal data

I then close the app, relaunch it and read a few articles to check the tracking:

L'Équipe tracking off

Nothing changes, L'Équipe continues to leak my information, as if I had always said yes to the sale of my personal data.

On the lequipe.fr website, the Wild West starts on the homepage

In order to understand if L’Équipe also abuses tracking on its website, here are the steps to follow:

Disable your adblocker.
Delete cookies on Chrome (Settings > Advanced settings > Clear browsing data), so you are logged out of your Google account.
Open the Chrome console (⌘+Option+J on Mac, Ctrl, Shift and J on PC), “Network” tab or launch Charles Proxy.
Then go to the home page lequipe.fr.
Do not browse the site; just observe the different third-party companies that track you.

You can already see that without an adblocker, the user experience is catastrophic, with the content hidden behind ads and the consent banner:

L'Équipe home page

Your personal data enriches so many companies that I was forced to delete certain requests and take 2 screenshots:

L'Équipe web tracking home 1 L'Équipe web tracking home 2

Before you can even read the main headlines, you are already being tracked by:

Google : omnipresent on the web, L’Équipe monetizes its advertising inventory via Google Ad Manager, measures your behavior on its site via Google Analytics and relies on AMP to speed up article loading times on the mobile web.
Weborama : the French “Data Marketing” company profiles you on the L’Équipe app as well as on its website.
Oracle : via its acquisition of Grapeshot, a company specializing in contextual advertising. Grapeshot provides adtech players with contextual information about the pages you visit, which can then enrich your profile. Here are official detailed explanations of how it works, as well as a Grapeshot interview by Ciaran O'Kane. Oracle has diversified into adtech through successive acquisitions; it no longer only sells databases. Here is how it presents its surveillance marketing offer : Oracle Data Cloud is built on technologies created by six different acquired companies, each a leader or pioneer in its field.
Realytics : a French solution for measuring the performance of TV campaigns.
ACPM : formerly the OJD, a professional association of French media, whose role here is to certify the sites' audience figures.
Bluekai : another Data Marketing company acquired by Oracle. It allows its customers to build and enrich your profile in order to target you more effectively.
Facebook : also omnipresent, L'Équipe uses one of its building blocks for websites, which ensures Facebook misses none of your browsing.
AT Internet : via the xiti.com domain, the Bordeaux analytics company also collects your web browsing.
Kameleoon : French A/B testing and website personalization service, profiles you in order to provide you with the version of the site that will work best for L'Équipe's objective (example: subscription).
Integral Ad Science : via the domain adsafeprotected.com, a solution for verifying the ads that get served. Integral Ad Science measures ad viewability, whether an ad is shown to a human (and not a bot), and whether the context it appears in is suitable for brands (who want to avoid streaming, porn or illegal content).
MediaSquare : via the domains audiencesquare.com and mediasquare.com, an advertising monetization platform made up of several French media groups. The goal was to join forces against Google and Facebook. This alliance makes less and less sense today, because most advertising opportunities are sold individually by publishers on the “programmatic” market (RTB). For the record, MediaSquare is the merger of 2 competing groups, La Place Media and AudienceSquare (originally: a squabble between Parisian media).
Pubstack : a French "header bidding" solution. What does that mean? L'Équipe queries several advertising monetization platforms, which then query multiple advertising inventory buying platforms, all to show you an ad. In the meantime, your personal data has been leaked to hundreds of players (on this subject, watch the Brave browser's video, “Data-Leakage in Real-Time Bidding”).
Rubicon : an advertising monetization solution, tracks you on a wide range of websites and leaks your personal data to numerous purchasing platforms.
AppNexus : another advertising monetization solution. AppNexus also offers an ad inventory buying platform, is now called Xandr and has been acquired by the American telecoms giant AT&T.
Wonderpush : the notification service already seen on the L’Équipe app.
Dailymotion : whether you watch videos on the L'Équipe app or website, Dailymotion enriches your advertising profile, and even synchronizes it with advertising space purchasing platforms.
Moat : via the domain moatads.com, also bought by Oracle. Moat is a competitor to Integral Ad Science. It offers fraud prevention solutions, but its specialty is viewability measurement (whether the ad is visible on your screen or hidden).
Comscore : American giant of media planning, Comscore profiles you on many websites.

This list of trackers is not exhaustive because if we repeat the test, new advertising companies appear.

Refusal of consent is almost impossible, on the web too

As on the L'Équipe application, let's try to refuse the leak of my personal data by clicking on "configure" from the consent banner (and yes, no refuse button). You must then click on “Refuse” for the 5 purposes:

L'Équipe web consent refusal - step 1

You might think that's enough, but the L'Équipe app experience taught us about the "Dark Pattern" in the Didomi CMP implemented by L'Équipe: you now need to click on "see our partners", then click again on "block all":

L'Équipe web consent refusal - step 2

Finally click on "save", then a second time on "save": in total, it will have taken you 11 clicks to refuse consent (!) compared to one click or even a simple continuation of navigation via a scroll on the page to “consent” to being tracked by dozens of companies.

A note on these "Consent Management Platforms" (Didomi is not alone in letting its clients offer these "Dark Patterns", we noticed the same problem with SFBX on the Le Figaro site): if L'Équipe has properly configured Didomi to make refusal of consent almost impossible, Didomi should not offer this option (and the CNIL should investigate the few CMPs on the market to force them not to offer "Dark Patterns"). In other words: L'Équipe is indeed responsible, but Didomi should also be responsible.

Refusing consent on the web is of no use

What happens now when you view articles? As with its iOS app, L'Équipe does not hesitate to continue leaking your personal data, even though you have explicitly refused tracking:

L'Équipe no consent 1 L'Équipe no consent 2

We find many of the third parties already seen, and some additional trackers:

LinkedIn : do you have a LinkedIn profile? You are also profiled through your web browsing, LinkedIn sells your profile to advertisers.
Adomik : French solution to optimize advertising monetization, offers a header bidding solution and analyzes the performance of different advertising monetization platforms.
Outbrain : world leader in sponsored-link recommendations — those clickbait articles at the bottom of the page? That's usually them!
SpotX : via the spotxchange.com domain, acquired by RTL Group, an advertising monetization platform specializing in video.
Zemanta : bought by Outbrain, an ad inventory buying platform specializing in native advertising (ads that mimic the look and feel of regular content, such as ads on Facebook or Twitter).

Connected to the web but still monitored

I now log in to my L’Équipe account. As a reminder, I refused all trackers and I pay for my subscription to L'Équipe every month, so I do not receive advertising. But once again, this does not prevent L'Équipe from leaking my personal data to Google, Facebook, LinkedIn, Comscore, Dailymotion, AppNexus, AT Internet, Adomik and Médiamétrie:

L'Équipe web connected

Paying and refusing trackers is therefore not enough to prevent L'Équipe from leaking your personal data.

The lies in the privacy policy

If we now read L’Équipe’s privacy policy, and search for “advertising”:

confidentiality - L'Équipe

L'Équipe therefore declares that it has your consent to profile you and display advertising. As we have seen, L'Équipe leaks your data to numerous players (Google, Facebook, Amazon, Weborama, Comscore, SAP) who carry out advertising profiling without your consent.

L'Équipe also declares that you can manage advertising cookies in the cookie information page or report your opposition to advertising profiling in your account, but we have already seen that nothing works.

Beyond these lies, L'Équipe seems to forget that the world has changed and that its content can be viewed outside a browser. There is no mention of iOS or Android applications in its Privacy Policy, its Cookie policy or its "use of cookies" page.

A necessary clean-up of media sites

We had already seen with Le Figaro that advertising surveillance is widespread on media sites. L'Équipe follows the same pattern and adds one extra twist: being a subscriber and not seeing ads is not enough to limit tracking. As we have seen, L'Équipe shows contempt for you and your privacy on several levels:

L'Équipe leaks your personal data as soon as the website or iOS app is launched, even before you can give your consent.
L'Équipe and its partner Didomi do everything to prevent you from refusing consent.
Even if you have refused consent, L'Équipe continues to leak your personal data.
Even if you are logged in and paying, L'Équipe continues to leak your personal data.
L'Équipe's privacy policy seems to forget the world of apps, and lies to you by claiming it asks for your consent for advertising profiling.

Without penalties from the CNIL, and despite the degraded user experience, L'Équipe is unfortunately unlikely to change. As an individual, you can install an adblocker such as uBlock Origin on the web or apps such as DNSCloak, Adguard or NextDNS on iOS.