Jawaker, a card game application popular in Arabic-speaking countries, was recently sold to the Swedish company Stillfront. It would be interesting to see if the company will respect the data of users in the Middle East.
In May 2020, SMEX ran a technical analysis on Jawaker’s security and privacy and found some critical issues that had not been addressed. We brought forward the underlying vulnerabilities to the public after the app had witnessed a surge in popularity at the height of COVID-19. Today, we analyzed Jawaker again and provided updated recommendations for the app’s team and its new owner, Stillfront.
Privacy Policy Review
Jawaker had previously published a privacy policy that adheres to the laws of its country of origin: Jordan.
Since the app operates outside Europe, the Swedish company has no obligation to follow the General Data Protection Regulation (GDPR), which must be implemented when writing and publishing privacy policies. The GDPR entails different requirements from those under Jordanian law. Yet, it would be interesting to examine whether Stillfront managed to update its privacy policies in line with the latest legislation that would protect users’ rights and safeguard their data.
Data Collection
The company states that its privacy policy applies to websites, games, stores and other services related to Jawaker, and that users’ personal data will be collected on all these platforms. Yet, Jawaker fails to identify its data protection officer or a contact within the company who would handle concerns around data privacy and security. This is relevant as the app collects a significant amount of personal information, such as players’ device model, device ID, advertising ID, operating system, carrier, browser type and language, IP address, and approximate location data derived from that IP. This data expires automatically two years after a user becomes inactive, which is the average retention period for users’ data in an automated system.
Jawaker’s privacy policy also thoroughly describes the purposes for which an individual’s data is collected. For example, a user’s data could be used to create an account to play the games Jawaker provides, to customize the player’s service experience and to deliver, target and improve advertising campaigns, among other reasons. Nevertheless, it fails to mention any type of legal basis for processing personal data and information. It is worth mentioning that the privacy policy does include a commitment to security of information, to “ensure data privacy and security, including through various hardware and software methodologies.” However, the company did not include in its privacy policy a commitment to minimize collection of data to what is directly relevant and necessary to accomplish a specified purpose.
Third Parties
Regarding third parties, the privacy policy states that the company would never release or sell personal information to any third party. Nevertheless, it mentions a few exceptions, such as meeting any applicable law, regulation or enforceable governmental requests. At the same time, it does not reveal details regarding any transfer or sharing of personal data and the safeguards taken, nor does it mention recipients or categories of recipients of an individual’s data.
Data Subject’s Rights
In principle, the data subject should have the right to lodge complaints with a supervisory authority, to know whether the provision of personal data is a statutory or contractual requirement, and to know their rights. In the Jawaker privacy policy, these fundamental rights are absent, and the policy only mentions the right to withdraw from push notifications, without mentioning withdrawal of consent with regard to sharing data and personal information.
Conclusion
The Jawaker privacy policy tries to create a safe playing space by creating a list of rules and stating the subsequent consequences of noncompliance. It thoroughly mentions the data collected by the application, but it does not provide a legal basis for this collection, nor does it provide data protection mechanisms in accordance with the GDPR.
In addition, the privacy policy does not mention the data subject’s rights, thus failing to provide a proper remedy system for the players. In order to conform with European laws and to protect users’ rights and data, Jawaker will have to update their privacy policy to meet GDPR requirements.
Jawaker should adhere to the latest cybersecurity measures and protect the privacy of their users in a transparent way. The app should also be regularly patched with the support of a dedicated security team.