I’m not really sure who this article is trying to convince. Besides, who thinks it’s the “phones” listening to us? It’s the apps that do the listening. Only recently are iOS and android finally clawing back errant permissions on these apps to prevent such behavior.
> The security specialists kept apps open for Facebook, Instagram, Chrome, SnapChat, YouTube, and Amazon with full permissions granted to each platform.
If you read the article, test were conducted with some popular apps open (e.g. facebook). “My phone is listening” is just shorthand for “various apps on my phone are listening, i’m not sure which ones but ads for things i’ve never looked at online keep uncannily showing up after i talk about them”.
A possible route for this info that I've considered is that whatever service is serving you ads knows who your friends are and perhaps they are interested in this thing you spoke of together.
That or you and I are just a lot more predictable than we think (which is actually what I think).
I know someone who worked at Qualcomm with access to that baseband code, who had a personal project to scan it for backdoors. He came up empty. So if they are there, they are subtle. At least in Qualcomm basebands. Exploits probably provide all the backdoors the spooks need.
* Firmware is patched after the fact either by inserting a backdoor into the build process, or binary patching the resulting firmware image. Such an operation is likely to be compartmentalised to avoid employees knowing about it.
* Intelligence agencies seed online discussions with false assurances (note that I'm not suggesting any wrongdoing on your part - merely pointing out that an anonymous forum post is hardly verification that can be relied upon).
That said, I do agree that exploits are likely sufficient, and that planting a mass backdoor is probably not worth the risk of it being detected.
I was in fact referring to exploits in my post. That's typically how NSA and GCHQ operate these days: either find exploits, or if a sufficient number can't be found, have some hard-to-detect exploits inserted into the code by operatives or as part of unrelated bug fixes.
There's also hardware exploits. The firmware doesn't need to have a back door if a certain sequence of packets sent to the network controller will cause key memory to be overwritten and live patch in a backdoor.
Agreed, hardware backdoors are very possible, but software is much cheaper to mess with. The spooks have in the past shown a preference for hardware jimmying, but those have been one-off cases.
That said: monkey-patching is much more easily concealed than hardware or source-code changes, and is more in line with how US spooks have been seen to operate.
the fact that both for android and for iphone seperately, there is a correlation with sound / silence and data usage, even if in the opposite sense. why did this not at least prompt the investigator to dig deeper?
Android runs on a processor that operates, or not, at the pleasure of the baseband processor. The latter has complete access to all memory, and complete control over the Android's CPU cores. Android and the cores it runs on have no access to the baseband processor's memory, or any control over its execution.
This is funny. You can review the audio files Android records online. This feature is completely unknown to my parents, secretly maybe a strong word though.
> Interestingly, the study found that most of the android phone apps seem to consume significantly more data in the silent rooms with many iOS apps using more in the audio-filled rooms.
Disturbing. The fact that there is a difference suggests that they are doing something with microphone input...
> For 30 minutes they played the sound of cat and dog food adverts on loop.
I feel like this could’ve been more similar to what was being suggested, adverts or background TV/radio isn’t what any ad-driven telemetry is going to be interested in. Definitely not discounting the research, just seems like this element could’ve been improved.
It's not a myth though. After GDPR and Google added the new privacy tools to their accounts I was able to hear the audio files it had "accidentally" recorded of me.
Usually I just heard ambiant noise like computer, media, some distant talking. My naive assumption was that it had misfired on "OK google" and recorded for a few seconds to see if I'd give it a command.
I've never opted-in for any OK google type service or device but I did own two vanilla Pixel devices.
I've since opted-out of such recordings and it appears that Google has made no more recordings of me since then.
In other words, not a myth at all. "It's not the phones listening, it's apps on the phones. And maybe also the phones, when somebody cares to snoop."
Likely snooping happens more when phones are moving, and not lying about in a room with recognizable recordings playing, and that belong to people somebody cares to snoop on.
But it is true that readily available metadata being deliberately sent by users, via clickstream, is much easier to extract usable detail from.
My wife and I were watching John Wick and got to talking about owning a handgun. The next morning my facebook feed was showing me marketplace listings for holsters.
These kind of corrolation incidents are why the myth exists. The truth is that advertising companies like Facebook don't need to listen to us. They already know more than enough personal information about us to target ads.
Shame about your downvotes -- I guess people don't want to believe that vac. scepticism can be a reasonable conclusion from limited evidence.
Well: it is. Autism is a childhood disorder (therefore) whose symptoms usually follow vaccination. It is not unreasonable to hypothesize a causal link.
It may be unreasonable to maintain it in light of other evidence (eg., no difference in rate amongst the non-vax'd). But people don't live in the macro (ie., comparative contexts) they live in the micro (ie., their own experience). And its hard to communicate macros to micros.
Well this instance spooked me because I hadn't done any kind of lookup for anything "gun" related. While anything I search for is usually what shows up in my feeds. I'm usually not a "tin-hatter" and seems far-fetched, but it spooked me.
From an advertisement standpoint, there is so much noise in a microphone signal. It would be helpful for large-scale surveillance so a human could pin-point individual persons-of-interest and listen to what they're saying (big brother style). But that's not how advertisements work.
For me, until now, this kind of target has only lead to funny anecdotes. Like telling a friend on Whatsapp I just bought new shirt only to receive shirt ads for weeks. Well, too late. Another one is receiving cat food ads because I send a pic of the cat I was feeding while a friend was in vacation. Fail again, I do not own a cat. Good try anyway.
But I recon, you're case is creepy. But more likely that the VOD service you use sent data to Facebook.
Frequency illusion or Baader–Meinhof effect: The illusion in which a word, a name, or other thing that has recently come to one's attention suddenly seems to appear with improbable frequency shortly afterwards (not to be confused with the recency illusion or selection bias).[51] This illusion is sometimes referred to as the Baader–Meinhof phenomenon.[52]
The information that you've watched that movie likely went into the ad-placement algorithm and it then may have decided that you could be interested in guns.
Now, is this reassuring? Maybe the ad-placement algorithm with all the data available is much better at knowing who you are and what you want that than recording audio, and extracting meaning from it.
The insistence, in the absence of concrete evidence, that tech companies are using illicit speech recognition is a symptom of tech illiteracy in the broader population. People are basically anthropomorphizing their phones - since humans acquire most of their knowledge by listening to others talk, people irrationally assume that the machines must be operating using the same methods. They don't quite grok that there are other less anthropomorphic, less intuitive, but more sophisticated methods for apps to make inferences about you without having to listen to you talk.
I saw some guy on Reddit once triumphantly declare he had proof that Google (or Facebook?) was listening to his microphone because he started receiving Spanish language ads after he began working at an office with a bunch of Spanish speakers. Come on dude, you share a wifi network with them, your GPS location overlaps with theirs 8 hours a day, and you presumably frequently send/receive emails from them. Facebook/Google doesn't need to listen to your mic to know that you have a bunch of Spanish speakers in your social network.
We're long past the days when you had to be paranoid and 'computer illiterate' to believe computing devices couldn't pick up speech.
For a decade or more vendors have been shipping voice recognition technology onto consumer devices, with less and less friction to operate, actively attempting to make it part of very common device interactions.
Now the only questions are:
A. Do these omnipresent hot mics have adequate access control?
B. How many parties have access to them, and
C. Are these parties worthy of being trusted with such responsibility?
Not just Intelligence agencies, if I remember correctly FBI used switched off phones to record mobsters. But I can't find the link now, hope it was not a hoax.
The notation that phones that secretly listen to us, because the big tech companies are evil and they do it because they can - may be a complete myth.
But the notation that phones, due to their system insecurity, widespread of malicious applications, the reliance of voice recognition over 3rd-party servers (and in turns, their insecurity), and the ethical problems of handing training data and samples, are all avenues that can be easily exploited to secretly listen to us, is very true.
Overemphasizing the first notion while downplaying the second one is a way to manipulatively shutdown the public concerns over privacy issues.
Even if there were not already ample evidence that phones do listen to us, the very publishing of this article would basically be a blaring confirmation.
This feels like it was dictated to the writer directly by a not-super-competent intern at an intelligence agency.
Then how do they explain the third party company with audio recordings from Facebook?
Plus sending full audio recordings to a server would be somewhat odd, isn't collecting key words converted in text and sending that a lot more plausible?
So, there are hardware in phone whos job is to recognize trigger words and phrases like "Hello Google" , "Alexa" and "Siri" and wake up the phone so it can listen to the users request. They probably have limited memory, but I would not be surprised if they can store a few hundred low quality rules for detecting certain words. The ad-network already have a profile on you, and could compile a list of trigger words you are likely to use based on your profile. They upload this list to the phone, and lets the phone build up a frequency list that they can use to better target you with ads you are likely to click on.
All this would just require a few thousand bytes transferred between the phone and the ad-network. Since they are using information they already have about you, and there are little or no additional CPU or network usage it would be really hard to detect.
Short summary: I received in my Google news feed a story about something I would never expect to see in my news feed. The only rational explanations I could think of were that (i) Google had eavesdropped on an earlier conversation, or (ii) Google had received the full data for an offline credit card purchase in a bricks and mortar store made with a credit card which had been saved in my Google profile.
Full story: My wife went to a bricks and mortar bookshop to buy a boy's birthday present. In the bookshop, our daughter said he liked football, so she bought a children's book by an English footballer. She did not know what to buy beforehand, and did not look the author up online afterwards, so there was zero online footprint for the transaction. When she got home, I asked what present she'd got, and she told me it was a football book. When she told me the author's name, and I said I'd never heard of him, joking that the only footballer's names I knew were Scottish footballers from the 1980s that I'd memorised to try to fit in at school. Again this conversation had zero online footprint. The next day there was an article in my Google news feed about that specific English footballer. I don't recall ever seeing any football related story in my newsfeed, so would never expect to have seen that specific footballer appear by chance.
I'm inclined in this case to believe it was Google buying data on credit card transactions for credit cards linked to the Google account. I keep on meaning to ask around if anyone knows if Google do this. Perhaps someone here knows?
Is it possible that there's a missing step where before any of this happens there's a story on google about the footballer which your wife read/saw so when someone says "buy a book about football" and that name appeared for it in the shop it was the one she picked up?
Pretty sure that wouldn't be the case - neither of us have any interest in football, to the point that if we ever saw anything football related in a news feed or advert or whatever we'd have noticed because it would have been so odd.
It's interesting to see how slowly we are all catching up to what is going on behind the scenes, and how we all struggle to come to terms with the implications.
Thanks for the link. Certainly sounds feasible. FWIW the credit card used for the purchase was a Mastercard. This would definitely go beyond what is described in the article though because (i) I'm pretty sure neither of us were shown any online adverts for football related children's books prior to going into the store (if we had they'd have stuck out like a sore thumb among all the unicorn, pony, fairy etc. children's books we normally see based on our purchase history), (ii) to target an individual's newsfeed the Mastercard data can't have been anonymised.
Oh yes! "We monitored a few phones for a few minutes and are now so convinced that we write an article telling everyone to relax"
While I am not a fan of conspiracy theories, such half-assed pseudo-proofs actually make me believe there might be something behind the underlying conspiracy theory.
My personal favorite anecdote: I was out driving in the car with my partner. I said "hey, that guy is riding an electric unicycle", and then starting 4 hours later and lasting for 5 months, facebook showed me ads for electric unicycles.
Sure, we all have funny little anecdotes about times we talked about something and then saw ads for it later that day.
But as a technologist and software developer myself, I know just how difficult it would be to make a device that would be able to constantly transcribe the audio input stream and surreptitiously upload that data all day - and do so without destroying the battery life or having a noticeable network bandwidth footprint.
Not too mention the fact that if any memos/emails documenting any part of these "black-ops" advertising programs were leaked, it would be the tech story of the decade and probably result in billions of dollars of fines and legal fees for Facebook/Google/Apple/Amazon.
No, in the end, it seems much more likely to me that these occurrences are just the Baader-Meinhof phenomenon in effect.
After all, how many things have you talked about that DIDN'T end up in your advertising stream? I mean, this is pretty easy to test. Why don't you just start talking about adult diapers in front of your phone right now and see what happens?
And do you recall all the times when you said something and didn't see any ads for it? It sounds like you are letting confirmation bias rule your thoughts.
71 comments
[ 4.3 ms ] story [ 147 ms ] threadThat or you and I are just a lot more predictable than we think (which is actually what I think).
* Firmware is patched after the fact either by inserting a backdoor into the build process, or binary patching the resulting firmware image. Such an operation is likely to be compartmentalised to avoid employees knowing about it.
* Intelligence agencies seed online discussions with false assurances (note that I'm not suggesting any wrongdoing on your part - merely pointing out that an anonymous forum post is hardly verification that can be relied upon).
That said, I do agree that exploits are likely sufficient, and that planting a mass backdoor is probably not worth the risk of it being detected.
There's also hardware exploits. The firmware doesn't need to have a back door if a certain sequence of packets sent to the network controller will cause key memory to be overwritten and live patch in a backdoor.
That said: monkey-patching is much more easily concealed than hardware or source-code changes, and is more in line with how US spooks have been seen to operate.
everyone is ignoring what was pointed out by "kennywinker"
https://news.ycombinator.com/item?id=20884384
the fact that both for android and for iphone seperately, there is a correlation with sound / silence and data usage, even if in the opposite sense. why did this not at least prompt the investigator to dig deeper?
Do Android and baseband firmware run on one and the same processor(s)? Or are we calling ARM Secure World / TrustZone baseband these days?
I haven't used iOS in a while but hasn't it always been extremely obvious when an app was using the microphone in the background?
It’s a distinction without a difference.
https://support.google.com/websearch/answer/6030020?co=GENIE...
Disturbing. The fact that there is a difference suggests that they are doing something with microphone input...
To your specific point, Shazam has to be activated (hey siri, what song is this?) on iOS.
I feel like this could’ve been more similar to what was being suggested, adverts or background TV/radio isn’t what any ad-driven telemetry is going to be interested in. Definitely not discounting the research, just seems like this element could’ve been improved.
Wasn’t it just last year that a wide network of android apps using inaudible cues for ad tracking was uncovered? What are they trying to prove here?
Usually I just heard ambiant noise like computer, media, some distant talking. My naive assumption was that it had misfired on "OK google" and recorded for a few seconds to see if I'd give it a command.
I've never opted-in for any OK google type service or device but I did own two vanilla Pixel devices.
I've since opted-out of such recordings and it appears that Google has made no more recordings of me since then.
Likely snooping happens more when phones are moving, and not lying about in a room with recognizable recordings playing, and that belong to people somebody cares to snoop on.
But it is true that readily available metadata being deliberately sent by users, via clickstream, is much easier to extract usable detail from.
"I vaccinated my child and 6 months later he was diagnosed with autism. Cause and effect!"
Well: it is. Autism is a childhood disorder (therefore) whose symptoms usually follow vaccination. It is not unreasonable to hypothesize a causal link.
It may be unreasonable to maintain it in light of other evidence (eg., no difference in rate amongst the non-vax'd). But people don't live in the macro (ie., comparative contexts) they live in the micro (ie., their own experience). And its hard to communicate macros to micros.
Being listened to, or companies being able to predict my behaviour before it happens based on the data they’ve got on me.
But I recon, you're case is creepy. But more likely that the VOD service you use sent data to Facebook.
https://en.wikipedia.org/wiki/List_of_cognitive_biases
Or maybe you watched john wick on netflix or amazon and boom.
Now, is this reassuring? Maybe the ad-placement algorithm with all the data available is much better at knowing who you are and what you want that than recording audio, and extracting meaning from it.
I saw some guy on Reddit once triumphantly declare he had proof that Google (or Facebook?) was listening to his microphone because he started receiving Spanish language ads after he began working at an office with a bunch of Spanish speakers. Come on dude, you share a wifi network with them, your GPS location overlaps with theirs 8 hours a day, and you presumably frequently send/receive emails from them. Facebook/Google doesn't need to listen to your mic to know that you have a bunch of Spanish speakers in your social network.
For a decade or more vendors have been shipping voice recognition technology onto consumer devices, with less and less friction to operate, actively attempting to make it part of very common device interactions.
Now the only questions are:
A. Do these omnipresent hot mics have adequate access control?
B. How many parties have access to them, and
C. Are these parties worthy of being trusted with such responsibility?
I am hoping that the datasets used by Wandera will be available for us to look at.
Because we know they're doing it. Therefore, not a secret.
But the notation that phones, due to their system insecurity, widespread of malicious applications, the reliance of voice recognition over 3rd-party servers (and in turns, their insecurity), and the ethical problems of handing training data and samples, are all avenues that can be easily exploited to secretly listen to us, is very true.
Overemphasizing the first notion while downplaying the second one is a way to manipulatively shutdown the public concerns over privacy issues.
This feels like it was dictated to the writer directly by a not-super-competent intern at an intelligence agency.
Plus sending full audio recordings to a server would be somewhat odd, isn't collecting key words converted in text and sending that a lot more plausible?
All this would just require a few thousand bytes transferred between the phone and the ad-network. Since they are using information they already have about you, and there are little or no additional CPU or network usage it would be really hard to detect.
Short summary: I received in my Google news feed a story about something I would never expect to see in my news feed. The only rational explanations I could think of were that (i) Google had eavesdropped on an earlier conversation, or (ii) Google had received the full data for an offline credit card purchase in a bricks and mortar store made with a credit card which had been saved in my Google profile.
Full story: My wife went to a bricks and mortar bookshop to buy a boy's birthday present. In the bookshop, our daughter said he liked football, so she bought a children's book by an English footballer. She did not know what to buy beforehand, and did not look the author up online afterwards, so there was zero online footprint for the transaction. When she got home, I asked what present she'd got, and she told me it was a football book. When she told me the author's name, and I said I'd never heard of him, joking that the only footballer's names I knew were Scottish footballers from the 1980s that I'd memorised to try to fit in at school. Again this conversation had zero online footprint. The next day there was an article in my Google news feed about that specific English footballer. I don't recall ever seeing any football related story in my newsfeed, so would never expect to have seen that specific footballer appear by chance.
I'm inclined in this case to believe it was Google buying data on credit card transactions for credit cards linked to the Google account. I keep on meaning to ask around if anyone knows if Google do this. Perhaps someone here knows?
https://www.theverge.com/2018/8/30/17801880/google-mastercar...
It's interesting to see how slowly we are all catching up to what is going on behind the scenes, and how we all struggle to come to terms with the implications.
While I am not a fan of conspiracy theories, such half-assed pseudo-proofs actually make me believe there might be something behind the underlying conspiracy theory.
But as a technologist and software developer myself, I know just how difficult it would be to make a device that would be able to constantly transcribe the audio input stream and surreptitiously upload that data all day - and do so without destroying the battery life or having a noticeable network bandwidth footprint.
Not too mention the fact that if any memos/emails documenting any part of these "black-ops" advertising programs were leaked, it would be the tech story of the decade and probably result in billions of dollars of fines and legal fees for Facebook/Google/Apple/Amazon.
No, in the end, it seems much more likely to me that these occurrences are just the Baader-Meinhof phenomenon in effect.
After all, how many things have you talked about that DIDN'T end up in your advertising stream? I mean, this is pretty easy to test. Why don't you just start talking about adult diapers in front of your phone right now and see what happens?