352 comments

[ 2.8 ms ] story [ 406 ms ] thread
Google Meet at least it's very obvious to tell they do this because if you talk while muted, they will show a pop-up saying that you're talking but you're muted.

Whether this functionality is justification for more nefarious data usage remains to be seen.

I have to cough a lot, so I have a headset with a flip-to-mute mic.

As a result, I don't generally use in-software mute effects. :/

In Google Meet, the UI will change to show that it thinks you have hardware muted the microphone and so "unmuting" the Meet software won't help. I think it's a red ! mark or similar. All my USB headsets have hardware mute.
Couldn’t this be done by using some ML on the video stream?
Probably the user experience would not be as good, though, since it'd be an audio-only feature that only works if you've enabled video.
The solution is obvious: have the camera watch you even when it's "off".

:-)

That is for the "You are talking, but others can't see your face" notification.
"We can see that you are talking. Would you like others in the meeting to see you as well?"
That's way more computationally expensive and only available if the camera is on (and the user's mouth is visible).
That’s true. I’ve never tried it with the camera off.
- Is device X receiving input

vs

- Training models, wasting years of CPU cycle world wide, &c.

For such a dumb feature... I just don't see the point

Once I was on Teams meeting and someone exclaimed “We can see your screen, systemvoltage!”. Sure as hell, I wasn’t sharing anything. Thankfully I wasn’t browsing HN, but writing code.

These things implemented somewhere in the middle of the stack seems dangerous. I much more prefer a slider switch. Preferably made from real atoms and molecules.

Not long ago I dialed into a 100+ person, 3+ hour long quarterly planning type call. It was a video call, but I had to be in the car for part of the time so I dialed in.

After sitting through over an hour, including the part I thought was essential to my team, I jumped off the call and proceeded to explain the shit show to my fellow passengers for 15m or so.

When I got to my destination and pulled out my phone I discovered _I had never hung up_ - I was on the line the whole time. I had said some things that you should never say about your employer within their earshot and expect to remain in their employ.

After some nauseating minutes I realized I had been saved by the auto-mute feature. When a call has over x participants, everyone is muted until they take their mic off of mute.

I am much more careful now about these things, bc I don't expect to get that lucky again.

Holy shit, I cannot imagine the stomach drop when you pulled that phone out. This is one of my biggest anxieties. Sheesh.
Yes, be careful. You were lucky. Also, bloated apps lie to you and UIs are buggy, what you see in the UI may not be the case.

I now disabled screensharing in MacOS privacy settings for all apps unless I am explicitly sharing.

But then when you need to use it you have to restart the app, right?
(comment deleted)
I love Discord for some usecases but a while ago I pressed the mute button to talk to my brother sitting next to me and my discord friend made a joke about what I said while muted.

I double-checked Discord and the mic icon was displaying as muted but I could still talk to my friend regardless.

Zoom also has a similar popup. It's quite useful, too.

> “It turns out, in the vast majority of cases, when you mute yourself, these apps do not give up access to the microphone,” says Fawaz. “And that’s a problem. When you’re muted, people don’t expect these apps to collect data.”

I wouldn't assume that's nefarious

I can't speak to all videoconferencing software, but Zoom does this to throw up a "Hey nobody can hear you, did you mean to unmute?" banner
What about those cases where you wish you'd been muted?

"Hey everyone can hear you, did you want me to erase the last 5 seconds from their memory?" would be a nice feature.

Facepalm.

There's a Zoom setting to Mute Attendees Upon Entry. I make that my default for every meeting.

Some people complain, but I've had way too many people join and not realize their mic is live, so the meeting is interrupted by random dude shouting at his children to stop making noise, etc.

Or even better, when the meeting tool has a "Call me at this number" tool, but does not require validation before bridging the audio. So instead the CEO's All-Hands PowerPoint presentation is interrupted by that one guy who tried to have Zoom/WebEx/GoToMeeting call his cellphone, but the call goes to his voicemail instead and the voicemail audio plays over the (recorded) conference. Fun times. I've seen it happen multiple times.

Huh, isn't this the default behavior? I never set that and all meetings I attended mutes me by default
Business users might get different defaults from their admin.
Am I the only one who actually likes this feature?

Zoom prints out a huge full screen notification of "you are muted press X+Y to unmute". Very rarely people speak on Zoom while they are muted.

Now if someone would add the reverse of "your mic seems to be sending nonsense crap and everyone can hear it, maybe you should mute yourself?"

Have a mute button on your microphone and cover for your camera. Something you can see is engaged (e.g. a light goes on/off).

Some laptops now have switches that disconnect them from USB... which can be a different kind of pain, if there are other devices that may be connected to.

Lots of the mutes for external mics still do it in software. The software may run on the microphone itself and not the host computer, but still. I don't trust it. Give me something that interrupts a circuit.

Many laptops (notably including MacBooks) can be damaged by even fairly thin camera covers. Which sucks, because they should very obviously be standard.

Most MacBooks are also designed so the camera “on” light is impossible to disable in software.
Some hardware up there must be active and sending data even when the light's not on. It's how they make the (excellent, can hardly live without it now that I'm used to it) automatic monitor color temp adjustment work, AFAIK. Though maybe that's a separate sensor from the camera proper.
That’s certainly a different sensor, called the ambient light sensor.
The camera and microphones are run through the T2 security chip. Also, there's a separate ambient light sensor.
Tell me you don't understand how things work without telling me don't understand how things work. /s

All the apps tell you that you are muted when you are trying to talk while muted. How do they think they do that?

If I could pick one hardware feature that I'd love on all my i-devices and laptops, it'd be physical shut-off switches for the mic and camera(s). Or, in the camera's case, maybe a cover, since that way you're less likely to have the camera "turned on" without realizing it.

[EDIT] and by "physical" I mean "actually breaks a circuit when off"

I feel like they're trying to make an insidious suggestion about the usage of these. IMO, there's likely a good reason - user experience.

At a hardware level, grabbing the microphone can take time. Even worse that timing is inconsistent across devices, workloads, etc. That leads to a bad experience when unmuting and needing to delay your commentary. The solution to this is to keep the microphone on, but mute at a software level. This way the mic is always hot and ready to relay audio as fast as the software can switch.

I'd be somewhat willing to bet continue to stream audio is also a quality assurance mechanism. Some networks will shape traffic according to load. A quick jump in bandwidth can introduce unexpected jitter and latency. By continuing to stream audio (but not necessarily process or re-transmit), video conferencing can better ensure an un-interupted experience.

----

With that being said, if you really care about privacy, consider getting a hardware mute microphone.

Teams has a notice that it pops up if you're talking and on mute, and there's another for if you're not on mute but your mic is producing no signal (mic has it's own mute). I find those super helpful, personally.
I hate the latter, because I use a keyboard shortcut to mute/unmute the microphone on the OS-level. This works fine with Google Meet, but in Microsoft Teams I have to use the button in its UI because that pop-up gets in the way (also: Teams not working at all in Firefox, what's up with that?).
It's BS. I changed my user agent to Chrome and it worked just fine.
It is BS, but when I tried that, I had other things not working, like sharing my screen. So it is BS, but not merely for looking at the user agent of the browser, but for the software development incapability or unwillingness on the side of MS. (Edit: While basically every other voice chat / video chat web app works fine on FF, so basically everyone but MS and Slack has solved this problem years ago. Go figure.)
GoToMeeting also refuses to work in Firefox.
Yes, I have the exact same situation, and had to resort to uBlock Origin's element zapper because of how annoying that popup is. Of course it's an alphabet soup of minified CSS classes, so I assume it'll break the next time they update the UI.
I know! Eight zillion designer-hours in to one of the most-used applications of all time, and yet the "you can join now" popup blocks the "join" button.
Firefox is an unsupported browser - Teams works fine on Edge.
> Teams works fine for me on Edge.

"If you don't want to install our app, you can just install our browser."

Except it works when you supply the Edge user agent on Firefox, unlike Google services which are much harder to work around.
Define "it works".

For me, with this method, text chat works a bit (often forgets chat history on reload). Notifications get dropped all the time. No video conferencing at all. Sometimes I have to discuss with colleagues, why my teams acts weird.

(comment deleted)
Yeah, Meet does the same thing. I find it annoying, because I am muted because the kids are making a bunch of noise, not because I am trying to talk.

I am muting because I don't want the sound in my room broadcasted... if it was silent, I wouldn't have to mute!

In like 25% of my meetings, somebody is accidentally muted while they are trying to speak. The popup speeds up the process of them unmuting.
I still don't know how professionals keep making this mistake. Having used Discord for so many years, this has never been a problem aside from a select few people who had very clear reason to mute themselves. Meanwhile in professional settings, people seem to be falling for this over and over while lacking the common curtesy of not letting random environmental noise bleed through (read: their mics are barely ever turned off).

Not to mention push-to-talk has solved this issue for almost a few decades now.

>I still don't know how professionals keep making this mistake.

Because

1) most group calls that need people to be on mute most of the time are useless, boring, snooze fests, most attendees don't care about, so those 'professionals', who are caffeinated zombies half asleep, will space out and forget the status of their mic within 10 seconds of toggling it

and

2) most chat apps suck at drawing attention to the status of the mic and, if you have multiple monitors, you can be staring at one monitor (Jira, reddit, Redmine, HN, VS Code, etc.) while the chat app and the status of the mic is being displayed on another monitor where you're not looking

It's a mistake super easy to make. Still, better be safe and make the mistake of being muted all the time, than forgetting to mute yourself and have participants hear something you didn't want them to hear.

Ideally I'd want a feature that gives the image on all my monitors a nuclear red vignette, or something like that, whenever my mic is hot, so I don't have to keep paranoidly glancing at the mute toggle every couple of minutes, to make sure my mic is still muted, so they can't hear me mumbling on how incompetent management is and on how useless this meeting is.

People are not communication professionals. They are not ATC nor even pilots.

Still, PTT is the solution, preferrably in hardware. Not supported in sw anyway by e.g. Teams. In hw it keeps the mike-on symbol lit, and the device powered. Always having to push prevents ever forgetting to do so.

Discord's input handler sucks, uses semantic keys, not keycodes. Can't be mapped to an otherwise disabled capslock. TS and mumble can do that. Compared with those Teams audio looks like a toy.

It takes a long time for the masses to adopt software in the way you mention. I’d bet that discord users are not representative of the masses. The main reason I notice people talking while muted is 1) forgot they were muted 2) multitasking / distracted 3) unfamiliar with the software / how to unmute. #3 was probably #1 in summer of 2020 when everyone was just starting. The #1 and #2 I listed just happen. It’s common to never speak in a meeting. It’s common to never speak in a meeting and then randomly get called on leading to forgetting to unmute. It’s also common that your mic isn’t working and you don’t realize it until you do try to speak and everyone is say “you’re on mute”. This happens all the time with some Bluetooth Bose headphones and my work PC, some configuration has this device matchup to be a constant problem and my IT couldn’t care less about a permanent solution since they found a temporary one (reverts on reboot).

I know people that literally retired early when they were forced to use PCs in the office. Over 30 years later, many people can barely use the most basic features of their computer. All to say, I’m not surprised this is an issue and I don’t see people as a whole digging their way out any time soon.

We all have our shortcomings.

Some people don’t intuitively track the state of the video conferencing microphone, especially if they have cognitively involved jobs or lots of distractions. Mine are 1) the inability to resist that little self esteem boost from disdainfully highlighting inanity of other people’s shortcomings, and 2) making snide comments.

They’re both super obnoxious but I’m working on them.

Main reason why I invested in a mic that has its own mute button with a very obvious red light when it's muted.

It also can keep the Teams mute status in sync as long as I don't touch it in the app myself (I believe through Teams detecting whether the mic interface is marked as muted or not, so it isn't exclusive to my mic).

Because in Discord you hop into an audio call and you're there for however long you want to hang out in the room. People can come and go from this room, but the room is persistent. In a job, you're going from meeting to meeting each with different attendees and stakeholders. You might have been on top of it in the morning for standup then 3 hours and a head full of code/spreadsheets/whatever later when you're discussing tech debt with other people you forget to unmute until your portion of the meeting comes 5 minutes into the start. Push-to-talk certainly helps, but if you're frequently talking in small meetings (say 3-5 people) then PTT becomes more of a hindrance than a help.

Personally I just have a headset with hardware mute functionality and a big red circle showing me it's muted. It remembers its muted status, so I just mute it by default and default my OS to use the headset's mic. That way I know quickly and easily when I'm muted and when I'm not, though even then I have small mistakes in the mornings when I'm tired. Over time I've optimized my meeting workflow because my company has gone all remote and I'm in a lot of meetings.

I also considered this, but the article is talking about audio _telemetry_, not that they're keeping your hardware mic "hot" locally. Audio detection like that could be done entirely locally.
My mic has a physical mute switch and it causes all kinds of problems with auto-leveling in videoconferences. Even with the switch left on, the mic itself rejects enough background noise to cause problems for the software that assumes half-broken built-in condenser mics.
On Linux at least, Teams continue to grab the microphone even after the meeting has ended. You can see this by looking at apps registered for "recording".

I'm not sure how that can be justified. Besides privacy, the issue is that this prevents the sound card from going to sleep, which may be an issue on laptops. But I guess this is insignificant compared to the rest of Teams' power consumption.

Teams is a real clustefuck, I do not believe it is a design decision but rather just poorly written code.
From the outside perspective, this must be true. Recently I have noticed, that Teams, unlike any other app I tried, is unable to properly distinguish between stereo and mic, when that arrives both at the headset jack (made for both, stereo and mic) of my laptop. When I switch in Teams to use that as mic, it means, that others hear themselves and do not hear me. I tried everything, but Teams is simply unable to take the proper mic input from the headset jack, while an app like audacity has no issue at all. Teams is utter garbage. Found topics on MS websites, where people are describing similar problems. The answers usually are: "Well, it is MS, what do you expect?" and no solution in sight. In the year. 2000 and 22. And this is what I am forced to deal with. So I had to go back to only have the output on headset jack and use the laptop internal mic, which very likely has much worse quality than my external on the desk standing microphone, which I am effectively unable to use, because I have to use Teams...

This stuff can drive you crazy. Each month there is some new annoyance or broken part, that I discover.

I've never had your particular issue, but my favorite has got to be that it somehow "loses" the mic between conferences, although the sound server shows it as still recording...

I can understand not detecting something, or badly, but if it works now, and then on the next conference it figures "nah, there's no mic", I just can't understand what it does.

Oh losing the mic has happened to me mid-call many many times. Suddenly I would notice, that someone does not respond to anything I am saying, then check in Teams and, what do you know ... "Your microphone is not working.". I leave call, call again, without changing anything, mic works again ...
I find that usually (but not always...) restarting Teams works. I chalk it up to "made by Microsoft". People make fun of me at work when I ask them if they tried rebooting it whenever they have a problem (the company I work for runs Windows on the desktop, I'm the odd one out running Linux).

I used to think that this was an issue with me running Linux, and an "unsupported" distro at that (Arch). But I'm always reassured (in a way) when I see people having the exact same issues I do on Windows, with basic, run-of-the-mill configs (I have multiple sound cards, some of which come and go).

Teams and audio problems is pervasive. Since a few months I cannot use Teams on the iPhone any more [1] because they changed/broke volume control so that even the lowest possible volume is way too loud (and interestingly, Teams somehow manages to circumvent the hearing protection settings in iOS). The audio quality on iOS is also very jarring, regardless of connection speed, basically to the point of it hurting in the ears even if you reduce the volume to a safe level (e.g. by dangling the headphones in front of your ears instead of putting them in, which is absolutely ridiculous). Similarly I had issues with Teams mute control on a dedicated, certified headset, where both the mute button on the headset and in the Teams UI did nothing, only the special Fn key on the laptop worked. "It magically fixed itself at some point".

[1] I really liked to walk'n'talk for a few recurring meetings. Unfortunately, Microsoft does not like people touching grass.

It also doesn't happen on MacOS where you can see the indicator dot go away after a call. Teams just has a lot of bugs.
Completely agree, there's a lot of user friendly reasons to want the software to behave this way. I use a headset with a hardware mute that engages when I put the mic arm up, that's what I use when I want to make sure I'm muted.
Very much this, it takes time to recapture the microphone and it's really annoying to lose the first part of what you say every time you unmute. I lead the video team at a videoconferencing app (gather.town) and we keep the microphone active when you mute for this reason.

As seems to be pretty common, for the sake of privacy we do stop sending audio to the media server. That's a tradeoff, since we're still susceptible to losing a little bit while the audio connection resumes.

Edit: as others have mentioned, also useful to keep bluetooth headsets in two-way audio mode rather than reverting to audio output mode, since that's really disruptive.

Shoutout to gathertown. Love what you’re doing.
Just throwing it out there but maybe to avoid bandwidth spikes that might lead to latency depending on the setup, could you inject some kind of easily identifiable "is muted" signal along with white noise in place of silences? or would that sort of pre-mixing be too slow to do in real time on the client side?
got a modmic - popular mic - has a button on it to mute the mic- light turns red - pushed the button and went for a pee - came back to the meeting - left again to get a drink - came back - was asked to mute my mic - light was red - clicked hardware button - red light turned off - clicked again - right light turned on - mic was still active - no longer trust hardware buttons
That is a button that works via software, not a physical disconnect like on some other mics. When its a physical disconnect the os can’t tell if you’ve sent a mute command, just that all audio input stopped.
Not all mics are like this. I have a Corsair gaming headset which has a hardware mute button. I frequently set it on mute when I'm munching on something, forget to unmute, and despite videoconferencing software and the OS thinking the Mic is unmuted, no signal is detected.
The worst part is that on iOS you can't just start and stop input stream separately from output, but you have to stop the entire audio session and restart it in output only category. You can configure the session to ignore all input channels, but that won't get rid of the mic indicator (or at least didn't back when the mic indicator was introduced in the first place).

Yes, I work on an app that keeps the mic running all the time because of the above, and because ASIO doesn't allow disabling input at all.

It’s something to be aware of.

The first time I had ever heard of Zoom, it was long before the pandemic and it was about how Zoom was a videoconferencing app that was installing an http server (read, a security hole on the user’s computer) which remained even if you deleted the app. This was to “improve the user experience” so that it could quickly reinstall itself if you clicked one of their web widgets to start a call.

It’s worth checking in on exactly what software is doing in the background, auditing its activity and coming to a more precise understanding of 1. The reputation of the company behind it and 2. How they came to have this reputation and whether it is still relevant.

My first introduction to Zoom was their malware-like pre-install install. https://twitter.com/c1truz_/status/1244737672930824193
That was March 2020?

This is from July 2019: https://daringfireball.net/linked/2019/07/10/zoom

After they were called out, supposedly they fixed it, but that tweet you just linked looks like more of the same nonsense which goes right back to my original point: reputation matters. If the first could be taken as honestly naïve, the second proves it was not. Zoom doesn’t go on anything I own or control.

Yep. I don't trust them at all.
For me the problem was that they were called out about the backdoor they installed on Macs, and then totally refused to do anything about it, and it took Apple to actually incorporate a system update to remove Zoom's malware.

I understand 'mistakes' happen (though this was way too elaborate to be a mistake). But to just shrug it off and refuse to do anything when it's discovered is just total ignorance of security.

Honestly, it feels like most people here aren't reading the article.

> The researchers then decided to see if they could use data collected on mute from that app to infer the types of activities taking place in the background. Using machine learning algorithms, they trained an activity classifier using audio from YouTube videos representing six common background activities, including cooking and eating, playing music, typing and cleaning. Applying the classifier to the type of telemetry packets the app was sending, the team could identify the background activity with an average of 82% accuracy.

How is this not extremely concerning for anybody who cares about privacy?

How about we not make the default that companies can do whatever they want and users have to take steps like a hardware-muted mic (which isn't always an option) to ensure a basic expectation of privacy?

I think there are two different problem here.

1. When the mic is soft muted, information is getting sent to the conference provider which could leak information about private matters.

2. When the mic is not muted all information is definitely going to the conference provider in a way they can decrypt so they can mix it.

That is to say that when using most conference software, you have already granted then access to contents of the meeting.

If you can't trust them to not miss use information they get when the mic is off, then you also can't trust them when the mic is on.

End-to-End encryption for group video and audio is now supported. I'm not sure it works or who is supporting besides Signal, but it is apparently not not required that the conference provider decrypt the streams to mix them.

https://mashable.com/article/signal-end-to-end-encrypted-gro...

Element/Matrix also support e2ee.

Jitsi has supposed e2ee videoconferencing (on Chrome - they used some chrome-specific API for processing) for (I believe) at least a year or two.

The API is called Insertable Streams. It's not actually supposed to be Chrome-specific, others are just lagging in implementing it.

Element has native E2EE for 1-to-1 calls, but uses Jitsi for group calls. Native E2EE group calls actually also exist, called Element Call (https://element.io/blog/introducing-native-matrix-voip-with-...) but they're yet to be integrated into Element and specced into Matrix, I believe.

Jitsi's own solution I assume (also on Jitsi Meet), and not the usual XMPP/Jabber that (non-Meet) Jitsi uses ?
> it is apparently not not required that the conference provider decrypt the streams to mix them

I don't believe this could be true, and the linked article doesn't have the word "mix" anywhere. I imagine that there is no mixing happening until after decryption on the client device. Of course this means that every audio source goes to each recipient discretely, which means more bandwidth, but audio (especially near-silent moments therein) is lightweight enough for reasonably sized groups. Obviously this same n^2 scaling issue happens with the video anyway which is never mixed.

Because a video conferencing app with a bad UX is going to be quickly supplanted with one with a better UX; the privacy concerns of being spied on by a video conferencing app while you are muted is very minute for most people.

There should be a line between "companies doing whatever they want" because of some implied "nefarious" reasons, and "companies doing whatever they want" because their customers want a better experience even if it has security/privacy implications.

Because a video conferencing app with a bad UX is going to be quickly supplanted with one with a better UX

For the vast majority of users, price beats UX. If a company can keep their app free by selling user data, they will out-compete paid alternatives, regardless of the UX.

Mostly agree. Price has a higher weight than UX but a bad enough UX will succumb to reasonably priced competitors.

Anecdotally, privacy/security seem to be on the bottom of the stack. Platform support and necessity for work are above them all.

This is not how enterprise software works. Audited data privacy is a core selling point of enterprise communication systems like Slack and Zoom, which are able to charge a lot of money for enterprise licenses and have very viable business models. You're right that this may not work in the consumer space, but that battle is already lost -- there are myriad free communication options available to consumers such as messenger calls, facetime, etc.
> Audited data privacy is a core selling point of enterprise communication systems like Slack and Zoom

Is Zoom audited? Zoom had been lying for about having end-to-end encryption, for example, until they were caught by the US Federal Trade Commission. Surely, something like that would have been discovered earlier in an audit, if they were audited and the audits were worth something.

They were also sending data to third parties like Facebook and Google through their SDKs.

https://arstechnica.com/tech-policy/2020/11/zoom-lied-to-use...

https://arstechnica.com/tech-policy/2021/08/zoom-to-pay-85m-...

They also kept microfone on after closing calls, and reverted after getting caught https://thinksproutinfotech.com/news/zoom-update-fixes-macos...
this was definitely a thing in windows too although no idea if changed now - I remember zoom running in the tray would cause the microphone to activate even outside of calls. I was weirded out by it enough to stop running zoom on startup and eventually replace zoom with other applications that didn't exhibit that behaviour.
Seriously, who in their right mind is using Zoom at this point? They've been "accidentally" collecting people's data, disclosing people's data to others, and have been caught lying so many times there's nearly zero chance that it's just total incompetence and even if it were, why use something made by people who are that bad at their job?

There are so many alternatives, how is it Zoom has any business at all?

> how is it Zoom has any business at all?

Zoom was the first videoconferencing software I experienced where the first 15 minutes of the meeting was not spent with "can you see me," "can you hear me," some people falling back to dialing in to a speakerphone, and one or more out-of-band calls to various participants to troubleshoot problems.

Zoom was click a link. And it worked. Nobody cared much about anything else beyond that.

Perhaps I am misremembering but I remember using Skype 9-10 years ago without any issues. Zoom does not seem to be that much of an improvement in terms of ease of use
But is Skype that way now? Zoom was in good position when the pandemic made everyone pick a video conferencing app. Some of the competition (Webex comes to mind) got slapped so hard they basically copied the Zoom interface in order to stay somewhat competitive.
This morning my boss tried to host a meeting on his favorite Zoom substitute. The first 20 minutes were spent trying to fix a ten second delay in his audio. Finally we just switched to a Zoom call, and it worked flawlessly.

There are only two videoconferencing platforms I've never had any problems with: Zoom and Google Meet. I don't trust either company, but sometimes you just have to get your work done.

(comment deleted)
Considering the trouble I have with WebEx again and again UX indeed comes late.

I often call it "golf-course-ware" the sales person goes golfing with the executive, they discuss features and prices and discounts ober the match and the executive typically doesn't have to use the software but only their employees or the assistant.

Interestingly Zoom for me was a game changer in usability and it spread during pandemic, when executives where at home partially without their physical conference room with video conf setup and without assistant.

Zoom’s better than it used to be, still some big orgs and their IT security treat it (with some justification and I think informed paranoia) as something to be tolerated due to client demand and avoided for anything sensitive.
I don't know about this, Zoom has been taking over the enterprise world and they have /awful/ security.
I have been using Microsoft Teams and its hard to imagine anyone buying it for the user experience, yet it's not an unpopular choice. It seems more likely to me that the fact that the organization already had a bunch of managed Microsoft software was the most important selling point, and that this is a common situation. "Admin experience" if you will.

So sure, Teams gets some things right, UX-wise, but for every "notify the user if they're speaking while they are muted" there's a "randomly scroll the chat back down while you're looking through history", a "randomly make it impossible to erase a link with backspace in the chat box" or a "don't let people see who is participating in the conference", and there's little incentive for them to avoid crap like it and avoiding whole categories of bugs because people are buying it for other reasons.

If your VC software decides to perform signal processing on the microphone input while it is running but you are muted then yes, it can determine things about your behavior.

But that's true for literally all applications running on your computer. Evil software running on your machine can do all sorts of bad things.

You can tell that an application accesses the microphone these days.
It's not that simple. An application could have access to the microphone, but an OS could be providing the mute functionality, thereby not passing any data to the app even if it keeps access to it (there are hardware/software issues with releasing and reaccessing it with extremely low latency like one expects of a mute/unmute button).

The problem, as reported in the article, is that apps are not making use of the OS mute, but are instead still reading from the microphone, and some are even passing the readout to their servers.

On Macos, there is an indicator dot in the status bar, on all chat apps, the mic dot is always active while the camera dot does turn off when the camera is disabled. The most likely situation is that turning the mic and camera on at the OS level has delay which is acceptable for turning on video but not for audio where you want to be able to respond to something quickly.
> But that's true for literally all applications running on your computer. Evil software running on your machine can do all sorts of bad things.

This is why I personally insist on using the web version of streaming software over an installed binary.

If software that actually exists is really already sending "telemetry" that can reliably identify your activities in the real world the concern isn't that theoretical anymore.
Why did you move the goalpost? The comment you're responding to claims that there isn't a malicious purpose here. You instead claim to rebut it by saying that it's "concerning for those concerned with privacy". Can you see how those are different things?
It is, just most people don’t care. And you can’t buy a little shutter for your laptop mic like you can for the camera.
You can control your microphone in your OS settings. While we are still on PulseAudio, check out pavucontrol for Linux systems. I am sure there are equivalent tools for Windows or MacOS.

There are also laptops with hardware microphone switches (eg. https://puri.sm/products/librem-14/ or https://frame.work/).

You can easily buy a microphone with a physical mute switch though.
Yes, more addons for the employer-supplied Mac. I miss my Thinkpads
> How is this not extremely concerning for anybody who cares about privacy?

Because they're not actually doing that?

These researchers did everything they could think of to come up with the most concerning headline.

I imagine someone, somewhere is going to make a video conferencing app that closes the audio interface every time you press mute. I also expect few people will use that option because it adds additional latency every time you unmute.

I want my mute button to work ASAP and I don't believe Zoom (or anyone else) is interested in whether or not I'm eating while muted.

> Because they're not actually doing that?

>> Applying the classifier to the type of telemetry packets the app was sending

Are you sure they’re not? The used these algorithms on telemetry packets sent from browsers. I see no reason to give companies whose revenue is built on ads the benefit of the doubt here.

I don't think one should go to the level of making random bs claims about things, and then blaming the groups one is making the claims about.
Are you sure they are? That seems to be the bar we should meet when you make an accusation, right?

Besides - is it really super valuable to know that while I (thought I) was muted that I was cooking? Zoom's going to find out I... eat?

> and I don't believe Zoom (or anyone else) is interested in whether or not I'm eating while muted.

If they are, the continuing video feed is pretty likely to answer their question.

> ....and I don't believe Zoom (or anyone else) is interested in whether or not I'm eating while muted.

But the detectives with a search warrant are pleased to be able to listen to your private conversations.

The secret police who do not need a warrant (or legality) are glad to be able to listen too.

The staff at Zoom are happy to spy on you, probably, for a small reward.

A proper mute removes those concerns. A mute that does not mute is inviting a lawsuit

If these are your threat models, your microphone should have a hardware mute switch, and you should at least have something opaque to cover your camera.
> How is this not extremely concerning for anybody who cares about privacy?

I manage some properties for a family member on the side, one of which is in a very bad neighborhood. When I travel to this neighborhood I have a certain state of alertness that I would not normally have in my boring suburbistani neighborhood. This is better known as "situational awareness" - the man approaching me in my own neighborhood is likely a just having a friendly conversation, the man approaching me in bad neighborhood is guaranteed going to at least try to bum a smoke off me, which I don't have as I don't smoke, and will likely act belligerent if I refuse to give him money as a follow-on to the request for a smoke.

Contextually, I expect a video conferencing software to be listening to and watching me even if it doesn't necessarily reflect in the UI, it has the capability and is actively meant to do so. As such, I explicitly don't have any form of sensitive conversation in the vicinity regardless of status. On the other hand, I do not expect it to do so when not running nor my laptop to do anything similar.

Perhaps there is a legitimate criticism to be made here of poor UX around "not listening" - but to paint this as an "extremely concerning" issue is sky-is-falling critique. This over-the-top concern seems further alarmist in that both my laptop and phone display clear and obvious warnings to the user when the microphone is hot.

Most of the time, audio that a videoconference app receives while the mic is unmuted is going to be a lot more useful for surveillance purposes than the audio the app receives while it's muted. If you're so concerned about the app knowing when you're eating 82% of the time, why would you trust the app at all?
"They found that all of the apps they tested occasionally gather raw audio data while mute is activated, with one popular app gathering information and delivering data to its server at the same rate regardless of whether the microphone is muted or not."

The way I read that is, only one of the apps actually sends audio data to the server when the mic is muted. I'm not sure why they don't say which one, and I'm not sure what is meant by "occasionally gather raw audio data" but it could be as innocuous as the mute button not updating and a half second of audio being sent before muting starts. Nobody is building a machine learning profile out of that.

The real story here should be that one app where the mute button doesn't actually work. The others are all operating normally as far as I can tell.

> I'm not sure why they don't say which one

Yeah, that's very annoying.

Zoom, for example, will tell you, when you are muted and you begin to speak. It's a very nice thing.

I have a microphone (that wasn't expensive) that has a hardware mute. I use it when I really want to make sure I'm not heard, even for "speaking" detection.

> Zoom, for example, will tell you, when you are muted and you begin to speak

MS Teams has that feature too.

TBH I'm not surprised: when you mute the mic in an app, you're still letting the app in control. If you really want to be safe, you need to mute at OS level or in hardware. That's why cameras have a hardware cover in modern laptops.

Precisely, this is why I think the earlier comment's suggestion:

> How about we not make the default that companies can do whatever they want and users have to take steps like a hardware-muted mic (which isn't always an option) to ensure a basic expectation of privacy?

Sounds nice on the surface, but is ultimately silly. Sure, it'd be nice if everyone did the right thing, but you can never guarantee that, and hence if you really care you need to perform the mute at a lower level than what the app has access to.

Well, I have hardware buttons, too. But without some basic trust, this society could not operate anymore.

And the increasingly (or is it just perceived?) shady behavior of big companies are not helping.

>But without some basic trust, this society could not operate anymore.

I am afraid this eludes our leaders across the board.

The apps can control the sound devices at the OS level too. But fortunately most(/all) don't, so muting in the sound server / OS is generally safe.
MacBook pros already have a mute-speaker button.

It would be so nice to have a mute-mic button which lights up when muted.

Ironically this is a good use case for a Touch Bar: a button on your keyboard that is only there _sometimes_ because it’s only needed in certain contexts (when you’re on a call)
The touch bar is like an idea that works really well in your head. It has so many theoretical cool uses. But in reality I end up never using it for anything.. I would have been happy if the new one had the touch bar and the function keys, but that would have been extra cost for a feature people just aren't using.
After using a stream deck for some odd automation, I think the real flaw was having the touch bar be so contextual, and replacing the existing function keys. Had both existed, and and allowed the user to extend their customisation; say buttons for common actions, siri suggestions, shortcuts it may have been perceived differently, and more of power user tool.

Most of the actions just duplicated existing UI elements.

I think one thing that makes an external stream deck work, is that it is a separate context sensitive device, that is mentally separated from the keyboard.

So when you go to the deck to perform an action, you mentally context switch away from the keyboard, so your brain is looking for different clues.

So even with a touch bar + function keys, the function keys stay in keyboard context, but the touch bar requires that switch in any case. Maybe taking your eyes to the touch bar is enough of a context switch, mentally.

It’s nice in theory for so many things (my favorite is choosing characters when typing in Japanese) but almost never overcomes the friction of using a third input device. I was somewhat of a proponent of it until I got a desktop, then I was happy to ditch it and have a consistent keyboard for desktop and laptop.
I liked the touch bar..

The problem was that it was too much of a tradeoff. Either a touch bar or function keys. I need function keys. The touch bar was useless for this purpose (no tactile feel).

Apple could easily have done both. There's more than enough space even on the 13" macbooks. It would have taken a bit of space from the vertical range of the touchpad but it's already comically large anyway.

It might be but not really.

I carefully made sure I didn't mention the touch bar. I waited until 2022 to finally be able to buy a MBP without a touchbar (and with magsafe charger).

I would very much like a physical button with a reassuring tactile feeling to it. Like the mute button on the function keys row.

But then we're back at a software button, not an hw one.
For that you need an actual pro laptop like a lenovo which has mute button and led for Mic
My Dell laptop from work has this feature, there is a mute mic button and it lights up. With my desktop I have a usb mic that has a mute button and a red/green LED to indicate the state.
Quite interestingly the only laptops I've seen with such a feature (button to mute and LED to display the mic is muted) are huawei's matebooks. Some of them also have the camera under a keyboard button, extremely weird angle but when the camera is hidden you can be 100% sure you are not being recorded.

The mic mute button of course works at the OS level but still...

Also controlled by the OS, but many ThinkPad's have such a button and light too.
My ASUS laptop has a dedicated mute mic button, not a key, on top of the keyboard.
> Zoom, for example, will tell you, when you are muted and you begin to speak. It's a very nice thing.

Zoom was discussed 2 months ago in "Why is the Zoom app listening on my microphone when not in a meeting?"

https://news.ycombinator.com/item?id=30266894

There's a weird culture around reporting problems without reporting names. You see it a lot here on HN and occasionally in media. I'll never understand. Why bother talking about corporate misbehavior (or etc) and not back it up with the basic, minimal data you could provide?
Makes claims impossible to falsify, without naming names nobody can poke holes in your analysis.
Or, you know, keeps your ass safe from being sued...
Anybody can sue you at any time for any reason.

For libel and slander cases though, telling the truth is a valid defense.

This view vastly underestimates the ability of a completely wrong party to sue for slander. In the US at least. You see this with pseudoscientific snake oil salesmen all the time.
>Anybody can sue you at any time for any reason.

Which is neither here, nor there, as some are more likely to sue you than others.

>For libel and slander cases though, telling the truth is a valid defense.

Which is neither here, nor there, again. Not everybody wants the hassle of going through a lawsuit or the time and money costs associated, even if they have a "valid defense".

In theory, but assholes often aren’t creative, and justice system is as it always had been, so,
Maybe their research is ongoing, maybe they are afraid of being sued, maybe they'd rather not harm a company so reputation without fully understanding why they do this
So why did they publish the text now then (other than obviously for self-promotion)?

Why not finishing their research first, discussing with lawyers how not get sued, and contacting the company about it so that they can fix it or comment on it, and only then publishing the proper, responsible research that is actually useful to someone?

They state that their findings will be presented at Privacy Enhancing Technologies Symposium in July. So it seems they want to keep some info for that event.

Should i hazard a guess, it would be either Zoom or Teams.

My guess was going to be Google Meets because I suspect this happens in order to pipe audio to their voice to text translation engine they use to offer you the live closed-captioning feature.

As well as, I assume, to archive a text indexable/searchable log of your conversations. I say this latter part based on multiple experiences I've had receiving clearly targeted advertising for topics I make random passing jokes or commentary about in live conversation, but which I've never once searched, click-imprinted, etc. for online. But, this is purely suspicious speculation. The live closed-captioning feature is a real thing and a thing I could absolutely see resulting in Google always sending audio streams to their backend for.

> You see it a lot here on HN and occasionally in media

It makes some sense here on HN where people often post under their real names and want to think carefully before badmouthing a former employer, or otherwise picking a fight.

I agree that journalists have little excuse.

> I agree that journalists have little excuse.

Except wanting anyone, ever to talk to them again about something controversial.

I disagree.

Bob Woodward has gotten PLENTY of high level politicians to talk to him candidly even though he's publishing what they are saying often in an unflattering light.

If someone as famous as the watergate guy can STILL get politicians to talk to him, what does a random journalist have to fear?

I mean, FFS, the gamer nexus guy got newegg to talk to him even after blasting them about ripping him off and letting them know "we are recording everything".

Journalists are acting like a single inkling of a bad word said will lock them out of access to everyone everywhere. The truth is, there are so many journalists out there that one could make a career of asking hard questions and publishing unflattering statements and the STILL would likely not be recognized by most individuals if they asked for an interview.

> Bob Woodward has gotten PLENTY of high level politicians to talk to him candidly even though he's publishing what they are saying often in an unflattering light.

Woodward is absolutely one of the few exceptions, if not the only one.

He publishes on a long timescale with dozens of sources, not a short timescale with one or two.

So everyone knows the story will come out but not immediately, and everyone knows everyone talks to Bob.

But like it or not, most (not all) of the people he talks to have less to lose, because they are at or close to the apex of power in DC; there will always be jobs for them elsewhere in the USA, in a thinktank or on a board somewhere.

(It's also worth noting that Woodward's most famous source was anonymous for essentially his entire life)

In the real world outside seats of government, talking to a journalist on the record about stuff you should not often means you are the single source -- the only person who made the unflattering or damaging story possible, in a story that maybe won't wait even a week to be published.

It puts you out there on your own, gets you fired, makes it difficult to get immediately re-hired, and I suspect for an American with a family in an at-will state makes telling the truth on the record a luxury they can't afford.

The gamer nexus guy? He got a 1-on-entire-team-of-PR-and-customer-service-people interview at a deep-discount computer parts company in their own office to discuss known implications of decisions they deliberately made. THAT's your benchmark?

Nothing about that situation has bearing on whether people first think of safely concealed sources or being publicly dragged through the mud like Chelsea Manning and Edward Snowden before sharing things far more important than entitled rants about customer service for entertainment-related products. My lord.

this is a press release about a new study not a news article
I imagine it's to avoid getting sued by the company behaving poorly. Companies bring lawsuits against good-faith security researchers all the time to try to silence them, so if you were a researcher, why would you expect the one company among the several you researched who's potentially misbehaving to not misbehave by trying to sue you into silence?
I have said negative things about someone's favorite product and then abandoned a thread (not here on this site) because the stream of hate that followed drowned out the original message.

People can be irrationally attached to the things they use.

As a farm kid growing up, you didn't step between two guys arguing the merits of I-H and J-D farm equipment (1970s...)

"occasionally gather raw audio data" could be used to remind you that you're muted when you're trying to talk. I've seen that in either GoToMeeting or Zoom
In their actual paper[1] they identify it as Webex.

[1] https://wiscprivacy.com/papers/vca_mute.pdf

Webex will by default listen for ultrasound emitted by some video conferencing devices for easy stop. If you disable this, does that change the results?
I was suspecting this was webex, I use an external audio device (plantronics/polycom Calisto 7200) that has an indicator when the microphone is active. It's only anecdotal, but for me when the webex ultrasound features is activated, the microphone is constantly active as long as webex chat is running. When the ultrasound detection is disabled, the microphone is disabled when not in a meeting. As an aside, this setting was reset recently, but that just seems like the ongoing dark pattern/incompetence of "forgetting" privacy settings between software releases.
My understanding is that it activates when you make the Webex Teams/Meeting the application with focus, and should turn off some time after it is no longer the active application, I think ~60 seconds.

It is doing this for the ultrasonic room detection feature, which can be turned off.

> The way I read that is, only one of the apps actually sends audio data to the server when the mic is muted

You're reading it incorrectly.

The paper outlines that as far as they can tell Webex is not sending audio when the mute button is pressed, but is gain and other parameters, based on this audio. And this has been reported to Webex, and they are investigating.

There's no cost to privacy if it's all being written to /dev/null. I'm not worried because the cost benefit analysis is not even remotely in the video conferencing app's favor to listen to that traffic. Are they really going to use the compute time to analyze all this audio, then do what? Try and monetize data on what people are doing in the background of their video calls?

The technical cost of deploying this is probably large, and the cost to reputation immense if they were caught doing this. By comparison, giving people the additional sense of privacy by actually turning off and on the mic is likely more than outweighed by the annoyance of lag between turning on and off your mic and being heard by the other chat members.

Although they could do something like write random bits of audio to the stream when the mic is muted in software. That'd at least let users know that the actual audio isn't leaving their device. But the hardware peripheral activation is probably not going to go away.

please go away and read about the architectural permissions for things like this, performance, latency and re-read this... if it bugs you throw away your smartphone or custom-compile lineageOS
> How about we not make the default that companies can do whatever they want and users have to take steps like a hardware-muted mic

You're implying government policy for how companies operate in this area... Which is worth pursuing, but we all know that usually ends up half way effective, requires a cat and mouse game of auditing and enforcement, or big companies playing fight club math with the fines.

Even if this was already the case for this particular issue, as users we end up never really being sure if a company is violating that particular requirement.

> users have to take steps like a hardware-muted mic (which isn't always an option) to ensure a basic expectation of privacy?

This should be the default, just like how operating systems and networking evolved over the past 30 years starting with a "trusts everyone" attitude towards a "trust no one" by default. We need to assume most companies are potential bad actors, the hardware and software that comprises the basic operation of our device needs to provide the user with facilities to control flow of information separate from third parties, especially when it comes to input devices. In the case of microphones and cameras hardware switches should be the norm, or at minimum indicator lights.

This could also quite easily be a government policy for hardware vendors, and I suspect it would be more effective... It only has to reach a threshold after which users expectations shift to force manufacturers hands, so it's direct effect need not be as comprehensive to be effective.

It's amazing how many people down thread simply ignore or minimize what you point out here. And this on the same site where people get mad about the wrong kind of cookie which they always had full control over anyways ...
> With that being said, if you really care about privacy, consider getting a hardware mute microphone.

But still consider using both software and hardware mutes. I was on a sales call years ago and activated the hardware mute. While one of our salespeople was talking I groaned out loud, and the call suddenly went silent. Somehow the hardware mute had failed, despite the light being lit.

> At a hardware level, grabbing the microphone can take time. Even worse that timing is inconsistent across devices, workloads, etc. That leads to a bad experience when unmuting and needing to delay your commentary. The solution to this is to keep the microphone on, but mute at a software level. This way the mic is always hot and ready to relay audio as fast as the software can switch.

Another solution is to mute at the microphone, if your hardware has a button for that. This way the application can do whatever it wants, it will still get nothing. Using the hardware button is often less effort, than switching windows, finding that unmute button visually and moving the mouse to that button to click it. Or one could use push to talk. Since there are ways to mute yourself without having to do it in the app, it would be acceptable, if unmuting took a part of a second to be effective, indicating that by some "unmuting ..." label somewhere.

Okay, given that they are not listening for any insidious purpose, they should all just add a legally binding, unrevokable clause to their all of their terms of service indicating that they will never sell any audio data or data derived from the audio data while the microphone is muted. Absent that, it is entirely legal for them to do so at any time for any reason with no consequences, so I see no reason why we should take the word of a amoral entity that pinky swears they will not do so when a legally binding statement is so much cleaner and more straightforward.
Would you use a service that sells your audio data when unmuted? :/
Not to mention the feature of notifying a user they are muted if it sounds like they're trying to talk.
You are right that the problems you listed are easily solved by keeping the mic open/streaming.

If you actually value privacy as a company though, these are all very solvable problems.

"if you really care about privacy, consider getting a hardware mute microphone"

Even if you get an external microphone which can be muted, if you're on a laptop you'll still have an internal microphone which can't be muted except through software.

What we really need are laptops sold without microphones and cameras. Then you can just use external ones only, and be sure that no one's listening/looking when you unplug them.

Usually software only captures one mic at a time.
Unfortunately, even if a company offered this, in today's world the product would likely have a hidden microphone that isn't listed on the featured hardware.

Much like the old physical typewriters had spyware hidden on them without the users knowledge. I would be willing to bet that every keyboard has something similar today.

It's also striking to see how many people believe that they can trust the 'little indicator lights' on their microphone and cameras to actually indicate that their physically cut off from power. Very, very few devices are made in a way that this is true, and I would be hard pressed to believe it even if it was started in a manual unless I physically checked the equipment.

Ultimately, just assume that the entire world can scrutinize everything that happens on or around any electronic device... so everything, all the time.

Technically any speaker can also potentially be used as a microphone.
It's simple. Most video conferencing apps that I've used will let you know that your mic is muted when you try to speak and your mic is muted.

If you think they're doing something else, then don't use it. If you think you don't have a choice because your employer requires you to use it, your choice is not in whether or not to use the software. If it's something you care about, there's always a choice.

I don't think an application has to actually do anything with the audio data in order to retain its access to the microphone. I'm not an expert here, but I'd imagine it's something like this:

    mic = grab_access_to_mic()
    while app_is_running:
        if (is_muted):
            pass
        else:
            send_that_audio(mic)
It also mentions some of the apps sending the muted audio "to the cloud", which seems completely unrelated to retaining access to the mic.

Also, seems like an honest mistake, but I think they got this backwards, right?

> They used runtime binary analysis tools to trace raw audio in popular videoconferencing applications as the audio traveled from the app to the computer audio driver and then to the network while the app was muted.

Wouldn't it be driver -> app -> cloud? I think I'm splitting hairs at this point though.

Lastly, it would be nice if this article at least listed the apps that were investigated.

Exactly the reason I use a headset with a boom mic. Flip it up to mute, and back down to activate. Love it.
wait till the wear and tear on that hinge breaks from doing this 50 times a day lol
> I'd be somewhat willing to bet continue to stream audio is also a quality assurance mechanism. Some networks will shape traffic according to load. A quick jump in bandwidth can introduce unexpected jitter and latency. By continuing to stream audio (but not necessarily process or re-transmit), video conferencing can better ensure an un-interupted experience.

They don't have to actually send the data though in this case they should just send 0 padding. It's all encrypted presumably, so the only externally observable factor is the packet size.

have to agree, it's not well explained, but hardly seems like a smoking gun that google/zoom/skype are listening out for anti-government hysteria...
It could also be for background noise suppression when unmuted. This isn't a giant privacy concern, just be clear about what the mute button actual does for all the privacy people. Generally, when I'm on a Zoom call, I'm not expecting ridiculously high privacy, and expect my recipient and the service to have access to the conversation. If not, I would use Session.
Or how about an OS-level software mute? Like you have for muting the speaker.
At the hardware level, it takes 0 time (10's of microseconds at most for I2C connected codecs, maybe a millisecond for USB 2.0 sound card) to mute the mic input channel to the mixer sitting before the A/D converter.

If it takes any more than 0 time, it's caused by badly written software.

I wouldn't blame the HW for the privacy issues, here.

Yep, plus on many apps, if you're speaking while muted, a popup/toaster will show, notifying you that you're muted and if you want to unmute.
I never enjoyed Lync/ Skype for business but one thing it did right was supporting mute on headsets in sync with the app.
> user experience

The “Think of the children!” Of privacy violators.

Yeah pretty much. How exactly do people expect the "you appear to be muted and talking" notification to work... exactly? eye roll
> “With a camera, you can turn it off or even put your hand over it, and no matter what you do, no one can see you,” says Fawaz. “I don’t think that exists for microphones.”

Maybe it doesn't exist on whatever sleek glassy slabs they're working with, but the old Thinkpad, Elitebook, and Precision workstation laptops I have around me at the moment all have dedicated microphone mute buttons (the Precision has a Fn key combo, the others have physical buttons that do nothing but mute the microphone) that I reach for before trying to mouse over to a different mute button for a particular videoconferencing app.

I generally hate my HP laptops' hardware, but this is one of the features that I really love and wish more computers had.

On the one I'm typing this on, the key actually sends a standard Media Mute signal, that can be used under Linux (complete with the LED coming on when it's muted). Ironically, this needs special drivers under Windows.

On my Thinkpad, this was still just interpreted as an OS-level keyboard shortcut, as far as I remember.

A solution that actually (logically if not physically) deactivates any built-in microphone would arguably be at least as important as a "webcam shield".

Apple does this for the built-in microphone for their newer laptops, but that benefit is immediately negated when e.g. connecting a USB webcam that also contains a microphone.

Yes those mute lights have been stuck on "lit" (= "mute") on my Windows forever, both the mic and speaker lights. However recording and playback work fine, the lights just stay on. Very annoying, a little unsettling.

My daily driver is Ubuntu where both lights work fine, on the same machine (dual boot). But now I know not to trust them.

Lenovo ThinkPad P51

Check out if you can disable the mic in Audio MIDI Setup on Mac OS X. I tend to use the built in webcam so I’ve never looked on an external one, but in theory you should be able to selectively disable the input/output of any device via its interface. I do this to disable the mic on Work equipment and use my own AirPods as the mic input.
On my T480s the mic mute button is handled in hardware/low-level firmware however all it does is set the mic input level to 0%, where the OS can trivially set it back to 100% if it wants.

At least the LED on the button is driven by firmware based on that level, so it lights up only when the mic level is actually at 0%. While it won't prevent the OS from raising the volume, at least you'll know about it as the mute light will go off.

Do these mute buttons actually hardware-mute the mic or do they send a keycode to the OS?
Usually the second. If you have multiple buttons to do it (for example dedicated button + Fn+F4 combination) then it's almost certainly software.
They seem to do both, at least on some models? On my thinkpad running openbsd, the speaker mute can become desynced. Audio won't play unless both are unmuted. Pushing the button will flip flop the software state, but not the reverse (although I believe that code could be written, it doesn't exist). So if you soft mute, then push button, hardware mutes and software unmutes, but sound still doesn't play.
I always use the key mute button on the Thinkpad, but anyway it can be muted in the system menu easily (at least in XFCE).

(In fact, I just checked in Gnome, the menu does not expose microphone volume, it's only available from the settings window.)

I'm going to guess the hardware switches and key combos went away because they are too confusing for users. I remember constant complaints of "Internet doesn't work" because the wifi hardware switch was turned off. And as the saying goes, if the majority of users are using it wrong, it was designed wrong.

I think Apple picked the right middle ground by making access to the mic and camera a permissions request as well as showing a clear indicator to the user whenever these are active. Steve jobs said the best UI is to ask the user for their data when you want it and keep making them aware of this access every time you use it.

The problem with software-controlled permissions is that nation-state actors (who have unbounded resources) can snoop on your private matters with significantly greater ease.

At least with a hardware switch, someone would have to physically intercept the air waves in the room you're in. In software, the surface for OS-level vulnerabilities is massive, and state sponsored mass surveillance just gets easier.

Sadly, this is a trade-off we have made as a society for "ergonomics".

This line of argument is bikeshedding at it's finest.

If Mossad is out to get you, they are going to get you, no matter what you do. The threat model for 99.999% of the population doesn't include bespoke attacks from three letter agencies.

Use a Mute Me device. https://muteme.com/
This seems to just toggle the video conferencing software's native "mute" function, which is exactly the scope of this article.

How would that help here?

Isn't it common knowledge by now that cameras and microphones are still "on" even if you disable it at the software level?

Zuckerburg has been taping webcam/microphones/etc for a while now. Though being the CEO of a major corporation requires you take privacy more seriously.

https://www.macworld.com/article/228326/mic-drop-how-to-keep...

Probably not in the general population, I would guess from my friends and family. Or they just don't care, also possible. ^^

Even those that used to tape over webcams (some started doing so after the Snowden revelations in '13) gave up on that during the pandemic, due to video call after video call and "webcam taping fatigue". Webcam shutters in non-business laptops would be great. :D

Audio is another beast and way harder to solve, as there is no tape or (cheap) shutter that can really block a microphone, and physical disconnects are probably not a feature in most customers eyes, as they have no optical feedback, like webcam shutters. So they could, to most people, maybe only be a source of "why does my audio not work - ah, the stupid button" frustration. :/

> being the CEO of a major corporation requires you take privacy more seriously

My privacy is as valuable to me.

Zuckerberg is an attractive enough target that someone would go to the trouble of trying to compromise his MBP's iSight firmware (and such compromises have been proven to be possible, and pretty easy in pre-T2 macs.)

The tape, however, is probably about really making completely sure he doesn't accidentally show video on a call or videoconference when he didn't mean to.

Video could easily reveal even his approximate location (via shadows and such), and that could potentially lead to deriving, say, that he's working on an acquisition or talks with another company, leading to stock manipulation/speculation and so on.

> Isn't it common knowledge by now that cameras and microphones are still "on"

No. Can you provide evidence.

Because that would imply that applications are routinely bypassing OS security controls. Which at least on a Mac requires a sophisticated compromise i.e. the camera light is directly linked to the camera itself via an independent subsystem.

Instagram uses camera as soon as you open the app, as it's a relatively slow process to fully load the camera and make it fully usable in a way Instagram devs intended to.

They've admitted it themselves. Not sure about microphones.

Wrong.

On iOS there is an orange/green dot in the menu bar that indicates when the microphone or camera are in active use. The dot appears when you try and use say the Live feature but at all other times it does not appear.

My point still stands that unless apps have compromised iOS/OSX it is NOT true to say that the camera/microphone are always on.

I always noticed that the Mac version of Zoom stays open in the background rather than closing after you finish a meeting. Very sus. I have to manually close out the app.
Yes, I think we know this: how else do they think it's possible for Teams (or other videoconferencing app) to warn you that you're muted when you start talking whilst muted without the mic being switched on?

I'm not saying there's definitely not anything sinister happening here in the case of every videoconferencing app, but there are legitimate reasons for leaving the mic on that are about improving user experience, not spying on you.

My team and I built some of the world's most decentralized videoconferencing software, using WebRTC. You can try it on https://yang2020.app/meeting for example ... but it's available in all of our apps, including for teachers, etc.

Since a major point of our platform (qbix.com/platform) is to avoid relying on external third parties, that meant we built a version of livestreaming that is completely peer-to-peer. Imagine a giant tree at whose root are the WebRTC participants "on stage", the ones getting their feed directly get the least lag, and then people just join different parts of the tree (and ask to rejoin if the parent node dropped out or is too slow).

Here is what we learned:

1. On some platforms, it's hard to turn off the audio listening, because you can't turn it back on later. So you have to just disconnect the audio stream going out, but it's still being captured.

2. When someone is "muted" in a chat, what this really means in P2P setups is that the peers have to "respect this setting" and simply ignore the audio/video stream that the one muted is sending.

3. Sometimes, it's very valuable from a business standpoint to grab the incoming video, and do eye recognition and face tracking (yes we support all that too, in our platform, it's available in Javascript). So a teacher can, for example, take attendance and know which students are no longer present or engaged, without actually seeing their feed. All of it is done on the client side of the student, and with their consent.

Each of 1, 2, 3 can lead to a determined "hacker" kid making it seem like they're listening when they're not, etc. But there are some cool tricks to make it really hard and expensive to pull off perfectly.

We use this, for example, to award credits to people for completing educational materials or listening to a show, as with https://ftl.fm

Might want to hire some marketing and product branding agency folks to make sure you are branding this in a way that seems safe and trustworthy, so people will try it out and you can increase engagement and adoption.
That sounds like a great idea, but how much would it cost? We are kind of strapped for cash.
2) Seems like a waste of bandwidth, did you consider the use case that turning off the video stream might be done to try to reduce bandwidth usage either due to cost of bandwidth or bandwidth being limited enough to break other simultaneous needs? And since 3) while creepy, is at least done on the client so does not seem to require the stream to always be sent to the other clients.
Well, yes, it can be turned off and yes it can be not sent, but that's at the discretion of the client. They can "hack their client" to send it anyway which is why everyone has to "refuse" to receive it from a "muted" client, as well. It's a second line of defense. Never trust the client.
> Sometimes, it's very valuable from a business standpoint to grab the incoming video, and do eye recognition and face tracking ...

this should 100% be opt-in. Think what kind of future is being created.

it's a core feature of the app, in this case it's opt-in by the TEACHER, the student can simply choose not to participate in the course
I'm fine that the app locally still processes the audio stream - even if I'm muted - to show me a warning if I start talking while muted etc. The alarming part in the article is that at least one app would still send the audio stream _to the server_ while being muted. Any mentioning which "popular app" that is?
At least as far as not giving up microphone access is concerned, when using Bluetooth headphones, this is very much desirable:

Deactivating the microphone usually is seen as a signal by the OS to switch Bluetooth headphones from two-way conferencing mode (low latency, mediocre quality) back to "music" mode (high latency, good quality). This usually takes 2-3 seconds and disrupts all sound being played (most notably other people talking in the meeting).

I wouldn't want that to happen every time I mute myself.

Continuing to send data to the conferencing bridge is indeed quite shady. Hopefully this would just be (encrypted) silence or comfort noise parameters, which can be useful to e.g. keep NAT mappings alive.

I’ve often used Bluetooth headphones with a physical microphone switch (boom arm up) and there is never any disruption to the audio output.
This is entirely in line with my understanding of how these products should work.
The most unsurprising thing ever. Hardware switch would be the only way to be sure. (Apparently modern macbooks do hardware disable the mic and camera when the lid is shut)
The lack of a physical button to control camera and microphone access is really annoying. At least with a camera, I can cover up with a patch but I can't do anything about my microphone.
I am generally against new government regulations, but I would most likely support a law that requires all microphone and camera elements have an LED hard-wired into the power wire/trace. If the sensor is powered, the user should be able to tell.
The case where the school administrator was spying on kids - the macbook light would quickly turn on and then off and you had to look carefully to see it.
It's obvious that Zoom is listening, because if I try to speak when I'm muted, it tells me that I'm muted.
I always use my browser instead of these native apps precisely so I can deny microphone permission whenever I want it muted.
It would be nice if you could also have this level of control over native apps.
Once you use something like the Jack Audio Connection Kit it's hard to understand why a user-controllable system-wide audio graph isn't just the default thing baked into the kernel API.

I have full control over all apps. It involved some extra effort creating a fake ALSA device that sends/receives from JACK, but once it's in place, all audio connections become points you can easily make and break in the graph.

Purism's laptops (and cell phone) all include hardware kill-switches for mic and webcam (and also the radios, bluetooth and wifi)

https://puri.sm/

Years ago, an engineer working in videoconferencing told me that the algorithm they used for avoiding feedback loops involved listening at how it comes out at the other end.

I suppose that perhaps there could be audible artefacts when muting/unmuting if these algorithms didn't continuously do this.

This is the exact reason that made me develop MuteMyMic. I was really fed up with all these apps that alter input volume behind your back. Now, I can at least know that somebody is playing nasty as MMM beeps whenever mic's volume was changed.

This is not an advertisement ;) I no longer actively develop this app, however, I am still a happy user ;)