58 comments

[ 4.5 ms ] story [ 130 ms ] thread
I found this page after being pitched the service directly by a salesperson at Cox Media Group. They're claiming to target ads in real time based on private conversations overheard by people's phones.
Honestly impressive if they found a way to passively activate the mic on iPhones without the indicator being on and someone noticing. Because if all they get is some mic data when apps record like Snapchat that's gotta be some low-value data.
It’s almost certainly that – the alternative would hopefully get all apps implicated in that scheme kicked out of the App Store immediately (for circumventing the user-facing privacy settings).
> a way to passively activate the mic

Two comments:

   1) I would not be using the singular, even if there is just one mic that you can turn on-off. From an audio perspective it makes perfect sense with extra microphones to measure ambient noise levels in order to improve quality in the consumer-operated mics and speakers. Also, in case the phone has some voice-enabled "assistant" feature that you can just speak to by name, like, eh, Google/Siri?

   2) I would not blindly assume that you, as a user, can dictate which of these microphones are turned on/off, or when.
But then, that's just me.
I'm guessing this wasn't intended for public consumption, can't believe they even left this online!
> Our technology provides a process that makes it possible to know exactly when someone is in the market for your services in real-time, giving you a significant advantage over your competitors. Territories are available in 10 or 20 mile radiuses, but customizations can be made for regional, state and national coverage.

> CLAIM YOUR TERRITORY NOW, THEY ARE GOING FAST!

Wow.

How does this work with device permissions? Assuming most of these conversations are happening when there is no app in the foreground.
This works via an SDK included in many spammy freemium games you see advertised on instagram. They refuse to work without internet and permissions to do this.
On an iPhone, can they actually access mic input without the indicator being on?
No.

An insecure enough sensor implementation can pick up sound from the gyroscope though.

> Is this legal? YES- it is totally legal for phones and devices to listen to you. That's because consumers usually give consent when accepting terms and conditions of software updates or app downloads.

facepalm

also because a telephone needs to listen to you in order to work as a telephone?
Making a phone call doesn't require the phone to "listen" to you, i.e., to understand what you're saying. It's just encoding an analog signal from your microphone so it can be reproduced for the person you're calling. Our laws make a big distinction between this, and having a third party listen in on what's presumed to be a private conversation.
They seem to be missing an "is this ethical?" Q&A.
Even if you've consented to being recorded, that other person you're talking to hasn't consented. So if you're in a state with all-party consent laws, hasn't the listener violated the wiretapping law?
~Where is their CCPA request form?~ Nowhere in California is listed under "Markets"
If Apple was just a little more petty, they could just show this page in an ad to kill off another share of the remaining Android market
Why? Android’s microphone permission UI works pretty much the same as iOS these days, as far as I can tell.
Why? This isn't android only. It is also on Reddit and OP said the sales rep said android and iOS.
To software engineers who worked on stuff like this: how do you sleep at night? To PMs/leaders who push to include these listening SDKs in your apps: do you ever worry about vigilante justice?
One team is told they're building software to help students record their classes on automated basis (based on time/location). Another team repurposes that code into an API that can be added to random mobile games for chatting with other players. Nobody really ever knows where their code is ending up, and nobody ever directly built the functionality knowing its intended purpose.
I do not think this is really true. At some point you know what's happening. At least partially.

People/society is like that, people do this for $$$

> people do this for $$$

Probably, for $$, or even for $.

But other people sell it then for $$$.

The other team would be the one the OP is questioning.
> To software engineers who worked on stuff like this: how do you sleep at night?

Their salary is getting paid. Decent chance these days most of them work in India.

> To PMs/leaders who push to include these listening SDKs in your apps: do you ever worry about vigilante justice?

That smells like almost a flaggable threat. Very "won't someone rid me of this meddlesome priest" kinda vibes.

Also, haven't we figured out that we need to stop making societal problems a question of individual average-person morals? We're never going to recycle our way out of global warming, and we can't rely on all the software engineers in the world to down tools to prevent these kinds of business models. We need to start passing laws against this kind of shit (and, yes, we need hold the individuals that we elect to power to higher moral standards).

The broken English and slight technobabble feel makes me suspect this is some sort of scam, or at best an overly optimistic marketing page for something that doesn't do most of the things on offer.
At best, the audience data it claims to have is from the lowest of the low common denominator who never use security/privacy settings and leave admin/admin turned on on their routers.

I can't imagine this targeting is possible for all devices but I've been surprised deep diving into apple dev specs to find out there is always a workaround..

Apple notifications allow device location tracking for example (yes even if location services turned off).

> Apple notifications allow device location tracking for example (yes even if location services turned off).

How?

https://developer.apple.com/documentation/usernotifications/...

https://medium.com/@jonathan2457/location-triggered-notifica...

"Because the system actually monitors the regions, you don’t need to request always permissions for your app"

Can apps access the information whether a location based notification has been delivered even when the user does not click it?

In any case, this is quite visible to the user. I’d definitely be suspicious about apps showing me this kind of notification without asking for it.

It might be a non-issue but it was certainly interesting to discover that an app can have "only in-use" permissions yet trigger location based events while closed.
As I read it, this is not data that can be extracted by the app but a black box the phone’s internal systems handle? Not an iOS developer
Perhaps, but Cox Media Group is a pretty fair sized company, and its parent, Cox Enterprises, is a giant. This isn't some company made up to push this specific service.
(comment deleted)
Cox Enterprises isn't actually the "parent" of CMG, they're a minority stakeholder. The principal owner is a private equity firm called Apollo Global Management.
Appears you're correct. I assume it was spun off from Cox and then they sold the majority stake. Regardless, it's not some shell created to perpetuate a scam; it owns a ton of tv and radio stations.
To me it's pretty clearly the same targeted advertising available anywhere with the extra claim of using "voice data". It doesn't say what the voice data is or where it comes from. They could say that when people do google searches using Siri/OkGoogle/the microphone option on Google - it's information they would use in an anonymized way to target ads, or rather Google does on your behalf, and it's technically a derivative of voice data.
I clicked through to my "market". There was a bunch of boilerplate text and said something like "Contact us to find new customers in <not my market>".

While it might be an honest mistake, I smell an angle / fake site.

It's legit, it's part of Cox Media which is headquartered in the same building as this company. Although I think maybe this page wasn't supposed to be published yet.
Cox sells voip phone service, and cell service, and has cable boxes.

That's probably where all the 'listening' is happening.

Anyone know how this relates to some states' two-party-consent laws?

E.g., suppose person A is carrying a smart phone, and has an apparently private conversation with person B.

Is person A civilly and/or criminally liable for allowing his cell phone to record the conversation?

And, for example, if Cox Media Group made commercial use of that secret recording, could they be liable because they had no good reason to believe all parties consented to the recording?

I've wondered similar things ever since "smart speaker" devices started to become common. I live in a single-party consent state so technically if my friend consents to have their conversations recorded it's moot from my perspective, but what about if they leave on a quick trip to the store while I stay in their apartment and say random shit to their cats? (Yeah, it happens sometimes.) Alexa doesn't have permission from me or the cats.
> if Cox Media Group made commercial use of that secret recording

I don't think the law cares whether the recording is used for commercial purposes or not. It's the act of recording itself that would be illegal.

Maybe they don't need to record the conversation at all -- maybe they interpret on the fly and just preserve observation notes (likely to need tires and a birthday gift for 15 year old male).
I would like some sort of law that requires all microphones to have an integrated LED.
Would that really help? It would be continuously on for me (because of my phone listening for “Hey Siri” locally).

The OS-level “an app is using your microphone right now” indicator seems like the right trade off in most scenarios.

This is a marketing page. It's unclear what the company claims it's actually doing on a technical level, and for that matter whether it's basically snake oil.

While it's interesting (and ominous) if there's anything substantial behind their claims, without any technical details or real substance this is a bad fit for an HN submission, and I've flagged it as such.

I'd add that only two submissions were ever added from this domain, both within 44 days (as for 2023-11-14) and both are the same article.
Hmmm smells fake.

But if not, the EU will solve this, I hope

Lol no they won't. They use that data.
I can't wait for them to end up inside a product sold in the EU. The GDPR enforcement would be entertaining to watch if they bring this argument.
They should make their campaign more targeted using their own tools.

"Hey, we know that you are the head of marketing of xyz, and we overheard that you are just discussing budget. We have a great idea for you..."

No doubt this will work well.

I'm skeptical this is what people might think it is. To be clear, I think most readers would interpret this as "your phone is surreptiously listening to you via your microphone." If that were true, then there would be telltale signs of resource draw. Handling rich audio data has practical costs, whether battery, CPU, network, memory, and/or disk; that data has to be stored, transmitted, and processed somehow. I've never seen analysis that shows that's happening. Not to mention this capability is beyond what audio capture APIs in Android and iOS offer, as far as I know.
I would guess it is limited to certain applications that use more sketchy advertising SDKs, not anything mainstream
Agree. I’ve disassembled a few big-name social media APKs and looked for the API calls to activate the mic and it’s only there where you’d expect when eg recording audio for a post. This makes a lot of sense when you consider how much legal trouble they’d be in if they were found to be recording without consent.

I’m guessing here that this link is just exaggerated metaphor or using something like background sounds from people triggering in-app voice assistant search or something really low-quality like that.