
FTC Issues Warning Letters to App Developers Using ‘Silverpush’ Code - senthil_rajasek
https://www.ftc.gov/news-events/press-releases/2016/03/ftc-issues-warning-letters-app-developers-using-silverpush-code
======
kabdib
IIRC, there was US legislation in the 1990s that required phones to have an
indicator to be _wired in_ that lit up when a microphone was enabled.

Either this was relaxed, or reinterpreted (or I'm mis-remembering), and it was
deemed okay to activate the LED with firmware. Clearly a mistake. And it
probably only applied to land-line phones.

~~~
comex
iOS really ought to put a "currently recording audio" icon in the menu bar, in
addition to the existing one-time permission request. Sophisticated hacks
could bypass it, but it would at least help in more pedestrian scenarios like
this one.

~~~
dan1234
It already does! The menu bar turns red, with the name of the app using the
microphone, as shown in this example[0] where Shazam is backgrounded but
listening for songs.

[0] [https://imgur.com/a/OzS4Z](https://imgur.com/a/OzS4Z)

~~~
comex
Yeah, I know about that. But that doesn't really help if the app only listens
while foregrounded. (In that case the red bar does usually show up briefly
before the app responds to the backgrounding event, but that's not very
noticeable and basically a bug.)

Location Services is a model here: like sound recording it asks for permission
first, like sound recording it flashes the menu bar if an app is using precise
location in the background, but there's also a small icon that shows up in the
menu bar whenever it's being used, even by the foreground app.

------
tshtf
It must have been nice while it lasted.

Android's capabilities system is much better with Android 6.0. Apps targeting
the latest SDK require users to accept permissions at runtime, and those built
with previous SDKs can have capabilities disabled through settings:

[http://inthecheesefactory.com/blog/things-you-need-to-know-a...](http://inthecheesefactory.com/blog/things-you-need-to-know-about-android-m-permission-developer-edition/en)

~~~
djrogers
That's not really going to fix these things - if you can open a mic in the
background without any UI to indicate it's happening, it will be abused. If I
write an app with a legitimate need for the mic and get permission to use it,
I can abuse it.

~~~
tshtf
Initial research suggests that few or none of the apps using SilverPush had a
legitimate use for mic permissions:

[https://public.addonsdetector.com/silverpush-android-apps/](https://public.addonsdetector.com/silverpush-android-apps/)

~~~
mmohebbi
I'm getting a redirect loop on that for some reason. Archive.org version does
work for me:

[https://web.archive.org/web/20160320170615/https://public.ad...](https://web.archive.org/web/20160320170615/https://public.addonsdetector.com/silverpush-android-apps/)

------
hackuser
Based on the letter, it looks like a weak statement by the FTC:

 _if your application enabled third parties to monitor television-viewing
habits of U.S. consumers and your statements or user interface stated or
implied otherwise, this could constitute a violation of the Federal Trade
Commission Act. We would encourage you to disclose this fact to potential
customers, empowering them to make an informed decision about what information
to disclose in exchange for using your application._

Note that there's a violation only if the developer's _statements or user
interface stated or implied otherwise_. By my reading, if the dev says nothing
and collects the data then they are not in violation; the violation occurs if
they lie about it. Also, the FTC doesn't require the dev to disclose anything,
they merely _encourage_ it.

However, I have no experience with these issues. Does anyone know more about
it?

~~~
tines
The FTC would probably argue (not saying it's a good argument) that _not_
implying that you _are_ collecting data is implying that you _won't_.

------
a3n
It would be cool to have an app that could alert you to the production of
these sounds. Then you could complain to the station/channel, and to the FTC.
Complaint to the FTC, with recorded evidence, could be included in the app.

It would be cooler still if the FTC made this app available.

~~~
cbhl
There are benign use-cases for this technology, though. For example, any
TV/Radio ads containing the phrases "Hey Siri", "OK Google", or "Alexa"
definitely _should_ contain an audio beacon so that your iPhone/Android/Amazon
Echo knows that a TV or Radio ad is playing, and not a human legitimately
asking for a command.

~~~
teddyh
…cue someone playing that inaudible signal continuously to block all people
nearby using their Siri or what have you.

------
baldajan
I've always been annoyed at hitting a few accept dialogue boxes with first
launch apps on iOS. Kind of glad now that they exist.

~~~
ianlevesque
Yes, in hindsight (and I say this as a full-time app developer) Apple had
exactly the right amount of trust for app developers - almost none. In the few
instances where things didn't require approval (for example querying a URL
scheme to allow for crude inter-app communication), they were abused by
even reputable developers like Twitter. Glad to see Google finally catching up
with Android 6.

~~~
icebraining
The J2ME/MIDP platform also had runtime permissions; for example, when I used
Opera Mini on my Nokia S60, it would ask for permissions to write to the
Downloads directory.

The MIDP security system probably had its flaws, but it seems weird that
Android simply ignored it and went with an exclusive ask-on-install model.

~~~
eropple
Agreed, but Android's made some pretty good strides on that front with Android
6.0. Just got it yesterday and, while a few apps were confusingly broken until
I went digging (my audiobook app looking in a no-longer-extant path for the SD
card, as apps get their own virtual storage path in 6.0), I'm pretty happy
with the changes.

------
jkot
Is not this wiretapping? Recording someone without consent is illegal in some
states.

~~~
dragonwriter
I think it's illegal in all states if no subject of the recording provides
consent, the split is between states with a one-party consent rule and an
all-parties consent rule.

~~~
colejohnson66
But doesn't agreeing to the ToS mean you agree to be surveilled?

~~~
brianwawok
ToS doesn't trump local law!

* By reading this post you give me the right to steal all your underwear

------
ianlevesque
It amazes me that television viewing data is still valuable to someone in
2016.

~~~
mhurron
You think people, or enough people, don't watch TV any more?

~~~
ianlevesque
Consumption of TV has moved almost entirely to platforms that can track that
data themselves (for example through a set top box or directly on the web),
without requiring someone to have a smartphone turned on, running spyware, in
the room.

~~~
mikeash
I think this data is still useful because there isn't a one-to-one
correspondence between those devices and the viewers. A box might be left on
with nobody around, or it might be the center of a viewing party with twenty
people. They also want to know who is watching, since demographics count for a
lot.

~~~
JoshTriplett
And the people using such invasive apps aren't the people running those boxes,
either, so they don't have access to the data.

------
an_account
It'd be nice if iPhones had an indicator symbol for when the camera or
microphone is enabled.

~~~
kobayashi
Agreed. There's an indicator for when the mic is activated in the background,
but not when the use utilizing app is in the foreground. Nothing at all for
camera activation.

------
caf
I wonder if it's technically feasible for the TV to filter these kinds of
inaudible beacons out, without severely degrading the sound quality?

