
Shazam Keeps Your Mac’s Microphone Always On, Even When You Turn It Off - qzervaas
http://motherboard.vice.com/read/shazam-keeps-your-macs-microphone-always-on-even-when-you-turn-it-off
======
wmeredith
"When a user of Shazam’s Mac app turns the app “OFF,” the app actually keeps
the microphone on in the background. For the security researcher who
discovered that the mic is always on, it's a bug that users should know
about."

That's not a bug. It's intentionally deceptive software.

~~~
myowncrapulence
Is this not illegal? Wouldn't this software be considered "hacking" as it is:

"modifying or altering computer software and hardware to accomplish a goal
that is considered to be outside of the creator's original objective"

~~~
hobarrera
> "modifying or altering computer software and hardware to accomplish a goal
> that is considered to be outside of the creator's original objective"

How would you make "keep a microphone open for faster startup (which is the
creator's original objective)" fit into the above definition?

~~~
myowncrapulence

> (which is the creator's original objective)

It's not macOS' original objective.

------
sveiss
"If the mic wasn’t left on, it would take the app longer to both initialize
the mic and then start buffering audio"

Leaving aside any privacy concerns, it's reasonable that everybody with this
installed loses some battery life leaving the audio hardware powered up all
day on the off-chance they might want to tag a song at the very last moment at
some point?

It's not like the latency to start an audio stream on the Mac is huge to start
with.

~~~
CodeWriter23
Add to that, they're saying they don't send the recordings out except they do
send only “digital fingerprint summaries of the audio.” We all know they mean
"hashes" which can be reversed, given the correct set of circumstances.

~~~
nicky0
Yes, identifying the songs you listen to is the whole point of the app.

------
pmontra
They should start building hardware switches on mics, cameras, WiFi, Bluetooth
etc. And we should be able to check that they really work.

~~~
Joof
I also like the idea of building the notification LED for cameras directly
into the circuit so that it can't turn on the camera without the LED.

~~~
shostack
But honestly, most people won't audit the wiring of their device. I wonder if
a more low tech solution is the answer...a cover for cameras and some sort of
sound blocking cover/plug for microphone holes.

~~~
dredmorbius
That's the same argument that's been applied against open source software for
decades now.

The reality is _you don't need everyone to audit their devices_, you only
need there to be credible auditors. Better: standards mandates that require
isolation of any ambient capture devices.

In the alternative, the ability to flood and overload such circuits might be
of interest.

------
orbitingpluto
Shazam keeping the microphone on at all times on the Mac shouldn't be a
surprise considering that it is already well known that Shazam has been
keeping the microphone on at all times on the iOS platform.

(sorry for the forbes link:
[http://www.forbes.com/sites/katherynthayer/2013/12/19/the-al...](http://www.forbes.com/sites/katherynthayer/2013/12/19/the-always-on-auto-shazam/#30088907b787) )

~~~
zimpenfish
You have to specifically enable that and you get the big red status bar that
tells you the microphone is on.

Unless there's a way for an app to use the microphone without that appearing?

------
nkrisc
On the radio today I heard a commercial instruct listeners to "Shazam this ad"
to learn more about whatever it was they were selling. That commercial angle
for Shazam is fine, but it makes the fact they keep your microphone on feel a
little more creepy.

~~~
dbot
I've seen similar logos pop up during commercials - this seems directly
related to that marketing effort. Still, I wonder who would rush to get out
their phone and open up Shazam, just to learn more about this product/service?
It's not any easier than a Google search. It's basically an audio version of
the famous tech flameout "CueCat."

~~~
atomical
If they incentivize it with a discount or free sample they might.

------
phs318u
This kind of behaviour is what led me to install Micro Snitch [1]. I'm sure
there are Windows and Linux equivalents.

[1]
[https://obdev.at/products/microsnitch/index.html](https://obdev.at/products/microsnitch/index.html)

~~~
mi100hael
The article mentions OverSight [1] which is free.

[1] [https://objective-see.com/products/oversight.html](https://objective-see.com/products/oversight.html)

~~~
DrScump
Are there Android and/or Windows and/or Linux implementations, or other apps
that work similarly?

~~~
nitrogen
Linux has netstat and fuser from the CLI, but they can miss short-lived
processes.

    fuser /dev/snd/*

Will list most processes using audio
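
An added example, not part of the comment above: the same check as `fuser /dev/snd/*`, done by walking `/proc/<pid>/fd` and sampled repeatedly so that a process which opens the device only briefly is less likely to be missed. The function names `audio_holders` and `watch_audio` are hypothetical, and the script assumes Linux with ALSA device nodes under `/dev/snd/`.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Lists processes that hold an ALSA device node open by reading /proc/<pid>/fd.

audio_holders() {
    proc_root=${1:-/proc}        # parameter so a constructed tree can be scanned
    dev_prefix=${2:-/dev/snd/}
    for fd in "$proc_root"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue                      # no match, or fd vanished
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            "$dev_prefix"*) ;;
            *) continue ;;
        esac
        pid_dir=${fd%/fd/*}
        pid=${pid_dir##*/}
        comm=$(cat "$pid_dir/comm" 2>/dev/null || echo '?')
        # ALSA names PCM nodes pcmC<card>D<device>c (capture) or ...p (playback)
        case $target in
            */pcm*c) kind=capture ;;
            */pcm*p) kind=playback ;;
            *)       kind=other ;;
        esac
        printf '%s %s %s %s\n' "$pid" "$comm" "$kind" "$target"
    done | sort -u
}

# Sample the table for a number of rounds and report each holder only once.
# Polling narrows the window for short-lived openers; it does not close it.
watch_audio() {
    rounds=$1; shift
    seen=$(mktemp)
    i=0
    while [ "$i" -lt "$rounds" ]; do
        audio_holders "$@" | while read -r line; do
            if grep -qxF -- "$line" "$seen"; then continue; fi
            echo "$line" >> "$seen"
            echo "new: $line"
        done
        i=$((i + 1))
        if [ "$i" -lt "$rounds" ]; then sleep 1; fi
    done
    rm -f "$seen"
}
```

Run as root to see other users' processes, for example `watch_audio 60`. On desktops running PulseAudio or PipeWire the sound server is usually the process holding the device node, so the per-application view has to come from the server (for example `pactl list source-outputs`).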

------
guihub-io
It seems to me that Shazam turns the microphone on as soon as the app is
launched on iOS.

Yesterday I wanted to Shazam the second song of an Instagram video playing on
my computer. The app was open while the first song was playing and I pressed
the record button as soon as the second one started playing. I was really
surprised to notice that the song found by Shazam was the first one and not
the second.

~~~
gcr
Just ask Siri, "What song is this?" It uses Shazam and doesn't require the app
to be installed.

~~~
ChristianGeek
You can also ask her to "name that tune!"

------
serge2k
> If the mic wasn’t left on, it would take the app longer to both initialize
> the mic and then start buffering audio

How much longer?

~~~
EwanToo
You need 3-5 seconds of audio to do the recognition.

It sounds like Shazam is storing the 5 seconds buffered, ready to hash then
upload when you press go

------
nathanaldensr
Why is Pearson so arrogant about this? Shazam doesn't control my device, I do.
What's to stop any other software vendor from ignoring the configuration with
whatever justification they want to use?

~~~
thieving_magpie
> Shazam doesn't control my device, I do.

I'm not sure how you can be confident in stating that as fact. I'm not at all.
In the US there are many issues with switching carriers, for one example.

You state that you're in control of the device but then say "What's to stop
any other software vendor from ignoring the configuration". Ignoring what
seems like a contradiction there, I think we would have different definitions
for what it means to control your own device.

------
mstade
At first I thought, this Oversight app sounds like it could be useful. And
then I thought, how do I know this Oversight app isn't spying on me? Ex-NSA
author unfortunately isn't something that makes me _more_ confident in the
tool. Why am I even worried that someone is spying on me? Oh how I miss
blissful ignorance sometimes.

~~~
JadeNB
> And then I thought, how do I know this Oversight app isn't spying on me?

While I agree that you don't know that this app isn't spying on you, surely it
doesn't _decrease_ the trustworthiness of your computer? In some sense, it
seems to me like centralising all your distrust in a single person: you now
have only to trust the author of _this_ piece of software, rather than of
_every_ piece of software you use.

~~~
mstade
My point wasn't so much whether _this_ app spies on me or not, but that this
is now a question that has to be asked for _all_ apps – no matter who you are
really. It's a sad state of affairs.

------
dom96
I use the iOS Shazam app rather often and always wonder why it takes it so
long to launch. Even after it launches, I cannot immediately press the
"Shazam" button (this is rather infuriating sometimes). Could initialising the
mic really take that long, even on an iPhone?

~~~
calvinbhai
Initializing any hardware takes some time. Be it the microphone, the speaker,
the taptic engine (or making the phone vibrate at the exact moment), or
access to location (GPS can probably be the longest initialization time), all
need some initialization time before they can be used as expected.

~~~
nitrogen
Opening an audio device and starting recording should take less than a few
hundred milliseconds.

Shazam may be looking backward in time to build its fingerprint, so it would
need to buffer some audio first.

------
rasz_pl
I'm having Chromium hotword flashbacks

[https://bugs.chromium.org/p/chromium/issues/detail?id=500922](https://bugs.chromium.org/p/chromium/issues/detail?id=500922)

------
chx
> If the mic wasn’t left on, it would take the app longer to both initialize
> the mic and then start buffering audio

> the mic is kept on “for technical reasons” but “no audio is processed

Beg your pardon? That's two contradictory statements. You are either
buffering the audio or not. If yes, then the "no audio is processed" is very
thin truth. If not, then the only time you win is what it takes for the Mac to
switch the mic on, surely that takes a very small fraction of a second...?

~~~
nicky0
The audio is buffered but not otherwise processed. I would not call buffering
processing. The statement "not processed" in the context is reasonable.

------
huehehue
Do other "on-demand" voice-activated apps use this same technique?

I know that Google Now, Siri, Amazon Echo, and others respond to commands like
"Ok Google [...]". Those devices must necessarily be listening if they're to
catch those voice commands, right? Or is there a more clever solution for
recognizing predetermined phrases?

~~~
wcrichton
Phones usually have fixed-function low-power hardware dedicated to listening
ambiently for phrases like "Ok Google." So yes, it is technically always on,
but no, it's not understanding what you're saying or uploading it to the
cloud.

------
dredmorbius
And this is why hardware devices _must_ not have onboard microphones, but
rather rely on jacked-in devices which can be isolated through physical
separation.

Note that Bluetooth is _not_ an acceptable substitute.

------
mabbo
So why have the 'off' button at all? If it doesn't change anything putting it
there is purely to trick users.

~~~
estel
It's not being processed when off.

------
andrewfromx
This is a very deep question: if you record audio and only a computer listens
to it, does anyone hear it? It's totally the tree falling in the forest with
no one around: does it make a sound?

------
yolesaber
If you're on a Mac, go to Sound in System Preferences. Click Input. Do you see
activity in the input monitor? That means your microphone has been on the
entire time you've used your computer and has heard everything you said. I
HIGHLY recommend disabling your internal mic. So does Apple.

[http://images.apple.com/support/security/guides/docs/Leopard...](http://images.apple.com/support/security/guides/docs/Leopard_Security_Config_2nd_Ed.pdf)

~~~
SimpleMinds
"activity in the input monitor"

Hi. Are you sure about that?

Using one of the other tools mentioned here (Oversight) it looks like
Microphone starts when you open Input and closes when you close Input tab.
Which makes sense as you do want to see Input feedback instantly. Mac 10.11

~~~
yolesaber
The point is that your mic is 'hot' if you don't turn the volume all the way
down. You don't need root access to run 'sox' or other audio capturing
scripts. Very easy to eavesdrop, as this Shazam example illustrates.

