Hacker News
Your phone is listening and it's not paranoia (2018) (vice.com)
74 points by rl3 on Oct 23, 2021 | 62 comments



This article is insane. It basically claims that

1. In 2018 our phones were constantly snitching on our conversations

2. The author verified this experimentally

3. No one can prove it because "it's all encrypted" (since, as we all know, "encryption" makes all forensics impossible)

4. "It's not a big deal" because "it's just an extension of television advertising".

With journalists like these, who needs disinformation? They'll spontaneously fabricate a better story than you could possibly feed them, just to get attention.


But our phones are listening. We took a long drive today, and my wife and I discussed homosexuality during a significant portion of that drive. Once we got home, my wife started seeing ads for gay bars and events in Sarasota. Neither of us is homosexual, for what that’s worth.

This isn’t the first time this has happened. Every so often my wife would suddenly see ads on Facebook about things we’ve just discussed in meatspace. You might call this anecdata, but to me it’s a pattern because it keeps happening.


Agreed. Similar speech-to-ad conversions have been happening for years now, and they are definitely not coincidences or confirmation bias.


Sar…sarcasm?


I usually don't believe in this stuff and think it's coincidence, but it does happen very often.

One thing that happened in my case, I think I was discussing with someone at a table-tennis club about someone playing squash and he showed me a livestream of that guy playing squash. When I got home I started seeing ads for places to play squash even though I never searched for it on my phone, but this is what I think happened: my phone and his were on the same network, so somehow the ad network associated my device with the "squash" keyword because another device on the same network searched for it.

I think this is usually what happens when you "discuss" with someone, that person or someone else in your proximity might search online for that thing and your device will be indirectly associated with that search.


And did you count the times it did NOT happen? How many times have you talked about a subject, and then no ad related to that subject appeared?

You're noticing the exception to the rule, not the rule.


I think you are throwing a great deal of water on this, but, it sounds like it could be independently testable, and verifiable. Now, we might need to know more about what make model of phone was in use, as well as apps, provider, etc, to replicate this. However, this could be turned into a test campaign with a test plan, treating this as any SUT. To determine if there is any substance to it, of course.

Given some of the more recent exposures of "Phone always-on behavior", constant telemetry [1], apps violating policy, FB & Google collusion around bid rigging, bypassing privacy laws, and data being sent to Facebook whether or not it was intended to go there, it sounds like it is within the realm of technical possibility, or that it is occurring in some situations that are not readily apparent, or a bug.

Maybe it isn't occurring too, that is a possibility also.

Given how much of the internet is trying to share data back with FB, Google, Apple, and many others just by looking at Umatrix/Ublock, and a few other privacy apps, there is no doubt that much of the mobile internet is really feeding data back to them all the time. Good luck controlling that on mobile though! And, I am not talking about back-end transactions either.

[1] https://www.tomsguide.com/news/android-ios-data-collection


This article doesn’t make any sense.

> For your smartphone to actually pay attention and record your conversation, there needs to be a trigger, such as when you say “hey Siri” or “okay Google.” In the absence of these triggers, any data you provide is only processed within your own phone. This might not seem a cause for alarm, but any third party applications you have on your phone—like Facebook for example—still have access to this “non-triggered” data. And whether or not they use this data is really up to them.

> “From time to time, snippets of audio do go back to [other apps like Facebook’s] servers but there’s no official understanding what the triggers for that are,” explains Peter. “Whether it’s timing or location-based or usage of certain functions, [apps] are certainly pulling those microphone permissions and using those periodically. All the internals of the applications send this data in encrypted form, so it’s very difficult to define the exact trigger.”

Now, I don’t know much about Android, but I do know how it works on iOS: the “Hey Siri” trigger is run by a specialized “always on” coprocessor that is designed to only detect the trigger word, and when it does it will power on the rest of the device to continue responding to the request. Until that happens your phone is pretty much entirely off: the AP isn’t powered. You can’t just “add a trigger” to listen to.

Plus, even if apps could somehow add triggers, or abuse background execution to do their own detection, you’d be able to see it. Bluntly: if you’re actually a “senior security consultant”, you need to do better than throw up your arms and go “boo hoo it’s encrypted who knows what is going on”. Reverse engineer the apps and find it…


You are correct. At least on early Android phones, there was a dedicated chip that monitored the microphone. Its capabilities were extremely limited - it can only be programmed to recognize certain phonemes (6 or so, I think?) and in a certain order, and when it hears them, it sends an interrupt to the main CPU which wakes up, starts recording, and sends the audio data to Google's servers.

Stuff has gotten more sophisticated (a sufficiently new enough iPhone can do background sound recognition for things like smoke alarms, barking dogs, etc to help deaf users - I think it uses significantly more battery, however), but there is no way in hell Apple and Google are letting others program or control this functionality.

I have said this over and over and over to friends and in online discussions: constant voice recognition or even just voice recording and transmitting would leave a huge footprint in terms of battery use, generated heat, data usage, and in the apps themselves (code and API calls). This stuff would leap off the page for any security researcher and be front-page mainstream media news.

And lastly, I point out that these companies do not do constant voice recognition...because they do not have to. Social media buttons, third party font services and javascript toolkits all feed Google and Facebook data about what pages you visit, at least from your IP even if you're not logged in. Google Maps alone constantly gorges itself on location and passively gathered bluetooth/wifi data, for example. Google sees the plain-text of any alert sent through Google Cloud Messenger, unless the app merely uses GCM to poke their app to retrieve the actual notification via their own servers, but Google still knows something happened involving you and WaterBNB, or Fleabay, or Shminder Dating, etc. Your device's presence on a particular network and its activity level from your usage tells them even more, and they can know a lot about what you're doing because all the "good stuff" in Android isn't in Android, it's in Google Play Services, or whatever they call it these days. Then there's all the mobile app analytics data companies.

One of the reasons I switched to a used iPhone was because the privacy preferences allow you to switch off a huge number of 'system' data collection stuff that Android doesn't. It does wonders for one's battery life when your phone isn't constantly collecting wifi/bluetooth/cellular/GPS data for location mapping databases, noting when you go into stores, collecting traffic data, etc. This year I (accidentally, thanks to a not fully seated cigarette power adapter) managed a 6 hour trip w/ Apple Maps navigation, and it only used up about half of my battery. I was stunned.


What’s “AP” here?


Application Processor. It's what you'd refer to as the "main" CPU running your OS and apps, as opposed to (say) the baseband chip or other coprocessor.


You’ve dived the source code?


No, because I don’t have it. But I’m familiar with how to use a disassembler ;)


They almost certainly aren’t listening to you https://mobile.twitter.com/RobertGReeve/status/1397032784703.... But the likely explanation isn’t any better imo.


What's scarier, that you saw an ad regarding very personal details of your life because your phone was listening, or even though your phone wasn't listening?

People see this happen and reach for an explanation they understand, "my phone must have been eavesdropping!" The truth is these ad and data companies know this about you without your phone having to listen.

To twist a quote from the Matrix: "So you're saying my phone listens to me? No, I'm saying these companies have such wide insights into your personal life and information that they don't have to listen."


When I notice this experience, it's usually because it's something I don't normally talk about. I don't believe that Facebook knows so much (about me and the people around me) that it knows about unlikely conversations I've just had based on (say) a conversation on a radio station I randomly heard while skimming through channels.

I'm willing to believe it's a coincidence combined with my brain happening to bring it to my attention; but I'd believe they're hacking my microphone before I'd believe in clairvoyance.


The reality is that they, the ad companies, caused you to think about it or talk about it in the first place without you ever realizing it. Ads work incredibly well on people even when they think they aren't susceptible.


What is more scary - they listened and then advertised to you or that you are so predictable that they can get you to talk about something totally random with your friends and then sell it to you all?


found the ad man.


I don't buy it for one simple reason. If they have so much data to target, why is their targeting so shitty and ad quality so low? If they had so much data, why not do something useful with it besides low quality ads?

I don't subscribe to them listening either, to be clear.


I don't buy this.

I was at a social outing some years back at a pub that I had been to a number of times before with some longtime friends of mine. Somehow we got on the topic of favorite candies from childhood. I mentioned Warheads.

I hadn't had one of those in two decades, and certainly hadn't seen any ads for them in a long time.

But still, the very next day, I was getting ads for them on social media.

Everyone I have ever asked about it has a similar story.

You could whip up some kind of explanation that a friend of mine searched Warheads later. Or maybe a nearby bar patron overheard the conversation and searched for the candies.

That just seems so unlikely, though. It was a minuscule detail in a larger conversation. But in terms of retail products discussed, it was one of only a few.


The chain of things that has to happen for this to work is implausible:

  1. The device has to record the things used by the always on mics listening for wake words somewhere, without any other developers figuring this out and sharing how it is done.

  2. Apps, using a background task, have to monitor those recordings, run speech recognition, and pick out key words, without anyone identifying this process.

  3. The apps then have to send those keywords back to the ad network, without anyone ever sniffing the network traffic and seeing this process.

Other methods are similarly implausible, for example it is unlikely the ad networks would be able to get the audio off of the device for cloud (instead of local recognition) without researchers noticing. The only method that I buy for this is that open apps have a way to turn on the mic without the OS notification that the mic is on and share it while the app is open. This is still pretty unlikely (would not be hard to sniff for example), but more than the other options at least.


That's not how any of these things work, at all. Much in the same way that Facebook and WhatsApp already hash direct messages and compare them to hashes of ad key phrases known to be effective, both audio and video can be hashed at the device level and sent as comparatively small strings, rather than large buffers of media. This can happen while the device is offline, and they can be easily sent along with routine data, which wouldn't even look out of place. Speech recognition doesn't even need to enter the equation at any point.


Using some sort of hash instead of transcribing the speech doesn’t change any of the things I listed that make this implausible.

There would need to be a background service that has access to the mic without using the official APIs (which show a mic notification) that somehow no one has been able to find for the 5+ years that people have been claiming this is happening.

The truth for all of these is probably that we are boring and predictable combined with some version of the Baader-Meinhof Phenomenon.


I'm not sure where you're getting your information, but it does not need to be a background service that's subverting a sandbox. It just needs to be a running app that has been given microphone permissions. Zoom and even basic voice memo apps, for example, can capture and send audio just fine even while another app is in focus, and can do so without displaying a microphone icon of any sort within the OS UI.

Most people blindly install applications with whichever permissions are requested, and the typical social media user won't ever be intentionally force stopping the app when they're done checking it, so they are always effectively running in the background -- presuming that some battery optimization hasn't kicked in. Facebook and others are very overzealous about their default permissions, and that inarguably, absolutely, 1,000% gives them the technical ability to do whatever they want with your microphone while the app is running, and their user agreement allows them to do anything they want with anything they capture from any source.

So, with all of that in mind, it is completely reasonable to expect that audio recordings could be hashed locally and sent as routine API data without it being at all obvious. I'm not necessarily saying that past research into these claims had the wrong conclusions, but you're definitely being very naïve and apologetic toward companies whose entire business models are based around invading privacy at all costs, and aren't afraid to collude[0] with each other to make those invasions happen without public pushback.

[0] https://news.ycombinator.com/item?id=28967575


There's not a 3rd party app on my iPhone that accesses the mic that does not show the microphone notification. Zoom shows the recording icon when open in the background.

> but you're definitely being very naïve and apologetic toward companies whose entire business models are based around invading privacy at all costs

I'm not being naïve and I don't have a Facebook for the reasons you mention. My problem is that you're making a lot of assertions with no backing and suggesting something that is extremely unlikely is true, so the burden of proof is on you to show that it happens or, at least, how it could happen.

Right now, I think it is highly unreasonable that the social apps are using exploits to gain access to the microphone without the OS being aware. Not to mention the challenge of hashing messy, real world audio for keywords.


I'm happy your iPhone shows you the notification in all situations, but that's not true for older iOS versions or any version of Android -- aside from maybe v11. So to outright claim that it's not possible just because you, personally, don't experience it, is plain silly. Especially because I, personally, can open any number of apps on my Pixel 3 right now and have them record in the background without a microphone icon ever being visible.

And as far as real world audio being a challenge, I think you might be slightly behind the times on the power of perceptual hashing. It's disturbingly accurate with very little context or effort.


It has been that way for a long time on iOS, I just checked and even a phone call requires the icon. Yet another reason not to trust Android devices.

I am broadly aware of perceptual hashing and its capabilities. Where I feel like you are underestimating the amount of work involved is in performing perceptual hashing without anyone noticing and then matching without anyone noticing. If you take the OP's example of “warheads,” where does the matching happen?

Are you suggesting the social apps are storing the hashes of everything people said and then sending them to servers to match against a list of perceptual hashes? Because then you’re just hashing the audio and sending it, which would be obvious. The other option would require a list of perceptual hashes to be stored on device and a local match performed, this would, again, be obvious because now the social apps would have to store a giant set of hashes locally.

For example, Roku and TVs use the former - they sample your content and send hashes off to a server for matching, this is identifiable in their network data and would, similarly, be identifiable in mobile app network data. Importantly, they’re sampling controlled data and can simply send an image hash every X-seconds, you can’t do that with the “warheads” example, you need to capture and send it all to catch the key words.


I hear what you're saying, but I think you're making a few assumptions that aren't necessarily always true or guaranteed.

As to the obviousness of sending hashes to a server, I can think of a dozen ways to make that look like routine API data that's getting synced during a routine polling process. The app is a black box until data hits a networking layer, and it can be made to look like anything they want before it gets there. Would they need to be acting deviously to accomplish this? Of course. Is it in these companies' nature and history to act deviously? You bet it is!

As for the complexity of matching without anyone noticing, I think you may be overestimating the amount of data needed to accomplish this task. They wouldn't need to record full conversations or phrases, or even have any context at all. As you and others have noted, they already have so much contextual information about us, that all it would take is successfully capturing a few words once in a while to really fine-tune their targeting.

Some very simple audio processing could easily chop up "probable" words based on any number of factors. It could throw out any recording that didn't meet some minimal requirements or seemed noisy. And at that point, you're just sending some strings to the server occasionally, no longer than the typical cookie.

And again, they already brazenly do this with Messenger and WhatsApp and everything else in the world that isn't Signal. So, that it's both technically possible and they have already invested heavily into such systems, makes this all a real possibility. At the very least, it's something that should continue to be investigated and actively monitored for, because even if the biggest of the companies aren't doing it, that doesn't mean nobody is doing it -- or doing it on their behalf.


Ha, I remember Warheads! Those were good.

Yeah, I've had one of those happen to me where it was just uncanny if it wasn't listening. I walked into work and my coworker was sitting there working and asked how I was. As I put down my stuff and was taking my lunch out of my backpack I was like, "I'm good, but my backpack zipper just broke!"

When I logged into facebook ~30 minutes later I had ads for backpack zippers. It was downright unsettling and I actually deleted facebook app from my phone over it. I still remember that unnerving feeling in the pit of my stomach when I saw the ad, as I never got any ads like that previously. I definitely was one of those people who thought the "your phone is listening" stuff was paranoia, but that made me at least reconsider if not agree.


> "Somehow we got on the topic of favorite candies from childhood. I mentioned Warheads."

Are you sure you don't have cause and effect backwards, and the "somehow" was actually one of you seeing an advert for Warheads earlier because they'd started advertising more in general or more at your group's demographic, then they were near in mind to talk about, then the ads were more noticeable?


For how many topics and spoken words does this not happen? You probably can't count them.

I don't think this happens because I don't think it's technically feasible. The hotword detection stuff that is always on ("hey siri", "ok google") is incredibly limited in vocabulary.

Maybe one day that will change, maybe it's even possible now, but people have been telling stories like yours since well before I know for sure it was technically infeasible to do it.


Given the incredibly poor search results I get from Google Assistant I find the idea that the old Samsung phone is listening to my every word is plausible but should be extremely ineffective since when I am deliberately using it, it sucks.

However, if I am half way through a movie and I want to find some detail on it, it inevitably shows up within the first few search results whether I'm watching it on DVD, a blu-ray or off a streaming service or broadcast TV. The streaming service I can understand, Blu-ray player could be talking to something I guess, the other two are harder to explain since I use an old DVD player that has no networking facility.


Is your TV internet connected? Some have content fingerprinting technology to determine what you're watching and share that back to the ad networks.


No, it's an ancient Panasonic with no network connection either.

The other thing I didn't count was that Google probably knows I search for movie information regularly and biases the search results accordingly, which is more plausible than it knowing what movie I am watching by listening to it. But maybe they have something like that "what am I listening to" feature that used to be in Google Play Music.

I guess we unintentionally might be triggering a pile of information side channels without the voice recognition spying being foremost.


Maybe it’s just playing dumb?


Ha. Voice recognition does seem to induce a large amount of anthropomorphism.


I had this with Elder Law ads, after I started watching Better Call Saul.

I was watching it as MP4s I'd pirated /years/ ago, on VLC, on a computer running Arch Linux.

I have lots of examples that I can hand-wave away as interest profiles, but I've thought about this one since and just have absolutely no idea how it would happen. If someone could explain how this happened without using the mic, I'd be really interested. Better Call Saul hadn't touched my browsing history for years, and elder law never had at all.


Your phone picked up on the theme.


Could also be selection or confirmation bias. Think about all those times you said a marketable term but didn't see an ad.


Or you get hundreds of ads every day and pay no attention to them at all unless they coincidentally correspond to something you were thinking about recently.


> You could whip up some kind of explanation that a friend of mine searched Warheads later.

I think that really is the most likely explanation. Facebook and Google know who your friends are, and if a friend is interested in Warheads, maybe you are too. So you start seeing ads.


Does it happen regularly?


The Twitter post you linked says it has been “debunked” but gives no citation etc. Where is this debunking? I have had these experiences, and in the article the author does their own self experiment and sees the hypothesized result.


I don't buy it. I have multiple times been served articles on my Google news feed about specific topics (e.g. dishwasher efficiency) that are orthogonal from my typical interests and that I had only ever discussed offline and never electronically in any form. I can think of no plausible explanation for this aside from Google obtaining audio that is ambiently gathered by my phone and feeding that back into their article-optimization engine.


How do you know that your conversation partner did not look up dishwashers after your conversation? Or that there was not a trending YouTube video about dishwashers around the same time that prompted the conversation?


In my case, I alone use my devices--nobody else uses my phone or computer, and no other devices are linked to my Google account. As to trending videos, I don't think I can fairly dismiss that conclusively, but all I can say is that it seems like a stretch and that an article about dishwasher efficiency stuck out like a sore thumb against my other news feed recommendations.


Yeah, and that's even more scary. Devices listening to you isn't NOT scary, but these companies are able to inject discussion topics into your personal life without you even realizing it. Online ads are, at worst, billboards. If you see a detergent ad right before you go grocery shopping, it doesn't matter that you didn't click it; just being at the top of your mental stack is worth a lot of money to them.


Going by this Twitter poster's logic, the reason OP started seeing ads for traveling to Tokyo is because the ad networks saw OP and his friend had a long conversation, and that OP and his friend had both previously traveled to Tokyo, and was betting on that subject coming up in conversation, triggering nostalgia, and figured that it might be able to convince one of these guys to buy a ticket based off of that :D


For me, it's less about ads (I run adblocks everywhere, both on the computer and at the router level); but, the same idea surfaces in YouTube recommendations.

One recent example was some random show a friend was telling me to watch. Later that night, YouTube started recommending videos about the show. I've tried to explain it logically, in much the same way a character in Scooby-Doo would say "there must be a logical explanation for all of this" when faced with a ghost.

Did I search for it, or otherwise leave any intentional digital footprint of interest? Absolutely not.

It's reasonable to think Google has correlated the two of us as knowing one another. At the very least: I have this friend's phone number and email address in my Google Contacts. Our phones were in the same room together, and I certainly have some Google Apps installed. Maybe they know via GPS, or maybe it's the same WiFi/IP address. It is reasonable that my friend has expressed a digital footprint of interest in the show, and Google is now funneling the results over to me, thinking "hey you have friends who are into this obscure show, maybe you will be too."

Of course, Google does not communicate its reasons. It's a black box.

What I cannot explain is why it chose that night to make the recommendation. We spend a few hours every week together. My friend has been watching this show for a while, mentioning it maybe once previously on a communication channel I feel reasonably satisfied as being "secure". Then, they mention it in person, and Google chooses that day to make the recommendation to me. It's one thing to assume I may be interested because this friend is interested; what raises concern with me was the perfect timing.

The funny part is, maybe Google isn't listening. It literally doesn't matter. Everyone I talk to, in my bubble outside of tech, believes they (meaning, "Big Tech") are. So, either: Google should be listening, because by-and-large people seem to think they are, and still use their products. Or: Google needs to realize their black box magic is conveying the impression that they are listening, and if their goal is to build trust, saying they aren't listening isn't enough; they need to dumb down their algorithms, or at least explain it better.

Personally: I think they're listening. I suspect it's unintentional. I suspect their systems have grown so big, with so little responsible oversight, that some data stream is getting fed into some classifier then into another algorithm, and in the end it's influencing the profile it builds on Google accounts for things like ads and recommendations. I suspect it isn't the smartphones doing it; I suspect it's Google Home speakers, in combination with a less controversial temporal + geographical correlation between two people.

Sure, this all sounds crazy. If you reading this work at Google: prove me wrong. I want to be proven wrong, with emphasis on the word proven. Why does YouTube make the recommendations it does? Why doesn't it explain the signals it uses in the generation of a recommendation? It must either be because you're afraid it would expose the depth and breadth of signals at your disposal, or, the algorithm isn't sophisticated enough to relay that information. And, maybe, just maybe, you'll begin to realize how bad both of those options are.


So I do agree that if someone found out how to subvert iOS and Android’s sandboxing and also figured out a way to block the OS from showing the icon that your mic is on, that FB or Google would guard the secret with their lives. But to assume they found it, and have kept it secret this long, and no one else has found any theoretical evidence it is possible… that’s too many highly improbable things to believe without just a hint of non-anecdote evidence. Law of large numbers (you talk about a lot of things, you see a lot of ads, there are a lot of people) says tons of these stories are real, but complete coincidence.


"any third party applications you have on your phone—like Facebook for example—still have access to this “non-triggered” data"

Source? (I know it's three years old.) The piece offers nothing to back this up, and I have trouble believing it. What OSes allow apps to access audio data that _didn't_ trigger the assistant?


>Because unless you’re a journalist, a lawyer, or have some kind of role with sensitive information, the access of your data is only really going to advertisers.

This is giving a lot of confidence to government law enforcement agencies, as if they are always honest, infallible and/or working in good faith. I assure you all of them are not. They're of the same human condition as everyone else with the same flaws, defects, and moral flexibility; they just have a lot more power and a lot less accountability.

https://innocenceproject.org/all-cases/

https://en.wikipedia.org/wiki/Geo-fence_warrant


It would have been interesting to note which of his apps had microphone access during this conversation. Without that explicit user-granted/revocable access, the difficulty of a given app recording while the phone is locked skyrockets to exotic heights, particularly on iOS. Source: I'm an iOS developer.

iOS instructions: https://support.apple.com/guide/iphone/control-access-to-har...
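
An added example, not part of the comment above or of the thread: the same "which apps hold microphone access" check on Android, done by parsing the text of `adb shell dumpsys package`. The sample dump is constructed, the package names are hypothetical, and the section layout is an assumption based on typical dumpsys output, which varies between Android versions.

```python
import re

MIC = "android.permission.RECORD_AUDIO"

# Constructed sample in the usual shape of `adb shell dumpsys package` output.
# Package names are hypothetical; real dumps carry many more fields.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.social] (1a2b3c):
    userId=10150
    requested permissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=101 installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (4d5e6f):
    userId=10151
    requested permissions:
      android.permission.RECORD_AUDIO
    User 0: ceDataInode=102 installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
  Package [com.example.calc] (7a8b9c):
    userId=10152
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=103 installed=true hidden=false stopped=false
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
USER_RE = re.compile(r"^\s*User (\d+):")
GRANT_RE = re.compile(r"^([\w.]+): granted=(true|false)")

# Section headers we care about. Install-time and runtime grants are treated
# alike because older Android releases granted RECORD_AUDIO at install time.
SECTIONS = {
    "requested permissions:": "requested",
    "install permissions:": "grants",
    "runtime permissions:": "grants",
}


def audit_microphone(dumpsys_text, permission=MIC):
    """Map each package to 'granted', 'requested_not_granted' or 'not_requested'."""
    state = {}
    pkg = section = None
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        m = PKG_RE.match(line)
        if m:                                  # start of a new package block
            pkg, section = m.group(1), None
            state[pkg] = {"requested": False, "granted": False}
            continue
        if pkg is None:
            continue
        if stripped in SECTIONS:               # entering a permission section
            section = SECTIONS[stripped]
            continue
        if USER_RE.match(line):                # per-user block resets the section
            section = None
            continue
        if section == "requested" and stripped == permission:
            state[pkg]["requested"] = True
        elif section == "grants":
            g = GRANT_RE.match(stripped)
            if g and g.group(1) == permission:
                state[pkg]["requested"] = True
                if g.group(2) == "true":       # granted for at least one user
                    state[pkg]["granted"] = True

    result = {}
    for name, s in state.items():
        if s["granted"]:
            result[name] = "granted"
        elif s["requested"]:
            result[name] = "requested_not_granted"
        else:
            result[name] = "not_requested"
    return result


def granted_packages(dumpsys_text, permission=MIC):
    """Sorted list of packages that can currently open the microphone."""
    audit = audit_microphone(dumpsys_text, permission)
    return sorted(p for p, status in audit.items() if status == "granted")


if __name__ == "__main__":
    for name, status in audit_microphone(SAMPLE_DUMPSYS).items():
        print(f"{status:24} {name}")
```

A granted permission shows only that an app is able to record, not that it does; it narrows the set of apps worth inspecting further.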


Here's a far-fetched idea - Facebook/whatever have highly sensitive microphones scattered across cities, listening to people's private conversations, which they're able to link to individuals based on GPS data.


I like the author's attempt to experiment. It should be easy to know whether apps like Facebook are listening by only discussing topics off-line and then waiting to see if Facebook picks it up and serves related ads.


Sounded like the author did do that, the part about the new clothes for university and getting ads served up for those topics?


I want to believe this. But the article feels like speculation. I don't think this actually happens in practice.


Facebook doesn’t need to listen to your conversation when advertisers give them your identifying details to create audiences or literally buy purchase flow from Amazon.


I’m not saying this is impossible but… if it emerged that big tech was secretly spying on every citizen the political backlash would end these companies as we know them and every CEO would end up in jail. Or there is at least a 50 percent probability of that outcome. It’s hard to see these companies engaging in such practices out of self interested rationality.


And they're risking it all getting out so that they can do some crappy ad targeting.


Author is trying to make it seem OK that this happens, too.



