I feel like they're trying to make an insidious suggestion about the usage of these. IMO, there's likely a good reason - user experience.
At a hardware level, grabbing the microphone can take time. Even worse that timing is inconsistent across devices, workloads, etc. That leads to a bad experience when unmuting and needing to delay your commentary. The solution to this is to keep the microphone on, but mute at a software level. This way the mic is always hot and ready to relay audio as fast as the software can switch.
I'd be somewhat willing to bet continue to stream audio is also a quality assurance mechanism. Some networks will shape traffic according to load. A quick jump in bandwidth can introduce unexpected jitter and latency. By continuing to stream audio (but not necessarily process or re-transmit), video conferencing can better ensure an un-interupted experience.
----
With that being said, if you really care about privacy, consider getting a hardware mute microphone.
Honestly, it feels like most people here aren't reading the article.
> The researchers then decided to see if they could use data collected on mute from that app to infer the types of activities taking place in the background. Using machine learning algorithms, they trained an activity classifier using audio from YouTube videos representing six common background activities, including cooking and eating, playing music, typing and cleaning. Applying the classifier to the type of telemetry packets the app was sending, the team could identify the background activity with an average of 82% accuracy.
How is this not extremely concerning for anybody who cares about privacy?
How about we not make the default that companies can do whatever they want and users have to take steps like a hardware-muted mic (which isn't always an option) to ensure a basic expectation of privacy?
"They found that all of the apps they tested occasionally gather raw audio data while mute is activated, with one popular app gathering information and delivering data to its server at the same rate regardless of whether the microphone is muted or not."
The way I read that is, only one of the apps actually sends audio data to the server when the mic is muted. I'm not sure why they don't say which one, and I'm not sure what is meant by "occasionally gather raw audio data" but it could be as innocuous as the mute button not updating and a half second of audio being sent before muting starts. Nobody is building a machine learning profile out of that.
The real story here should be that one app where the mute button doesn't actually work. The others are all operating normally as far as I can tell.
Zoom, for example, will tell you, when you are muted and you begin to speak. It's a very nice thing.
I have a microphone (that wasn't expensive) that has a hardware mute. I use it when I really want to make sure I'm not heard, even for "speaking" detection.
> Zoom, for example, will tell you, when you are muted and you begin to speak
MS Teams has that feature too.
TBH I'm not surprised: when you mute the mic in an app, you're still letting the app in control. If you really want to be safe, you need to mute at OS level or in hardware. That's why cameras have a hardware cover in modern laptops.
Precisely, this is why I think the earlier comment's suggestion:
> How about we not make the default that companies can do whatever they want and users have to take steps like a hardware-muted mic (which isn't always an option) to ensure a basic expectation of privacy?
Sounds nice on the surface, but is ultimately silly. Sure, it'd be nice if everyone did the right thing, but you can never guarantee that, and hence if you really care you need to perform the mute at a lower level than what the app has access to.
My Dell laptop from work has this feature, there is a mute mic button and it lights up. With my desktop I have a usb mic that has a mute button and a red/green LED to indicate the state.
Ironically this is a good use case for a Touch Bar: a button on your keyboard that is only there _sometimes_ because it’s only needed in certain contexts (when you’re on a call)
The touch bar is like an idea that works really well in your head. It has so many theoretical cool uses. But in reality I end up never using it for anything.. I would have been happy if the new one had the touch bar and the function keys, but that would have been extra cost for a feature people just aren't using.
After using a stream deck for some odd automation, I think the real flaw was having the touch bar be so contextual, and replacing the existing function keys. Had both existed, and and allowed the user to extend their customisation; say buttons for common actions, siri suggestions, shortcuts it may have been perceived differently, and more of power user tool.
Most of the actions just duplicated existing UI elements.
I think one thing that makes an external stream deck work, is that it is a separate context sensitive device, that is mentally separated from the keyboard.
So when you go to the deck to perform an action, you mentally context switch away from the keyboard, so your brain is looking for different clues.
So even with a touch bar + function keys, the function keys stay in keyboard context, but the touch bar requires that switch in any case. Maybe taking your eyes to the touch bar is enough of a context switch, mentally.
The problem was that it was too much of a tradeoff. Either a touch bar or function keys. I need function keys. The touch bar was useless for this purpose (no tactile feel).
Apple could easily have done both. There's more than enough space even on the 13" macbooks. It would have taken a bit of space from the vertical range of the touchpad but it's already comically large anyway.
It’s nice in theory for so many things (my favorite is choosing characters when typing in Japanese) but almost never overcomes the friction of using a third input device. I was somewhat of a proponent of it until I got a desktop, then I was happy to ditch it and have a consistent keyboard for desktop and laptop.
I carefully made sure I didn't mention the touch bar. I waited until 2022 to finally be able to buy a MBP without a touchbar (and with magsafe charger).
I would very much like a physical button with a reassuring tactile feeling to it. Like the mute button on the function keys row.
Quite interestingly the only laptops I've seen with such a feature (button to mute and LED to display the mic is muted) are huawei's matebooks. Some of them also have the camera under a keyboard button, extremely weird angle but when the camera is hidden you can be 100% sure you are not being recorded.
The mic mute button of course works at the OS level but still...
There's a weird culture around reporting problems without reporting names. You see it a lot here on HN and occasionally in media. I'll never understand. Why bother talking about corporate misbehavior (or etc) and not back it up with the basic, minimal data you could provide?
I imagine it's to avoid getting sued by the company behaving poorly. Companies bring lawsuits against good-faith security researchers all the time to try to silence them, so if you were a researcher, why would you expect the one company among the several you researched who's potentially misbehaving to not misbehave by trying to sue you into silence?
This view vastly underestimates the ability of a completely wrong party to sue for slander. In the US at least. You see this with pseudoscientific snake oil salesmen all the time.
Which is neither here, nor there, as some are more likely to sue you than others.
>For libel and slander cases though, telling the truth is a valid defense.
Which is neither here, nor there, again. Not everybody wants the hassle of going through a lawsuit or the time and money costs associated, even if they have a "valid defense".
They state that their findings will be presented at Privacy Enhancing Technologies Symposium in July. So it seems they want to keep some info for that event.
Should i hazard a guess, it would be either Zoom or Teams.
My guess was going to be Google Meets because I suspect this happens in order to pipe audio to their voice to text translation engine they use to offer you the live closed-captioning feature.
As well as, I assume, to archive a text indexable/searchable log of your conversations. I say this latter part based on multiple experiences I've had receiving clearly targeted advertising for topics I make random passing jokes or commentary about in live conversation, but which I've never once searched, click-imprinted, etc. for online. But, this is purely suspicious speculation. The live closed-captioning feature is a real thing and a thing I could absolutely see resulting in Google always sending audio streams to their backend for.
> You see it a lot here on HN and occasionally in media
It makes some sense here on HN where people often post under their real names and want to think carefully before badmouthing a former employer, or otherwise picking a fight.
Bob Woodward has gotten PLENTY of high level politicians to talk to him candidly even though he's publishing what they are saying often in an unflattering light.
If someone as famous as the watergate guy can STILL get politicians to talk to him, what does a random journalist have to fear?
I mean, FFS, the gamer nexus guy got newegg to talk to him even after blasting them about ripping him off and letting them know "we are recording everything".
Journalists are acting like a single inkling of a bad word said will lock them out of access to everyone everywhere. The truth is, there are so many journalists out there that one could make a career of asking hard questions and publishing unflattering statements and the STILL would likely not be recognized by most individuals if they asked for an interview.
> Bob Woodward has gotten PLENTY of high level politicians to talk to him candidly even though he's publishing what they are saying often in an unflattering light.
Woodward is absolutely one of the few exceptions, if not the only one.
He publishes on a long timescale with dozens of sources, not a short timescale with one or two.
So everyone knows the story will come out but not immediately, and everyone knows everyone talks to Bob.
But like it or not, most (not all) of the people he talks to have less to lose, because they are at or close to the apex of power in DC; there will always be jobs for them elsewhere in the USA, in a thinktank or on a board somewhere.
(It's also worth noting that Woodward's most famous source was anonymous for essentially his entire life)
In the real world outside seats of government, talking to a journalist on the record about stuff you should not often means you are the single source -- the only person who made the unflattering or damaging story possible, in a story that maybe won't wait even a week to be published.
It puts you out there on your own, gets you fired, makes it difficult to get immediately re-hired, and I suspect for an American with a family in an at-will state makes telling the truth on the record a luxury they can't afford.
The gamer nexus guy? He got a 1-on-entire-team-of-PR-and-customer-service-people interview at a deep-discount computer parts company in their own office to discuss known implications of decisions they deliberately made. THAT's your benchmark?
Nothing about that situation has bearing on whether people first think of safely concealed sources or being publicly dragged through the mud like Chelsea Manning and Edward Snowden before sharing things far more important than entitled rants about customer service for entertainment-related products. My lord.
Maybe their research is ongoing, maybe they are afraid of being sued, maybe they'd rather not harm a company so reputation without fully understanding why they do this
So why did they publish the text now then (other than obviously for self-promotion)?
Why not finishing their research first, discussing with lawyers how not get sued, and contacting the company about it so that they can fix it or comment on it, and only then publishing the proper, responsible research that is actually useful to someone?
I have said negative things about someone's favorite product and then abandoned a thread (not here on this site) because the stream of hate that followed drowned out the original message.
People can be irrationally attached to the things they use.
As a farm kid growing up, you didn't step between two guys arguing the merits of I-H and J-D farm equipment (1970s...)
Webex will by default listen for ultrasound emitted by some video conferencing devices for easy stop. If you disable this, does that change the results?
I was suspecting this was webex, I use an external audio device (plantronics/polycom Calisto 7200) that has an indicator when the microphone is active.
It's only anecdotal, but for me when the webex ultrasound features is activated, the microphone is constantly active as long as webex chat is running.
When the ultrasound detection is disabled, the microphone is disabled when not in a meeting.
As an aside, this setting was reset recently, but that just seems like the ongoing dark pattern/incompetence of "forgetting" privacy settings between software releases.
My understanding is that it activates when you make the Webex Teams/Meeting the application with focus, and should turn off some time after it is no longer the active application, I think ~60 seconds.
It is doing this for the ultrasonic room detection feature, which can be turned off.
> The way I read that is, only one of the apps actually sends audio data to the server when the mic is muted
You're reading it incorrectly.
The paper outlines that as far as they can tell Webex is not sending audio when the mute button is pressed, but is gain and other parameters, based on this audio. And this has been reported to Webex, and they are investigating.
"occasionally gather raw audio data" could be used to remind you that you're muted when you're trying to talk. I've seen that in either GoToMeeting or Zoom
Because a video conferencing app with a bad UX is going to be quickly supplanted with one with a better UX; the privacy concerns of being spied on by a video conferencing app while you are muted is very minute for most people.
There should be a line between "companies doing whatever they want" because of some implied "nefarious" reasons, and "companies doing whatever they want" because their customers want a better experience even if it has security/privacy implications.
I have been using Microsoft Teams and its hard to imagine anyone buying it for the user experience, yet it's not an unpopular choice. It seems more likely to me that the fact that the organization already had a bunch of managed Microsoft software was the most important selling point, and that this is a common situation. "Admin experience" if you will.
So sure, Teams gets some things right, UX-wise, but for every "notify the user if they're speaking while they are muted" there's a "randomly scroll the chat back down while you're looking through history", a "randomly make it impossible to erase a link with backspace in the chat box" or a "don't let people see who is participating in the conference", and there's little incentive for them to avoid crap like it and avoiding whole categories of bugs because people are buying it for other reasons.
Because a video conferencing app with a bad UX is going to be quickly supplanted with one with a better UX
For the vast majority of users, price beats UX. If a company can keep their app free by selling user data, they will out-compete paid alternatives, regardless of the UX.
This is not how enterprise software works. Audited data privacy is a core selling point of enterprise communication systems like Slack and Zoom, which are able to charge a lot of money for enterprise licenses and have very viable business models. You're right that this may not work in the consumer space, but that battle is already lost -- there are myriad free communication options available to consumers such as messenger calls, facetime, etc.
> Audited data privacy is a core selling point of enterprise communication systems like Slack and Zoom
Is Zoom audited? Zoom had been lying for about having end-to-end encryption, for example, until they were caught by the US Federal Trade Commission. Surely, something like that would have been discovered earlier in an audit, if they were audited and the audits were worth something.
They were also sending data to third parties like Facebook and Google through their SDKs.
Seriously, who in their right mind is using Zoom at this point? They've been "accidentally" collecting people's data, disclosing people's data to others, and have been caught lying so many times there's nearly zero chance that it's just total incompetence and even if it were, why use something made by people who are that bad at their job?
There are so many alternatives, how is it Zoom has any business at all?
Zoom was the first videoconferencing software I experienced where the first 15 minutes of the meeting was not spent with "can you see me," "can you hear me," some people falling back to dialing in to a speakerphone, and one or more out-of-band calls to various participants to troubleshoot problems.
Zoom was click a link. And it worked. Nobody cared much about anything else beyond that.
Perhaps I am misremembering but I remember using Skype 9-10 years ago without any issues. Zoom does not seem to be that much of an improvement in terms of ease of use
But is Skype that way now? Zoom was in good position when the pandemic made everyone pick a video conferencing app. Some of the competition (Webex comes to mind) got slapped so hard they basically copied the Zoom interface in order to stay somewhat competitive.
This morning my boss tried to host a meeting on his favorite Zoom substitute. The first 20 minutes were spent trying to fix a ten second delay in his audio. Finally we just switched to a Zoom call, and it worked flawlessly.
There are only two videoconferencing platforms I've never had any problems with: Zoom and Google Meet. I don't trust either company, but sometimes you just have to get your work done.
this was definitely a thing in windows too although no idea if changed now - I remember zoom running in the tray would cause the microphone to activate even outside of calls. I was weirded out by it enough to stop running zoom on startup and eventually replace zoom with other applications that didn't exhibit that behaviour.
Considering the trouble I have with WebEx again and again UX indeed comes late.
I often call it "golf-course-ware" the sales person goes golfing with the executive, they discuss features and prices and discounts ober the match and the executive typically doesn't have to use the software but only their employees or the assistant.
Interestingly Zoom for me was a game changer in usability and it spread during pandemic, when executives where at home partially without their physical conference room with video conf setup and without assistant.
Zoom’s better than it used to be, still some big orgs and their IT security treat it (with some justification and I think informed paranoia) as something to be tolerated due to client demand and avoided for anything sensitive.
End-to-End encryption for group video and audio is now supported. I'm not sure it works or who is supporting besides Signal, but it is apparently not not required that the conference provider decrypt the streams to mix them.
The API is called Insertable Streams. It's not actually supposed to be Chrome-specific, others are just lagging in implementing it.
Element has native E2EE for 1-to-1 calls, but uses Jitsi for group calls. Native E2EE group calls actually also exist, called Element Call (https://element.io/blog/introducing-native-matrix-voip-with-...) but they're yet to be integrated into Element and specced into Matrix, I believe.
> it is apparently not not required that the conference provider decrypt the streams to mix them
I don't believe this could be true, and the linked article doesn't have the word "mix" anywhere. I imagine that there is no mixing happening until after decryption on the client device. Of course this means that every audio source goes to each recipient discretely, which means more bandwidth, but audio (especially near-silent moments therein) is lightweight enough for reasonably sized groups. Obviously this same n^2 scaling issue happens with the video anyway which is never mixed.
> How is this not extremely concerning for anybody who cares about privacy?
I manage some properties for a family member on the side, one of which is in a very bad neighborhood. When I travel to this neighborhood I have a certain state of alertness that I would not normally have in my boring suburbistani neighborhood. This is better known as "situational awareness" - the man approaching me in my own neighborhood is likely a just having a friendly conversation, the man approaching me in bad neighborhood is guaranteed going to at least try to bum a smoke off me, which I don't have as I don't smoke, and will likely act belligerent if I refuse to give him money as a follow-on to the request for a smoke.
Contextually, I expect a video conferencing software to be listening to and watching me even if it doesn't necessarily reflect in the UI, it has the capability and is actively meant to do so. As such, I explicitly don't have any form of sensitive conversation in the vicinity regardless of status. On the other hand, I do not expect it to do so when not running nor my laptop to do anything similar.
Perhaps there is a legitimate criticism to be made here of poor UX around "not listening" - but to paint this as an "extremely concerning" issue is sky-is-falling critique. This over-the-top concern seems further alarmist in that both my laptop and phone display clear and obvious warnings to the user when the microphone is hot.
If your VC software decides to perform signal processing on the microphone input while it is running but you are muted then yes, it can determine things about your behavior.
But that's true for literally all applications running on your computer. Evil software running on your machine can do all sorts of bad things.
If software that actually exists is really already sending "telemetry" that can reliably identify your activities in the real world the concern isn't that theoretical anymore.
It's not that simple. An application could have access to the microphone, but an OS could be providing the mute functionality, thereby not passing any data to the app even if it keeps access to it (there are hardware/software issues with releasing and reaccessing it with extremely low latency like one expects of a mute/unmute button).
The problem, as reported in the article, is that apps are not making use of the OS mute, but are instead still reading from the microphone, and some are even passing the readout to their servers.
On Macos, there is an indicator dot in the status bar, on all chat apps, the mic dot is always active while the camera dot does turn off when the camera is disabled. The most likely situation is that turning the mic and camera on at the OS level has delay which is acceptable for turning on video but not for audio where you want to be able to respond to something quickly.
> How is this not extremely concerning for anybody who cares about privacy?
Because they're not actually doing that?
These researchers did everything they could think of to come up with the most concerning headline.
I imagine someone, somewhere is going to make a video conferencing app that closes the audio interface every time you press mute. I also expect few people will use that option because it adds additional latency every time you unmute.
I want my mute button to work ASAP and I don't believe Zoom (or anyone else) is interested in whether or not I'm eating while muted.
>> Applying the classifier to the type of telemetry packets the app was sending
Are you sure they’re not? The used these algorithms on telemetry packets sent from browsers. I see no reason to give companies whose revenue is built on ads the benefit of the doubt here.
If these are your threat models, your microphone should have a hardware mute switch, and you should at least have something opaque to cover your camera.
There's no cost to privacy if it's all being written to /dev/null. I'm not worried because the cost benefit analysis is not even remotely in the video conferencing app's favor to listen to that traffic. Are they really going to use the compute time to analyze all this audio, then do what? Try and monetize data on what people are doing in the background of their video calls?
The technical cost of deploying this is probably large, and the cost to reputation immense if they were caught doing this. By comparison, giving people the additional sense of privacy by actually turning off and on the mic is likely more than outweighed by the annoyance of lag between turning on and off your mic and being heard by the other chat members.
Although they could do something like write random bits of audio to the stream when the mic is muted in software. That'd at least let users know that the actual audio isn't leaving their device. But the hardware peripheral activation is probably not going to go away.
Most of the time, audio that a videoconference app receives while the mic is unmuted is going to be a lot more useful for surveillance purposes than the audio the app receives while it's muted. If you're so concerned about the app knowing when you're eating 82% of the time, why would you trust the app at all?
> How about we not make the default that companies can do whatever they want and users have to take steps like a hardware-muted mic
You're implying government policy for how companies operate in this area... Which is worth pursuing, but we all know that usually ends up half way effective, requires a cat and mouse game of auditing and enforcement, or big companies playing fight club math with the fines.
Even if this was already the case for this particular issue, as users we end up never really being sure if a company is violating that particular requirement.
> users have to take steps like a hardware-muted mic (which isn't always an option) to ensure a basic expectation of privacy?
This should be the default, just like how operating systems and networking evolved over the past 30 years starting with a "trusts everyone" attitude towards a "trust no one" by default. We need to assume most companies are potential bad actors, the hardware and software that comprises the basic operation of our device needs to provide the user with facilities to control flow of information separate from third parties, especially when it comes to input devices. In the case of microphones and cameras hardware switches should be the norm, or at minimum indicator lights.
This could also quite easily be a government policy for hardware vendors, and I suspect it would be more effective... It only has to reach a threshold after which users expectations shift to force manufacturers hands, so it's direct effect need not be as comprehensive to be effective.
You can control your microphone in your OS settings. While we are still on PulseAudio, check out pavucontrol for Linux systems. I am sure there are equivalent tools for Windows or MacOS.
Why did you move the goalpost? The comment you're responding to claims that there isn't a malicious purpose here. You instead claim to rebut it by saying that it's "concerning for those concerned with privacy". Can you see how those are different things?
It's amazing how many people down thread simply ignore or minimize what you point out here. And this on the same site where people get mad about the wrong kind of cookie which they always had full control over anyways ...
please go away and read about the architectural permissions for things like this, performance, latency and re-read this... if it bugs you throw away your smartphone or custom-compile lineageOS
Teams has a notice that it pops up if you're talking and on mute, and there's another for if you're not on mute but your mic is producing no signal (mic has it's own mute). I find those super helpful, personally.
I still don't know how professionals keep making this mistake. Having used Discord for so many years, this has never been a problem aside from a select few people who had very clear reason to mute themselves. Meanwhile in professional settings, people seem to be falling for this over and over while lacking the common curtesy of not letting random environmental noise bleed through (read: their mics are barely ever turned off).
Not to mention push-to-talk has solved this issue for almost a few decades now.
>I still don't know how professionals keep making this mistake.
Because
1) most group calls that need people to be on mute most of the time are useless, boring, snooze fests, most attendees don't care about, so those 'professionals', who are caffeinated zombies half asleep, will space out and forget the status of their mic within 10 seconds of toggling it
and
2) most chat apps suck at drawing attention to the status of the mic and, if you have multiple monitors, you can be staring at one monitor (Jira, reddit, Redmine, HN, VS Code, etc.) while the chat app and the status of the mic is being displayed on another monitor where you're not looking
It's a mistake super easy to make. Still, better be safe and make the mistake of being muted all the time, than forgetting to mute yourself and have participants hear something you didn't want them to hear.
Ideally I'd want a feature that gives the image on all my monitors a nuclear red vignette, or something like that, whenever my mic is hot, so I don't have to keep paranoidly glancing at the mute toggle every couple of minutes, to make sure my mic is still muted, so they can't hear me mumbling on how incompetent management is and on how useless this meeting is.
It takes a long time for the masses to adopt software in the way you mention. I’d bet that discord users are not representative of the masses. The main reason I notice people talking while muted is 1) forgot they were muted 2) multitasking / distracted 3) unfamiliar with the software / how to unmute. #3 was probably #1 in summer of 2020 when everyone was just starting. The #1 and #2 I listed just happen. It’s common to never speak in a meeting. It’s common to never speak in a meeting and then randomly get called on leading to forgetting to unmute. It’s also common that your mic isn’t working and you don’t realize it until you do try to speak and everyone is say “you’re on mute”. This happens all the time with some Bluetooth Bose headphones and my work PC, some configuration has this device matchup to be a constant problem and my IT couldn’t care less about a permanent solution since they found a temporary one (reverts on reboot).
I know people that literally retired early when they were forced to use PCs in the office. Over 30 years later, many people can barely use the most basic features of their computer. All to say, I’m not surprised this is an issue and I don’t see people as a whole digging their way out any time soon.
Some people don’t intuitively track the state of the video conferencing microphone, especially if they have cognitively involved jobs or lots of distractions. Mine are 1) the inability to resist that little self esteem boost from disdainfully highlighting inanity of other people’s shortcomings, and 2) making snide comments.
They’re both super obnoxious but I’m working on them.
People are not communication professionals. They are not ATC nor even pilots.
Still, PTT is the solution, preferrably in hardware. Not supported in sw anyway by e.g. Teams. In hw it keeps the mike-on symbol lit, and the device powered. Always having to push prevents ever forgetting to do so.
Discord's input handler sucks, uses semantic keys, not keycodes. Can't be mapped to an otherwise disabled capslock. TS and mumble can do that. Compared with those Teams audio looks like a toy.
Because in Discord you hop into an audio call and you're there for however long you want to hang out in the room. People can come and go from this room, but the room is persistent. In a job, you're going from meeting to meeting each with different attendees and stakeholders. You might have been on top of it in the morning for standup then 3 hours and a head full of code/spreadsheets/whatever later when you're discussing tech debt with other people you forget to unmute until your portion of the meeting comes 5 minutes into the start. Push-to-talk certainly helps, but if you're frequently talking in small meetings (say 3-5 people) then PTT becomes more of a hindrance than a help.
Personally I just have a headset with hardware mute functionality and a big red circle showing me it's muted. It remembers its muted status, so I just mute it by default and default my OS to use the headset's mic. That way I know quickly and easily when I'm muted and when I'm not, though even then I have small mistakes in the mornings when I'm tired. Over time I've optimized my meeting workflow because my company has gone all remote and I'm in a lot of meetings.
Main reason why I invested in a mic that has its own mute button with a very obvious red light when it's muted.
It also can keep the Teams mute status in sync as long as I don't touch it in the app myself (I believe through Teams detecting whether the mic interface is marked as muted or not, so it isn't exclusive to my mic).
I hate the latter, because I use a keyboard shortcut to mute/unmute the microphone on the OS-level. This works fine with Google Meet, but in Microsoft Teams I have to use the button in its UI because that pop-up gets in the way (also: Teams not working at all in Firefox, what's up with that?).
It is BS, but when I tried that, I had other things not working, like sharing my screen. So it is BS, but not merely for looking at the user agent of the browser, but for the software development incapability or unwillingness on the side of MS. (Edit: While basically every other voice chat / video chat web app works fine on FF, so basically everyone but MS and Slack has solved this problem years ago. Go figure.)
Yes, I have the exact same situation, and had to resort to uBlock Origin's element zapper because of how annoying that popup is. Of course it's an alphabet soup of minified CSS classes, so I assume it'll break the next time they update the UI.
I know! Eight zillion designer-hours in to one of the most-used applications of all time, and yet the "you can join now" popup blocks the "join" button.
For me, with this method, text chat works a bit (often forgets chat history on reload). Notifications get dropped all the time. No video conferencing at all. Sometimes I have to discuss with colleagues, why my teams acts weird.
My mic has a physical mute switch and it causes all kinds of problems with auto-leveling in videoconferences. Even with the switch left on, the mic itself rejects enough background noise to cause problems for the software that assumes half-broken built-in condenser mics.
I also considered this, but the article is talking about audio _telemetry_, not that they're keeping your hardware mic "hot" locally. Audio detection like that could be done entirely locally.
Very much this, it takes time to recapture the microphone and it's really annoying to lose the first part of what you say every time you unmute. I lead the video team at a videoconferencing app (gather.town) and we keep the microphone active when you mute for this reason.
As seems to be pretty common, for the sake of privacy we do stop sending audio to the media server. That's a tradeoff, since we're still susceptible to losing a little bit while the audio connection resumes.
Edit: as others have mentioned, also useful to keep bluetooth headsets in two-way audio mode rather than reverting to audio output mode, since that's really disruptive.
Just throwing it out there but maybe to avoid bandwidth spikes that might lead to latency depending on the setup, could you inject some kind of easily identifiable "is muted" signal along with white noise in place of silences? or would that sort of pre-mixing be too slow to do in real time on the client side?
The first time I had ever heard of Zoom, it was long before the pandemic and it was about how Zoom was a videoconferencing app that was installing an http server (read, a security hole on the user’s computer) which remained even if you deleted the app. This was to “improve the user experience” so that it could quickly reinstall itself if you clicked one of their web widgets to start a call.
It’s worth checking in on exactly what software is doing in the background, auditing its activity and coming to a more precise understanding of 1. The reputation of the company behind it and 2. How they came to have this reputation and whether it is still relevant.
After they were called out, supposedly they fixed it, but that tweet you just linked looks like more of the same nonsense which goes right back to my original point: reputation matters. If the first could be taken as honestly naïve, the second proves it was not. Zoom doesn’t go on anything I own or control.
For me the problem was that they were called out about the backdoor they installed on Macs, and then totally refused to do anything about it, and it took Apple to actually incorporate a system update to remove Zoom's malware.
I understand 'mistakes' happen (though this was way too elaborate to be a mistake). But to just shrug it off and refuse to do anything when it's discovered is just total ignorance of security.
On Linux at least, Teams continue to grab the microphone even after the meeting has ended. You can see this by looking at apps registered for "recording".
I'm not sure how that can be justified. Besides privacy, the issue is that this prevents the sound card from going to sleep, which may be an issue on laptops. But I guess this is insignificant compared to the rest of Teams' power consumption.
From the outside perspective, this must be true. Recently I have noticed, that Teams, unlike any other app I tried, is unable to properly distinguish between stereo and mic, when that arrives both at the headset jack (made for both, stereo and mic) of my laptop. When I switch in Teams to use that as mic, it means, that others hear themselves and do not hear me. I tried everything, but Teams is simply unable to take the proper mic input from the headset jack, while an app like audacity has no issue at all. Teams is utter garbage. Found topics on MS websites, where people are describing similar problems. The answers usually are: "Well, it is MS, what do you expect?" and no solution in sight. In the year. 2000 and 22. And this is what I am forced to deal with. So I had to go back to only have the output on headset jack and use the laptop internal mic, which very likely has much worse quality than my external on the desk standing microphone, which I am effectively unable to use, because I have to use Teams...
This stuff can drive you crazy. Each month there is some new annoyance or broken part, that I discover.
Teams and audio problems is pervasive. Since a few months I cannot use Teams on the iPhone any more [1] because they changed/broke volume control so that even the lowest possible volume is way too loud (and interestingly, Teams somehow manages to circumvent the hearing protection settings in iOS). The audio quality on iOS is also very jarring, regardless of connection speed, basically to the point of it hurting in the ears even if you reduce the volume to a safe level (e.g. by dangling the headphones in front of your ears instead of putting them in, which is absolutely ridiculous). Similarly I had issues with Teams mute control on a dedicated, certified headset, where both the mute button on the headset and in the Teams UI did nothing, only the special Fn key on the laptop worked. "It magically fixed itself at some point".
[1] I really liked to walk'n'talk for a few recurring meetings. Unfortunately, Microsoft does not like people touching grass.
I've never had your particular issue, but my favorite has got to be that it somehow "loses" the mic between conferences, although the sound server shows it as still recording...
I can understand not detecting something, or badly, but if it works now, and then on the next conference it figures "nah, there's no mic", I just can't understand what it does.
Oh losing the mic has happened to me mid-call many many times. Suddenly I would notice, that someone does not respond to anything I am saying, then check in Teams and, what do you know ... "Your microphone is not working.". I leave call, call again, without changing anything, mic works again ...
I find that usually (but not always...) restarting Teams works. I chalk it up to "made by Microsoft". People make fun of me at work when I ask them if they tried rebooting it whenever they have a problem (the company I work for runs Windows on the desktop, I'm the odd one out running Linux).
I used to think that this was an issue with me running Linux, and an "unsupported" distro at that (Arch). But I'm always reassured (in a way) when I see people having the exact same issues I do on Windows, with basic, run-of-the-mill configs (I have multiple sound cards, some of which come and go).
Okay, given that they are not listening for any insidious purpose, they should all just add a legally binding, unrevokable clause to their all of their terms of service indicating that they will never sell any audio data or data derived from the audio data while the microphone is muted. Absent that, it is entirely legal for them to do so at any time for any reason with no consequences, so I see no reason why we should take the word of a amoral entity that pinky swears they will not do so when a legally binding statement is so much cleaner and more straightforward.
I don't think an application has to actually do anything with the audio data in order to retain its access to the microphone. I'm not an expert here, but I'd imagine it's something like this:
mic = grab_access_to_mic()
while app_is_running:
if (is_muted):
pass
else:
send_that_audio(mic)
It also mentions some of the apps sending the muted audio "to the cloud", which seems completely unrelated to retaining access to the mic.
Also, seems like an honest mistake, but I think they got this backwards, right?
> They used runtime binary analysis tools to trace raw audio in popular videoconferencing applications as the audio traveled from the app to the computer audio driver and then to the network while the app was muted.
Wouldn't it be driver -> app -> cloud? I think I'm splitting hairs at this point though.
Lastly, it would be nice if this article at least listed the apps that were investigated.
The worst part is that on iOS you can't just start and stop input stream separately from output, but you have to stop the entire audio session and restart it in output only category. You can configure the session to ignore all input channels, but that won't get rid of the mic indicator (or at least didn't back when the mic indicator was introduced in the first place).
Yes, I work on an app that keeps the mic running all the time because of the above, and because ASIO doesn't allow disabling input at all.
"if you really care about privacy, consider getting a hardware mute microphone"
Even if you get an external microphone which can be muted, if you're on a laptop you'll still have an internal microphone which can't be muted except through software.
What we really need are laptops sold without microphones and cameras. Then you can just use external ones only, and be sure that no one's listening/looking when you unplug them.
Unfortunately, even if a company offered this, in today's world the product would likely have a hidden microphone that isn't listed on the featured hardware.
Much like the old physical typewriters had spyware hidden on them without the users knowledge. I would be willing to bet that every keyboard has something similar today.
It's also striking to see how many people believe that they can trust the 'little indicator lights' on their microphone and cameras to actually indicate that their physically cut off from power. Very, very few devices are made in a way that this is true, and I would be hard pressed to believe it even if it was started in a manual unless I physically checked the equipment.
Ultimately, just assume that the entire world can scrutinize everything that happens on or around any electronic device... so everything, all the time.
> At a hardware level, grabbing the microphone can take time. Even worse that timing is inconsistent across devices, workloads, etc. That leads to a bad experience when unmuting and needing to delay your commentary. The solution to this is to keep the microphone on, but mute at a software level. This way the mic is always hot and ready to relay audio as fast as the software can switch.
Another solution is to mute at the microphone, if your hardware has a button for that. This way the application can do whatever it wants, it will still get nothing. Using the hardware button is often less effort, than switching windows, finding that unmute button visually and moving the mouse to that button to click it. Or one could use push to talk. Since there are ways to mute yourself without having to do it in the app, it would be acceptable, if unmuting took a part of a second to be effective, indicating that by some "unmuting ..." label somewhere.
got a modmic - popular mic - has a button on it to mute the mic- light turns red - pushed the button and went for a pee - came back to the meeting - left again to get a drink - came back - was asked to mute my mic - light was red - clicked hardware button - red light turned off - clicked again - right light turned on - mic was still active - no longer trust hardware buttons
That is a button that works via software, not a physical disconnect like on some other mics. When its a physical disconnect the os can’t tell if you’ve sent a mute command, just that all audio input stopped.
Not all mics are like this. I have a Corsair gaming headset which has a hardware mute button. I frequently set it on mute when I'm munching on something, forget to unmute, and despite videoconferencing software and the OS thinking the Mic is unmuted, no signal is detected.
> With that being said, if you really care about privacy, consider getting a hardware mute microphone.
But still consider using both software and hardware mutes. I was on a sales call years ago and activated the hardware mute. While one of our salespeople was talking I groaned out loud, and the call suddenly went silent. Somehow the hardware mute had failed, despite the light being lit.
At the hardware level, it takes 0 time (10's of microseconds at most for I2C connected codecs, maybe a millisecond for USB 2.0 sound card) to mute the mic input channel to the mixer sitting before the A/D converter.
If it takes any more than 0 time, it's caused by badly written software.
I wouldn't blame the HW for the privacy issues, here.
> I'd be somewhat willing to bet continue to stream audio is also a quality assurance mechanism. Some networks will shape traffic according to load. A quick jump in bandwidth can introduce unexpected jitter and latency. By continuing to stream audio (but not necessarily process or re-transmit), video conferencing can better ensure an un-interupted experience.
They don't have to actually send the data though in this case they should just send 0 padding. It's all encrypted presumably, so the only externally observable factor is the packet size.
It could also be for background noise suppression when unmuted. This isn't a giant privacy concern, just be clear about what the mute button actual does for all the privacy people. Generally, when I'm on a Zoom call, I'm not expecting ridiculously high privacy, and expect my recipient and the service to have access to the conversation. If not, I would use Session.
Completely agree, there's a lot of user friendly reasons to want the software to behave this way. I use a headset with a hardware mute that engages when I put the mic arm up, that's what I use when I want to make sure I'm muted.
It's simple. Most video conferencing apps that I've used will let you know that your mic is muted when you try to speak and your mic is muted.
If you think they're doing something else, then don't use it. If you think you don't have a choice because your employer requires you to use it, your choice is not in whether or not to use the software. If it's something you care about, there's always a choice.
Google Meet at least it's very obvious to tell they do this because if you talk while muted, they will show a pop-up saying that you're talking but you're muted.
Whether this functionality is justification for more nefarious data usage remains to be seen.
Zoom also has a similar popup. It's quite useful, too.
> “It turns out, in the vast majority of cases, when you mute yourself, these apps do not give up access to the microphone,” says Fawaz. “And that’s a problem. When you’re muted, people don’t expect these apps to collect data.”
Once I was on Teams meeting and someone exclaimed “We can see your screen, systemvoltage!”. Sure as hell, I wasn’t sharing anything. Thankfully I wasn’t browsing HN, but writing code.
These things implemented somewhere in the middle of the stack seems dangerous. I much more prefer a slider switch. Preferably made from real atoms and molecules.
Not long ago I dialed into a 100+ person, 3+ hour long quarterly planning type call. It was a video call, but I had to be in the car for part of the time so I dialed in.
After sitting through over an hour, including the part I thought was essential to my team, I jumped off the call and proceeded to explain the shit show to my fellow passengers for 15m or so.
When I got to my destination and pulled out my phone I discovered _I had never hung up_ - I was on the line the whole time. I had said some things that you should never say about your employer within their earshot and expect to remain in their employ.
After some nauseating minutes I realized I had been saved by the auto-mute feature. When a call has over x participants, everyone is muted until they take their mic off of mute.
I am much more careful now about these things, bc I don't expect to get that lucky again.
I love Discord for some usecases but a while ago I pressed the mute button to talk to my brother sitting next to me and my discord friend made a joke about what I said while muted.
I double-checked Discord and the mic icon was displaying as muted but I could still talk to my friend regardless.
In Google Meet, the UI will change to show that it thinks you have hardware muted the microphone and so "unmuting" the Meet software won't help. I think it's a red ! mark or similar. All my USB headsets have hardware mute.
As a Deaf person, the notification annoyed the heck out of me and there are not even an option to disable the notification. I muted my mic because I am Deaf and I don't use my voice to communicate with my fellow Deaf friends over Zoom/Teams.
And there is no option to disable Zoom joining-room audio (the one that when you join the room, Zoom present the option to ask which microphone you want to enable). Why would I need to enable the microphone if I am signing to my Deaf boss? Deaf communities have major grief with those notifications.
At least, I can disable the microphone access in my macOS and Zoom won't complain. However disabling mic permission in iPadOS will make Zoom to whine about it. Every time I join a meeting, it will let me know that the microphone access is disabled and "kindly" asked me to enable it. In Windows, I can deny the microphone access to Zoom in the Windows setting, however for some reason that made Zoom to crash.
Why not? The only sound they will find is my dogs barking, doors slamming (I lives in apartment), my partner talking in his phone, all of that background noise. Why participants should be subjected to those noise and why Zoom need to know the noises?
> Why do you prefer to sign over video instead of typing? Are there forms of expression that are more natural that way?
We signs because Signed Languages is our modality and the only form of expression in Deaf communities. There are no written sign language or spoken sign language. Using sign language is natural for us to use. We avoid using typing because it is not a true representation of the community, we don't have same proficiency of written/spoken languages as you and others. So to them, it looks like we are from a call center in India with broken English.
I'm fascinated by your last point. Are you saying that being deaf impedes your written communication ? As a layman I would have thought that written communication would be a godsend.
Sign languages aren't English-but-via-hands (even American and British sign languages). They have their own unique vocabulary and grammar. For native speakers of a sign language, English is a foreign language.
I am not deaf, but a family member of mine is a studied American Sign Language in college and worked as an interpreter and we've discussed this topic a few times at length.
Some interesting take-aways I have from discussing this:
* Sign language communication is very different. We can speak with our mouths much faster than we can manipulate our hands, so fewer words are used. I have to imagine this means that the words that are used are far more significant.
* Names are interesting. Most people names don't have signs, and signing every letter would be annoying, so apparently people get nicknames made up of descriptive words. So, you might go by "tall mustache" in normal conversation, but you're 10u152 in writing.
People wouldn't write the same way they would sign. ASL is a completely different language and direct translations to written English modifies the meaning of a lot of statements.
I'm not deaf and/or use sign language, but I have modes where I prefer speaking rather than written text. I would presume deaf people would be the same for their more personal and expressive communication.
I am curious about that too (although others have already answered). I prefer typing over speaking.
But I have realized that a lot of people I interact with find it more difficult to understand information in written form. Ie it's easier to teach someone with spoken language than over written text.
Probably similar reason why, after about 5-6 back and forth cycles in a direct Slack chat, I will usually suggest we get open a voice call to finish the conversation. It is faster and the level of communication is better. Typing is slower and you don’t get nuance hence why some people use emoji.
I totally understand why the person above indicated that they preferred signing to typing.
Signing has tons of advantages over typing, since you can convey emotion/tone with your hands and facial expressions. I'd also imagine it has a higher WPM, although WPM might be a bad measure since some small words like "a" can get skipped when signing.
> “With a camera, you can turn it off or even put your hand over it, and no matter what you do, no one can see you,” says Fawaz. “I don’t think that exists for microphones.”
Maybe it doesn't exist on whatever sleek glassy slabs they're working with, but the old Thinkpad, Elitebook, and Precision workstation laptops I have around me at the moment all have dedicated microphone mute buttons (the Precision has a Fn key combo, the others have physical buttons that do nothing but mute the microphone) that I reach for before trying to mouse over to a different mute button for a particular videoconferencing app.
On my Thinkpad, this was still just interpreted as an OS-level keyboard shortcut, as far as I remember.
A solution that actually (logically if not physically) deactivates any built-in microphone would arguably be at least as important as a "webcam shield".
Apple does this for the built-in microphone for their newer laptops, but that benefit is immediately negated when e.g. connecting a USB webcam that also contains a microphone.
On my T480s the mic mute button is handled in hardware/low-level firmware however all it does is set the mic input level to 0%, where the OS can trivially set it back to 100% if it wants.
At least the LED on the button is driven by firmware based on that level, so it lights up only when the mic level is actually at 0%. While it won't prevent the OS from raising the volume, at least you'll know about it as the mute light will go off.
Check out if you can disable the mic in Audio MIDI Setup on Mac OS X. I tend to use the built in webcam so I’ve never looked on an external one, but in theory you should be able to selectively disable the input/output of any device via its interface. I do this to disable the mic on Work equipment and use my own AirPods as the mic input.
Yes those mute lights have been stuck on "lit" (= "mute") on my Windows forever, both the mic and speaker lights. However recording and playback work fine, the lights just stay on. Very annoying, a little unsettling.
My daily driver is Ubuntu where both lights work fine, on the same machine (dual boot). But now I know not to trust them.
I generally hate my HP laptops' hardware, but this is one of the features that I really love and wish more computers had.
On the one I'm typing this on, the key actually sends a standard Media Mute signal, that can be used under Linux (complete with the LED coming on when it's muted). Ironically, this needs special drivers under Windows.
I'm going to guess the hardware switches and key combos went away because they are too confusing for users. I remember constant complaints of "Internet doesn't work" because the wifi hardware switch was turned off. And as the saying goes, if the majority of users are using it wrong, it was designed wrong.
I think Apple picked the right middle ground by making access to the mic and camera a permissions request as well as showing a clear indicator to the user whenever these are active. Steve jobs said the best UI is to ask the user for their data when you want it and keep making them aware of this access every time you use it.
The problem with software-controlled permissions is that nation-state actors (who have unbounded resources) can snoop on your private matters with significantly greater ease.
At least with a hardware switch, someone would have to physically intercept the air waves in the room you're in. In software, the surface for OS-level vulnerabilities is massive, and state sponsored mass surveillance just gets easier.
Sadly, this is a trade-off we have made as a society for "ergonomics".
This line of argument is bikeshedding at it's finest.
If Mossad is out to get you, they are going to get you, no matter what you do. The threat model for 99.999% of the population doesn't include bespoke attacks from three letter agencies.
They seem to do both, at least on some models? On my thinkpad running openbsd, the speaker mute can become desynced. Audio won't play unless both are unmuted. Pushing the button will flip flop the software state, but not the reverse (although I believe that code could be written, it doesn't exist). So if you soft mute, then push button, hardware mutes and software unmutes, but sound still doesn't play.
I actually like how Zoom can warn you that you're muted if you start talking, happens to me all the time. And that obviously wouldn't be possible without keeping the access to the mic. So the light being on is OK for me. However continuing to stream the sound to the server is a huge problem, if it's really what's happening - but we can't confirm that without knowing which app is in question...
At least as far as not giving up microphone access is concerned, when using Bluetooth headphones, this is very much desirable:
Deactivating the microphone usually is seen as a signal by the OS to switch Bluetooth headphones from two-way conferencing mode (low latency, mediocre quality) back to "music" mode (high latency, good quality). This usually takes 2-3 seconds and disrupts all sound being played (most notably other people talking in the meeting).
I wouldn't want that to happen every time I mute myself.
Continuing to send data to the conferencing bridge is indeed quite shady. Hopefully this would just be (encrypted) silence or comfort noise parameters, which can be useful to e.g. keep NAT mappings alive.
There's a Zoom setting to Mute Attendees Upon Entry. I make that my default for every meeting.
Some people complain, but I've had way too many people join and not realize their mic is live, so the meeting is interrupted by random dude shouting at his children to stop making noise, etc.
Or even better, when the meeting tool has a "Call me at this number" tool, but does not require validation before bridging the audio. So instead the CEO's All-Hands PowerPoint presentation is interrupted by that one guy who tried to have Zoom/WebEx/GoToMeeting call his cellphone, but the call goes to his voicemail instead and the voicemail audio plays over the (recorded) conference. Fun times. I've seen it happen multiple times.
Yes, I think we know this: how else do they think it's possible for Teams (or other videoconferencing app) to warn you that you're muted when you start talking whilst muted without the mic being switched on?
I'm not saying there's definitely not anything sinister happening here in the case of every videoconferencing app, but there are legitimate reasons for leaving the mic on that are about improving user experience, not spying on you.
Isn't it common knowledge by now that cameras and microphones are still "on" even if you disable it at the software level?
Zuckerburg has been taping webcam/microphones/etc for a while now. Though being the CEO of a major corporation requires you take privacy more seriously.
Probably not in the general population, I would guess from my friends and family. Or they just don't care, also possible. ^^
Even those that used to tape over webcams (some started doing so after the Snowden revelations in '13) gave up on that during the pandemic, due to video call after video call and "webcam taping fatigue". Webcam shutters in non-business laptops would be great. :D
Audio is another beast and way harder to solve, as there is no tape or (cheap) shutter that can really block a microphone, and physical disconnects are probably not a feature in most customers eyes, as they have no optical feedback, like webcam shutters. So they could, to most people, maybe only be a source of "why does my audio not work - ah, the stupid button" frustration. :/
> Isn't it common knowledge by now that cameras and microphones are still "on"
No. Can you provide evidence.
Because that would imply that applications are routinely bypassing OS security controls. Which at least on a Mac requires a sophisticated compromise i.e. the camera light is directly linked to the camera itself via an independent subsystem.
Instagram uses camera as soon as you open the app, as it's a relatively slow process to fully load the camera and make it fully usable in a way Instagram devs intended to.
They've admitted it themselves. Not sure about microphones.
On iOS there is an orange/green dot in the menu bar that indicates when the microphone or camera are in active use. The dot appears when you try and use say the Live feature but at all other times it does not appear.
My point still stands that unless apps have compromised iOS/OSX it is NOT true to say that the camera/microphone are always on.
Zuckerberg is an attractive enough target that someone would go to the trouble of trying to compromise his MBP's iSight firmware (and such compromises have been proven to be possible, and pretty easy in pre-T2 macs.)
The tape, however, is probably about really making completely sure he doesn't accidentally show video on a call or videoconference when he didn't mean to.
Video could easily reveal even his approximate location (via shadows and such), and that could potentially lead to deriving, say, that he's working on an acquisition or talks with another company, leading to stock manipulation/speculation and so on.
It's always been risky to trust the mute button, even before zoom etc. The rules have been the same for at least 30 years. Never send an email or other type of text message you don't want the whole world to see. Never say anything on a conference call, even when muted, you wouldn't say when not muted.
Ethically any audio chat software shouldn't transmit any audio it receives when muted. The "hey, you are muted" notifications can all be done client side and don't need any server side support. But ethics is not a factor in the design of any enterprise office software.
It's been mentioned a few times in this thread, but it looks like they all have a legitimate reason for this which is making sure the unmute button is instant. Because having the first few words of your talking get through is more important than a theoretical privacy issue to most users.
I am one of the authors of the paper in this thread. You can find the paper here: https://wiscprivacy.com/papers/vca_mute.pdf. I can also answer any questions you have about the research.
They really need to keep reading mike input. When you start talking on mute, it is nice that the app reminds you that you are mute (although they could do better voice detection)
I wished that the whole conference app would be red on mute and green on unmute and would pulse (in both states) to the audio input level.
Is my keyboard typing loud? Show me that I’m sending loud noises to all my peers.
Make it dead obvious that I’m talking to a muted mike.
Quit hoping that software providers change in this regard and demand hardware with physical microphone kill switches.
The Framework laptop provides an example of a high quality, repairable laptop with physical kill switches for the mic and camera.
I love the UX of "Oops, it looks like you are talking but you are muted" and I also value privacy. The physical kill switch provides a true "mute button" when it's needed.
I love my framework... But be careful If taking out the battery. The battery connector socket on the mother board is extremely fragile. I learned that when I bent the pins in the socket when reattaching the battery...
The findings are largely reassuring, to be honest:
> 1. Continuously sampling audio from the microphone: apps stream data from the microphone in the same way as they would if they were not muted. Webex is the only VCA that continuously samples the microphone while the user is muted. In this mode, the microphone status indicator from an operating system remains continuously illuminated.
> 2. Audio data stream is accessible but not accessed: apps have permissions to sample the microphone and read data; but instead of reading raw bytes they only check the microphone’s status flags: silent, data discontinuity, and timestamp error. We assume that the VCAs, like Zoom, are primarily interested in the silent flag to tell if a user is talking while the software mute is active. In this mode, apps do not read a continuous real-time stream of data in the same way as they would while unmuted. Most Windows and macOS native apps can check if a users is talking even while muted but do not continuously sample audio in the same way as they would while unmuted. In this mode, the microphone status indicator in Windows and macOS remains continuously illuminated, reporting that the app has access to the microphone. We found that applications in this state do not show any evidence of raw audio data being accessed through the API.
> 3. Software mute: apps instruct the microphone driver to completely cut off microphone data. All of the web-based apps we studied used the browser’s software mute feature. In this mode, the microphone status indicator in the browser goes away when the app is muted, indicating that the app is not accessing the microphone.
> The notable exceptions to these trends are the Microsoft VCAs (Teams and Skype) and Cisco Webex. Microsoft VCAs are much more difficult to trace because they do not use the standard Windows userland API. Instead, they directly make calls to the operating system. Since the Windows syscall interface is undocumented, we could not determine how Teams and Skype use microphone data when muted. More interestingly, we observe that Cisco Webex — unlike the rest of the Windows native VCAs — continuously accesses the microphone while muted.
I still unplug my desktop's external camera and microphone when not in use (9" outty-inny cables plugged into my monitor so those ports are accessible), and use hardware buttons (that may really be implemented in software, unfortunately) to mute during calls, and can just flick the camera to point at the ceiling. Will be more of a concern when I'm back to laptop living.
I use this[0] on Mac OS and it works extremely well. It turns the mic off at the system level. Holding down a key acts as push to talk and triple-pressing the key locks it on.
Zoom is really bad for this. On my old thinkpad there is a "mute" button on the keyboard. When you press it, it mutes the mic in windows sound settings and turns an indicator light.
I've had Zoom un-mute the mic itself with not notification to the user and the "mute" led even stayed on.
In old version of Zoom, the host could unmute you without your consent and this would unmute the mic at the system level too. I resorted to disabling the microphone in the Device Manager so it would show up as unplugged instead. This also disables the popup other commentors mentioned.
It looks like newer versions have unmute-consen which hopefully fix it, but the original behaviour made me feel uneasy and not trust Zoom.
Once you use something like the Jack Audio Connection Kit it's hard to understand why a user-controllable system-wide audio graph isn't just the default thing baked into the kernel API.
I have full control over all apps. It involved some extra effort creating a fake ALSA device that sends/receives from JACK, but once it's in place, all audio connections become points you can easily make and break in the graph.
I have a older logitech "speakerphone" microphone that I normally use for video calls and the like as people have commented that it sounds better than the mic that is built into the webcam. One of the nice things about it is that you can touch a "mute" function and the LEDs around the edge of the speaker that usually will light up for a volume dial indicator will turn "red" when it is "muted". And I have found that it does track whether or not the session is muted or not.
Whether or not an application is correctly using the functionality or they try to do something sneaky like using a mute function on app to trigger a "cut audio" function on the server side of the video conference is one of the reasons why I use the speakermicrophone. That visual indicator is usually linked to the Audio Subsystem and with the speakermicrophone being a 1st tier HID device for audio purposes, makes it more likely that things are working as they should.
When it doesn't light up and I'm intentional on the mute is when I would worry.
If I could pick one hardware feature that I'd love on all my i-devices and laptops, it'd be physical shut-off switches for the mic and camera(s). Or, in the camera's case, maybe a cover, since that way you're less likely to have the camera "turned on" without realizing it.
[EDIT] and by "physical" I mean "actually breaks a circuit when off"
Google Meet certainly stays on, but does not try to pretend it doesn't. Feature, not a bug. And this is google, who you know has no compunctions about data collection. The microphone volume icon continues to show movement based on noise from your microphone and it will even prompt you if it thinks you're speaking to unmute yourself.
This is the exact reason that made me develop MuteMyMic. I was really fed up with all these apps that alter input volume behind your back. Now, I can at least know that somebody is playing nasty as MMM beeps whenever mic's volume was changed.
This is not an advertisement ;) I no longer actively develop this app, however, I am still a happy user ;)
I'm fine that the app locally still processes the audio stream - even if I'm muted - to show me a warning if I start talking while muted etc. The alarming part in the article is that at least one app would still send the audio stream _to the server_ while being muted. Any mentioning which "popular app" that is?
Yep! I have an older Steinberg UR22; quality is awesome. Mine doesn't have mute buttons, but with my Streamdeck I can mute/unmute the input sources very easily.
Years ago, an engineer working in videoconferencing told me that the algorithm they used for avoiding feedback loops involved listening at how it comes out at the other end.
I suppose that perhaps there could be audible artefacts when muting/unmuting if these algorithms didn't continuously do this.
Nothing beats black electrical tape that you can easily put over microphones and cameras when you don't want them to be live... It's going to really be the easiest and most reliable way to ensure a decent level of privacy moving forward. I've been using it for ages now.
My team and I built some of the world's most decentralized videoconferencing software, using WebRTC. You can try it on https://yang2020.app/meeting for example ... but it's available in all of our apps, including for teachers, etc.
Since a major point of our platform (qbix.com/platform) is to avoid relying on external third parties, that meant we built a version of livestreaming that is completely peer-to-peer. Imagine a giant tree at whose root are the WebRTC participants "on stage", the ones getting their feed directly get the least lag, and then people just join different parts of the tree (and ask to rejoin if the parent node dropped out or is too slow).
Here is what we learned:
1. On some platforms, it's hard to turn off the audio listening, because you can't turn it back on later. So you have to just disconnect the audio stream going out, but it's still being captured.
2. When someone is "muted" in a chat, what this really means in P2P setups is that the peers have to "respect this setting" and simply ignore the audio/video stream that the one muted is sending.
3. Sometimes, it's very valuable from a business standpoint to grab the incoming video, and do eye recognition and face tracking (yes we support all that too, in our platform, it's available in Javascript). So a teacher can, for example, take attendance and know which students are no longer present or engaged, without actually seeing their feed. All of it is done on the client side of the student, and with their consent.
Each of 1, 2, 3 can lead to a determined "hacker" kid making it seem like they're listening when they're not, etc. But there are some cool tricks to make it really hard and expensive to pull off perfectly.
We use this, for example, to award credits to people for completing educational materials or listening to a show, as with https://ftl.fm
2) Seems like a waste of bandwidth, did you consider the use case that turning off the video stream might be done to try to reduce bandwidth usage either due to cost of bandwidth or bandwidth being limited enough to break other simultaneous needs? And since 3) while creepy, is at least done on the client so does not seem to require the stream to always be sent to the other clients.
Well, yes, it can be turned off and yes it can be not sent, but that's at the discretion of the client. They can "hack their client" to send it anyway which is why everyone has to "refuse" to receive it from a "muted" client, as well. It's a second line of defense. Never trust the client.
Might want to hire some marketing and product branding agency folks to make sure you are branding this in a way that seems safe and trustworthy, so people will try it out and you can increase engagement and adoption.
“With a camera, you can turn it off or even put your hand over it, and no matter what you do, no one can see you,” says Fawaz. “I don’t think that exists for microphones.”
Some microphones have physical switches. Turn off your internal laptop microphone and only use a mic with a switch.
Google Meet will pop up a little "you're muted - are you trying to speak" bubble if it hears noise through your mic while you're muted. So obviously it's still accessing the mic. I don't see this as a big deal.
This is a mountain out of a mole hill. All of the video conference apps I've been on (like Zoom and Teams) are very clear that they don't give up the mic when they mute. They are simply not sending your audio. The apps even give you a helpful message on screen when you make noise but are muted. The "Trying to talk? You're muted!" type of message. How else would they get that other than to be monitoring the mic constantly?
Also there is a big difference between having the mic, listening for consistent sound above a certain level.... and actually doing something with it.
I have two different headsets I use for conferencing, on a USB with a mid-cable control for volume and mute, and a BT headset with physical buttons on the ear cups. I have messed with both, under Linux and Windows 10, and when they are muted, they are really muted.
I have not disassembled them, I am certain that the USB HID is inside the mid cable control unit, but the headsets themselves must be muting the audio stream.
If you use the mute button on the conferencing app? Then I assume all bets are off, but with controls on an external headset, I would assume all behave similarly.
"They found that all of the apps they tested occasionally gather raw audio data while mute is activated, with one popular app gathering information and delivering data to its server at the same rate regardless of whether the microphone is muted or not."
Sure would be nice if they named and shamed, with an opportunity for the company to comment as well.
I can imagine adaptive video rates eating up the freed bandwidth, but I would not bet on it. I would bet the audio was indeed being sent even on mute.
With some poor power saving implementations keeping the mike on can make sense. Switching the power back on when reactivating the mike may cause noticable stutter. An application with limited permissions might not be able to turn the mike off without dropping the device to some low power state.
Being in a conference, muted, hearing something that requires action, hitting "unmute", freeze for a second... bad thing.
A hardware switch would be the better option. But then people wanting to hear you cannot inform you about still being muted.
That's why I have a powered mike with a physical switch.
The web cam has a hinged lense cover.
The background picture is of the office, taken from the exact POV of the web cam, when it was clean. That way it is not necessary to straighten out the office before video conferencing.
It also causes the weird behavior of looking like I am "beaming in" to the office from my orbiting starship :-)
Or maybe it's just a glitch in the simulation of myself that has long since replaced me.
The lack of a physical button to control camera and microphone access is really annoying. At least with a camera, I can cover up with a patch but I can't do anything about my microphone.
They are confusing the concepts of an app level vs OS level mute. If the app itself paints a mute button, of course there's no guarantee that it will do what it says. You have to trust the developers at their word, that they are actually ditching the audio feed coming into their application. Some apps even use the audio to provide useful functionality (like a "you are speaking while muted" notification). If you are really concerned about it, mute the app from system controls instead.
If you're on a Mac, use Shush [0] to give yourself global mute control with a single keypress. You can set it on push-to-talk mode or push-to-silence mode, both are extremely useful. I have mine set to the Fn key and leave in PTT mode most of the time.
I use a hardware switch, albeit for a different reason: I hate the beeping sounds all videoconferencing apps make when you mute/unmute yourself. I guess a good call overall.
What's not clear to me is whether other participants of the meeting are aware of my sound while my mic is "muted".
I'm far less concerned about the videoconference system hearing me than my other meeting participants. This morning during a boring company-wide meeting I accidentally fell asleep (it was an early morning meeting and I was still in bed!)
All that said, it should really be a right of consumers that audio and video capture devices have a physical on/off switch.
Assuming the app that's using the microphone would still need to have hardware access to be able to switch back on when someone unmutes themselves, couldn't there be a higher level API within the OS that still allowed hardware access but wouldn't allow input through so that the audio couldn't be captured in third party apps? Seems like this is an OS issue that Microsoft, Apple and Linux team need to work on if that isn't already the case.
The most unsurprising thing ever. Hardware switch would be the only way to be sure. (Apparently modern macbooks do hardware disable the mic and camera when the lid is shut)
I make it a habit to utilize dial-in numbers for conference software and disable mic inputs on my computer for this reason. There’s no guarantee that my phone doesn’t listen in while I’m muted, but I feel like it’s a better choice. There is a bit of audio quality loss, but on the flip side it isn’t as much of a battle over bandwidth while streaming video, sharing my screen, and broadcasting on audio.
I use the hardware button to mute. My headphone has a mute button right on the cord. It's fast and easy and always within reach. If that's not available, I use the operating system to mute. My Linux systems have a mic icon on the top bar. I believe it's easy to do in Windows also. I don't know about mac.
I always get a good chuckle out of burping and farting while on "mute" because I have seen the traffic.
No expectations of privacy should be the norm when you have mics and cameras. In fact, cameras are easy to handle. Just cover it with something and you're done. Nice continue to listen even if you block them
I like the feature of my video conferencing software that popups up a helpful overlay when I start speaking while on mute. It lets me know I'm muted in case I don't intend to be and reminds me I can press and hold space to temporarily unmute.
Obviously it's listening white muted to do this, but it seems legit.
> “And that’s a problem. When you’re muted, people don’t expect these apps to collect data.”
The lesson here for the user:
Don't rely on the software. Mute at the hardware level (many headsets have a button for that), or at the OS level (many keyboards have a button for that).
Sometimes the best security is to go low-tech. At the risk of not being original, I vote for a mechanical/physical hardware switch for microphone, and a manual lid/lock for the camera (or chewing gum, but it will leave marks :-) )
I am generally against new government regulations, but I would most likely support a law that requires all microphone and camera elements have an LED hard-wired into the power wire/trace. If the sensor is powered, the user should be able to tell.
The case where the school administrator was spying on kids - the macbook light would quickly turn on and then off and you had to look carefully to see it.
There are other reasons to capture the mic (for example, to display a message to you that you are speaking while muted). Or to test the audio settings prior to unmuting yourself in the meeting.
I use Shush on my Mac to have a push to talk button that's independent of the app. That way I can leave the app unmuted if I plan to talk at all, and can always use the same button.
I always noticed that the Mac version of Zoom stays open in the background rather than closing after you finish a meeting. Very sus. I have to manually close out the app.
This reads like the app is open and active and muted within the app? So the answer is to close the app if you want privacy? Seems kind of obvious to me.
One valid use case for this is for the software to detect when you're speaking while on mute and notify you that "you're on mute". Maybe I dreamed it up, but I thought I've seen this before (WebEx?).
I could imagine a soft-mute feature where you're on mute when you're not talking (perhaps to keep down on background noise) but if your app detects that you're actively talking, it will unmute you. It might lose the first word or two that you say but could be effective. I could also see this going horribly awry when someone thinks they are on mute rather than soft mute and say something Biden-esque, like "what a stupid son of a bitch".
The reason they do this is to give you that little warning "You're muted" when you speak while on mute (if they weren't listening to the mic, they wouldn't know that). This is such common behavior (even with the warning!) that I think a videoconferencing app without such warnings would be virtually impossible to use.
The article specifically states
in a number of these apps the data is hitting the network. You don’t need to do that for what you describe.
Reduced latency after unmute is probably the better explanation.
> They used runtime binary analysis tools to trace raw audio in popular videoconferencing applications as the audio traveled from the app to the computer audio driver and then to the network while the app was muted.
> They found that all of the apps they tested occasionally gather raw audio data while mute is activated, with one popular app gathering information and delivering data to its server at the same rate regardless of whether the microphone is muted or not.
What bothers me a lot sometimes is that i fear there is a bug in the software mute. Specially when this is implemented separately by each VC software. The bug that even if you think you are muted, the software still fed the audio to the audience.
The reason i’m raising this is knowing software is very complicated nowadays and are more susceptible for bugs. The other day my MS teams froze. I closed the app and tried to open it again. That didn’t work. It felt like i merrily closed the frontend while the backend was stuck. I remember the days a window was a task, closing that window terminates the task. These days are over. Somehow these softwares are made so complicated, not sure for what reason, that the likelihood of introducing bugs is increased.
So taking this frontend-backend example. Imagine the mute button just sends the command to backend for mute but the backend failed to do so. And the frontend assumed all was fine. The user would have been misinformed.
I would use the (hardware) button that stops the audio at the microphone level all the time.
Have a mute button on your microphone and cover for your camera. Something you can see is engaged (e.g. a light goes on/off).
Some laptops now have switches that disconnect them from USB... which can be a different kind of pain, if there are other devices that may be connected to.
Lots of the mutes for external mics still do it in software. The software may run on the microphone itself and not the host computer, but still. I don't trust it. Give me something that interrupts a circuit.
Many laptops (notably including MacBooks) can be damaged by even fairly thin camera covers. Which sucks, because they should very obviously be standard.
Some hardware up there must be active and sending data even when the light's not on. It's how they make the (excellent, can hardly live without it now that I'm used to it) automatic monitor color temp adjustment work, AFAIK. Though maybe that's a separate sensor from the camera proper.
Always thought of muting as the other party not hearing what I say, not that the app wasn't listening. It's running after all. Assume it's listening to everything
I've been trying to buy one (bluetooth). I'm on headset #3, advertised as having a mute button, like the previous 2, which does absolutely nothing, like the previous 2.
I'd gladly shell out 100 bucks for a bluetooth headset with a real mute button, which just cuts off the mic, instead of telling the PC to do something (which the PC apparently won't do without custom drivers, which I can't install on my company-issued laptop, and which I wouldn't trust either).
Bonus if it's 1 ear only, I find those (esp. the ones with the arc overhead) more comfortable in long sessions, and my job has a lot of those.
Can anyone point me at one known to actually work? Thanks!
At a hardware level, grabbing the microphone can take time. Even worse that timing is inconsistent across devices, workloads, etc. That leads to a bad experience when unmuting and needing to delay your commentary. The solution to this is to keep the microphone on, but mute at a software level. This way the mic is always hot and ready to relay audio as fast as the software can switch.
I'd be somewhat willing to bet continue to stream audio is also a quality assurance mechanism. Some networks will shape traffic according to load. A quick jump in bandwidth can introduce unexpected jitter and latency. By continuing to stream audio (but not necessarily process or re-transmit), video conferencing can better ensure an un-interupted experience.
----
With that being said, if you really care about privacy, consider getting a hardware mute microphone.