In context: Does your smartphone listen to your conversations through the microphone? Whether it be by the government or by advertisers, it is a conspiracy theory that many people believe is true — that our phones are always on and always listening. According to a new study, this theory is wrong, but it did find another concern.
As conspiracy theories go, the line of reason that we are carrying around a device that records our every conversation probably comes up more often in tech forums than it should. Some laugh it off, while others are entirely convinced that phone makers and third-party apps are spying on us through the microphone. There is even some evidence that companies are at least thinking about doing this.
This belief is further fueled by the occasional non-scientific “study” put out by magazines like this one from Vice, which purports that purposely placed keywords over the course of five days produced Facebook ads for those keywords. Not to deny the author his hard work and research, but the methodology used was anything but scientific.
With the overall lack of real proof through valid scientific inquiry, researchers at Northeastern University decided to conduct a study to determine if there was any evidence to validate this “live mic” theory. Their paper titled "Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications" details how for one year, Elleen Pan, Jingjing Ren, Martina Lindorfer, Christo Wilson, and David Choffnes conducted an experiment using more than 17,000 popular Android apps including Facebook and about 8,000 other apps that send information to the mega-powerful social media platform.
Their goal: To see if any apps quietly recorded audio and sent it off to third-party servers.
Their conclusion: Not only did none of the apps send out any audio files, none of them even activated the microphone without first being prompted to do so.
According to Gizmodo, “Like good scientists, they refuse to say that their study definitively proves that your phone isn’t secretly listening to you, but they didn’t find a single instance of it happening.”
Even though none of the apps used the microphone without prompting, over 9,000 of the 17,260 apps had permission to access the cameras and mics of the devices.
"They found no evidence of an app unexpectedly activating the microphone or sending audio out when not prompted to do so."
What was even more astonishing, however, was that some apps were found to be taking screenshots and screen recordings and sending them out from the device to third-party domains. The researchers gave an example using an app called GoPuff, which is a snack delivery service.
When their automated systems used GoPuff, the screen interactions were captured and sent to a mobile analytics firm called Appsee. They said that the video that was sent out “included a screen where you could enter personal information —in this case, [the] zip code.”
This feature of recording screen sessions is one that Appsee brags about on its website. Many apps use this feature for marketing purposes, and the researchers didn’t really find fault with that in and of itself. What bothered them was that the app did not make clear that it was doing this and that it happened to be recording personally identifiable information (PII).
The scientists contacted GoPuff about it, which immediately changed its privacy disclosure to say, “AppSee [sic] might receive users’ PII.”
They also contacted Appsee, which claimed that their SDK can “blacklist sensitive parts of the app to prevent [the SDK] from recording it.” Appsee insisted that GoPuff was at fault in this matter in that it did not blacklist that screen nor did it disclose the use of screen recording. Company CEO Zahi Boussiba told the researchers that this was a violation of its ToS.
“[Appsee’s terms of service] clearly state that our customers must disclose the use of a 3rd party technology, and our terms forbid customers from tracking any personal data with Appsee,” he said.
Boussiba claims that once they were notified of the violation, they disabled tracking from the GoPuff app and “purged” its servers of the recorded data.
"We always appreciate the research community’s hard work to help improve online privacy and security practices." — Google
The researchers also reached out to Google regarding GoPuff and Appsee. After reviewing the study, Google has decided that Appsee’s technology may be causing some developers to inadvertently violate Play policies, which state that developers must disclose when and how user data is collected.
“We’re working closely with [Appsee] to help ensure developers appropriately communicate the SDK’s functionality with their apps’ end-users,” said the spokesperson.
The long and the short of the study is that while we are not necessarily being listened to, it doesn’t mean we are not still being spied on — something which we all have been made well aware of in the last year.