> Out of over 17,000 Android apps examined, more than 9,000 had potential permissions to take screenshots. And a number of apps were found to actively be doing so, taking screenshots and sending them to third-party sources.
Which permission is that, and how do you detect which apps are doing that and stop them?
The research talks about thousands of apps but I do wonder how many of these are apps people use every day and how many are Chinese clones of freemium games and other shitware with a fraction of daily users. All we know from public app store data is the number of "downloads" and even that is distributed as a range. I doubt these 19000 apps were found by doing a survey on what people actually had on their phones.
> Unlike the camera and audio APIs, the APIs for taking screenshots and recording video of the screen are not protected by any permission
However they also talk about doing static analysis on 9,100 out of the 17,260 apps, to determine (amongst other things) “whether media APIs are actually referenced in the app’s code”.
They then talk about doing a dynamic analysis to see which apps actually call the APIs (rather than just link to a library that might call it, but the app never calls that function in the library).
The soundbite is bad; it shouldn’t say “had potential permissions to take screenshots”, it should just say “had the potential to take screenshots”.
What I believe the article is speaking about is an app taking screenshots of its own windows. This is obviously possible and obviously requires no permissions whatsoever. Just make a screen-sized bitmap and do
getWindow().getDecorView().draw(new Canvas(bitmap));
It does sound believable that third-party advertising/marketing/tracking SDKs, which many apps are chock full of, could be doing this.
* Unless there's a zero-day that allows it.
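As an added example, not the paper's tooling or code from anyone in this thread: a small static triage in the spirit of the "are the media APIs actually referenced in the app's code" check discussed above. It assumes decompiled sources supplied as path-to-text pairs (as a decompiler emits them), attributes each hit to first-party or bundled-SDK code by package path, and runs on a constructed sample with an invented SDK package name.

```python
"""Triage decompiled Android sources for screen-capture API references.

Added example (not the research tooling or any project's code). It scans
decompiled Java or smali text for APIs that can capture the app's own
window or the whole screen without any runtime permission, attributes
each hit to first-party code or to a bundled SDK by package path, and
flags classes that combine capture with network I/O. A hit is a reason
for a dynamic check, not proof that screenshots are taken or sent.
"""
import re

# Real Android API names; the labels and grouping are this example's own.
CAPTURE_PATTERNS = {
    "decorview_draw": re.compile(r"getDecorView\(\)\s*\.\s*draw\s*\("),
    "drawing_cache": re.compile(r"\.getDrawingCache\s*\("),
    "pixelcopy": re.compile(r"\bPixelCopy\.request\s*\("),
    "media_projection": re.compile(r"\bMediaProjection(?:Manager)?\b"),
    "smali_decorview": re.compile(r"Landroid/view/Window;->getDecorView\("),
    "smali_projection": re.compile(r"Landroid/media/projection/MediaProjection"),
}
# Network client references, used only as a co-occurrence signal.
NETWORK_PATTERN = re.compile(
    r"HttpURLConnection|OkHttpClient|\.openConnection\s*\(|Ljava/net/URL;->openConnection")


def scan_sources(files, app_package):
    """files: {path: source_text}. Returns {path: finding} for files with hits.

    Paths are package paths as a decompiler emits them (com/example/App.java).
    Anything outside app_package is attributed to a bundled third-party SDK.
    """
    own_prefix = app_package.replace(".", "/") + "/"
    findings = {}
    for path, text in files.items():
        hits = []
        for lineno, line in enumerate(text.splitlines(), 1):
            for label, pat in CAPTURE_PATTERNS.items():
                if pat.search(line):
                    hits.append((lineno, label, line.strip()))
        if not hits:
            continue
        findings[path] = {
            "origin": "first_party" if path.startswith(own_prefix) else "third_party",
            "hits": hits,
            "capture_and_network": bool(NETWORK_PATTERN.search(text)),
        }
    return findings


def summarize(findings):
    """Counts a reviewer wants first: who references capture APIs, and which
    classes pair capture with network I/O (highest priority for a dynamic check)."""
    summary = {"first_party": 0, "third_party": 0, "priority": []}
    for path, f in findings.items():
        summary[f["origin"]] += 1
        if f["capture_and_network"]:
            summary["priority"].append(path)
    summary["priority"].sort()
    return summary


# Constructed sample of decompiled output; the SDK package "com/adnet" is invented.
SAMPLE_FILES = {
    "com/example/notes/MainActivity.java": (
        "public class MainActivity extends Activity {\n"
        "  void onCreate(Bundle b) { setContentView(R.layout.main); }\n"
        "}\n"),
    "com/example/notes/ShareCard.java": (  # first-party share feature
        "class ShareCard {\n"
        "  Bitmap render(View v) {\n"
        "    v.setDrawingCacheEnabled(true);\n"
        "    return Bitmap.createBitmap(v.getDrawingCache());\n"
        "  }\n"
        "}\n"),
    "com/adnet/sdk/SessionReplay.java": (  # bundled SDK: capture + upload
        "class SessionReplay {\n"
        "  void snap(Activity a) {\n"
        "    Bitmap bmp = Bitmap.createBitmap(w, h, Bitmap.Config.ARGB_8888);\n"
        "    a.getWindow().getDecorView().draw(new Canvas(bmp));\n"
        "    HttpURLConnection c = (HttpURLConnection) url.openConnection();\n"
        "  }\n"
        "}\n"),
    "com/adnet/sdk/Recorder.smali": (  # same SDK, smali form
        ".method private capture()V\n"
        "    invoke-virtual {v0}, Landroid/view/Window;->getDecorView()Landroid/view/View;\n"
        ".end method\n"),
}


if __name__ == "__main__":
    results = scan_sources(SAMPLE_FILES, "com.example.notes")
    for path, f in results.items():
        print(f"{path} [{f['origin']}] capture_and_network={f['capture_and_network']}")
        for lineno, label, src in f["hits"]:
            print(f"  line {lineno} {label}: {src}")
    print(summarize(results))
```

Pointing `scan_sources` at a real decompiler output tree only needs a loop that reads each file into the dict; the origin split is what tells you whether the reference is the app's own feature or a library it merely bundles.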
Also, it is possible for a zero day to break specific privileges (like screen record without notification) rather than root.
His evidence is empirical - Apparently he gets pretty high with friends and shit talks - but when the search started to suggest some pretty way out things along the same lines, he landed that their conversations weren't private any more.
So I have an understanding of how much tracking is going on, so I pressed him on that. But he assured me it was stuff he would not even bother to look up in a clearer mindset, and of course, having smoked recreationally for a very long time, he knows not to go near some tools that could land himself in trouble or awkward explanations. That's probably true; he says a lot of stuff that a half decent search would put him straight on. In the end I just figured loose permissions of one of the many apps he's installed, and that's how they (the app) make their money, selling illegally obtained data to more legal sources.
Permissions are the problem with android phones - there needs to be a specific install route for users, one where, if the app starts asking for things it should not need access to, the installer refuses to install and suggests the user look for something better. Camera apps for example really don't need access to communication channels; if it's updates it needs, it can ask - one-time access.
I definitely don't want my phone making those decisions for me; I want my phone enabling me to make decisions. The app asks for permissions, I say no, and, rather than ratting me out to the app, my phone does its best to pretend to the app that it (the app) has the permission it wants, say by giving an empty contact book or whatever. (I know rooted phones can do this, but it shouldn't have to be something I have to fight my phone for.)
I had an experience like this several years ago. I was having dinner with a customer, and one of the guys brought up this story about how he went to school with someone who got caught cheating on Who Wants to be a Millionaire. Later, back at my hotel, I pulled up YouTube and the first recommended video was of the guy who got caught cheating on the game show. I had not searched for this during the conversation (or prior) nor do I watch game show videos on YouTube, or cheating scandal videos on YouTube.
Here's what I think happened: somebody at the dinner googled it, and the video got recommended based either on geo-location data (we were in close proximity) or because the person who googled it was in my phone contacts, or maybe both. But, I don't think Google/Youtube was recording anyone's conversation to make that recommendation.
https://www.sfchronicle.com/bayarea/article/apple-siri-priva...
LLMs are only as good or bad as they are created - or their function / parameters? Google got real sad mid 00s - it's all about the money now isn't it.
Topic recently [1] re Google A.I. BSing.
[1] https://news.ycombinator.com/item?id=43748171 ('Epistemological Slop: Lies, Damned Lies, and Google' - <newcartographies.com>)
I'm not sure if you first thought it up or just repeated the term - as I see simonw meaning-slop link was posted as a separate post at HN 2 days ago.
However it's certainly bad when some piss poor LLM starts flogging some nonce as a meaning. For example when using less well documented idioms or terminology - google sadly isn't that great any more at finding stuff, so ... not good if it just makes stuff up instead. New creative stuff, sometimes people can get the gist of it but all the same no one wants the likes of a search assistant vomiting all over it.
I see your point - when LLMs just make stuff up to be helpful.
That idea only exists to create fake two-dimensional anti-capitalist rhetoric, which is a rhetoric easier to put down than the fact that privacy does not exist anymore.
So, I am supposed to do this. To "correct you" and look very lunatic.
It serves, however, a very specific goal. First, it cannot be copied en masse. If this behavior is copied (even as a meme), it implies doom to the easier to defeat anti-capitalist rhetoric and the birth of a true 3D anti-capitalist rhetoric. It can only be mocked (smoking guy pointing to a conspiracy board), but that mockery is getting real serious real fast now.
Can I dive deeper into the mechanics of how this is gonna go?
We had so many chances, of doing good. You all had so many chances.
- User 1 shows an interest in <topic>.
- User 1 visits the same location, for the same period of time, as user 2.
- So I show an ad for <topic> to user 2.
And of course whoever you are performing your search with, like, oh, an ad company like Google, Meta, or Facebook? They just might use that search data for something.
I care about accuracy when it comes to privacy conversations. I don't want people wasting their time on theories that aren't true when they should be focusing on the real issues at stake.
On WiFi you control, this risk can be mitigated (force DNS to your own server that uses ODoH or similar), but for most people ISPs are still sitting on data gold mines obtained from passively observing DNS.
In his case a realistic answer falls towards loose or sneaky permissions in regard to an app that has slipped through and allowed a weird conversation to influence suggestions in internet activity later on.
However for more grounded subject matters, the more probable strange coincidences fall to queries and visits to the net being scraped by external API and content (fonts, scripts, etc.) providers. I've no idea how much meaningful info would normally be shared between the site and third party providers that seemingly need to be contacted while a site loads.
Based on this assumption, it wouldn’t be necessary for any of your friends to search for the topic during an evening together. It would simply be enough that one of the friends showed some interest in the topic prior to the hangout (searched for something, read a blog, stopped for too long on an instagram reel).
Then, during an evening together, your phones all share the same location (and possibly movement). That’s enough for advertisers to suspect there’s some relationship there. Enough of an association to attempt an ad placement (or instagram reel) for a particular obscure topic.
As such, if location or device id data were available to build a larger picture, for any sort of common topic I'd agree the advertising could easily be a result of data analysis of various subsets of phones in a given region, applying algorithms and feeding it back into search results.
However like I said, the stuff was apparently way way out there zany - he assured me he would never bother searching for it. So zany in fact no one would ever bother. For all I know he may have ruled out other people and have just been talking to his pet dog and various other tame native animals that hang around his verandah. I would tend to believe way way out there, as after a small smoke around me he's dribbling worthless bs. There's no low bar on my part either - something like "if polka dot dogs exist" I could accept as something that might / could be searched the next day by anyone who was involved in such an out-there conversation, and as a result skew search results.
Anyhow, I'm settled on it being one of the many worthless apps on his phone that exist because a website is not desktop friendly - as they say, if the service is free, you're the product ...
Then I got an iPhone and it stopped completely. My wife has a newer Android phone and the same things happen to her.
Now, I swear I read a few years ago that Facebook have teams to deliberately look for vulnerabilities to exploit, as well as things such as this: https://x.com/ashk4n/status/1070349123516170240.
So my personal conclusion(s) is this: 1. There are vulnerabilities in older (if not current) Android versions which companies like Meta exploit to eavesdrop at all times, or at least while the app is not closed. 2. Most people just provide the 'While using the App' or 'Always allow' permissions for the microphone/camera, so this basically gives permission for them to do that regardless, even if it's not what those permissions were requested for (sending a voice message, taking a picture to post etc), BUT now there are status lights for when apps are using the microphone/camera which I never noticed being activated on my wife's phone when using it, unless for the correct reasons.
Between all the apps people use daily which is pretty much Instagram/Twitter/TikTok/WhatsApp, microphone permissions tend to be enabled, and if they are, then most of someone's screen time is on an app with those permissions. Not to mention the 'Google' app on Android phones which seems to have every single permission enabled at all times that perpetually runs.
Sorry, but I'm not buying the "someone else in your home searched something similar" or "ads are so advanced that they can predict what you want" etc excuses. I'm extremely careful with what I search. I have never experienced this once I switched to an iPhone, but I have experienced it too many times when on Android.
Sure there is.
Hide screenshot taking behind permission and slap down hard apps that refuse to operate without them.
Now, what could reasonably be a permission is "access the internet", but our overlords don't approve of that thought.
(Contrast this to web pages, which do not render themselves and thus can sensibly be blocked from screenshotting)
For example, it can capture the entire DOM and send it off, including the contents of input fields that have not been submitted.
That DOM capture can be replayed on a browser to show what the user sees. So what’s the difference?
However, if an app wants to make a screenshot of itself, then it could do so by emulation of itself (so no permission is needed), as long as everything it displays is rendered by its own code rather than calling other functions in the system to do so.
I'm also not sure how easy keylogging is these days; is there even a permission that allows it? I suppose there are ways to do it with custom keyboards. Google/Apple doing it themselves would be a pretty big deal.
It can work by burning through the battery. When you have a browser open or any number of apps, some of them are certainly detecting.
They describe how everything else they do works in great detail if you're someone who buys ads.
So, when you start learning about tech, you get paranoid. If you're not, it's even weirder.
The fact that someone can target you, individually, is indisputable. Whether it will or not, that's another question.
What I can recommend if you think you are being observed, is to avoid the common pitfalls:
Don't go full isolationist living without technology. That is a trap. There is nowhere to hide anyway.
Strange new friends who are super into what you do? Trap.
You were never good with girls but one is seemingly into you, despite you being an ugly ass dirty computer nerd? That is a trap. Especially online but not limited to it.
Go ahead, be paranoid. When an article comes to probe how paranoid you are, go ahead and explain exactly how paranoid you have become.
But live a normal life nonetheless, unaffected by those things. Allow yourself to laugh, and be cool with it.
Hundreds of clone accounts doxxing me? Well, thanks for the free decoys.
Constant surveillance? Well, thank you for uploading my soul free of charge to super protected servers.
Dodgy counter arguments in everything I care to discuss? Sounds like training.
The paranoid optimist is quite an underrated character. I don't see many of those around.
"true" in the sense you used here. Have you thought about what it means in that context?
We live in an age full of fear of missing out baits and reversed versions of such. There is no sense of "oh, this is good for me" that can be relied upon (implied in the original comment, you are going to find it), although there are sayings.
Until it isn't. Anything Apple is proprietary and any feature could silently change at any time, even for only specific devices/users.
https://web.archive.org/web/20250415140321/https://www.thegu...
State of the art about 10 years ago was 4 9s of accuracy predicting click-through rates from the available context (features for user profile, current website, keywords, etc.), which I interpreted as requiring a fairly accurate learned model of human behavior. I got out of that industry so I don't know what current SOTA is for adtech, but I can only imagine it is better. The models were trained on automatically labelled data (GB/s of it) based on actual recent click-through rates so the amount of training data was roughly comparable to small LLMs.
Recent anecdote: three of us were sitting around the kitchen table with our phones out chatting about an obscure new thing that had come up; it appeared in one of our FB ad streams pretty quickly.
My top guesses about how this is possible today:
1) Apps routinely link many third-party data gathering and advertising libraries. Any of these libraries could be gathering enough contextual data and reselling it to make a correlation possible. It's not just obscure thing A that triggers an ad, it's highly correlated mixtures of normal things X, Y and Z that can imply A.
2) other friends may have talked about the obscure thing recently and social network links implied we would be aware of it through them.
Distant 3) the models are actually good enough to infer speech from weird side-channels like the accelerometer when people wave their hands when they talk, etc. Accelerometer sample rate is < 1 kHz but over 100 Hz, which may be enough, especially when you throw giant models at it.
Since you've provided no explicit counter-evidence, I'm gonna go ahead and say I have four nines of accuracy in predicting that your smartphone was squarely in the dependency chain of any "obscure new thing" you could have imagined discussing.
Edit: wording
Having a hard time parsing what that means.
Let's say the CTR for 1,000,000 impressions of an ad is 24.5898% and the ML predicts 25.1926%. How many 9s of accuracy is that?
I don’t remember the name, that was at least 10 years ago before Apple started enforcing permissions on microphone access and showing an orange dot, but they wanted to do a revenue-share deal in exchange for us quietly bundling their SDK inside ours.
Needless to say we turned them down so we never learned more or tested the veracity of their claims, but there are some really sleazy companies out there. Modern smartphones have sufficient horsepower to do the audio processing on-device so the argument that this would show up in network traffic does not hold.
https://www.pcworld.com/article/424417/ad-tracking-tech-uses...
This actually makes sense of an anecdote a colleague uses to say that he thinks his phone is listening to him.
I am a keen skier. He used to ski a lot, but hasn't been for several years. Around the start of ski season this year, we talked about my plans to go skiing that weekend, and later that day he started seeing skiing-related ads.
He thinks it's because his phone listened into the conversation, but it could just as easily have been that it was spending more time near my phone (I had only recently started at that job) on which I regularly search for skiing-related things like conditions reports and directions to ski areas.
Bingo! This is most certainly what happened.
I’ve spent time trying to convince my friends that their phone’s microphone is not constantly listening and running sounds through voice recognition software to isolate their voice (so the individual who owns the phone can be advertised to), then through sentiment analysis software (to inform advertisement bids), all without meaningfully affecting battery life. That is usually an uphill battle but explaining location services and the fact they don’t know what I’ve searched gets the point across better. (It is actually creepier.)
Tracking isn't all the time - that would be tough. They do record stuff when you're doing certain things though...
It's not impossible at all, actually it's rather easy if you have access to their actual online activity too.
Variants/difficulty levels could be about: capture everything, or just keywords? What if you have a million keywords? Transcribe on-device or in the cloud? Can you do it just inside an app or do you need OS support/root access? Etc etc.
Would be interesting to see what can be done at all and how easy or difficult it would be to detect.
Worst case scenario you succeed, and you've built yourself the torment nexus. If you publish your results, you'll have to publish the torment nexus to prove you don't have anything up your sleeve, making the world slightly worse for everyone else now that there's an accessible torment nexus ready to go. If you don't publish your torment nexus, nobody will believe you. Hell, if you succeed, you might've actually invented the thing! At best, the result of your success is knowing for sure you _could_ be spied upon any time, anywhere.
There's probably a much easier method to know for sure: work for advertising companies and learn their secrets.
I know the prevailing wisdom is to always publish your code with a paper, to ensure maximum reproducibility, but this would be a valid case where you DON'T want to make reproducibility easy.
It's essentially the same dilemma that security research already has today: You want active research into vulnerabilities to be able to close them, at the same time you don't want people abusing your research to exploit them.
There is also the point of how feasible such a system would be to deploy on new phones. E.g. if you require a rooted phone and a custom Android image, chances are relatively slim your system will be used in the wild.
I also recall reading about members of the TIA "Total Information Awareness" program leaving to join advisory boards for rising social media platforms, Facebook most notably. These weren't tinfoil op-eds in fringe outlets, but regular reporting by journalists published in trusted local newspapers.
Are there any outlets left who aren't part of consolidated media groups that can or do still track and report on movements like this? I'm having trouble finding original articles that haven't been "revised for historical accuracy" or hidden behind paywalls of the few entities that remain.
Edit: For context, I was looking for the earliest articles about Google citing legal justification for scanning the contents of emails under a favorable interpretation of metadata that allowed for tokenization by an automated process (ie- the contents were not read by a human or made personally identifiable, which met the letter of the law). It follows that the same justification is not limited to any source or data type, but I couldn't recall any more recent reporting or statements from companies over the last 10-15 years, or, the "don't break Google" era.
"Your phone isn’t secretly listening to you, but the truth is more disturbing"
Which is presently also the title on this post.
Then as I read it becomes clear that it is merely focusing on Facebook.
However the confusion that may stem from "Your phone isn’t secretly listening to you"
The blog post never attempts to establish that your phone is not listening to you, just that some companies may not be doing it.
The truth is that your phone may well be listening to you. There is plenty of malware / spyware that uses exploits to achieve it.
Like the NSO group¹.
Tools to do so can be bought on the malware market from other sources as well, and we must assume that Mossad, NSA, and other major intelligence agencies have tools that exceed what you can buy on the open market.
Your phone may absolutely be listening to you, but probably it is not.
¹ https://www.bloomberg.com/news/features/2023-01-24/nso-group... https://www.britannica.com/topic/Pegasus-spyware https://citizenlab.ca/2016/08/million-dollar-dissident-iphon...
https://newatlas.com/computers/smartphone-listening-conversa...
https://www.bloomberg.com/news/features/2023-01-24/nso-group...
They started in iOS 14; iOS 17 got a new Secure Exclave path (A18, M4).
Search for “Secure Indicator Light”.
Also searching for “Secure Exclave” will reveal some fun reads.
Plus, what could a hacker really do with voice recordings that they couldn't do more easily with keylogging? It's not exactly common for people to say their credit card info or passwords aloud; it's much more common to type it.
The second incident was the "listening to you thing," though. Not on the phone, but on a smart television. Exterminator was there to do the quarterly spray of my house and I was showing him scars from when I fell off a skateboard trying to bomb a hill I couldn't handle late last year, talking about what happened, and not five minutes later I turn on the television, open YouTube, and the very first recommendation on my wife's account is a video of a guy falling off his longboard at 50 MPH. Not like it's some kind of secret that we both skate and I watch a lot of downhill videos on this account, but I have never once specifically searched for, watched, or even been recommended a video of a crash, until they decide to do so five minutes after I was talking about it in front of that television.
I also have a couple distinct memories of getting served ads for products I've never searched for or never bought before, after I either bought it in a store or, even weirder, literally just picked it up, looked at it, and put it back on the shelf in a store?
I can craft some kind of super-surveillance-state theory as to how you could achieve that, but it feels very unlikely to be deployed at a small CVS lol
Anyways, these might just be coincidences but still perplexing to understand how it's done.
Are you using a third party keyboard? Or any apps you don't 100% trust if you sent the message from a Mac?
I guess it's possible that, to me, it appears "organic" (ex. somebody just mentions Taco Bell or whatever) but they had actually been searching on their device, and since our digital proximities are known, the next thing you know I'm Living Más lol
This "experiment" has since then been shut down, but exposing this and many other forms of activism has permanently cost me my Twitter account, to the point that asking to reinstate it several times because I was permanently suspended for no valid reason led to X Support directly rerouting every attempt to appeal this decision into the digital trash can.
Let's say nothing surprises me anymore.
A few years ago I tried to create a separate digital footprint from scratch (just an experiment out of boredom when my isp offered a second number for free). I used an ultra cheap never before used android phone and set it up outside my home.
Google went nuts. All sorts of captchas, security checks and attempts to link me to other information popping up on every step. Eventually it wouldn’t let me use the phone unless I provided a credit card number.
Bonus: the iPad's device name is now "My iPhone" because it also synced the device name from the phone.
Here is a remnant from someone who replied at the time:
https://xcancel.com/kpcuk/status/601451439215353857
By the way: somewhat later we (thanks to a group effort) figured out it wasn't "just" Chrome as mentioned, and this basically led to the strong assumption there was some serious data sharing involved.
And yes that screenshot from this person is 100% real; my pins for example were sprinkled all across Brighton in the UK near places with Wifi access (I recently went on a city trip there at the time), and my home town in the Netherlands.
I didn't share any geolocation with Twitter. At least not voluntarily.
Do note that at first it was assumed just Chrome was involved, but then people started to message me that they also saw it when using the apps, Firefox, Safari and other browsers as well.
Also, sharing geolocation has been turned off by said user because reasons -- which make sense if you look at the location in the screenshot.
Geolocation has been turned off by me and others as well.
This one used data shared by the user (opt-in on sharing geolocation in the app or browser), which then is publicly exposed through the API (like this feature says it would).
Mine doesn't give a shit, geolocation was shared even when turned off by the user in Twitter.
What it does is download all photos that the user shared on Twitter, extract GPS tags from EXIF, and put markers on Google maps, annotated with these photos.
First, the cost to transcribe audio is not free. It is computationally expensive. Any ad network or at scale service would not be able to afford it, especially in orgs where they are concerned about unit economics.
Secondly, the accuracy would be horrible. Most of the time, your phone is in your pocket and would pick up almost nothing. Moreover, it’s not like you are talking about anything of value to advertisers in most cases. Google is a money printing machine because people search with an intent to buy. The SNR of normal conversation is much much much lower. That makes the unit economics of doing this much worse.
Third, it would be pretty hard to not notice this was happening. Your phone would get hot, your battery would deplete very quickly, and you’d be using a lot of data. Moreover on iOS you could see the mic is being used and the OS would likely kill the app if it was using too many resources in the background.
So until we find an example of this actually happening, it’s not worth worrying about.
Like a smart TV, for example.
Second thing I do is block the TV access to internet after I do one firmware update.
I figure they will reset my no microphone preferences mostly, or make it only work when online someday.
Anyhow, ain’t broke, don’t fix it!
What if only the audio of "high value" targets is recorded. Meaning people who buy a lot of stuff. So it might be worthwhile to only record their sounds. Which will explain why random testing (usually with new/clean phones) is never successful in detecting a recording event.
Building a word cloud would be trivial and with minimal battery impact
Calm Down—Your Phone Isn’t Listening to Your Conversations. It’s Just Tracking Everything You Type, Every App You Use, Every Website You Visit, and Everywhere You Go in the Physical World
https://www.mcsweeneys.net/articles/calm-down-your-phone-isn...
Just like Facebook’s “we never sell your data (we just stalk you and sell ads using your data)”. I’m sure there’s a similar weasel excuse… “we never listen to your audio (but we do analyze it to improve quality assurance)”
You're free to take the bus, or hire a chauffeur. A private pilot's license doesn't have any pictures either.
You can opt out, just say you do (and preferably cover the camera with your hat or bag)
And then be flagged and 10x more targeted because of that
It's not the private entity taking a 3D face scan, nor are they necessarily wanting for that scan to be taken. It's federal laws and regulations being done by federal agents in spaces controlled by the federal government.
> The Transportation Security Administration (TSA) is an agency of the United States Department of Homeland Security (DHS) that has authority over the security of transportation systems within and connecting to the United States.
https://en.m.wikipedia.org/wiki/Transportation_Security_Admi...
More generally, having your stuff screened for security to get on a commercial plane isn't a 4th amendment violation, the word "unreasonable" is right there in the amendment for a reason. You're in public in an enclosed flying object bringing your goods onto someone else's plane with 100+ strangers aboard, it is completely reasonable and necessary for the freedoms of everyone involved for the TSA to ensure that your stuff doesn't have dangerous objects aboard.
Don't forget that freedom also involves the freedom of other people to not be negatively impacted by you exercising your "freedom."
> Standard ID credential verification is in place – Travelers who decide not to participate in the use of facial recognition technology will receive an alternative ID credential check by the TSO at the podium. The traveler will not experience any negative consequences for choosing not to participate. There is no issue and no delay with a traveler exercising their rights to not participate in the automated biometrics matching technology.
My goodness this thread is just the most annoying tinfoil hat thread I've seen all day. Y'all are spending too much time online.
I know that, and you know that, but you have to convince the average traveler that nothing bad will happen if they say no. In the mind of the average traveler, it’s safer to just say “okay” to whatever the TSA wants. There needs to be some kind of neutral ombudsman to placate travelers’ fears of reprisal for opting to preserve their rights.
They are also running facial recognition on all of those round just-above-eye-level camera pods all up and down the concourse.
Also, the spirit of the 4th Amendment is most certainly not "here, this is the easy way!" (yes, we are conducting mass surveillance but you can sort of opt out of one piece of it by going through a manual process over here that we will make you feel like you are burdening us by requesting)
I trust the TSA agent's brain to not get hacked in the next 24 hours; a database run by them, not so much.
So the idea that it takes a huge amount of computing resources, battery life, permissions, or bandwidth to do matching of keywords is hilarious. That's what "siri", "hey google", "alexa" etc are all doing 24 hours a day. Just add another hundred and report them once an hour. You don't need low latency. It's just another tool in the bag!
Of course the cat food example is bad, because if they weren't looking for that you wouldn't get a response. Who would be willing to pay big for clicks on cat food. Now bariatric surgery? DUI? HELOC? Those pay.
You might have just convinced me that the “phone is listening” is total bunk, because these dedicated devices are just so bad at recognizing the very specific, short, phrases when explicitly directed at them that I can’t imagine they are listening for much more. Listening to my in-laws try to activate their Alexa and Google Homes is something the CIA might consider for their next torture method.
Also, "Siri" and the like end up waking the main processor, which is definitely easy to prove/disprove. Just talk to your phone continuously for a long time and see if it wakes.
Another thing to consider is that we should never fall into the trap of thinking we are immune from influence from advertisers. Firstly, it's basically what advertisers want; it allows more actions like this, more of our data to be sold; and secondly, because it's easier to influence someone if they think of a decision as their own choice than if they think they were manipulated into it. We do not remember the ads we see, but we can remember that we are all susceptible to influence.
Also, I don't see the relevance of your second paragraph. The baseline is not "no ads", the baseline is "ads supported by all the tracking that Meta/Google currently does".
I also knew an entrepreneur who tried this same thing, but with TV shows.
Fingerprinting specific audio is a different algorithm problem entirely. You only need to sample a short section of audio every few minutes and then process the spectral peaks, which are fingerprinted against a database of known samples.
This is how apps that name a song work. It’s not the same as constant full speech to text.
But you’re skipping the key part of the story: They had to hand out phones specifically for this because you can’t get constant audio background processing from installing an app on a modern phone OS without the user noticing.
> That's what "siri", "hey google", "alexa" etc are all doing 24 hours a day.
Again, wake word monitoring is a different algorithm. Monitoring for a wake word is a much simpler problem. They’re not processing everything you say, converting it to text, and then doing a string compare for the wake word. It’s a very tiny learning model trained to match on a very specific phrase, which might run at a hardware level.
Regardless, this would require so much coordination, network traffic, and on-device code that could be reverse engineered that you’re implying that nobody has ever found a hint of it existing and no employees of these companies have ever leaked any hints of it existing.
It’s very much in the domain of conspiracy theories.
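The spectral-peak fingerprinting the comment above contrasts with full speech-to-text, as an added illustration that is not the thread's or any vendor's code: constructed tone sequences stand in for ad audio, only the loudest bins per window are kept and hashed landmark-style, and the matcher returns the nearest reference, or nothing when the overlap is below a threshold. The jingle names, bin values, noise levels and the byte-size estimate are all assumptions made for the example.

```python
import cmath
import math
import random

# Toy parameters (constructed for this example; real systems use higher rates/windows).
WINDOW = 256            # samples per analysis window
PEAKS_PER_WINDOW = 3    # only the loudest spectral bins survive; everything else is dropped
MATCH_THRESHOLD = 0.5   # Jaccard overlap needed before we claim recognition

# Precomputed DFT twiddle factors so the pure-Python transform stays fast enough.
_TWIDDLE = [cmath.exp(-2j * math.pi * m / WINDOW) for m in range(WINDOW)]


def synth(bins_per_window, noise=0.0, seed=0):
    """Constructed 'audio': one window per entry; each entry lists the DFT bins to excite."""
    rng = random.Random(seed)
    samples = []
    for bins in bins_per_window:
        for n in range(WINDOW):
            tone = sum(math.sin(2 * math.pi * k * n / WINDOW) for k in bins)
            samples.append(tone + rng.uniform(-noise, noise))
    return samples


def spectral_peaks(samples):
    """Per window, keep the PEAKS_PER_WINDOW loudest bins (bins 1..WINDOW/2-1)."""
    peaks = []
    for start in range(0, len(samples) - WINDOW + 1, WINDOW):
        frame = samples[start:start + WINDOW]
        mags = []
        for k in range(1, WINDOW // 2):
            acc = sum(frame[n] * _TWIDDLE[(k * n) % WINDOW] for n in range(WINDOW))
            mags.append((abs(acc), k))
        top = sorted(mags, reverse=True)[:PEAKS_PER_WINDOW]
        peaks.append(sorted(k for _, k in top))
    return peaks


def fingerprint(samples):
    """Landmark-style hashes: (peak bin now, peak bin in next window).

    Pairing across adjacent windows makes the hash set independent of where in
    the clip the capture started, so a snippet still overlaps the reference.
    """
    peaks = spectral_peaks(samples)
    hashes = set()
    for t in range(len(peaks) - 1):
        for a in peaks[t]:
            for b in peaks[t + 1]:
                hashes.add((a, b))
    return hashes


def best_match(query_fp, database):
    """Nearest-neighbour search by Jaccard overlap; returns (name, score)."""
    best, best_score = None, 0.0
    for name, fp in database.items():
        union = len(query_fp | fp)
        score = len(query_fp & fp) / union if union else 0.0
        if score > best_score:
            best, best_score = name, score
    return best, best_score


def recognize(samples, database, threshold=MATCH_THRESHOLD):
    """Name of the matched reference, or None when nothing is close enough."""
    name, score = best_match(fingerprint(samples), database)
    return name if score >= threshold else None


def fingerprint_bytes(samples):
    """Rough upload size if only hashes leave the device (assume 1 byte per bin)."""
    return 2 * len(fingerprint(samples))


# Constructed reference "content" (ad jingles) a recogniser would be seeded with.
JINGLES = {
    "cat_food_ad": [[20, 45, 70], [22, 45, 70], [25, 50, 70], [30, 50, 75]],
    "car_ad":      [[10, 60, 90], [12, 60, 95], [15, 65, 95], [15, 65, 100]],
}
DATABASE = {name: fingerprint(synth(seq)) for name, seq in JINGLES.items()}

# Constructed inputs: a noisy capture, a snippet that starts mid-ad, and unrelated audio.
NOISY_CAPTURE = synth(JINGLES["cat_food_ad"], noise=0.5, seed=1)
PARTIAL_CAPTURE = synth(JINGLES["cat_food_ad"][1:], noise=0.5, seed=2)
CONVERSATION = synth([[33, 77, 111], [34, 78, 110], [36, 80, 108], [38, 82, 106]],
                     noise=0.5, seed=3)

if __name__ == "__main__":
    for label, clip in [("noisy", NOISY_CAPTURE), ("partial", PARTIAL_CAPTURE),
                        ("conversation", CONVERSATION)]:
        print(label, "->", recognize(clip, DATABASE), best_match(fingerprint(clip), DATABASE))
    print("raw 16-bit bytes:", 2 * len(NOISY_CAPTURE),
          "fingerprint bytes:", fingerprint_bytes(NOISY_CAPTURE))
```

Unrelated audio scores zero against every reference, which is the property that makes this cheap: nothing outside the seeded database is transcribed or retained.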
Not really. 99% of the time it's someone claiming that it happens.
And it's always an anecdote, never clear proof that it happened. Let alone that it happened because of the audio and not web activity. And that the conversation was actually the cause for the ad and not the other way around.
Is it technically possible? Sure. But if so many people are so certain that it definitely happens, why didn't dozens of people already prove it with a fresh Google/Apple account and phone?
Boom, Illinois tourism ad shows up the next time I hit the internet. Scary thing is I didn't even say the state name, just the destination, and SOMETHING calculated that Illinois is in the middle.
This stuff has now happened far too many times in the last 10 years of my life, it is simply implausible to call it coincidence at this point. You are being listened to by your phone.
Ad firms have no ethical boundaries, and have lied about their data collection over and over.
What is really frightening is that if the ad companies know everything about you, then multiple state actors also know everything about you.
This would simply eat the battery immediately, it's simply not feasible and given all the other, cheap tracking it wouldn't even be beneficial.
You could easily record and do a fast voice transcription to gather keywords from a hardware perspective.
However:
— IIRC the phone was unlocked,
— this only affected the news feed, and
— this was 5–6 years ago.
We 1) noted how the Google app shows some selection of news after opening, 2) talked clearly for a minute about a very random and conspicuous topic in the presence of the unlocked phone, and 3) demonstrated that the Google app showed an article relevant to the topic within a few minutes. The article was a few days old, too, so it was clearly boosted out of more recent stories.
The only reason it could be something other than the phone microphone is if I was misled by my friend steering us towards a predefined topic. However, that would require some extensive preparation to rule out the story appearing in the first step and would be very atypical for that person.
I recall seeing an article about Google admitting this and changing their policy to stop, but can’t seem to find it now. I imagine it was bad publicity, though to my friend it was a feature to see personalized content.
That’s why it’s something you observed one time 5-6 years ago, not something that happens repeatedly in a testable way.
Having one incident where you’re talking about something and then you also see that something on your phone out of 2000 days of using a phone is definitely more likely to be coincidence.
Here’s something relevant in Google’s current support KB[0], where the combination of the following further supports that the experiment did not have to be staged (emphasis mine):
> Web & App Activity saves your searches and activity from other Google services in your Google Account. You may get more personalized experiences, like: <…> Content recommendations
> When Web & App Activity is on, you can include audio recordings from your interactions with Google Search, Assistant, and Maps as part of your activity.
Let’s now go back to the experiment. Given the phone was unlocked, voice activity was enabled, and Google app or search widget was on Google Pixel’s screen (I am certain at least the latter was true) during the experiment, could talking near the phone be counted as “interaction”? If the answer is “yes” then it seems very reasonable for us[1] to expect, per that KB, that the app would listen more actively than what’s required for assistant activation, and that recorded snippets would count as your “activity” designed to affect content recommendations (including the article feed Google app showed to us on its app’s main screen).
No tinfoil hat required.
***
Note that it does not mention ads among personalized experiences[2], and we had not observed any change in the ads either. I didn’t see what exactly counts as “interaction” or whether this blazing-fast content personalization used to include ads previously, but in line with the “move fast” culture of mid-2010s Silicon Valley it could well have been much more lax at some point. If so, I do not envy all the people who have observed it only to be gaslit and mocked by peers and media.
***
As to the article I was vaguely remembering in my original comment, the above makes me think that it was merely about the change of the default to opt-in, which it is as of today:
> This voice and audio activity setting is off unless you choose to turn it on.
[0] https://support.google.com/websearch/answer/54068?hl=en&co=G...
[1] Us tech people; this might not at all align with the intuition of other people.
[2] I rather suspect that ToS and possibly some other KB article would indicate that your activity would, in fact, affect your interest profile and by extension ads, but probably in a much less obvious and more gradual fashion.
It’s never packet captures, reverse engineering of the app, or one of the tens of thousands of employees working for these companies blowing the whistle.
Nobody can even show that their phone app is using background CPU when they talk, utilizing the microphone, or sending packets from that app. All of which are in reach for anyone with Android and some basic skills.
It’s always an anecdote about someone who said something out loud and then saw ad for it later. That’s it. That’s the entire basis for the conspiracy. Yet it persists.
It’s a very good litmus test for people who don’t understand technology as well as they claim to.
So maybe the microphones are safe and pristine, but we should be worried and appalled the same as if they were actually listening.
I like to think about it sorta thermodynamically: consider your behaviour under the blurred lens of interests, what you buy, what you read, how you react to news, etc. In this model humans have, let's say, n bits of entropy; how many of those bits can Facebook decode?
1. Your phone is gathering data that you don't realize that it gathers.
One of the biggest examples of this is real-time location data that is brokered by cellular carriers and sold as aggregated marketing data. You don't have to give your apps permission to do anything like that because your cellular carrier can get that data regardless of your phone's OS.
2. Your phone is gathering data that you gave it permission to gather, perhaps gathering it in a way you didn't think it would do.
For example, let's say you give an app permission to read your entire photo library so that you can upload a photo. But since you gave it that permission on the OS level, it might be uploading more images than you explicitly select. Another example used to be clipboard data before the OSes asked permission for use of the clipboard. One last example is text that you enter but do not submit.
Another big aspect of this is that people don't realize how these ad networks work in real time. It's not a slow thing for an advertising company to learn something about you and react accordingly, it can happen in a few short seconds.
3. The average person doesn't have any comprehension of how easy it is for data science practices to uncover information about you based on metadata that seems benign or that you don't know exists.
Most people don't understand how your behavior in an app can be used to tell the company things you like and dislike. The TikTok algorithm is a great example, it can tell what you like just by extremely subtle inputs, how you swipe, how long you watch the video. A lot of people don't realize how many things about them aren't particularly unique and how many preferences can be tied to a really specific persona that you fall into.
A real world example of all of this put together is that I was spending a lot of time browsing appliances because I just bought one, and I went to physically visit a friend. We were talking about my new appliance, and later they got ads for that specific appliance. So, the person's reaction would naturally be "it was listening to us!!" but in reality, it is more likely that our cellular carrier or carriers knew we were physically in the same place and reported that piece of information to some kind of data broker. Consider how there are a limited number of cellular carriers; that location data may not have needed to even exit the cellular carrier to sell this data to someone. I.e., if we both have the same cellular carrier, our company already has that information and it isn't selling it to another company, it's perhaps just telling a data broker that Person A and Person B interact with each other.
Just note that I'm not claiming this is exactly how it all works as I'm not in that industry, but the general ideas here apply. The general takeaway is that literally recording audio with a microphone just isn't necessary to derive hyper-specific things about people.
The advertiser trying to sell my friend appliances didn't really get a lot right about them. They're a renter and the advertiser thought they’d like to buy a major kitchen appliance just because we were in the same location.
If they were able to listen in to our conversations they wouldn't have sent them an advertisement at all.
Your feed is almost certainly personalized up to the individual post, but I think if we are making an analogy to human curation it's certainly not working the same way behind the scenes.
Think of it like an attacker (the app) would breach a cryptographic target (you and every other user of the app). The attacker starts to send random messages or try to mess around with signatures/tokens/APIs and listens for errors, timeouts, spam filters, possible side channels until it learns enough to figure out how to predict how the system will behave and maybe even to influence it.
Both in the analogy and in the timeline, it does not matter if you mix a few random messages between one test and another as long as you comprehensively keep track of how the target behaves.
Every interaction is a data point; some data points are more useful than others, but none is useless.
And of course it is also doing screen recognition (the kind of stuff OP article mentions), but that is not what I’m talking about. I’m talking about microphone data picking up live conversation from people in the room.
If Toshiba Fire TV is related to Amazon Fire TV, then it may include Alexa for voice recognition, which could be optionally disabled. In theory, Alexa is only activated after on-device recognition of the configured wake word.
If your smart toaster, light bulb, or fridge was listening to you, would anyone even notice? Does anyone examine these devices in depth?
It's like that old Soviet Russia joke, except it's not a joke.
Here’s a simple experiment I ran and still works.
Back in the day there was a truly ghastly ad for ear wax removal that showed up on YouTube in the UK.
In an experiment, and prank, I told two of my close friends about this, and how this horrid advert would kill my appetite when it came up.
And then I made it a point to repeat “ear wax removal” loudly several times.
Sure enough. A day later my dear friend messaged me with something on the lines of “I hate you”
Their phones were Android and iOS. I believe it was the Android user who suffered.
Can you not see all the biases and fallacies in your own comment?
There are millions of ways the adware running on your phones could've correlated your profile and spread the "infection" to your friend. Basic location access being the most important one, but sharing an IP address (your friends' WiFi?), being near the same Bluetooth beacons, having the same stored SSIDs, or mere coincidence that your friend saw the same ad targeting a wide demographic are much more probable than "my phone is listening 24/7".
Do note, this was tested in a park, so no shared WiFi, no Bluetooth beacons/devices. Also, this ad doesn’t/didn’t show up for others, ever.
And I’m assuming you also made them aware of other ads you’d seen recently so they could see if those showed up as well?
Why do you think I would put up a comment on HN, of all places, with this degree of confidence?
> tested with other ads… If I had known that this was going to need to be studied 5 years into the future, I would have conducted a double blind study. Sadly I could not; however, it’s still fun, so we can always replicate.
The question is, have you found a horrid ad yet? Side note, this was in the UK
> The question is, have you found a horrid ad yet? Side note, this was in the UK
The question is, why does it have to be a horrid ad? Does the phone only listen for things about horrid ads to show you?
You have to know that your phone isn’t listening to you right? That it’s just a coincidence and that when you’re told to be on the lookout for an earwax ad that you’re more likely to see one, right?
Your phone might not be listening to you straight out of the box. Might. You don’t know for sure, nobody here does. Why err on the side of blissful ignorance? And then you accept 10 end-user agreements you don’t read, install dozens of apps you don’t read the small letters of… and you think nobody has been listened to?
It’s a bigger chance it happens than that it doesn’t, in my mind. I haven’t been able to catch it using mitm proxies, but I’m not the best at that, and I haven’t a pretty virgin iphone on purpose.
Yeah but I am.
If you tell me a story about your phone listening to you that you absolutely swear is true, I know you love the idea of conspiracy theories and would laugh at someone who believes in astrology. But they’re the same thing.
It’s fun to see coincidences. It’s fun to think you’ve outsmarted the man. But that’s all it is — fun.
It’s not real.
> Ad companies are the sleaziest of them all and I would not be surprised if they did stuff like this
OK prove it.
> It’s a bigger chance it happens than that it doesn’t, in my mind
OK, should be easy for someone to prove then.
Is it really more likely that this thing is happening that nobody has been able to prove or that people like to see patterns to explain the weird things in the world?
> I haven’t been able to catch it using mitm proxies
Shocker lol.
But should be easy for you to find someone who has caught them red handed, right?
What, are you saying that there is an ASMR or god knows what community that focuses on ear wax?
I never got those ads in my LIFE, until I had a medical need. Have you?
>why does it have to be a horrid ad?
Because I choose horrid ads to mess with my friends? You could try for adult teletubbies, lord knows that might exist. Whatever floats your boat, I say.
You seem to have some horse in this race, or some larger level of commitment than the simple joy of messing around with this should entail.
And holy hell, I had an example of a medical condition, an ad, in the UK, discussed in a bloody field, with no towers or other devices to listen in, and the other person did not have the same medical condition.
And yet this is not enough. And all you have to do with this, is try it out yourself. Hell - I am even suggesting this in a manner that is open to being a fun lark with friends.
I am by far the largest black hole of joy amongst the stellar folk in my orbit. This conversation is invigorating, in that you are near certainly part of my tribe.
Believe it or not I don’t have the photographic recall of the ads that I see that you seem to possess.
> You could try for adult teletubbies
Why don’t we both try this and report back in 24 hours when our listening phones have had the time to work their magic.
> And yet this is not enough.
That is correct. Your phone is not listening to you.
What are they matching against? Against key "content".
To check if the fingerprints from your phone mic match the "content" they have to do some kind of nearest neighbor search. What if the fingerprints aren't super close but they're somewhat close? To "content" related to certain products? Should we send the ad?
What if employees at Alphonso and Shazam _know_ that the fingerprints from your phone aren't quite close enough to have been generated from key monetizable samples of the "content", but also know that they are close enough to be effective? At targeting potential buyers?
Who decides how close is close enough? What's the ethical threshold here? And what's the most profitable threshold?
Could you please provide a source for this?
Just on the outset this sounds pretty wild if true. In the settings I do not see any permissions associated with Shazam, and only when I open it do I see the usual microphone indicator light up.
I will say though, it is weird that it doesn't have associated permissions listed, because clearly it can access the mic at least when it's open.
Edit: nevermind, found it, was just super hidden. But yeah, says it can only access it when the app is "in use". Now can it auto launch? Apparently also yes, after boot. Otherwise idk. It's further interesting I cannot tweak any of these permissions.
Edit #2: now it says that notifications are enabled for it, but then I check, and they aren't. I exercise the toggle, now it doesn't say that anymore, and the mic permissions are no longer hidden? Samsung please...
No amount of years in tech will rid me of tech pains it seems.
Shazam has an "auto shazam" feature you can enable for constant background listening, since 2016 at least!
But look into Alphonso. That's like Shazam but explicitly for covert "content recognition" listening in microphone enabled apps. And it's old.
People who say it's too expensive or impractical to do bulk listening for ad-tech just aren't paying attention.
That's interesting. Although can and does are very different things - it appears to be a feature you turn on yourself. Upon surface-level research, I also found it to rely on an offline music fingerprint database, suggesting it doesn't retain and send off the audio it records, or the metadata it extracted from it.
> Shazam has an "auto shazam" feature you can enable for constant background listening, since 2016 at least!
This is again a can vs. does difference.
This says it all. Privacy is not the default, because of soulless mega corporations, including HN, which has an extremely invasive privacy policy. If you don't actively take steps to improve your privacy, they will continue to exploit it. Use GrapheneOS, it is the most private and secure mobile operating system. Nothing happens without your explicit permission, the way it should have been from the beginning.
The ranking would probably be:
- Pixel on GrapheneOS
- Any Android smartphone on Lineage or /e/OS
- iPhone on recent iOS (the best choice for technically illiterate people)
People concerned with privacy should avoid stock Android phones. Additionally, software only goes so far in protecting privacy. Some hygiene is also required, especially with iOS, where everything is sent to iCloud by default and E2E encryption is either not enabled by default or not available at all in some countries.
When it comes to hardware, nothing really compares to the Titan and T2 chips found in Pixels and iPhones though.
> - Any Android smartphone on Lineage or /e/OS
None of those operating systems does anything for tracking/advertising SDKs in apps, which is where most of the data leaks are coming from, not Google/Apple. Moreover, unless you're willing to go with no proprietary apps (i.e. most apps people actually use), you'll need Google Play Services, which means Google can still collect data on you.
Either way, Google can only collect limited data on those distributions, and you have control over them. Concerning tracking applications, yes, some hygiene and good practices are necessary, the OS can only go so far.
???
What information are they getting their hands on in the first place, aside from geoip data?
Then, I add a guy I loosely know and what do I start seeing? Cocaine rehab ads. I shit you not. It's not hard to argue that this is more than a minor privacy violation.
In essence, while smartphones may not be actively eavesdropping, the depth and breadth of data analytics employed by tech companies can create the illusion of such practices.
I get the idea that an "always on" monitoring system would be problematic (even if you discarded the data itself and only retained/filtered relevant bits for a short period of time). But ... I have no other way to explain events like this.
I suppose some weird correlation of user has x,y,z and they searched for a,b,c in the past, and other users search for D, then we show D at exactly the 12 hour time they searched for it.
Yes I am aware of recency bias, and how perhaps it was shown other times without recognizing it. But it's... hard to shake that feeling, and I am (well less so now) a skeptic...
If it's anything it's like AI that's eerily creepy like "intelligence" but not it, just like this is "like listening" but isn't. Both use statistical models to do creepy ass shit.
Me: "I would go watch Deadpool with my best friend Z if he was in town today".
Me: "Did you hear they have a Deadpool dog? Dogpool!" (saw the trailer from my desktop at work)
Wife: "I don't care about a Deadpool dog. You should definitely go see it with Z."
About 2 hours later. Ads for Deadpool litter her Facebook. Deadpool had been out for 2 weeks. Why now? Because we talked about it in the car while she was on Facebook. I've worked in Adtech since about 2005. It's the phone and or the app. Our Google TV does the same thing, except Youtube doesn't seem to be affected by conversation. So that's something.
That’s the point the article makes: That some idea is on your mind is essentially always correlated with any number of signals, some of which are visible or inferable by adtech.
This could be intentional. Having too many accurate ads is having a bad effect, because you then enter the uncanny valley of noticing what the data collectors all know about you.
This (or simple error) seems more likely to me than a conspiracy to appear less creepy, though I suppose all three could be in play.
The commute time from SF to Cupertino is certainly not constant.
Because that's not how it works, and companies like Meta know this when misleading its users about their privacy.
Speech-to-text transcription is handled on your device. They never transmit the raw audio, there's no need to. A compressed text transcription of your conversation would only generate a few kilobytes of data. You would never notice it.
And the mic needs to be active in order to receive legitimate voice commands. If it can respond to your voice, the microphone is on and listening. That's the only way it can work.
I don't believe that my phone is not listening to me and I challenge you to choose a random word out of the dictionary and say it 100 times in front of your phone.
The person making the claim should be responsible for furnishing the proof. If it's really so simple to prove, why hasn't anyone done a carefully controlled experiment proving this once and for all? At the very least, it'd move us beyond vague anecdotes on social media.
They did, and found no listening being done. It’s in the article under “The data doesn't add up”.
That test has been done. It is explained at length in the article under the heading “The data doesn't add up”.
Your TV though… that IS listening and the TV even has options to disable it. It’s on every TV shipped in at least the last 5 years, maybe 10.
I am astonished that nobody has ever done any reverse engineering research on this yet.
That would be an awful plan. Low tech people are the ones who most frequently complain of this because they have no basis to think it wouldn’t happen.
> I am astonished that nobody has ever done any reverse engineering research on this yet.
They have. It’s described in the article.
https://www.reuters.com/legal/apple-pay-95-million-settle-si...
Based on the lawsuit and other sources, my guess is the phones build a word cloud that is then used for targeted advertising. Apple et al. aren’t recording and selling the actual audio… but they are listening.
(1) https://www.reuters.com/legal/apple-pay-95-million-settle-si...
My hypothesis:
* The algorithms have linked my account to some others.
* They then serve me the embeddings extracted from those profiles. The near-real-time nature of this has crossed my mind more than once.
It's really unsettling, and afterwards I feel uneasy about any recommendations (all Google services, Netflix seems problematic too, not Amazon).
YouTube seems to have some hidden knobs for tuning this behaviour: after multiple negative feedbacks, the problematic content disappeared from my front page. However, the recommendations on the right-hand side of individual videos remain problematic, and the automatic playlists of YouTube Music are still strangely disturbing (even after multiple negative feedbacks).
became so prevalent no differentiable value so the algos etc sought new omg human public users. magic baby. but just hungry ip sw gobbling up new worlds.
maybe. just thinking outloud.
On more than one occasion, I would be in a conversation with a friend of mine and things would turn political, and if I spouted just the right combination of anti-left rhetoric/keywords, our connection would drop right away -- boom.
Now why would Voice do this when other Google properties don't? I mean, they don't filter Gmail or Docs or Photos looking for subversive content and censoring it. YouTube comments, maybe.
But I figured that if they wanted, it was completely possible. Because they have proven and deployed live-transcription, and they're best at English. Not to mention, Voice is sort of a deprecated product that they don't really support. So why not throw a little havoc in there for miscreants?
The reason I was using Voice was to place phone calls from a SIM-less tablet. It seems that Voice insists on using my real phone now for routing any sort of call. So I haven't had opportunity to test the boundaries for years now. Nevertheless, I was not sorry about the possibility of censorship, I was duly chastened, and sorry I've been so brainwashed to lapse into mindless talking-point rhetoric.
simonw•2d ago
That's not quite accurate. The CMG thing was very clearly a case of advertising sales people getting over-excited and thinking they could sell vaporware to customers who had bought into the common "your phone listens to you and serves you ads" conspiracy theory. They cut that out the moment it started attracting attention from outside of their potential marks. Here's a rant about that I originally posted as a series of comments elsewhere: https://simonwillison.net/2024/Sep/2/facebook-cmg/
The "Hey Google" / "Hey Siri" thing is a slightly different story. Apple settled a case out of court for $95m where the accusation was that snippets of text around the "Hey Siri" wake word had been recorded on their servers and may have been listened to by employees (or contractors) who were debugging and improving Siri's performance: https://arstechnica.com/tech-policy/2025/01/apple-agrees-to-...
The problem with that lawsuit is that the original argument included anecdotal notes about "eerily accurate targeted ads that appeared after they had just been talking about specific items". By settling, Apple gave even more fuel to those conspiracy theories.
I wrote about this a few months ago: https://simonwillison.net/2025/Jan/2/they-spy-on-you-but-not... - including a note about that general conspiracy theory and how "Convincing people of this is basically impossible. It doesn’t matter how good your argument is, if someone has ever seen an ad that relates to their previous voice conversation they are likely convinced and there’s nothing you can do to talk them out of it."
... all of that said, I 100% agree with the general message of this article - the "truth is more disturbing" bit. Facebook can target you ads spookily well because they have a vast amount of data about you collected by correlating your activity across multiple sources. If they have your email address or phone number they can use that to match up your behaviour from all sorts of other sources. THAT's the creepy thing that people need to understand is happening.
nickpsecurity•2d ago
It sounds more like we have evidence of what we believe, you think we should toss the evidence for your counter-theory, and people won't do that. We also have an effect where tons of people experienced this. You want us to toss that, too.
"You don’t notice the hundreds of times a day you say something and don’t see a relevant advert a short time later. You see thousands of ads a day, can you remember what any of them are?"
On Facebook, during one period this happened, they were only showing me ads for Hotworx and a massage place every time. Trying to stay pure minded following Jesus Christ means I avoid such ads. So, it was strange that it's all they showed me. Then, strange that the only break from the pattern was showing unlikely topics we had just talked about in person.
So, I'm going to stick with the theory that they were listening since it best fit the evidence. I don't know why they'd do it. Prior reports long ago said they used to use ML (computer vision) to profile people outside of the platform who showed up in your pics.
I'll note another explanation. Instead of always listening, they could have done it to a random segment of people who were rarely clicking ads. Just occasionally, too. We wouldn't see the capability in use all the time. A feature tested or used on a subset of users.
Also, these companies keep spying on us in increasingly creative and dishonest ways. If anyone is to be blamed, it's them.
simonw•2d ago