Does Your Phone Eavesdrop On You? It Can but Not Necessarily Does
Humans have a thing for patterns. Occasionally, our brains see things that aren’t there or miss out on something in plain sight. In fact, there’s a curious list of cognitive biases that play a part in false conclusions, poor decisions, and occasional conspiracy theories. When it comes to privacy and spyware controversies, the challenge is especially apparent. Speaking of spying, have you ever wondered if your phone listens in when it’s not supposed to?
In this piece, we explore the suggestion that smartphones are eavesdropping on people’s conversations to target ads or worse, summarize the reasoning on both sides of the argument, and share some conclusions.
Smartphones Have Tools to Threaten Our Privacy
There is a fair share of controversy surrounding the matter, and the evidence is largely anecdotal. Still, our phones have more than enough tech built in to spy on what people say.
With their phone nearby, a user has a private conversation with somebody about buying a set of silly hats for a friend’s birthday. The phone listens in with a microphone or other means and pushes information from the conversation to a remote server somewhere on the internet. The information gets to advertising networks, which use it to learn more about the user’s needs and behavior. This knowledge then can be used to serve targeted headgear-related ads to the user.
Overview of the smartphone eavesdropping threat model. Source: Conference paper by Jacob Leon Kröger and Philip Raschke
Smartphones come with microphones and most of them have motion sensors. In terms of hardware, this is plenty.
The part about using a microphone to record conversations isn’t surprising, as all the magic is in the software. Using gyroscopes and accelerometers for the purpose is less intuitive: these tools are meant to tell the phone’s rotation and movements, not really to capture sound.
To tell the rotation, gyroscopes in modern smartphones use the same methods as flies, which are known for their aerobatic prowess. Both come with tiny vibrating structures: flies have club-like organs called halteres on their back and MEMS gyroscopes have a piece of material wiggling inside an enclosure. A pendulum swinging back and forth will resist forces trying to make it swing side to side. You can measure and interpret this behavior to tell the rate of rotation.
Smartphone accelerometers also typically include a frame with a springy bit. The bit stays still when the phone isn’t moving and will try to stay still when you move the phone. A similar effect can be observed when somebody leaves a coffee cup on the roof of their car and drives off: inertia makes the cup reluctant to accelerate with the rest of the car, especially when full of coffee. Likewise, you can interpret the relative motion of the springy bit inside the accelerometer to tell the phone’s acceleration in space.
Neither tool is made for sound, but both register vibrations, which are sound when the frequency is right. Over the past several years, researchers have shown that it is possible to get readable speech samples with gyroscopes, with accelerometers, and with both simultaneously. The reported quality tends to be bad and the studies were limited, but the capabilities are there.
When it comes to the software, German researchers Kröger and Raschke point out three layers at which an attack can be pulled off: the operating system level, the application level, and the library level. This means that OS providers like Google and Apple have the means to access the hardware and manage recordings, but so do apps and even particular third-party libraries strapped onto them.
Normally, apps have to get the user’s initial permission to use the phone’s sensors. The problem is that an app can do whatever it needs with that piece of hardware after that single permission is given. An app may refuse to work without certain permissions, and users tend to choose the benefits of a new app over privacy precautions. The actual permission requested may not even be relevant to the functions of the app. A user may simply grant the initial permissions to an app without paying much attention, allowing a random calendar app to access cameras, messages, and microphones with zero hesitation. On top of that, there are ways to circumvent the permission system, at least on Android devices.
Given all that, it’s not much of a stretch to assume that some big bad companies or government agents may be using people’s mobile devices to serve targeted ads and justice.
But They Aren’t Necessarily Eavesdropping
There is no clear community consensus as to whether our phones are eavesdropping for the benefit of advertising networks. No evidence of hidden recording and data transmission has been found yet.
One of the arguments against the spying smartphones assumption is that there are numerous other ways to do profiling that don’t involve listening to private conversations. Website cookies, online trackers, invisible pixels, and many other means of monitoring users’ behavior are nothing new. Algorithms can process the information from our digital footprint to learn quite a lot about us. This can potentially explain why people occasionally get those spooky ads that coincide with a previous conversation but are seemingly irrelevant to anything they did online.
In addition, for large companies like Google, Apple, or Facebook, it isn’t really feasible to resort to such questionable practices. They already have a lot of data on users and all the analytic capacities to target ads and make profits. There is little apparent reason to risk having reputational and legal problems just to get that extra bit of information.
Another argument is that the coincidences between private conversations and targeted ads can be just that: coincidences. Back in 2015, a researcher concluded that an average person in the U.S. was being exposed to somewhere between 4,000 and 10,000 ads each day. To be fair, that particular study involved all kinds of ads, not just online, and the study was limited to the author himself, but it gives a hint about the scale of ad bombardment. Given that there are about 4 billion internet users, some of them are bound to stumble upon an unnervingly coincidental ad. Falling victim to the selection bias, people may be finding links where there are none.
Considering all of the above, what we’ve got is the fact that our smartphones are very much capable of spying in terms of hardware and software, but there is no proof that they have tapped into that potential. There is also little apparent reason for companies to go for it, given the risks and hassle.
Unfortunately, this doesn’t mean that no spying takes place right now or will take place in the future. It also doesn’t mean that our privacy is protected from all the other perils of surveillance capitalism.
Though It’s Better to Take Reasonable Precautions
While tech companies Google and Apple, as well as independent researchers, screen apps for malicious code, there are many things left to consider on the user’s side.
Using unofficial apps is an obvious risk to avoid. The same goes for giving permissions indiscriminately. Both Android and iOS have a way to show the list of all permissions so the user can check and revoke the ones they aren’t sure about. Sadly, if an app had access to the phone’s sensors and memory before, revoking the permission won’t undo the access it already had.
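As an added illustration (not from the original article), the permission review described above can be scripted for Android: this Python example parses text in the layout of `adb shell dumpsys package` output and reports sensitive grants that an app was not expected to hold. The sample dump, the package names, and the allow-list are constructed for the example.

```python
import re

# Capabilities the article names: microphones, cameras, messages.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "messages",
}

# Constructed sample in the layout of `adb shell dumpsys package` output;
# package names are made up and real output carries many more fields.
SAMPLE_DUMP = """\
  Package [com.example.calendar] (1a2b3c):
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.READ_CALENDAR: granted=true, flags=[ USER_SET]
  Package [com.example.recorder] (4d5e6f):
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=false, flags=[ USER_SET]
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def granted_sensitive(dump_text):
    """Map each package to the sensitive capabilities it currently holds."""
    result, current = {}, None
    for line in dump_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            continue
        perm = PERM_RE.match(line)
        if perm and current and perm.group(2) == "true" and perm.group(1) in SENSITIVE:
            result.setdefault(current, set()).add(SENSITIVE[perm.group(1)])
    return {pkg: sorted(caps) for pkg, caps in result.items()}

def unexpected_grants(dump_text, expected):
    """List (package, capability) grants missing from the user's allow-list."""
    return [(pkg, cap)
            for pkg, caps in sorted(granted_sensitive(dump_text).items())
            for cap in caps if cap not in expected.get(pkg, set())]

if __name__ == "__main__":
    allow = {"com.example.recorder": {"microphone"}}
    for pkg, cap in unexpected_grants(SAMPLE_DUMP, allow):
        print(f"{pkg}: {cap} access granted but not expected")
```

Here the calendar app's microphone and message access is flagged, while the recorder's microphone grant passes because the allow-list expects it.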
Still, search engines, online trackers, internet providers, and websites will be taking notes even if you physically removed the sensors in your phone. Whichever device you are using, opt for privacy-focused search engines, browsers, and messengers, be wary of shady links and sites on the web, avoid public wireless networks, and use a VPN. Privacy requires a blanket approach; it’s not just about potentially nosey phones.