These Academics Spent The Last Year Testing Whether Your Phone Is Secretly Listening To You

It’s the smartphone conspiracy theory that just won’t go away: Many, many people are convinced that their phones are listening to their conversations to target them with ads. Vice recently fuelled the paranoia with an article that declared “Your phone is listening and it’s not paranoia”, a conclusion the author reached based on a five-day experiment where he talked about “going back to uni” and “needing cheap shirts” in front of his phone and then saw ads for shirts and university classes on Facebook.

(For what it’s worth, I also frequently see ads for shirts on Facebook, but I’m past the age of the target audience for back-to-school propaganda.)

Some computer science academics at Northeastern University had heard enough people talking about this technological myth that they decided to do a rigorous study to tackle it.

For the last year, Elleen Pan, Jingjing Ren, Martina Lindorfer, Christo Wilson and David Choffnes ran an experiment involving more than 17,000 of the most popular apps on Android to find out whether any of them were secretly using the phone’s mic to capture audio. The apps included those belonging to Facebook, as well as over 8000 apps that send information to Facebook.

Sorry, conspiracy theorists: They found no evidence of an app unexpectedly activating the microphone or sending audio out when not prompted to do so.

Like good scientists, they refuse to say that their study definitively proves that your phone isn’t secretly listening to you, but they didn’t find a single instance of it happening.

Instead, they discovered a different disturbing practice: Apps recording a phone’s screen and sending that information out to third parties.

Of the 17,260 apps the researchers looked at, over 9000 had permission to access the camera and microphone and thus the potential to overhear the phone’s owner talking about their need for cat litter or about how much they love a certain brand of gelato.

Using 10 Android phones, the researchers used an automated program to interact with each of those apps and then analysed the traffic generated. (A limitation of the study is that the automated phone users couldn’t do things humans could, such as creating usernames and passwords to sign into an account on an app.)

They were looking specifically for any media files that were sent, particularly when they were sent to an unexpected party.
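The check described above, sketched as an added example (it is not the researchers' tooling): sniff each outgoing request body for media file signatures and report the ones sent to a host outside the app's own domains. The flow-record layout, app name, host names and first-party map are constructed assumptions, and a signature check like this cannot see audio that was transcribed to text before upload.

```python
# Added example: flag media uploads that leave an app for a non-first-party host.
# All flow records, hosts and the first-party map below are constructed samples.
MAGIC = [  # (offset, signature bytes, media type)
    (0, b"\x89PNG\r\n\x1a\n", "image/png"),
    (0, b"\xff\xd8\xff", "image/jpeg"),
    (4, b"ftyp", "video/mp4"),
    (0, b"OggS", "audio/ogg"),
    (0, b"\x1aE\xdf\xa3", "video/webm"),
]

def sniff_media(body):
    """Return a media type if body starts with a known signature, else None."""
    for offset, sig, kind in MAGIC:
        if body[offset:offset + len(sig)] == sig:
            return kind
    if body[:4] == b"RIFF" and body[8:12] == b"WAVE":
        return "audio/wav"
    return None

def upload_parts(body, content_type):
    """Yield each part of a multipart upload, or the whole body otherwise."""
    if "boundary=" not in content_type:
        yield body
        return
    boundary = content_type.split("boundary=", 1)[1].split(";")[0].strip('"')
    for chunk in body.split(b"--" + boundary.encode()):
        _headers, sep, payload = chunk.partition(b"\r\n\r\n")
        if sep:  # chunks without a header/body separator are delimiters
            yield payload

def is_first_party(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def find_media_leaks(flows, first_party):
    """Return (app, host, media type) for media sent to unexpected hosts."""
    hits = []
    for f in flows:
        if is_first_party(f["host"], first_party.get(f["app"], ())):
            continue
        for part in upload_parts(f["body"], f.get("content_type", "")):
            kind = sniff_media(part)
            if kind:
                hits.append((f["app"], f["host"], kind))
    return hits

PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
FIRST_PARTY = {"com.example.shop": ("shop.example",)}
FLOWS = [  # constructed traffic for one hypothetical app
    {"app": "com.example.shop", "host": "cdn.shop.example", "body": b"\xff\xd8\xff\xe0"},
    {"app": "com.example.shop", "host": "up.analytics-vendor.example",
     "content_type": "multipart/form-data; boundary=xyz",
     "body": b'--xyz\r\nContent-Disposition: form-data; name="f"\r\n\r\n' + PNG + b"\r\n--xyz--\r\n"},
    {"app": "com.example.shop", "host": "up.analytics-vendor.example", "body": b'{"event":"tap"}'},
    {"app": "com.example.shop", "host": "up.analytics-vendor.example", "body": b"\x00\x00\x00\x18ftypmp42"},
]
```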

The strange practice they started to see was that screenshots and video recordings of what people were doing in apps were being sent to third party domains.

For example, when one of the phones used an app from GoPuff, a delivery start-up for people who have sudden cravings for junk food, the interaction with the app was recorded and sent to a domain affiliated with Appsee, a mobile analytics company. The video included a screen where you could enter personal information – in this case, their postcode.

This wasn’t a total surprise: Appsee proudly touts its ability to record what users are doing in an app on its website. What bothered the researchers was that it wasn’t evident to the user that their behaviour was being recorded, something which wasn’t disclosed in GoPuff’s privacy policy.

After the researchers contacted GoPuff, it added a disclosure to the policy acknowledging that “ApSee” might receive users’ PII. “As an added precaution, we also pulled Appsee SDK from the latest Android and iOS builds,” said the start-up’s spokesperson by email.

Appsee, meanwhile, claims that it was GoPuff that screwed up. Appsee’s CEO Zahi Boussiba told me that his company’s terms of service “clearly state that our customers must disclose the use of a 3rd party technology, and our terms forbid customers from tracking any personal data with Appsee”.

He said their customers can blacklist sensitive parts of their app to prevent Appsee from recording it, and pointed out that a number of Appsee competitors also offer “full-session replay technology” for both iOS and Android apps.

“In this case it appears that Appsee’s technology was misused by the customer and that our Terms of Service were violated,” said Boussiba in an email. “Once this issue was brought to our attention we’ve immediately disabled tracking capabilities for the mentioned app and purged all recordings data from our servers.”

Appsee wasn’t entirely blameless, though, said a spokesperson for Google, which runs the Play Store through which people get Android apps.

“We always appreciate the research community’s hard work to help improve online privacy and security practices,” a Google spokesperson told me by email.

“After reviewing the researchers’ findings, we determined that a part of AppSee’s services may put some developers at risk of violating Play policy. We’re working closely with them to help ensure developers appropriately communicate the SDK’s functionality with their apps’ end-users.”

The Google Play policy says you must disclose to users how their data will be collected.

GoPuff used Appsee to help optimise performance of its app, so the recording wasn’t unexpected on the company side, but it’s concerning that a third party can record your phone screen with no notice to you.

It illustrates the ease with which a malicious actor could potentially steal information from your phone. A screenshot or video of app interaction could capture private messages, personal information or even passwords being entered, as many apps show the letter inputted before changing it to a black asterisk.

In other words, until smartphone makers notify you when your screen is being recorded or give you the power to turn that ability off, you have a new thing to be paranoid about.

The researchers will be presenting their work at the Privacy Enhancing Technology Symposium Conference in Barcelona next month. (While in Spain, they might want to check out the country’s most popular soccer app, which has given itself permission to access users’ smartphone mics to listen for illegal broadcasts of games in bars.)

The researchers weren’t comfortable saying for sure that your phone isn’t secretly listening to you, in part because there are some scenarios not covered by their study. Their phones were being operated by an automated program, not by actual humans, so they might not have triggered apps the same way a flesh-and-blood user would.

And the phones were in a controlled environment, not wandering the world in a way that might trigger them. For the first few months of the study the phones were near students in a lab at Northeastern University and thus surrounded by ambient conversation, but the phones made so much noise, as apps were constantly being played with on them, that they were eventually moved into a closet. (If the researchers did the experiment again, they would play a podcast on a loop in the closet next to the phones.)

It’s also possible that the researchers could have missed audio recordings of conversations if the app transcribed the conversation to text on the phone before sending it out. So the myth can’t be entirely killed yet.

The level of paranoia people feel about their phones is understandable. We have on our persons at almost all times a little device with myriad sensors that can potentially monitor our behaviour.

The uncanny accuracy of the ads you see, though, almost certainly isn’t the result of the phone literally eavesdropping on you; it’s a combination of good targeting based on the amount of your digital and real world behaviour that is captured via apps, along with the fact that you aren’t as unique as you think you are.

Advertisers know what you’re talking about because other people like you are talking about the same things and buying the same things.

“We didn’t see any evidence that people’s conversations are being recorded secretly,” said David Choffnes, one of the authors of the paper.

“What people don’t seem to understand is that there’s a lot of other tracking in daily life that doesn’t involve your phone’s camera or microphone that gives a third party just as comprehensive a view of you.”