This article reminds me of this excellent tongue-in-cheek piece of writing by Jonathan Zeller in McSweeney's:
Calm Down—Your Phone Isn’t Listening to Your Conversations. It’s Just Tracking Everything You Type, Every App You Use, Every Website You Visit, and Everywhere You Go in the Physical World
There is so much time spent “debunking” audio recordings being shared with various entities it makes me more suspicious.
Just like Facebook’s “we never sell your data (we just stalk you and sell ads using your data)”. I’m sure there’s a similar weasel excuse… “we never listen to your audio (but we do analyze it to improve quality assurance)”
LgWoodenBadger 15 hours ago [-]
It’s similar with the TSA facial recognition photos. “We delete your photo immediately” but what they don’t say is that they don’t delete the biometrics from that photo.
bsimpson 15 hours ago [-]
It's a crime that were compelled to concede our 4th Amendment rights in order to travel.
caminanteblanco 8 hours ago [-]
It literally says right on the facial recognition sign that you're free to opt out, just let the TSA employee know
arcfour 7 hours ago [-]
The TSA is - objectively, by their own audits - complete security theater. Why bother to defend them, exactly?
Also, the spirit of the 4th Amendment is most certainly not "here, this is the easy way!" (yes, we are conducting mass surveillance but you can sort of opt out of one piece of it by going through a manual process over here that we will make you feel like you are burdening us by requesting)
93po 1 hours ago [-]
correcting disinformation isn't defending something. do you want to live in a world where we dislike someone and so we just make up random terrible things about them that aren't true, and it's fine and encouraged because they're someone we dislike, and people aren't allowed to say "hey that's not actually true, at all"
spunker540 15 hours ago [-]
Same with drivers licenses and passports having a photo requirement too
hammock 13 hours ago [-]
The TSA photos are worse. They use a stereoscopic camera to take a 3d image of your head, which makes facial recognition up to 10x more accurate.
You can opt out, just say you do (and preferably cover the camera with your hat or bag)
coldtea 39 minutes ago [-]
>You can opt out, just say you do
And then be flagged and 10x more targeted because of that
walterbell 12 hours ago [-]
WiFi 7 Sensing is bringing similar functionality to consumer routers and many laptops, with the bonus of passing through walls.
gruez 14 hours ago [-]
>drivers licenses and passports having a photo requirement too
You're free to take the bus, or hire a chauffeur. A private pilots license doesn't have any pictures either.
hammock 13 hours ago [-]
For better or worse, we didn’t have to make such hard choices for the first 80 years of aviation. And Greyhound etc require photo ID these days as well
That’s not a freedom. That’s a restriction that reduces the amount of choices you have for potentially worse ones.
mulderc 10 hours ago [-]
Depends on the type of travel right? I took Amtrak weekly for several years and never even had to show ID.
dangus 10 hours ago [-]
Literally not compelled in this case, the TSA signage says that the image capture is completely optional.
More generally, having your stuff screened for security to get on a commercial plane isn't a 4th amendment violation, the word "unreasonable" is right there in the amendment for a reason. You're in public in an enclosed flying object bringing your goods onto someone else's plane with 100+ strangers aboard, it is completely reasonable and necessary for the freedoms of everyone involved for the TSA to ensure that your stuff doesn't have dangerous objects aboard.
Don't forget that freedom also involves the freedom of other people to not be negatively impacted by you exercising your "freedom."
teeray 10 hours ago [-]
Image capture is optional, your other option is something possibly unpleasant and may make you miss your flight
dangus 10 hours ago [-]
That is not the other option at all. The other option is essentially just the traditional screening process.
> Standard ID credential verification is in place – Travelers who decide not to participate in the use of facial recognition technology will receive an alternative ID credential check by the TSO at the podium. The traveler will not experience any negative consequences for choosing not to participate. There is no issue and no delay with a traveler exercising their rights to not participate in the automated biometrics matching technology.
My goodness this thread is just the most annoying tinfoil hat thread I've seen all day. Y'all are spending too much time online.
teeray 11 minutes ago [-]
> The other option is essentially just the traditional screening process.
I know that, and you know that, but you have to convince the average traveler that nothing bad will happen if they say no. In the mind of the average traveler, it’s safer to just say “okay” to whatever the TSA wants. There needs to be some kind of neutral ombudsman to placate travelers’ fears of reprisal for opting to preserve their rights.
DrillShopper 14 hours ago [-]
Amtrak and Greyhound do not require those biometrics, nor does renting a car and driving (or driving your own).
kelnos 13 hours ago [-]
Some of us want to be able to cross the country in an afternoon, and not have to spend days on a slow, uncomfortable train to make the same trip. I don't think that's unreasonable.
uoaei 13 hours ago [-]
Certainly not unreasonable. But it does require you to commission your own transport subject to the rules that that private entity seeks to impose. Public entities which indiscriminately service residents and visitors of a given territory would obviate this requirement. But if you're in the US, good luck convincing taxpayers to agree to pay for that.
vel0city 13 hours ago [-]
> subject to the rules that that private entity seeks to impose.
It's not the private entity taking a 3D face scan, nor are they necessarily wanting for that scan to be taken. It's federal laws and regulations being done by federal agents in spaces controlled by the federal government.
DrillShopper 11 hours ago [-]
Private and charter aviation exists and is free from those constraints.
saagarjha 10 hours ago [-]
Some of us are not billionaires.
warkdarrior 9 hours ago [-]
Freedom has never been free.
Spooky23 9 hours ago [-]
You can also walk. Lovers of freedom can walk from Manhattan to LA in 40-50 days. Of course if you look “wrong”, you’ll probably get rounded up in some flyover town.
alpaca128 12 hours ago [-]
> There is so much time spent “debunking” audio recordings being shared
Not really. 99% of the time it's someone claiming that it happens.
And it's always an anecdote, never clear proof that it happened. Let alone that it happened because of the audio and not web activity. And that the conversation was actually the cause for the ad and not the other way around.
Is it technically possible? Sure. But if so many people are so certain that it definitely happens, why didn't dozens of people already prove it with a fresh Google/Apple account and phone?
strogonoff 5 hours ago [-]
I observed a clean experiment that showed a friend’s Google Pixel phone listening to us and adjusting news stories on Google app’s home screen.
However:
— IIRC the phone was unlocked,
— this only affected the news feed, and
— this was 5–6 years ago.
We 1) noted how Google app shows some selection of news after opening, 2) talked clearly for a minute about a very random and conspicuous topic in presence of the unlocked phone, and 3) demonstrated that the Google app showing an article relevant to the topic within a few minutes. The article was a few days old, too, so it was clearly boosted out of more recent stories.
The only reason it could be something other than the phone microphone is if I was misled by my friend steering us towards a predefined topic. However, that would require some extensive preparation to rule out the story appearing in the first step and would be very atypical for that person.
I recall seeing an article about Google admitting this and changing their policy to stop, but can’t seem to find it now. I imagine it was bad publicity, though to my friend it was a feature to see personalized content.
AtlasBarfed 8 hours ago [-]
Here is an example that just happened today. I talked to my partner about me going to a city directly (via one state) or indirectly (via another state). All I said was "so you want me to go directly to X".
Boom, Illinois tourism ad shows up the next time I hit the internet. Scary thing is I didn't even say the state name, just the destination, and SOMETHING calculated that Illinois is in the middle.
This stuff has now happened far too many times in the last 10 years of my life, it is simply implausible to call it coincidence at this point. You are being listened to by your phone.
Ad firms have no ethical boundaries, and have lied about their data collection over and over.
What is really frightening is that if the ad companies know everything about you, then multiple state actors also know everything about you.
gf000 6 hours ago [-]
> You are being listened to by your phone.
This would simply eat the battery immediately, it's simply not feasible and given all the other, cheap tracking it wouldn't even be beneficial.
rubatuga 7 hours ago [-]
Confirmation bias at its finest
Rastonbury 6 hours ago [-]
Why would that be even be a good targeted ad? Its simpler and more profitable to show you ads about a place you actually plan to go to..
caminanteblanco 8 hours ago [-]
Except for the fact that if you read the debunkings, they go into great detail as to why that is empirically not the case.
dangus 10 hours ago [-]
There is a small list of reasons why it needs to be "debunked:"
1. Your phone is gathering data that you don't realize that it gathers.
One of the biggest examples of this is real-time location data that is brokered by cellular carriers and sold as aggregated marketing data. You don't have to give your apps permission to do anything like that because your cellular carrier can get that data regardless of your phone's OS.
2. Your phone is gathering data that you gave it permission to gather, perhaps gathering it in a way you didn't think it would do.
For example, let's say you give an app permission to read your entire photo library so that you can upload a photo. But since you gave it that permission on the OS level, it might be uploading more images than you explicitly select. Another example used to be clipboard data before the OSes asked permission for use of the clipboard. One last example is text that you enter but do not submit.
Another big aspect of this is that people don't realize how these ad networks work in real time. It's not a slow thing for an advertising company to learn something about you and react accordingly, it can happen in a few short seconds.
2. The average person doesn't have any comprehension of how easy it is for data science practices to uncover information about you based on metadata that seems benign or that you don't know exists.
Most people don't understand how your behavior in an app can be used to tell the company things you like and dislike. The TikTok algorithm is a great example, it can tell what you like just by extremely subtle inputs, how you swipe, how long you watch the video. A lot of people don't realize how many things about them aren't particularly unique and how many preferences can be tied to a really specific persona that you fall into.
A real world example of all of this put together is that I was spending a lot of time browsing appliances because I just bought one, and I went to physically visit a friend. We were talking about my new appliance, and later they got ads for that specific appliance. So, the person's reaction would naturally be "it was listening to us!!" but in reality, it is more likely that our cellular carrier or carriers knew we were physically in the same place and reported that piece of information to some kind of data broker. Consider how there are a limited amount of cellular carriers, that location data may not have needed to even exit the cellular carrier to sell this data to someone. I.e., if we both have the same cellular carrier , our company already has that information and it isn't selling it to another company, it's perhaps just telling a data broker that Person A and Person B interact with each other.
Just note that I'm not claiming this is exactly how it all works as I'm not in that industry, but the general ideas here apply. The general takeaway is that literally recording audio with a microphone just isn't necessary to derive hyper-specific things about people.
ipaddr 8 hours ago [-]
That's much worse compared to listening for keywords. You're looking up men's enhancement products and everytime you enter a room all ads on everyone's phone change to those products?
dangus 59 minutes ago [-]
While I don't agree with these sorts of industry practices and believe the US needs a universal data privacy law, I don't see how matching up some relatively impersonal metadata could be considered worse than directly listening in to private conversations.
The advertiser trying to sell my friend appliances didn't really get a lot right about them. They're a renter and the advertiser thought they’d like to buy a major kitchen appliance just because we were in the same location.
If they were able to listen in to our conversations they wouldn't have sent them an advertisement at all.
lazide 1 hours ago [-]
Now this could be a fun adversarial exercise, with more interesting products of course.
lodovic 6 hours ago [-]
This assumes that companies such as TikTok control their timeline up to the individual post, perfectly analyzed in order to extract your unique traits, and they have specifics ads lined up for you.
Where - in my view - their timeline is just a bunch of random submissions. TikTik is just trying to sell ads and will try anything to match your profile to one of their active ad compaigns so they can bill their client more.
dangus 1 hours ago [-]
I'm confused at what you're claiming here. Yes, the submissions are rather random, but TikTok definitely figures out what type of content you like and what advertisements are most effective.
Your feed is almost certainly personalized up to the individual post, but I think if we are making an analogy to human curation it's certainly not working the same way behind the scenes.
kurthr 15 hours ago [-]
I can just say that I knew an entrepreneur in early post Y2K who developed apps to track music played in clubs in SF for folks like ASCAP, BMI, and SESAC. They gave out "free" phones (these were the small expensive candybars and nice flip/slideups) to the influencers of the day. They compressed the audio for orthogonality, and had a huge number of hashes to match. If they got more than a few consecutive matching hashes at a location that wasn't paying royalties, they got an enforcement call.
So the idea that it takes a huge amount of computing resources, battery life, permissions, or bandwidth to do matching of keywords is hilarious. That's what "siri", "hey google", "alexa" etc are all doing 24 hours a day. Just add another hundred and report them once an hour. You don't need low latency. It's just another tool in the bag!
Of course the cat food example is bad, because if they weren't looking for that you wouldn't get a response. Who would be willing to pay big for clicks on cat food. Now bariatric surgery? DUI? HELOC? Those pay.
LeafItAlone 15 hours ago [-]
>That's what "siri", "hey google", "alexa" etc are all doing 24 hours a day.
You might have just convinced me that the “phone is listening” is total bunk, because these dedicated devices are just so bad at recognizing the very specific, short, phrases when explicitly directed at them that I can’t imagine they are listening for much more.
Listening to my in-laws try to activate their Alexa and Google Homes is something the CIA might consider for their next torture method.
kurthr 13 hours ago [-]
You expect 95% accuracy matching activation phrases. You don't need that for ads. It only needs to work some of the time for some of the people, especially if it makes $/click.
gf000 5 hours ago [-]
What kind of keywords would you imagine provide an actual, profitable advantage to an ad company? I can't imagine "computer 2", "fridge 3", "egg 4" being all that valuable compared to.. literally my whole browser history and my reaction to other ads/videos (I looked at that short for 10s vs immediately skipping builds a very nice profile). And now add i18n in the picture - even the main AI assistant products suck in anything other than English, so this fancy, advanced technology with low return of value would end up with a low target audience as well.
Also, "Siri" and the like ends up waking the main processor, which is definitely easy to prove/disprove. Just talk to your phone continuously for a long time and see if it wakes.
thinkingemote 5 hours ago [-]
Low, even very low, return of value is not no return. Therefore, given they make some return, and it has some value, that's enough for them to do it.
Ads and ad data are two sides. We are often not the target for an ad, but our data provides stats about how an ad is performing. If more consumers are influenced to spend $1000 on something than not, then it's worth if for them. It's an aggregate cost benefit analysis not how effective it is at the isolated individual level.
Another thing to consider is that we should never fall into the trap of thinking we are immune from influence from advertisers. Firstly, it's basically what advertiser want; it allows more actions like this, more of our data to be sold and secondly because it's easier to influence someone if they think of a decision as their own choice, than if they think they were manipulated into it. We do not remember the ads we see but we can remember that we are all susceptible to influence.
gosub100 13 hours ago [-]
We don't "listen" to your audio, the microphone does, and your phone transcribes it to text on your device. You cannot listen to text. Therefore we don't listen to your phone audio.
Paddywack 13 hours ago [-]
Reminds me of something that a Telco exec once said in jest - “A bank can track which hotel you stayed at last night, the Telco knows who you slept with”
hammock 13 hours ago [-]
The article omits a real, serious source of microphone data though: your smart TV. I know beyond a shadow of a doubt that my TV (a Toshiba Fire TV, although I’m sure many do it) is listening to every conversation I have within earshot, even when I am not using the voice remote, and selling it to ad networks.
And of course it is also doing screen recognition (the kind of stuff OP article mentions), but that is not what I’m talking about. I’m talking about microphone data picking up live conversation from people in the room.
shermantanktop 12 hours ago [-]
Beyond a shadow of a doubt? Can you describe what you’ve experienced?
userbinator 11 hours ago [-]
Who would even want a microphone in a TV?
It's like that old Soviet Russia joke, except it's not a joke.
walterbell 12 hours ago [-]
Privacy-seeking users have physically removed microphones from phones. This should also be possible with laptops and televisions.
If Toshiba Fire TV is related to Amazon Fire TV, then it may include Alexa for voice recognition, which could be optionally disabled. In theory, Alexa is only activated after on-device recognition of the configured wake word.
dyauspitr 12 hours ago [-]
Removed microphones from… phones? How do you use the phone then?
detaro 12 hours ago [-]
Most things people use phones for nowadays don't need a microphone. And in the rare case you do, you plug in/connect a headset.
walterbell 11 hours ago [-]
Headset.
api 12 hours ago [-]
I am suspicious of all “smart” devices, much more so than phones because phones have a lot more scrutiny on them.
If your smart toaster, light bulb, or fridge was listening to you, would anyone even notice? Does anyone examine these devices in depth?
mindcrash 21 hours ago [-]
Way back then I exposed massive data collection from Twitter by Google which made it possible to plot locations at which you used Twitter in Google Maps by simply putting your Twitter handle into the search field. Somehow they knew about these locations even when you opted out of sharing location data with Twitter (I checked) -- so this was only possible by Twitter privately providing this information to Google.
This "experiment" has since then been shut down, but exposing this and many other other forms of activism permanently has cost me my Twitter account, to the point that asking to reinstate it several times because I was permanently suspended for no valid reason led to X Support directly rerouting every attempt to appeal this decision into the digital trash can.
This one used data shared by the user (opt-in on sharing geolocation in the app or browser), which then is publically exposed through the API (like this feature says it would).
Mine doesn't give a shit, geolocation was shared even when turned off by the user in Twitter.
patrakov 4 hours ago [-]
Sorry for misrepresenting the functionality of the original cree.py project.
What it does is download all photos that the user shared on Twitter, extract GPS tags from EXIF, and put markers on Google maps, annotated with these photos.
monkeyfun 20 hours ago [-]
Could you link to some of it? Sounds extremely interesting!
Do note that at first it was assumed just Chrome was involved, but then people started to message me that they also saw it when using the apps, Firefox, Safari and other browsers aswell.
gruez 14 hours ago [-]
Sounds like they showing geoip for tweets/profiles?
mindcrash 4 hours ago [-]
IP isn't exposed by the Twitter API.
Also, sharing geolocation has been turned off by said user because reasons -- which make sense if you look at the location in the screenshot.
Geolocation has been turned off by me and others aswell.
monkeyfun 18 hours ago [-]
Thanks!
immibis 21 hours ago [-]
Doesn't every site route every support request for every reason into the digital trash can? You're supposed to just make a new account, using as many mechanisms as possible to make sure the site can't link it to your old account.
kace91 12 hours ago [-]
I’m not even sure that’s possible for some sites.
A few years ago I tried to create a separate digital footprint from scratch (just an experiment out of boredom when my isp offered a second number for free). I used an ultra cheap never before used android phone and set it up outside my home.
Google went nuts. All sorts of captchas, security checks and attempts to link me to other information popping up on every step. Eventually it wouldn’t let me use the phone unless I provided a credit card number.
alpaca128 12 hours ago [-]
Apple secretly linked my account to my >15 year old inactive account as well as another random account that isn't even mine. Nothing happened of it until I let my iPhone sync its settings to a new iPad. The iPad spammed a password input form for my old account that blocked all other UI elements. It didn't accept any password even after a password reset. Took me an hour to make the tablet usable again. The password form still randomly pops up every few weeks and there seems to be no way to fix the mess.
Bonus: the iPad's device name is now "My iPhone" because it also synced the device name from the phone.
celeritascelery 9 hours ago [-]
I had this same issue. About once a week it would prompt me for the password for an old Apple ID. I eventually started over from scratch to work around the issue.
immibis 5 hours ago [-]
That's the modern tech landscape for you. They really want to know who you are because they make more money that way. For a similar experience, try Tor Browser.
TheDong 21 hours ago [-]
I too sell my phone and buy a new one and also get a new phone number each time I get banned
mindcrash 20 hours ago [-]
Someone from X Support replied, basically told me to fuck off and that this would happen after my second or third appeal... so no.
hyperpape 21 hours ago [-]
It's really indefensible to post this without linking to your research to show people what you found.
mindcrash 20 hours ago [-]
Believe it or not, I wrote about it on my now permanently suspended Twitter account.
Here is a remnant from someone who replied at the time:
By the way: somewhat later we (thanks to a group effort) figured out it wasn't "just" Chrome as mentioned, and this basically led to the strong assumption there was some serious data sharing involved.
And yes that screenshot from this person is 100% real; my pins for example were sprinkled all across Brighton in the UK near places with Wifi access (I recently went on a city trip there at the time), and my home town in the Netherlands.
NikkiA 16 hours ago [-]
Tweets were geolocated, with a 'see tweets near me' page until about 14 years ago, so it's entirely feasible that at least some of that infrastructure has survived the feature being removed.
mindcrash 4 hours ago [-]
"Tweets near me" was based on people sharing geolocation with Twitter (one of the things you can opt-out of when setting up your profile).
I didn't share any geolocation with Twitter. At least not voluntarily.
ThinkBeat 23 hours ago [-]
At the time I am typing this, the title on the page is:
""Your phone isn’t secretly listening to you, but the truth is more disturbing""
Which is presently also the title on this post.
Then as I read it becomes clear that it is merely focusing on Facebook.
However the confusion that may stem from
"Your phone isn’t secretly listening to you"
The blog post never attempts to establish that
your phone is not listening to you, just that some
companies may not be going it.
The truth is that your phone may well be listening to you .
There is plenty of malware / spywear that uses exploits
to achieve it.
Like the NSO group¹.
Tools to do so can be bouught on the malware market from other sources
as well and we must assume that Mossad, NSA, and other major intellitence
agencies have tools that exceed what you can buy on the open market.
You phone may aboslutely be listening to you.
but probably it is not.
In aggregate, your phone is not listening to you, but if you are of great interest to a powerful adversary, it very well might be. But at that point, I would wager that's one of the smaller things on your plate.
dist-epoch 18 hours ago [-]
Phones today show in the status bar if the camera/microphone is active.
9dev 17 hours ago [-]
If you can’t trust the software, why would you trust the software? Am I supposed to rely on the hope that an attacker can take over some part of the OS, but not the one rendering a tiny blob in the status bar?
pests 15 hours ago [-]
Apple has moved these indicators into their “exclaves” removing any control or influence from the OS / software running.
gruez 14 hours ago [-]
Source? AFAIK they only have hardware indicators for webcams on cams, and it's not used for microphones.
sroussey 14 hours ago [-]
Different person here, but Apple has tried it multiple times in different ways.
They started in ios14, iOS 17 got new Secure Exclave path that (A18, M4).
Search for “Secure Indicator Light”.
Also searching for “Secure Exclave” will reveal some fun reads.
jeffhuys 1 hours ago [-]
That’s cool, but on iPhones, there is no indicator LIGHT. Only part of the screen indicates it. And if they can trigger stuff on your phone, maybe a daemon that accidentally covers that part with black also appears, and you wouldn’t notice.
ThinkBeat 14 hours ago [-]
I think Snowden worked with someone to create a bulky,
apparatus that you could put your iphone into and it would
measure if any signals at all were coming from it.
user_of_the_wek 13 hours ago [-]
Does that mean the phone will not react to „Hey, Siri“ without a mic icon showing up in the status bar?
jeffhuys 1 hours ago [-]
“Hey Siri” is activated by the mic, which is always listening, but only for the key phrase. It’s not going through the OS in the traditional sense, hence the “light” only comes on when it starts to listen through the OS.
alternatex 49 minutes ago [-]
As an Android user I think there's no way for Google to assist unless directly called upon.
DontchaKnowit 30 minutes ago [-]
And you think that wouldnt be disabled by malware that can turn your microphone on at will? Lmfao
danielrhodes 21 hours ago [-]
People seem to ignore the cost and accuracy aspects of a phone listening to you 24/7. At least with today’s constraints, it is highly unlikely to be happening.
First, the cost to transcribe audio is not free. It is computationally expensive. Any ad network or at scale service would not be able to afford it, especially in orgs where they are concerned about unit economics.
Secondly, the accuracy would be horrible. Most of the time, your phone is in your pocket and would pick up almost nothing. More over, it’s not like you are talking about anything of value to advertisers in most cases. Google is a money printing machine because people search with an intent to buy. The SNR of normal conversation is much much much lower. That makes the unit economics of doing this gets much worse.
Third, it would be pretty hard to not notice this was happening. Your phone would get hot, your battery would deplete very quickly, and you’d be using a lot of data. Moreover on iOS you could see the mic is being used and the OS would likely kill the app if it was using too many resources in the background.
So until we find an example of this actually happening, it’s not worth worrying about.
derefr 18 hours ago [-]
For all of these reasons, audio snooping is much more likely to be something done by wired, stationary devices that maybe have a decent amount of RAM + a fair bit of usually-idle processing capacity (to run the transcription model locally and just push the resulting text), and which are expected to draw a decent amount of power and use the Internet at vaguely-arbitrary times.
Like a smart TV, for example.
hammock 13 hours ago [-]
It is 1000% being done by smart TVs. They listen even when you are not using the voice remote. And the data is used to target ads (anywhere)
milesrout 11 hours ago [-]
Do you have any evidence?
hammock 10 hours ago [-]
Yes of course. You can test it yourself
sroussey 14 hours ago [-]
First thing I do is disable that feature on every TV I buy.
Second thing I do is block the TV access to internet after I do one firmware update.
MobileVet 13 hours ago [-]
It doesn’t need to listen all the time… just grab a few words after you put it down or hit the lock button. Or listen while you are actively using it.
Building a word cloud would be trivial and with minimal battery impact
scrose 20 hours ago [-]
These are all points that were brought up in the article as to why voice recording is less useful than all of the other tracking mechanisms advertisers have available
abdullahkhalids 13 hours ago [-]
While I think that audio recording is not a thing, your economic argument is not complete.
What if only the audio of "high value" targets is recorded. Meaning people who buy a lot of stuff. So it might be worthwhile to only record their sounds. Which will explain why random testing (usually with new/clean phones) is never successful in detecting a recording event.
danielrhodes 12 hours ago [-]
I think this is a genuine concern for prominent people. Like if you are Mark Zuckerberg, there is material interest in a bad actor installing malware on his laptop. But for a random person where you get low value data that may or may not let you better target some low value ads? That is much harder to justify. Would have to reevaluate as things change and the cost of compute goes down.
diggernet 1 days ago [-]
> "Apps were automatically taking screenshots of themselves and sending them to third parties. In one case, the app took video of the screen activity and sent that information to a third party.”
> Out of over 17,000 Android apps examined, more than 9,000 had potential permissions to take screenshots. And a number of apps were found to actively be doing so, taking screenshots and sending them to third-party sources.
Which permission is that, and how do you detect which apps are doing that and stop them?
grishka 1 days ago [-]
There is a permission to record the screen. It requires user consent and there's an icon in the status bar while it's being used. It's impossible to use this covertly.
What I believe the article is speaking about, is an app taking screenshots of its own windows. This is obviously possible and obviously requires no permissions whatsoever. Just make a screen-sized bitmap and do
It does sound believable that third-party advertising/marketing/tracking SDKs, which many apps are chock full of, could be doing this.
daveguy 1 days ago [-]
> It's impossible to use this covertly.
*Unless there's a zero-day that allows it.
grishka 1 days ago [-]
If you're going to exploit a privilege escalation vulnerability from your app, why not just grab the most interesting parts of the /data partition while you're at it?
daveguy 23 hours ago [-]
Sure why not. I wasn't implying that a zero day that allows surreptitiously recording the phone screen is the only shitty thing that can be done with your phone with a zero day.
Also, it is possible for a zero day to break specific privileges (like screen record without notification) rather than root.
DrillShopper 14 hours ago [-]
You could do both
simonw 1 days ago [-]
Burning a zero-day like that for targeted advertising seems extremely unlikely to me.
23 hours ago [-]
daveguy 23 hours ago [-]
I think you missed the point GP was making. I believe they meant the vector might come from that kind of SDK. Not that someone who had a zero day to allow surreptitiously recording phone screens would use it for that purpose.
quicklime 1 days ago [-]
I followed the links to the study they referenced, and it says:
> Unlike the camera and audio APIs, the APIs for taking screenshots and recording video of the screen are not protected by any permission
However they also talk about doing static analysis on 9,100 out of the 17,260 apps, to determine (amongst other things) “whether media APIs are actually referenced in the app’s code”.
They then talk about doing a dynamic analysis to see which apps actually call the APIs (rather than just link to a library that might call it, but the app never calls that function the library).
The soundbite is bad, it shouldn’t say “had potential permissions to take screenshots”, it should just say “had the potential to take screenshots”
maxlybbert 1 days ago [-]
I doubt there's a specific "ability to send surreptitious screen shots to developer" permission. It must be a combination of permissions: one for making network connections, another for capturing the screen without making it obvious to the user, etc.
fzzzy 22 hours ago [-]
For apps that want to send their own screens to third parties, there's no permission needed or possible. The app is drawing the content to the screen. It knows what the content is.
jeroenhd 17 hours ago [-]
If you're trying to track user information (notifications, actual timezone/language, battery level, VPN usage, etc) you can use screenshots of the current screen and open keyboard. You can also see stuff from other apps if the user is using split screen modes or has chat bubbles open. Apps can otherwise only access the data they render.
The research talks about thousands of apps but I do wonder how many of these are apps people use every day and how many are Chinese clones of freemium games and other shitware with a fraction of daily users. All we know from public app store data is the number of "downloads" and even that is distributed as a range. I doubt these 19000 apps were found by doing a survey on what people actually had on their phones.
badc0ffee 15 hours ago [-]
Is that true, that these apps can capture screenshots of the notification area/clock/chat bubbles?
gruez 14 hours ago [-]
Probably not, but all the information can be obtained via system APIs. There's no shortage of "system info" apps that show all manner of information about your phone (including battery level and network status), and don't require any special permission prompts.
ch4s3 1 days ago [-]
When it's a developer tool we call it RUM or real user monitoring. It's super useful for solving bugs, but obviously the potential for abuse or user hostile activity is super high.
vjvjvjvjghv 13 hours ago [-]
As far as permissions go, phones should have a log for when the permissions are actually used and how often.
simonw 1 days ago [-]
... and is this permission to take screenshots of anything else you are doing on your phone at any time, or is it permission to take screenshots while you have that app open?
We’ve reached the state where you can safely presume anything “smart” is violating your privacy.
EasyMark 20 hours ago [-]
yeah, I liked the simplicity of having things on my tv, but I gave up and got an apple tv box. I was getting way too many "I was just talking about that!" ads on some of the "free" services i was watching old tv shows and movies on. I'm a pretty frugal guy for the most part but buying a separate box that doesn't sell everything you do and say to advertisers is worth it.
wrs 14 hours ago [-]
According to the paper, your TV may send snapshots even when it’s in a “dumb” HDMI input mode. So make sure it’s not on the network at all.
Spivak 1 days ago [-]
Anything network connected.
pixl97 23 hours ago [-]
Everyday we seem to step closer and closer to the 'network connected smart dust' as written in some science fiction.
intended 20 hours ago [-]
What rot.
Here’s a simple experiment I ran and still works.
Back in the day there was a truly ghastly add for ear wax removal that showed up on YouTube in the UK.
In an experiment, and prank, I told two of my close friends about this, and how this horrid advert would kill my appetite when it came up.
And then I made it a point to repeat “ear wax removal” loudly several times.
Sure enough. A day later my dear friend messaged me with something on the lines of “I hate you”
Their phones were Android and iOS. I believe it was the Android user suffered.
sanswork 10 hours ago [-]
Or you told your friend about this horrible ad and they looked it up without thinking and got added to the retargeting list.
jeroenhd 17 hours ago [-]
If what you're talking about is the source of the ad, why did you see the ad yourself? Were you shouting about ear wax removal at your phone?
There are millions of ways the adware running on your phones could've correlated your profile and spread the "infection" to your friend. Basic location access being the most important one, but sharing an IP address (your friends' WiFi?), being near the same Bluetooth beacons, having the same stored SSIDs, or mere coincidence that your friend saw the same ad targeting a wide demographic are much more probable than "my phone is listening 24/7".
intended 17 hours ago [-]
Sure. But its fun, and we can always replicate, just need a terrible ad.
Do note, this was tested in a park, so no shared WiFi, no Bluetooth beacons/devices. Also, this ad doesn’t/didn’t show up for others, ever.
paulcole 16 hours ago [-]
I’m assuming like most friends you and your friends have nothing in common like interests, demographics, etc.?
And I’m assuming you also made them aware of other ads you’d seen recently so they could see if those showed up as well?
intended 7 hours ago [-]
Yep. They 100% do not share an interest in ear wax removal, or had a medical need of that nature.
Why do you think I would put up a comment on HN of all places, with this degree of confidence.
> tested with other ads…
If I knew that this, was going to be needed to study, 5 years into the future, I would have conducted a double blind study. Sadly I could not, however, it’s still fun, so we can always replicate.
The question is, have you found a horrid ad yet? Side note, this was in the UK
paulcole 1 hours ago [-]
I was kidding… Of course you and your friends share some demographics and interests—- making it unsurprising that you’d get similar ads.
> The question is, have you found a horrid ad yet? Side note, this was in the UK
The question is, why does it have to be a horrid ad? Does the phone only listen for things about horrid ads to show you?
You have to know that your phone isn’t listening to you right? That it’s just a coincidence and that when you’re told to be on the lookout for an earwax ad that you’re more likely to see one, right?
jeffhuys 49 minutes ago [-]
You can’t be 100% confident about what you’re saying and it horrifies me that people go through such lengths to protect these… ad companies? Oh you’re just bringing some sense to the situation, right? Ad companies are the sleaziest of them all and I would not be surprised if they did stuff like this. Smart tvs, dishwashers that NEED wifi to get full functionality, phones always with me and (especially android) users accepting everything willy nilly…
Your phone might not be listening to you straight out of the box. Might. You don’t know for sure, nobody here does. Why err on the side of blissful ignorance? And then you accept 10 end-user-agreements you don’t read, install dozens of apps you don’t read the small letters of… and you think nobody had been listened to?
It’s a bigger chance it happens than that it doesn’t, in my mind. I haven’t been able to catch it using mitm proxies, but I’m not the best at that, and I haven’t a pretty virgin iphone on purpose.
paulcole 46 minutes ago [-]
> You can’t be 100% confident about what you’re saying
Yeah but I am.
If you tell me a story about your phone listening to you that you absolutely swear is true, I know you love the idea of conspiracy theories and would laugh at someone who believes in astrology. But they’re the same thing.
It’s fun to see coincidences. It’s fun to think you’ve outsmarted the man. But that’s all it is — fun.
It’s not real.
> Ad companies are the sleaziest of them all and I would not be surprised if they did stuff like this
OK prove it.
> It’s a bigger chance it happens than that it doesn’t, in my mind
OK, should be easy for someone to prove then.
Is it really more likely that this thing is happening that nobody has been able to prove or that people like to see patterns to explain the weird things in the world?
> I haven’t been able to catch it using mitm proxies
Shocker lol.
But should be easy for you to find someone who has caught them red handed, right?
paulcole 19 hours ago [-]
This is why “my phone is listening and I can prove it” is such a good shibboleth for lack of critical thinking skills.
Can you not see all the biases and fallacies in your own comment?
fmajid 1 days ago [-]
At one of my previous companies we made a moderately popular mobile app SDK that app developers would embed in their apps. We were approached by a company that claimed they had a MIT developed (or was it Bell Labs?) audio recognition technology similar to Shazam, but orders of magnitude more efficient, that would be used to recognize audio from ads and record when a user was exposed to a TV or radio ad for tracking purposes.
I don’t remember the name, that was at least 10 years ago before Apple started enforcing permissions on microphone access and showing an orange dot, but they wanted to do a revenue-share deal in exchange for us quietly bundling their SDK inside ours.
Needless to say we turned them down so we never learned more or tested the veracity of their claims, but there are some really sleazy companies out there. Modern smartphones have sufficient horsepower to do the audio processing on-device so the argument that this would show up in network traffic does not hold.
They can also store things for later upload. A phone in airplane mode still isn't safe.
macawfish 10 hours ago [-]
Was it Alphonso?
dalf 9 hours ago [-]
This partly explains why the recommendations I receive don't feel like mine.
Multiple times, it's been obvious that the suggestions were pulled from other profiles and I could even tell whose.
My hypothesis
* The algorithms have linked my account to some others.
* They then serve me the embeddings extracted from those profiles. The near-real-time nature of this has crossed my mind more than once.
It's really unsettling, and afterwards I feel uneasy about any recommendations (all Google services, Netflix seems problematic too, not Amazon).
YouTube seems to have some hidden knobs for tuning this behaviour: after multiple negative feedbacks, the problematic content disappeared from my front page. However, the recommendations on the right-hand side of individual videos remain problematic, and the automatic playlists of YouTube Music are still strangely disturbing (even after multiple negative feedbacks).
6 hours ago [-]
benlivengood 1 days ago [-]
The thing is, it's not even people doing the correlations. Just like transformers can learn most of human knowledge just by trying to predict tokens, I would not be surprised if the ad-serving machine learning systems have learned about people in similar detail.
State of the art about 10 years ago was 4 9s of accuracy predicting click-through rates from the available context (features for user profile, current website, keywords, etc.), which I interpreted as requiring a fairly accurate learned model of human behavior. I got out of that industry so I don't know what current SOTA is for adtech, but I can only imagine it is better. The models were trained on automatically labelled data (GB/s of it) based on actual recent click-through rates so the amount of training data was roughly comparable to small LLMs.
Recent anecdote; three of us were sitting around the kitchen table with our phones out chatting about an obscure new thing that had come up; it appeared in one of our FB ad streams pretty quickly.
My top guesses about how this is possible today;
1) Apps routinely link many third-party data gathering and advertising libraries. Any of these libraries could be gathering enough contextual data and reselling it to make a correlation possible. It's not just obscure thing A that triggers an ad, it's highly correlated mixtures of normal things X, Y and Z that can imply A.
2) other friends may have talked about the obscure thing recently and social network links implied we would be aware of it through them.
Distant 3) the models are actually good enough to infer speech from weird side-channels like the accelerometer when people wave their hands when they talk, etc. Accelerometer sample rate is < 1KHz but over 100Hz which may be enough, especially when you throw giant models at it.
jancsika 1 days ago [-]
> an obscure new thing that had come up
Since you've provided no explicit counter-evidence, I'm gonna go ahead and say I have four nines of accuracy in predicting that your smartphone was squarely in the dependency chain of any "obscure new thing" you could have imagined discussing.
Edit: wording
ajb92 21 hours ago [-]
Kind of a weirdly sad, uncharitable assumption to make
lud_lite 14 hours ago [-]
> 4 9s of accuracy predicting click-through rates
Having a hard time parsing what that means.
Lets say the CTR for 1000000 impressions of an add is 24.5898% and the ML predicts 25.1926%. How many 9s of accuracy is that?
bentt 14 hours ago [-]
One time my wife and I had a random conversation, utterly random, about cat hamster wheels. Like, why doesn't that exist? I got an ad for it the next day (it exists).
I don't believe that my phone is not listening to me and I challenge you to choose a random word out of the dictionary and say it 100 times in front of your phone.
gruez 14 hours ago [-]
>I don't believe that my phone is not listening to me and I challenge you to choose a random word out of the dictionary and say it 100 times in front of your phone.
The person making the claim should be responsible for furnishing the proof. If it's really so simple to prove, why hasn't anyone done a carefully controlled experiment proving this once and for all? At the very least, it'd move us beyond vague anecdotes on social media.
latexr 14 hours ago [-]
> If it's really so simple to prove, why hasn't anyone done a carefully controlled experiment proving this once and for all?
They did, and found no listening being done. It’s in the article under “The data doesn't add up”.
12 hours ago [-]
latexr 14 hours ago [-]
> I challenge you to choose a random word out of the dictionary and say it 100 times in front of your phone.
That test has been done. It is explained at length in the article under the heading “The data doesn't add up”.
sroussey 14 hours ago [-]
It’s too easy to check on your phone if such a thing were happening.
Your TV though… that IS listening and the TV even has options to disable it. It’s on every TV shipped in at least the last 5 years, maybe 10.
tsoukase 14 hours ago [-]
A few times per year I similarly have a conversation with my wife at night (lastly about a hair type) and the next morning a corresponding ad was presented at her at Facebook (shampoo). Only her Android phone was at the room (open, logged in Facebook in Chrome, no app).
I definitely believe they hear us but they trigger the action with care and selectively, so as not to get caught (eg to low tech people, when the ad is very relevant to the need etc).
I am astonished that nobody had ever done a reverse engineering research yet.
saagarjha 10 hours ago [-]
People have! They haven't found anything yet.
sanswork 10 hours ago [-]
And then your wife went and looked them up to see if they do exist and your IP was added for retargeting.
hammock 13 hours ago [-]
Was there a smart tv in the room with you during that conversation?
bentt 10 hours ago [-]
good point!
udev4096 19 hours ago [-]
> User permissions for a large number of apps were all enabled
This says it all. Privacy is not by default, because of souless mega corporations, including HN which has an extremely invasive privacy policy. If you don't actively take steps to improve your privacy, they will continue to exploit it. Use GrapheneOS, it is the most private and secure mobile operating system. Nothing happens without your explicit permission, the way it should have been from the beginning
rahen 15 hours ago [-]
These discussions seem to come up frequently lately. Both /e/OS and Lineage with microG provide good enough privacy for those who can't afford high-end smartphones like the Google Pixels.
The ranking would probably be:
- Pixel on GrapheneOS
- Any Android smartphone on Lineage or /e/OS
- iPhone on recent iOS (the best choice for technically illiterate people)
People concerned with privacy should avoid stock Android phones. Additionally, software only goes so far in protecting privacy. Some hygiene is also required, especially with iOS, where everything is sent to iCloud by default and E2E encryption is either not enabled by default or not available at all in some countries.
When it comes to hardware, nothing really compares to the Titan and T2 chips found in Pixels and iPhones though.
gruez 14 hours ago [-]
>- Pixel on GrapheneOS
>- Any Android smartphone on Lineage or /e/OS
None of those operating systems does anything for tracking/advertising SDKs in apps, which is most of where the data leaks are coming from, not google/apple. Moreover unless you're willing to go no proprietary apps (ie. most apps people actually use), you'll need google play services, which means google can still collect data on you.
rahen 4 hours ago [-]
Those distributions either use neutered Google Play Services through a stub reimplementation (microG), or rely on sandboxing (GOS).
Either way, Google can only collect limited data on those distributions, and you have control over them. Concerning tracking applications, yes, some hygiene and good practices are necessary, the OS can only go so far.
gruez 14 hours ago [-]
>including HN which has an extremely invasive privacy policy
???
What information are they getting their hands on in the first place, aside from geoip data?
Ichthypresbyter 23 hours ago [-]
>Not only does the system know exactly where you are at every moment, it knows who your friends are, what they are interested in, and who you are spending time with
This actually makes sense of an anecdote a colleague uses to say that he thinks his phone is listening to him.
I am a keen skier. He used to ski a lot, but hasn't been for several years. Around the start of ski season this year, we talked about my plans to go skiing that weekend, and later that day he started seeing skiing-related ads.
He thinks it's because his phone listened into the conversation, but it could just as easily have been that it was spending more time near my phone (I had only recently started at that job) on which I regularly search for skiing-related things like conditions reports and directions to ski areas.
fsmv 23 hours ago [-]
Or just ski ads go out when ski season starts and he only noticed that he saw one because you had the conversation.
lcnPylGDnU4H9OF 23 hours ago [-]
> but it could just as easily have been that it was spending more time near my phone (I had only recently started at that job) on which I regularly search for skiing-related things like conditions reports and directions to ski areas
Bingo! This is most certainly what happened.
I’ve spent time trying to convince my friends that their phone’s microphone is not constantly listening and running sounds through voice recognition software to isolate their voice (so the individual who owns the phone can be advertised to), then through sentiment analysis software (to inform advertisement bids), all without meaningfully affecting battery life. That is usually an uphill battle but explaining location services and the fact they don’t know what I’ve searched gets the point across better. (It is actually creepier.)
trollied 23 hours ago [-]
You were probably in the same place using the same IP address, and both browsed - doesn’t matter which sites you both visited, the trackers have you. You might have shown him where you were going. Ad trackers thought “I’ll serve ski ads to people that were on that IP address because somebody else looked at xyz”.
Ichthypresbyter 15 hours ago [-]
How do IP addresses work with cell towers? The WiFi where I work doesn't allow personal devices to connect, but there's reasonable 5G.
rr808 12 hours ago [-]
At my last 3 jobs they've had a public wifi network for staff to use for personal use.
7373737373 5 hours ago [-]
If our popular phone operating systems were worth anything and actually acted as an agent for the user that owned them, they'd allow anyone to easily track and prevent this.
wiseowise 1 days ago [-]
> There is no easy way to close this privacy opening
Sure there is.
Hide screenshot taking behind permission and slap down hard apps that refuse to operate without them.
o11c 1 days ago [-]
It says "screenshots of themselves". The application is responsible for rendering the screen in the first place so it fundamentally doesn't need a permission.
Now, what could reasonably be a permission is "access the internet", but our overlords don't approve of that thought.
(Contrast this to web pages, which do not render themselves and thus can sensibly be blocked from screenshotting)
VerdisQuo5678 19 hours ago [-]
Doesnt android already have a "network" permission?
On some roms you can enable it/disable it on install of the app even
djrj477dhsnv 10 hours ago [-]
GrapehenOS has that. It asks every time you install an app if it should have network permissions.
o11c 18 hours ago [-]
No, it has a "full network" permission. It's not at all difficult to bypass it if you control both ends.
gretch 1 days ago [-]
I mean yeah technically the website can’t screenshot, but it can do many functionally equivalent things.
For example, it can capture the entire DOM and send it off, including the contents of input fields that have not been submitted.
That DOM capture can be replayed on a browser to show what the user sees. So what’s the difference?
Thorrez 1 days ago [-]
Well, blocking javascript would stop that. Noscript is a thing that some people use.
beeburrt 15 hours ago [-]
Ublock origin also has that ability
danaris 1 days ago [-]
For an increasing plurality (possibly even majority at this point) of sites where the purpose is not purely to read text, this is effectively equivalent to saying "you can just not use the site."
zzo38computer 1 days ago [-]
All I/O (including timing, date/time, internet, and everything else) should be behind permissions (although some may be permitted by default, they should still be overridable). Furthermore, all I/O should allow the user to program proxy capabilities (which can be used for testing error conditions, as well as for privacy and security, and for finer permissions, and logging, and other stuff).
However, if an app wants to make a screenshot of itself, then it could do so by emulation of itself (so no permission is needed), as long as everything it displays is rendered by its own code rather than calling other functions in the system to do so.
MobileVet 13 hours ago [-]
Apple settled a lawsuit about Siri ‘unintentionally’ listening. [1] So, yes, they also can likely predict what you want based on all they do openly track… but we can no longer claim that they aren’t listening.
Based on the lawsuit and other sources, my guess is the phones build a word cloud that is then used for targeted advertising. Apple at el aren’t recording and selling the actual audio… but they are listening.
Yes my phone is listening. To almost every word, and using that information to serve me ads. I would bet my entire net worth on that, as I'm 100% certain.
simonw 1 days ago [-]
> As far as anyone could understand, the proposed CMG system wasn't listening through a phone's microphone 24/7, instead it was using those small slivers of voice data that are recorded and uploaded to the cloud in the moments after you activate your voice assistant with a "Hey Google" or "Hey Siri" command.
That's not quite accurate. The CMG thing was very clearly a case of advertising sales people getting over-excited and thinking they could sell vaporware to customers who had bought into the common "your phone listens to you and serves you ads" conspiracy theory. They cut that out the moment it started attracting attention from outside of their potential marks. Here's a rant about that I originally posted as a series of comments elsewhere: https://simonwillison.net/2024/Sep/2/facebook-cmg/
The "Hey Google" / "Hey Siri" thing is a slightly different story. Apple settled a case out of court for $95m where the accusation was that snippets of text around the "Hey Siri" wake word had been recorded on their servers and may have been listened to by employees (or contractors) who were debugging and improving Siri's performance: https://arstechnica.com/tech-policy/2025/01/apple-agrees-to-...
The problem with that lawsuit is that the original argument included anecdotal notes about "eerily accurate targeted ads that appeared after they had just been talking about specific items". By settling, Apple gave even more fuel to those conspiracy theories.
I wrote about this a few months ago: https://simonwillison.net/2025/Jan/2/they-spy-on-you-but-not... - including a note about that general conspiracy theory and how "Convincing people of this is basically impossible. It doesn’t matter how good your argument is, if someone has ever seen an ad that relates to their previous voice conversation they are likely convinced and there’s nothing you can do to talk them out of it."
... all of that said, I 100% agree with the general message of this article - the "truth is more disturbing" bit. Facebook can target you ads spookily well because they have a vast amount of data about you collected by correlating your activity across multiple sources. If they have your email address or phone number they can use that to match up your behaviour from all sorts of other sources. THAT's the creepy thing that people need to understand is happening.
nickpsecurity 1 days ago [-]
"Convincing people of this is basically impossible. It doesn’t matter how good your argument is, if someone has ever seen an ad that relates to their previous voice conversation they are likely convinced and there’s nothing you can do to talk them out of it."
It sounds more like we have evidence of what we believe, you think we should toss the evidence for your counter-theory, and people won't do that. We also have an effect where tons of people experienced this. You want us to toss that, too.
"You don’t notice the hundreds of times a day you say something and don’t see a relevant advert a short time later. You see thousands of ads a day, can you remember what any of them are?"
On Facebook, during one period this happened, they were only showing me adds for Hotworx and a massage place every time. Trying to stay pure minded following Jesus Christ means I avoid such ads. So, it was strange that it's all they showed me. Then, strange the only break from the pattern was showing unlikely topics we just talked about in person.
So, I'm going to stick with the theory that they were listening since it best fit the evidence. I don't know why they'd do it. Prior reports long ago said they used to use ML (computer vision) to profile people outside of the platform who showed up in your pics.
I'll note another explanation. Instead of always listening, they could have done it to a random segment of people who were rarely clicking ads. Just occasionally, too. We wouldn't see the capability in use all the time. A feature tested or used on a subset of users.
Also, these companies keep saying on us in increasingly creative and dishonest ways. If anyone is to be blamed, it's them.
simonw 1 days ago [-]
Thank you for illustrating my point so perfectly.
wsintra2022 13 hours ago [-]
I’ve said it before and will reinforce it cause once again no one brings it up in the comments. People report the phone is listening to them because they talked about <insert> and now they are seeing ads for it. What they may not realise is they are talking about <insert> because subliminally the ad worked they just never noticed it. Now they have. The ad was there first like a little virus worming in your brain and then you bring it up with friends thinking it an original thought.
MobileVet 13 hours ago [-]
Definitely possible… but Apple was successfully sued for unintentionally’ listening. They didn’t admit guilt but settled.
I get all the proximity-based aggregation, and creating graphs of relationships to leak content between personal "algorithms" (dislike that wording but that's the colloquial usage), and tracking between sites + social networks, and all the basic stuff ... but can somebody explain how I immediately get served ads relevant to text typed into (presumably-encrypted) iMessage conversations?
I also have a couple distinct memories of getting served ads for products I've never searched for or never bought before, after I either bought it in a store or, even weirder, literally just picked it up, looked at it, and put it back on the shelf in a store?
I can craft some kind of super-surveillance-state theory as to how you could achieve that, but it feels very unlikely to be deployed at a small CVS lol
Anyways, these might just be coincidences but still perplexing to understand how it's done.
HWR_14 21 hours ago [-]
My guess on iMessages is that the ads are actually tracking your friend (or other person at your location) looking up details/a link to use in the iMessage conversation. And that only works some percentage of the time, but that's the percent you notice.
viraptor 21 hours ago [-]
> how I immediately get served ads relevant to text typed into (presumably-encrypted) iMessage conversations?
Are you using a third party keyboard? Or any apps you don't 100% trust if you sent the message from a Mac?
kevinsync 21 hours ago [-]
Nope, regular iOS/macOS on all ends. Literally just stock Apple Messages on devices. I just notice sometimes topics will come up (what appears to me to be randomly) and then relevant ads and/or content will appear on Instagram or web.
I guess it's possible that, to me, it appears "organic" (ex. somebody just mentions Taco Bell or whatever) but they had actually been searching on their device, and since our digital proximities are known, the next thing you know I'm Living Más lol
viraptor 21 hours ago [-]
If you have specific situations where it's reproducible, you can record your DNS and connections on local network and try again. You can only prove/disprove that with enough experiments.
anenefan 1 days ago [-]
My younger bro is convinced phones are eavesdropping on conversations and got particularly paranoid (I thought) a year or so back in regard to talking in earshot of his phone.
His evidence is empirical - Apparently he gets pretty high with friends and shit talks - but when when the search started to suggest some pretty way out things along the same lines, he landed that their conversations weren't private any more.
So I have an understanding of how much tracking is going on so I pressed him on that. But he assured me it was stuff he would not even bother to look up in a clearer mindset and of course smoking recreationally for a very long time knows not to go near some tools that could land himself trouble or awkward explanations. That's probably true he says a lot of stuff that a half decent search would put him straight. In the end I just figured loose permissions of one of the many apps he's installed and that's how they (the app) make their money, selling illegally obtained data to more legal sources.
Permissions are the problem with android phones - there needs to be a specific install route for users, one that the app starts asking for things it should not need have access to, the installer refuses to install and suggests the user look for something better. Camera apps for example really don't need access to communication channels, if it's updates it's need, it can ask - one time access.
steve_adams_86 1 days ago [-]
Something I discovered when going down this rabbit hole is that if you had that conversation in your house and your visitors have access to your wifi, it may be that they performed the search without you knowing, and your ISP connected that data to you and sold it (as they do).
brody_hamer 1 days ago [-]
Location location location.
- User 1 shows an interest in <topic>.
- User 1 visits the same location, for the same period of time, as user 2.
- So I show an ad for <topic> to user 2.
simonw 1 days ago [-]
How would your ISP connect that data if every search engine uses HTTPS now, so there's no way for the ISP to see what you were searching for?
IggleSniggle 1 days ago [-]
DNS lookups are still frequently in the clear, and even if they're not, that just means you're trusting some DNS-over-HTTPS provider. The incentives are perverse.
And of course whoever you are performing your search with, like, oh, an ad company like Google, Meta, or Facebook? They just might use that search data for something.
simonw 1 days ago [-]
Exactly. Google or Meta can correlate behavioral data like this. Your ISP cannot do that by intercepting your searches.
I care about accuracy when it comes to privacy conversations. I don't want people wasting their time on theories that aren't true when they should be focusing on the real issues at stake.
jeroenhd 17 hours ago [-]
For what it's worth, the ISP may not know the search terms entered, but it can see "google.com" followed by "itchybuttcream.net" when people click the first results. The data will grow more granular over time as users click the second or even third result on Google.
On WiFi you control this risk can be mitigated (force DNS to your own server that uses ODoH or similar) but for most people ISPs are still sitting on data gold mines obtained from passively observing DNS.
gruez 14 hours ago [-]
They can still get the hostname of the server you're connecting to through SNI, and that's far harder to hide. Most sites aren't using eSNI/ECH.
briankelly 1 days ago [-]
Yeah, it's Google and Facebook - not the ISP.
anenefan 22 hours ago [-]
His phone would have to be running a hotspot for any visitors (in many parts of the rural area in my locale, mobile data is it for the internet) but if any visitors were with the same carrier network, visitors could have searched. However it's entirely improbable any of his buddies would be on their phone while they're there unless it was a legit interest. Secondly this is stuff from what I gathered, some of is stuff that no one would really even think exists - it's shit talk speculation that's out past the black stump - no one once they're back to earth is ever going to bother to look up even a small aspect of it.
In his case a realistic answer falls towards loose or sneaky permissions in regard of an app that have slipped through that have allowed a weird conversation to influence suggestions in internet activity later on.
However for more grounded subject matters, the more probable strange coincidences falls to queries and visits to the net being scraped by external API and content (fonts scripts etc) providers. I've no idea how much meaningful info would normally be shared between the site and third party providers that seemingly need to be contacted while a site loads.
nickpsecurity 1 days ago [-]
That's true. I had to rule that out by only counting instances when my friends and I were alone. If not, or Wifi is open, then who knows.
marcusb 1 days ago [-]
> Apparently he gets pretty high with friends and shit talks - but when when the search started to suggest some pretty way out things along the same lines, he landed that their conversations weren't private any more.
I had an experience like this several years ago. I was having dinner with a customer, and one of the guys brought up this story about how he went to school with someone who got caught cheating on Who Wants to be a Millionaire. Later, back at my hotel, I pulled up YouTube and the first recommended video was of the guy who got caught cheating on the game show. I had not searched for this during the conversation (or prior) nor do I watch game show videos on YouTube, or cheating scandal videos on YouTube.
Here's what I think happened: somebody at the dinner googled it, and the video got recommended based either on geo-location data (we were in close proximity) or because the person who googled it was in my phone contacts, or maybe both. But, I don't think Google/Youtube was recording anyone's conversation to make that recommendation.
wzdd 1 days ago [-]
It could also be that YouTube started recommending this video to people for whatever reason, which was why it was on this guy’s mind.
marcusb 1 days ago [-]
Anything is possible, but he didn't start the conversation about cheating. Someone else brought up something to the effect of they thought game shows were fake, then he told his story and a third person the table searched for and showed the video.
Argonaut998 20 hours ago [-]
This matches up with my exact thoughts too. My old phone was an Android, and it was quite old in that the manufacturer hadn't updated it in a while. There were times when speaking about something would give me ads relating to it on Google, or posts in Instagram's case.
Then I got an iPhone and it stopped completely. My wife has a newer Android phone and the same things happen to her.
Now, I swear I read a few years ago that Facebook have teams to deliberately look for vulnerabilities to exploit, as well as things such as this: https://x.com/ashk4n/status/1070349123516170240.
So my personal conclusion(s) is this:
1. There are vulnerabilities in older (if not current) Android versions which companies like Meta exploit to eavesdrop at all times, or at least while the app is not closed.
2. Most people just provide the 'While using the App' or 'Always allow' permissions for the microphone/camera, so this basically gives permission for them to do that regardless, even if it's not what those permissions were requested for (sending a voice message, taking a picture to post etc), BUT now there are status lights for when apps are using the microphone/camera which I never noticed been activated on my wife's phone when using it, unless for the correct reasons.
Between all the apps people use daily which is pretty much Instagram/Twitter/TikTok/WhatsApp, microphone permissions tend to be enabled, and if they are, then most of someone's screen time is on an app with those permissions. Not to mention the 'Google' app on Android phones which seems to have every single permission enabled at all times that perpetually runs.
Sorry, but I'm not buying the "someone else in your home searched something similar" or "ads are so advanced that they can predict what you want" etc excuses. I'm extremely careful with what I search. I have never experienced this once I switched to an iPhone, but I have experienced it too many times when on Android.
JadeNB 1 days ago [-]
> Permissions are the problem with android phones - there needs to be a specific install route for users, one that the app starts asking for things it should not need have access to, the installer refuses to install and suggests the user look for something better. Camera apps for example really don't need access to communication channels, if it's updates it's need, it can ask - one time access.
I definitely don't want my phone making those decisions for me; I want my phone enabling me to make decisions. The app asks for permissions, I say no, and, rather than ratting me out to the app, my phone does its best to pretend to the app that it (the app) has the permission it wants, say by giving an empty contact book or whatever. (I know rooted phones can do this, but it shouldn't have to be something I have to fight my phone for.)
He’s right and everyone knows it. It's pretty blatant and there have been lawsuits settle rather than go to a trial that would surely reveal the extent to which this thing that’s obviously happening is happening
Searching for that phrase now shows your blog post as the top reference, and the AI overview now says it's a "nonsensical phrase used to illustrate how search engines can generate misleading or fabricated explanations for arbitrary inputs"! :O
anenefan 12 hours ago [-]
lol so it's getting that bad. Assigning meaning to random phrases is BS. If it keeps on going it'll start attributing meaning to misspelled words.
LLMs are only as good or bad as they are created - or their function / parameters? Google got real sad mid 00s - it's all about the money now isn't it.
Isn't this how proverbs come to life?
"Bobs your uncle" - all these proverbs are made up...
alganet 1 days ago [-]
It is irrelevant. The suggestion that spying is for advertisement makes no difference.
That idea only exists to create fake two-dimensional anti-capilist rethoric, which is a rethoric easier to put down than the fact that privacy does not exist anymore.
So, I am supposed to do this. To "correct you" and look very lunatic.
It serves, however, a very specific goal. First, it cannot be copied en masse. If this behavior is copied (even as a meme), it implies doom to the more easier to defeat anti-capitalist rethoric and the birth of a true 3D anti-capitalist rethoric. It can only be mocked (smoking guy pointing to a conspiracy board), but that mockery is getting real serious real fast now.
Can I dive deeper into the mechanics of how this is gonna go?
We had so many chances, of doing good. You all had so many chances.
alganet 1 days ago [-]
There's a nation proud of overspinning enrichment turbines with a complicated computer virus that can even work offline. No conspiracy, that's just StuxNet.
So, when you start learning about tech, you get paranoid. If you're not, it's even weirder.
The fact that someone can target you, individually, is undisputable. Whether it will or not, that's another question.
What I can recommend if you think you are being observed, is to avoid the common pitfalls:
Don't go full isolationist living without technology. That is a trap. There is nowhere to hide anyway.
Strange new friends who are super into what you do? Trap.
You were never good with girls but one is seemingly into you, despite you being an ugly ass dirty computer nerd? That is a trap. Specially online but not limited to it.
Go ahead, be paranoid. When an article comes to probe how paranoid you are, go ahead and explain exactly how paranoid you have become.
But live a normal life nonetheless, unaffected by those things. Allow yourself to laugh, and be cool with it.
Hundreds of clone accounts doxxing me? Well, thanks for the free decoys.
Constant surveillance? Well, thank you for uploading my soul free of charge to super protected servers.
Dodgy counter arguments in everything in care to discuss? Sounds like training.
The paranoid optimist is quite an underrated character. I don't see many of those around.
Ferret7446 1 days ago [-]
Sounds like the age old adage: if it's too good to be true, it is.
alganet 1 days ago [-]
I also tend to be very skeptical towards popular sayings. Sometimes, they fail.
"true" in the sense you used here. Have you thought about what it means in that context?
We live in an age full of fear of missing out baits and reversed versions of such. There is no sense of "oh, this is good for me" that can be relied upon (implied in the original comment, you are going to find it), although there are sayings.
sadeshmukh 1 days ago [-]
If it sounds too good to be true, it probably is. Otherwise it's just a tautology.
ivape 1 days ago [-]
[flagged]
alganet 1 days ago [-]
There is a list of things I keep under profound consideration always.
Information that travels backwards in time is one of them. I have a pretty good idea on how it could be possible and who would have the resources to do it.
God is also another. However, I am a very unorthodox student of religion. I deeply respect anyone that uses it to foster a good behavior. Whoever uses it to trick others, I tend to see more as an act of hostility towards innocent believers. Like, if someone tries to put me into a religion mindset just to fuck with me, it's a dick move.
What I know for sure is that God would not make mistakes. Whatever monitors me, does. It did so many times. I know it embarrasses them. It's delightful in that sense. So, yeah. God might exist, but I ain't talking about it when I describe paranoia.
Another thing that is quite recent in my studies is psychology and how we are all so vulnerable to it. I started to despise it a little bit. How come it never solved so many issues? How come it seems to put them to evidence but not fix them, and by putting them to evidence, make them worse?
Anyway. Do you want even more paranoia? If you like it, I should be supposed to charge for it, you know.
1 days ago [-]
zghst 8 hours ago [-]
Never trust these people, always know that something is going on somewhere.
NemoNobody 23 hours ago [-]
That was a stupid study. Phones know if they are being used - the phones for 3 days around ads is meaningless.
Tracking isn't all the time - that would be tough. They do record stuff when you doing certain things tho...
It's not impossible at all, actually it's rather easy if you have access to their actual online activity too.
xg15 22 hours ago [-]
I think it would be interesting to try to do a "constructive debunking" - try to build a system yourself that uses a tampered phone and constantly records and transcribes all audio around it, without being obviously detectable by battery drain, CPU usage or network traffic.
Variants/difficulty levels could be about: capture everything, or just keywords? What if you have a million keywords? Transcribe on-device or in the cloud? Can you do it just inside an app or do you need OS support/root access? Etc etc.
Would be interesting to see what can be done at all and how easy or difficult it would be to detect.
jeroenhd 17 hours ago [-]
Comparing a small project like that with the vast cyberstalking industry we call advertising today isn't going to yield similar results if the conspiracy theory is true. I can make a full tracker that drains the battery like crazy but that doesn't mean the smartypants who know when women are pregnant weeks before they do themselves can't come up with a system that's more efficient with acceptable data granularity.
Worst case scenario you succeed, and you've built yourself the torment nexus. If you publish your results, you'll have to publish the torment nexus to prove you don't have anything up your sleeve, making the world slightly worse for everyone else now that there's an accessible torment nexus ready to go. If you don't publish your torment nexus, nobody will believe you. Hell, if you succeed, you might've actually invented the thing! At best, the result of your success is knowing for sure you _could_ be spied upon any time, anywhere.
There's probably a much easier method to know for sure: work for advertising companies and learn their secrets.
xg15 16 hours ago [-]
Good points. Though I there are other options - e.g. build a proof-of-concept in a closed environment, e.g. as an university project, demonstrate it with a small (but still sufficiently large) group of people, so you have witnesses and publish a paper about it.
I know the prevailing wisdom is to always publish your code with a paper, to ensure maximum reproducibility, but this would be a valid case where you DON'T want to make reproducibility easy.
It's essentially the same dilemma that security research already has today: You want active research into vulnerabilities to be able to close them, at the same time you don't want people abusing your research to exploit them.
There is also the point of how feasible such a system would be to deploy on new phones. E.g. if you require a rooted phone and a custom Android image, chances are relatively slim your system will be used in the wild.
16 hours ago [-]
macawfish 20 hours ago [-]
The phone is listening. Services like Shazam and Alphonso are constantly fingerprinting audio from the mics and sending these fingerprints up for "matching".
What are they matching against? Against key "content".
To check if the fingerprints from your phone mic match the "content" they have to do some kind of nearest neighbor search. What if the fingerprints aren't super close but they're somewhat close? To "content" related to certain products? Should we send the ad?
What if employees at Alphonso and Shazam _know_ that the fingerprints from your phone aren't quite close enough to have been generated from key monetizable samples of the "content", but also know that they are close enough to be effective? At targeting potential buyers?
Who decides how close is close enough? What's the ethical threshold here? And what's the most profitable threshold?
perching_aix 19 hours ago [-]
> The phone is listening. Services like Shazam and Alphonso are constantly fingerprinting audio from the mics and sending these fingerprints up for "matching".
Could you please provide a source for this?
Just on the outset this sounds pretty wild if true. In the settings I do not see any permissions associated with Shazam, and only when I open it do I see the usual microphone indicator light up.
I will say though, it is weird that it doesn't have associated permissions listed, because clearly it can access the mic at least when it's open.
Edit: nevermind, found it, was just super hidden. But yeah, says it can only access it when the app is "in use". Now can it auto launch? Apparently also yes, after boot. Otherwise idk. It's further interesting I cannot tweak any of these permissions.
Edit #2: now it says that notifications are enabled for it, but then i check, and they aren't. i exercise the toggle, now it doesn't say that anymore, and the mic permissions are no longer hidden? Samsung please...
No amount of years in tech will rid me of tech pains it seems.
macawfish 10 hours ago [-]
Pixel phones have a built in background audio fingerprinting service called "Now Playing" which can operate constantly.
Shazam has an "auto shazam" feature you can enable for constant background listening, since 2016 at least!
But look into Alphonso. That's like Shazam but explicitly for covert "content recognition" listening in microphone enabled apps. And it's old.
People who say it's too expensive or impractical to do bulk listening for ad-tech just aren't paying attention.
perching_aix 5 hours ago [-]
> Pixel phones have a built in background audio fingerprinting service called "Now Playing" which can operate constantly.
That's interesting. Although can and does are very different things - appears to be a feature you turn on yourself. Upon a surface level research, I also found it to rely on an offline music fingerprint database, suggesting it doesn't retain and send off the audio it records, or metadata it extracted from them.
> Shazam has an "auto shazam" feature you can enable for constant background listening, since 2016 at least!
Does anyone recall the national discussions surrounding what constituted metadata following 9/11 when ThinThread and Trailblazer were brought to public attention?
I also recall reading about members of the TIA "Total Information Awareness" program leaving to join advisory boards for rising social media platforms, Facebook most notably. These weren't tinfoil opeds in fringe outlets, but regular reporting by journalists published in trusted local newspapers.
Are there any outlets left who aren't part of consolidated media groups that can or do still track and report on movements like this? I've having trouble finding original articles that haven't been "revised for historical accuracy" or hidden behind paywalls of the few entities that remain.
Edit: For context, I was looking for the earliest articles about Google citing legal justification for scanning the contents of emails under a favorable interpretation of metadata that allowed for tokenization by an automated process (ie- the contents were not read by a human or made personally identifiable, which met the letter of the law). It follows that the same justification is not limited to any source or data type, but I couldn't recall any more recent reporting or statements from companies over the last 10-15 years, or, the "don't break Google" era.
weare138 16 hours ago [-]
This fact is important, because if an app were accessing a microphone and sending the audio to a cloud server for analysis there would be detectable traces of data consumption.
Because that's not how it works and companies like Meta know this when misleading it's users about their privacy.
Speech-to-text transcription is handled on your device. They never transmit the raw audio, there's no need to. A compressed text transcription of your conversation would only generate a few kilobytes of data. You would never notice it.
And the mic needs to be active in order to receive legitimate voice commands. If it can respond to your voice, the microphone is on and listening. That's the only way it can work.
kjkjadksj 19 hours ago [-]
Keep thinking its merely correlation while the US military bans phones from the SCIF…
polskibus 23 hours ago [-]
Do iOS apps also take screenshots of activity in other apps without consent? Does the platform allow it to, if yes then is there a way to block it?
trollied 23 hours ago [-]
They cannot.
quijoteuniv 19 hours ago [-]
« The article posits that the uncanny relevance of some ads is due to sophisticated data collection methods. Companies analyze user behavior, online activity, and social interactions to predict interests, making it seem as though devices are listening.
In essence, while smartphones may not be actively eavesdropping, the depth and breadth of data analytics employed by tech companies can create the illusion of such practices.»
kjkjadksj 19 hours ago [-]
There has definitely been cases where I have not looked up an idea at all on my devices, only mentioned it in speech at home, and the highly targeted at shows up on mobile the next day or even that day. I would take the correlation theory if I actually left data to correlate.
wormius 18 hours ago [-]
This... I have had on at least 2 occasions explicitly where I know for a fact I hadn't searched or looked up this topic on any system, and I brought up a topic and talked to my roommate and within the next 12 hours FB served me ads or content relating to the topic.
I get the idea that an "always on" monitoring system would be problematic (even if you discarded the data itself and only retained/filtered relevant bits for a short period of time). But ... I have no other way to explain events like this.
I suppose some weird correlation of user has x,y,z and they searched for a,b,c in the past, and other users search for D, then we show D at exactly the 12 hour time they searched for it.
Yes I am aware of recency bias, and how perhaps it was shown other times without recognizing it. But it's... hard to shake that feeling, and I am (well less so now) a skeptic...
If it's anything it's like AI that's eerily creepy like "intelligence" but not it, just like this is "like listening" but isn't. Both use statistical models to do creepy ass shit.
BenjiWiebe 17 hours ago [-]
Did the roommate use the same WiFi network as you, and your roommate used the WiFi to research it?
Supermancho 7 hours ago [-]
Well, since my data comes from my wife and I (we have nobody else) and we didn't look up Deadpool (ever) because she doesn't care and I don't talk to her about it because I know she doesn't care. We see Deadpool advertised playing at a theater on the marqui, so I call it out
Me: "I would go watch Deadpool with my best friend Z if he was in town today".
Me: "Did you hear they have a Deadpool dog? Dogpool!" (saw the trailer from my desktop at work)
Wife: "I don't care about a Deadpool dog. You should definitely go see it with Z."
About 2 hours later. Ads for Deadpool litter her Facebook. Deadpool had been out for 2 weeks. Why now? Because we talked about it in the car while she was on Facebook. I've worked in Adtech since about 2005. It's the phone and or the app. Our Google TV does the same thing, except Youtube doesn't seem to be affected by conversation. So that's something.
twoodfin 17 hours ago [-]
But why did you mention it at all?
That’s the point the article makes: That some idea is on your mind is essentially always correlated with any number of signals, some of which are visible or inferable by adtech.
cbogie 8 hours ago [-]
it’s just ai llm snooping amd doing big ol compute just like we have access to now. but advertisers had it years ago cuz they paid and at large, ads sold.
became so prevalent no differentiable value so the algos etc sought new omg human public users. magic baby. but just hungry ip sw gobbling up new worlds.
maybe. just thinking outloud.
nonameiguess 22 hours ago [-]
Television, not phone, but YouTube sure intrigued me at minimum yesterday. First, it revealed pretty clearly that even with history turned off, it will use the history of other accounts accessed from the same IP to serve recommendations anyway. Without history, it turns off the home page recommendations, but when I ran a search, it showed me completely unrelated videos from a rock climbing channel my wife had watched on another account. I have never watched any rock climbing content on this account.
The second incident was the "listening to you thing," though. Not on the phone, but on a smart television. Exterminator was there to do the quarterly spray of my house and I was showing him scars from when I fell off a skateboard trying to bomb a hill I couldn't handle late last year, talking about what happened, and not five minutes later I turn on the television, open YouTube, and the very first recommendation on my wife's account is a video of a guy falling off his longboard at 50 MPH. Not like it's some kind of secret that we both skate and I watch a lot of downhill videos on this account, but I have never once specifically searched for, watched, or even been recommended a video of a crash, until they decide to do so five minutes after I was talking about it in front of that television.
ivape 1 days ago [-]
Doesn't it have to listen to everything to capture the wake word "hey siri"? How else is it done?
simonw 1 days ago [-]
The iPhone has dedicated low-power on-device hardware that is trained to pick up "Hey Siri" exclusively. It only wakes up the rest of the device and captures additional audio after that wake word has been triggered.
Pretty much every time I add a new contact to my phone I start to get really strange ads online. I figured it out when I added a guy who's retiring for the army. I started getting retirement ads for soldiers.
Then, I add a guy I loosely know and what do I start seeing? Cocaine rehab ads. I shit you not. It's not hard to argue that this is more than a minor privacy violation.
leumon 19 hours ago [-]
> Even though these ad algorithms are not nearly perfect (try to pay attention to how often you are served ads that are entirely irrelevant to your interests), the simple fact that they are so eerily correct even some of the time is the real conspiracy here.
This could be intentional. Having too many accurate ads is having a bad effect, because you then enter the uncanny valley of noticing what the data collectors all know about you.
tiltowait 19 hours ago [-]
Amazon often tries to show me a dress store. I’m a guy, and I’ve never bought women’s clothing. On the surface, the ad makes no sense and is irrelevant—but what if I end up wanting to buy a dress for someone else? Then I might remember that Amazon dress shop.
This (or simple error) seems more likely to me than a conspiracy to appear less creepy, though I suppose all three could be in play.
I seem to recall that state of the art audio encoding can compress voice to 8kbit/s which is a single packet per second, insignificant compared to how chatty your device is. Trivial to buffer and send during a period of activity. It sums to 1.7MB over the 30 minute window in the article graphs which should be visible if it is actually counted. Why would apple or google actually make it count though? They want to spy on you either for their own benefit or because the government forces them to. You say you found it taking screenshots and phoning them home. Of course! It is a surveillance device. Is it worse? Maybe. You should consider it sends everything home. Every keystroke, every touch of the screen, every sample of the accelerometers, every sample of audio. Perhaps only the sheer quantity of data in video prevents them from sending it all. Might be "remedied" with 5G bandwidth.
sampullman 1 days ago [-]
Audio, screenshots, and some of the other stuff I can believe, but I think batteries need a big upgrade before the data snatchers can get away with streaming video, even at a low bitrate.
I'm also not sure how easy keylogging is these days, is there even a permission that allows it? I supposed there's ways to do it with custom keyboards. Google/Apple doing it themselves would be a pretty big deal.
Am4TIfIsER0ppos 1 days ago [-]
I think everyone acknowledges that chrome sends every keystroke in the address bar home. I don't keep up with the spyware so perhaps it is now every keystroke in the rest of the browser. It isn't much of a leap further that their operating system does the same.
Supermancho 1 days ago [-]
Knowing how digital advertising works, it's more likely that a payload is delivered to the phone in some app or by os or by browser that has a dictionary of keywords paid for to be associated with specific ad campaigns. If the device detects that term (via sound, search, or media) it triggers a message home as an analytics to target you and your device now calls for those campaigns.
simonw 1 days ago [-]
If it works like that, why aren't the app companies describing exactly how it works to advertisers in order to earn their business?
They describe how everything else they do works in great detail if you're someone who buys ads.
Narkov 1 days ago [-]
What makes you think the raw audio stream needs to be sent anywhere. Modern phones are capable of doing keyword extraction on-device.
simonw 1 days ago [-]
This conspiracy theory has been around for a lot longer than phone hardware has been capable of doing that.
Supermancho 1 days ago [-]
The Chrome Browser can transcribe audio into text, with what I consider good accuracy. It's well out of the realm of a conspiracy theory when it's been demonstrable for a couple decades.
simonw 1 days ago [-]
Don't forget energy usage. The phone would need to be on high power mode all the time to run those kinds of algorithms. There's a reason "Hey Siri" has dedicated low-power hardware - it means it can work without burning through the battery.
Supermancho 20 hours ago [-]
> it can work without burning through the battery.
It can work by burning through the battery. When you have a browser open or any number of apps, some of them are certainly detecting.
Am4TIfIsER0ppos 1 days ago [-]
You need to know what keywords to listen for before discarding the audio data. An advertising giant might know but a government doesn't.
adolph 1 days ago [-]
If that were true why are cell phone voice calls still so terrible?
daneel_w 21 hours ago [-]
Because cellular carriers keep the same pace as a snail on vacation.
keybored 19 hours ago [-]
iPhone will tell me that I have a 25m drive to get to work. Literally why? I know where I work and how long it takes. I have done it enough times for it to learn what I do at 07:30 in the morning. Is it just flexing repeapetedly that it did a simple inference?
huntsman 16 hours ago [-]
Some places, including the Bay Area where this feature was probably created, have significant variance in commute times depending on the traffic of the day so this can be a useful feature.
The commute time from SF to Cupertino is certainly not constant.
ACV001 20 hours ago [-]
bs article paid for by those big corporations.
karaterobot 20 hours ago [-]
I'm not going to ask if you actually read the article. My recommendation is to read the second half of the headline.
segezdino 14 hours ago [-]
[dead]
psyclobe 15 hours ago [-]
Tl;dr it’s not the microphone… it’s screenshots.
Rendered at 13:09:41 GMT+0000 (Coordinated Universal Time) with Vercel.
Calm Down—Your Phone Isn’t Listening to Your Conversations. It’s Just Tracking Everything You Type, Every App You Use, Every Website You Visit, and Everywhere You Go in the Physical World
https://www.mcsweeneys.net/articles/calm-down-your-phone-isn...
Just like Facebook’s “we never sell your data (we just stalk you and sell ads using your data)”. I’m sure there’s a similar weasel excuse… “we never listen to your audio (but we do analyze it to improve quality assurance)”
Also, the spirit of the 4th Amendment is most certainly not "here, this is the easy way!" (yes, we are conducting mass surveillance but you can sort of opt out of one piece of it by going through a manual process over here that we will make you feel like you are burdening us by requesting)
You can opt out, just say you do (and preferably cover the camera with your hat or bag)
And then be flagged and 10x more targeted because of that
You're free to take the bus, or hire a chauffeur. A private pilots license doesn't have any pictures either.
More generally, having your stuff screened for security to get on a commercial plane isn't a 4th amendment violation, the word "unreasonable" is right there in the amendment for a reason. You're in public in an enclosed flying object bringing your goods onto someone else's plane with 100+ strangers aboard, it is completely reasonable and necessary for the freedoms of everyone involved for the TSA to ensure that your stuff doesn't have dangerous objects aboard.
Don't forget that freedom also involves the freedom of other people to not be negatively impacted by you exercising your "freedom."
> Standard ID credential verification is in place – Travelers who decide not to participate in the use of facial recognition technology will receive an alternative ID credential check by the TSO at the podium. The traveler will not experience any negative consequences for choosing not to participate. There is no issue and no delay with a traveler exercising their rights to not participate in the automated biometrics matching technology.
My goodness this thread is just the most annoying tinfoil hat thread I've seen all day. Y'all are spending too much time online.
I know that, and you know that, but you have to convince the average traveler that nothing bad will happen if they say no. In the mind of the average traveler, it’s safer to just say “okay” to whatever the TSA wants. There needs to be some kind of neutral ombudsman to placate travelers’ fears of reprisal for opting to preserve their rights.
It's not the private entity taking a 3D face scan, nor are they necessarily wanting for that scan to be taken. It's federal laws and regulations being done by federal agents in spaces controlled by the federal government.
Not really. 99% of the time it's someone claiming that it happens.
And it's always an anecdote, never clear proof that it happened. Let alone that it happened because of the audio and not web activity. And that the conversation was actually the cause for the ad and not the other way around.
Is it technically possible? Sure. But if so many people are so certain that it definitely happens, why didn't dozens of people already prove it with a fresh Google/Apple account and phone?
However:
— IIRC the phone was unlocked,
— this only affected the news feed, and
— this was 5–6 years ago.
We 1) noted how Google app shows some selection of news after opening, 2) talked clearly for a minute about a very random and conspicuous topic in presence of the unlocked phone, and 3) demonstrated that the Google app showing an article relevant to the topic within a few minutes. The article was a few days old, too, so it was clearly boosted out of more recent stories.
The only reason it could be something other than the phone microphone is if I was misled by my friend steering us towards a predefined topic. However, that would require some extensive preparation to rule out the story appearing in the first step and would be very atypical for that person.
I recall seeing an article about Google admitting this and changing their policy to stop, but can’t seem to find it now. I imagine it was bad publicity, though to my friend it was a feature to see personalized content.
Boom, Illinois tourism ad shows up the next time I hit the internet. Scary thing is I didn't even say the state name, just the destination, and SOMETHING calculated that Illinois is in the middle.
This stuff has now happened far too many times in the last 10 years of my life, it is simply implausible to call it coincidence at this point. You are being listened to by your phone.
Ad firms have no ethical boundaries, and have lied about their data collection over and over.
What is really frightening is that if the ad companies know everything about you, then multiple state actors also know everything about you.
This would simply eat the battery immediately, it's simply not feasible and given all the other, cheap tracking it wouldn't even be beneficial.
1. Your phone is gathering data that you don't realize that it gathers.
One of the biggest examples of this is real-time location data that is brokered by cellular carriers and sold as aggregated marketing data. You don't have to give your apps permission to do anything like that because your cellular carrier can get that data regardless of your phone's OS.
2. Your phone is gathering data that you gave it permission to gather, perhaps gathering it in a way you didn't think it would do.
For example, let's say you give an app permission to read your entire photo library so that you can upload a photo. But since you gave it that permission on the OS level, it might be uploading more images than you explicitly select. Another example used to be clipboard data before the OSes asked permission for use of the clipboard. One last example is text that you enter but do not submit.
Another big aspect of this is that people don't realize how these ad networks work in real time. It's not a slow thing for an advertising company to learn something about you and react accordingly, it can happen in a few short seconds.
2. The average person doesn't have any comprehension of how easy it is for data science practices to uncover information about you based on metadata that seems benign or that you don't know exists.
Most people don't understand how your behavior in an app can be used to tell the company things you like and dislike. The TikTok algorithm is a great example, it can tell what you like just by extremely subtle inputs, how you swipe, how long you watch the video. A lot of people don't realize how many things about them aren't particularly unique and how many preferences can be tied to a really specific persona that you fall into.
A real world example of all of this put together is that I was spending a lot of time browsing appliances because I just bought one, and I went to physically visit a friend. We were talking about my new appliance, and later they got ads for that specific appliance. So, the person's reaction would naturally be "it was listening to us!!" but in reality, it is more likely that our cellular carrier or carriers knew we were physically in the same place and reported that piece of information to some kind of data broker. Consider how there are a limited amount of cellular carriers, that location data may not have needed to even exit the cellular carrier to sell this data to someone. I.e., if we both have the same cellular carrier , our company already has that information and it isn't selling it to another company, it's perhaps just telling a data broker that Person A and Person B interact with each other.
Just note that I'm not claiming this is exactly how it all works as I'm not in that industry, but the general ideas here apply. The general takeaway is that literally recording audio with a microphone just isn't necessary to derive hyper-specific things about people.
The advertiser trying to sell my friend appliances didn't really get a lot right about them. They're a renter and the advertiser thought they’d like to buy a major kitchen appliance just because we were in the same location.
If they were able to listen in to our conversations they wouldn't have sent them an advertisement at all.
Your feed is almost certainly personalized up to the individual post, but I think if we are making an analogy to human curation it's certainly not working the same way behind the scenes.
So the idea that it takes a huge amount of computing resources, battery life, permissions, or bandwidth to do matching of keywords is hilarious. That's what "siri", "hey google", "alexa" etc are all doing 24 hours a day. Just add another hundred and report them once an hour. You don't need low latency. It's just another tool in the bag!
Of course the cat food example is bad, because if they weren't looking for that you wouldn't get a response. Who would be willing to pay big for clicks on cat food. Now bariatric surgery? DUI? HELOC? Those pay.
You might have just convinced me that the “phone is listening” is total bunk, because these dedicated devices are just so bad at recognizing the very specific, short, phrases when explicitly directed at them that I can’t imagine they are listening for much more. Listening to my in-laws try to activate their Alexa and Google Homes is something the CIA might consider for their next torture method.
Also, "Siri" and the like ends up waking the main processor, which is definitely easy to prove/disprove. Just talk to your phone continuously for a long time and see if it wakes.
Another thing to consider is that we should never fall into the trap of thinking we are immune from influence from advertisers. Firstly, it's basically what advertiser want; it allows more actions like this, more of our data to be sold and secondly because it's easier to influence someone if they think of a decision as their own choice, than if they think they were manipulated into it. We do not remember the ads we see but we can remember that we are all susceptible to influence.
And of course it is also doing screen recognition (the kind of stuff OP article mentions), but that is not what I’m talking about. I’m talking about microphone data picking up live conversation from people in the room.
It's like that old Soviet Russia joke, except it's not a joke.
If Toshiba Fire TV is related to Amazon Fire TV, then it may include Alexa for voice recognition, which could be optionally disabled. In theory, Alexa is only activated after on-device recognition of the configured wake word.
If your smart toaster, light bulb, or fridge was listening to you, would anyone even notice? Does anyone examine these devices in depth?
This "experiment" has since then been shut down, but exposing this and many other other forms of activism permanently has cost me my Twitter account, to the point that asking to reinstate it several times because I was permanently suspended for no valid reason led to X Support directly rerouting every attempt to appeal this decision into the digital trash can.
Let's say nothing surprises me anymore.
This one used data shared by the user (opt-in on sharing geolocation in the app or browser), which then is publically exposed through the API (like this feature says it would).
Mine doesn't give a shit, geolocation was shared even when turned off by the user in Twitter.
What it does is download all photos that the user shared on Twitter, extract GPS tags from EXIF, and put markers on Google maps, annotated with these photos.
Do note that at first it was assumed just Chrome was involved, but then people started to message me that they also saw it when using the apps, Firefox, Safari and other browsers aswell.
Also, sharing geolocation has been turned off by said user because reasons -- which make sense if you look at the location in the screenshot.
Geolocation has been turned off by me and others aswell.
A few years ago I tried to create a separate digital footprint from scratch (just an experiment out of boredom when my isp offered a second number for free). I used an ultra cheap never before used android phone and set it up outside my home.
Google went nuts. All sorts of captchas, security checks and attempts to link me to other information popping up on every step. Eventually it wouldn’t let me use the phone unless I provided a credit card number.
Bonus: the iPad's device name is now "My iPhone" because it also synced the device name from the phone.
Here is a remnant from someone who replied at the time:
https://xcancel.com/kpcuk/status/601451439215353857
By the way: somewhat later we (thanks to a group effort) figured out it wasn't "just" Chrome as mentioned, and this basically led to the strong assumption there was some serious data sharing involved.
And yes that screenshot from this person is 100% real; my pins for example were sprinkled all across Brighton in the UK near places with Wifi access (I recently went on a city trip there at the time), and my home town in the Netherlands.
I didn't share any geolocation with Twitter. At least not voluntarily.
""Your phone isn’t secretly listening to you, but the truth is more disturbing""
Which is presently also the title on this post.
Then as I read it becomes clear that it is merely focusing on Facebook.
However the confusion that may stem from "Your phone isn’t secretly listening to you"
The blog post never attempts to establish that your phone is not listening to you, just that some companies may not be going it.
The truth is that your phone may well be listening to you . There is plenty of malware / spywear that uses exploits to achieve it.
Like the NSO group¹.
Tools to do so can be bouught on the malware market from other sources as well and we must assume that Mossad, NSA, and other major intellitence agencies have tools that exceed what you can buy on the open market.
You phone may aboslutely be listening to you. but probably it is not.
¹
https://www.bloomberg.com/news/features/2023-01-24/nso-group... https://www.britannica.com/topic/Pegasus-spyware https://citizenlab.ca/2016/08/million-dollar-dissident-iphon...
https://newatlas.com/computers/smartphone-listening-conversa...
https://www.bloomberg.com/news/features/2023-01-24/nso-group...
They started in ios14, iOS 17 got new Secure Exclave path that (A18, M4).
Search for “Secure Indicator Light”.
Also searching for “Secure Exclave” will reveal some fun reads.
First, the cost to transcribe audio is not free. It is computationally expensive. Any ad network or at scale service would not be able to afford it, especially in orgs where they are concerned about unit economics.
Secondly, the accuracy would be horrible. Most of the time, your phone is in your pocket and would pick up almost nothing. More over, it’s not like you are talking about anything of value to advertisers in most cases. Google is a money printing machine because people search with an intent to buy. The SNR of normal conversation is much much much lower. That makes the unit economics of doing this gets much worse.
Third, it would be pretty hard to not notice this was happening. Your phone would get hot, your battery would deplete very quickly, and you’d be using a lot of data. Moreover on iOS you could see the mic is being used and the OS would likely kill the app if it was using too many resources in the background.
So until we find an example of this actually happening, it’s not worth worrying about.
Like a smart TV, for example.
Second thing I do is block the TV access to internet after I do one firmware update.
Building a word cloud would be trivial and with minimal battery impact
What if only the audio of "high value" targets is recorded. Meaning people who buy a lot of stuff. So it might be worthwhile to only record their sounds. Which will explain why random testing (usually with new/clean phones) is never successful in detecting a recording event.
> Out of over 17,000 Android apps examined, more than 9,000 had potential permissions to take screenshots. And a number of apps were found to actively be doing so, taking screenshots and sending them to third-party sources.
Which permission is that, and how do you detect which apps are doing that and stop them?
What I believe the article is speaking about, is an app taking screenshots of its own windows. This is obviously possible and obviously requires no permissions whatsoever. Just make a screen-sized bitmap and do
It does sound believable that third-party advertising/marketing/tracking SDKs, which many apps are chock full of, could be doing this.*Unless there's a zero-day that allows it.
Also, it is possible for a zero day to break specific privileges (like screen record without notification) rather than root.
> Unlike the camera and audio APIs, the APIs for taking screenshots and recording video of the screen are not protected by any permission
However they also talk about doing static analysis on 9,100 out of the 17,260 apps, to determine (amongst other things) “whether media APIs are actually referenced in the app’s code”.
They then talk about doing a dynamic analysis to see which apps actually call the APIs (rather than just link to a library that might call it, but the app never calls that function the library).
The soundbite is bad, it shouldn’t say “had potential permissions to take screenshots”, it should just say “had the potential to take screenshots”
The research talks about thousands of apps but I do wonder how many of these are apps people use every day and how many are Chinese clones of freemium games and other shitware with a fraction of daily users. All we know from public app store data is the number of "downloads" and even that is distributed as a range. I doubt these 19000 apps were found by doing a survey on what people actually had on their phones.
[0] https://dl.acm.org/doi/10.1145/3646547.3689013
Here’s a simple experiment I ran and still works.
Back in the day there was a truly ghastly add for ear wax removal that showed up on YouTube in the UK.
In an experiment, and prank, I told two of my close friends about this, and how this horrid advert would kill my appetite when it came up.
And then I made it a point to repeat “ear wax removal” loudly several times.
Sure enough. A day later my dear friend messaged me with something on the lines of “I hate you”
Their phones were Android and iOS. I believe it was the Android user suffered.
There are millions of ways the adware running on your phones could've correlated your profile and spread the "infection" to your friend. Basic location access being the most important one, but sharing an IP address (your friends' WiFi?), being near the same Bluetooth beacons, having the same stored SSIDs, or mere coincidence that your friend saw the same ad targeting a wide demographic are much more probable than "my phone is listening 24/7".
Do note, this was tested in a park, so no shared WiFi, no Bluetooth beacons/devices. Also, this ad doesn’t/didn’t show up for others, ever.
And I’m assuming you also made them aware of other ads you’d seen recently so they could see if those showed up as well?
Why do you think I would put up a comment on HN of all places, with this degree of confidence.
> tested with other ads… If I knew that this, was going to be needed to study, 5 years into the future, I would have conducted a double blind study. Sadly I could not, however, it’s still fun, so we can always replicate.
The question is, have you found a horrid ad yet? Side note, this was in the UK
> The question is, have you found a horrid ad yet? Side note, this was in the UK
The question is, why does it have to be a horrid ad? Does the phone only listen for things about horrid ads to show you?
You have to know that your phone isn’t listening to you right? That it’s just a coincidence and that when you’re told to be on the lookout for an earwax ad that you’re more likely to see one, right?
Your phone might not be listening to you straight out of the box. Might. You don’t know for sure, nobody here does. Why err on the side of blissful ignorance? And then you accept 10 end-user-agreements you don’t read, install dozens of apps you don’t read the small letters of… and you think nobody had been listened to?
It’s a bigger chance it happens than that it doesn’t, in my mind. I haven’t been able to catch it using mitm proxies, but I’m not the best at that, and I haven’t a pretty virgin iphone on purpose.
Yeah but I am.
If you tell me a story about your phone listening to you that you absolutely swear is true, I know you love the idea of conspiracy theories and would laugh at someone who believes in astrology. But they’re the same thing.
It’s fun to see coincidences. It’s fun to think you’ve outsmarted the man. But that’s all it is — fun.
It’s not real.
> Ad companies are the sleaziest of them all and I would not be surprised if they did stuff like this
OK prove it.
> It’s a bigger chance it happens than that it doesn’t, in my mind
OK, should be easy for someone to prove then.
Is it really more likely that this thing is happening that nobody has been able to prove or that people like to see patterns to explain the weird things in the world?
> I haven’t been able to catch it using mitm proxies
Shocker lol.
But should be easy for you to find someone who has caught them red handed, right?
Can you not see all the biases and fallacies in your own comment?
I don’t remember the name, that was at least 10 years ago before Apple started enforcing permissions on microphone access and showing an orange dot, but they wanted to do a revenue-share deal in exchange for us quietly bundling their SDK inside ours.
Needless to say we turned them down so we never learned more or tested the veracity of their claims, but there are some really sleazy companies out there. Modern smartphones have sufficient horsepower to do the audio processing on-device so the argument that this would show up in network traffic does not hold.
https://www.pcworld.com/article/424417/ad-tracking-tech-uses...
My hypothesis
* The algorithms have linked my account to some others.
* They then serve me the embeddings extracted from those profiles. The near-real-time nature of this has crossed my mind more than once.
It's really unsettling, and afterwards I feel uneasy about any recommendations (all Google services, Netflix seems problematic too, not Amazon).
YouTube seems to have some hidden knobs for tuning this behaviour: after multiple negative feedbacks, the problematic content disappeared from my front page. However, the recommendations on the right-hand side of individual videos remain problematic, and the automatic playlists of YouTube Music are still strangely disturbing (even after multiple negative feedbacks).
State of the art about 10 years ago was 4 9s of accuracy predicting click-through rates from the available context (features for user profile, current website, keywords, etc.), which I interpreted as requiring a fairly accurate learned model of human behavior. I got out of that industry so I don't know what current SOTA is for adtech, but I can only imagine it is better. The models were trained on automatically labelled data (GB/s of it) based on actual recent click-through rates so the amount of training data was roughly comparable to small LLMs.
Recent anecdote; three of us were sitting around the kitchen table with our phones out chatting about an obscure new thing that had come up; it appeared in one of our FB ad streams pretty quickly.
My top guesses about how this is possible today;
1) Apps routinely link many third-party data gathering and advertising libraries. Any of these libraries could be gathering enough contextual data and reselling it to make a correlation possible. It's not just obscure thing A that triggers an ad, it's highly correlated mixtures of normal things X, Y and Z that can imply A.
2) other friends may have talked about the obscure thing recently and social network links implied we would be aware of it through them.
Distant 3) the models are actually good enough to infer speech from weird side-channels like the accelerometer when people wave their hands when they talk, etc. Accelerometer sample rate is < 1KHz but over 100Hz which may be enough, especially when you throw giant models at it.
Since you've provided no explicit counter-evidence, I'm gonna go ahead and say I have four nines of accuracy in predicting that your smartphone was squarely in the dependency chain of any "obscure new thing" you could have imagined discussing.
Edit: wording
Having a hard time parsing what that means.
Lets say the CTR for 1000000 impressions of an add is 24.5898% and the ML predicts 25.1926%. How many 9s of accuracy is that?
I don't believe that my phone is not listening to me and I challenge you to choose a random word out of the dictionary and say it 100 times in front of your phone.
The person making the claim should be responsible for furnishing the proof. If it's really so simple to prove, why hasn't anyone done a carefully controlled experiment proving this once and for all? At the very least, it'd move us beyond vague anecdotes on social media.
They did, and found no listening being done. It’s in the article under “The data doesn't add up”.
That test has been done. It is explained at length in the article under the heading “The data doesn't add up”.
Your TV though… that IS listening and the TV even has options to disable it. It’s on every TV shipped in at least the last 5 years, maybe 10.
I am astonished that nobody had ever done a reverse engineering research yet.
This says it all. Privacy is not by default, because of souless mega corporations, including HN which has an extremely invasive privacy policy. If you don't actively take steps to improve your privacy, they will continue to exploit it. Use GrapheneOS, it is the most private and secure mobile operating system. Nothing happens without your explicit permission, the way it should have been from the beginning
The ranking would probably be:
- Pixel on GrapheneOS
- Any Android smartphone on Lineage or /e/OS
- iPhone on recent iOS (the best choice for technically illiterate people)
People concerned with privacy should avoid stock Android phones. Additionally, software only goes so far in protecting privacy. Some hygiene is also required, especially with iOS, where everything is sent to iCloud by default and E2E encryption is either not enabled by default or not available at all in some countries.
When it comes to hardware, nothing really compares to the Titan and T2 chips found in Pixels and iPhones though.
>- Any Android smartphone on Lineage or /e/OS
None of those operating systems does anything for tracking/advertising SDKs in apps, which is most of where the data leaks are coming from, not google/apple. Moreover unless you're willing to go no proprietary apps (ie. most apps people actually use), you'll need google play services, which means google can still collect data on you.
Either way, Google can only collect limited data on those distributions, and you have control over them. Concerning tracking applications, yes, some hygiene and good practices are necessary, the OS can only go so far.
???
What information are they getting their hands on in the first place, aside from geoip data?
This actually makes sense of an anecdote a colleague uses to say that he thinks his phone is listening to him.
I am a keen skier. He used to ski a lot, but hasn't been for several years. Around the start of ski season this year, we talked about my plans to go skiing that weekend, and later that day he started seeing skiing-related ads.
He thinks it's because his phone listened into the conversation, but it could just as easily have been that it was spending more time near my phone (I had only recently started at that job) on which I regularly search for skiing-related things like conditions reports and directions to ski areas.
Bingo! This is most certainly what happened.
I’ve spent time trying to convince my friends that their phone’s microphone is not constantly listening and running sounds through voice recognition software to isolate their voice (so the individual who owns the phone can be advertised to), then through sentiment analysis software (to inform advertisement bids), all without meaningfully affecting battery life. That is usually an uphill battle but explaining location services and the fact they don’t know what I’ve searched gets the point across better. (It is actually creepier.)
Sure there is.
Hide screenshot taking behind permission and slap down hard apps that refuse to operate without them.
Now, what could reasonably be a permission is "access the internet", but our overlords don't approve of that thought.
(Contrast this to web pages, which do not render themselves and thus can sensibly be blocked from screenshotting)
For example, it can capture the entire DOM and send it off, including the contents of input fields that have not been submitted.
That DOM capture can be replayed on a browser to show what the user sees. So what’s the difference?
However, if an app wants to make a screenshot of itself, then it could do so by emulation of itself (so no permission is needed), as long as everything it displays is rendered by its own code rather than calling other functions in the system to do so.
Based on the lawsuit and other sources, my guess is the phones build a word cloud that is then used for targeted advertising. Apple at el aren’t recording and selling the actual audio… but they are listening.
(1) https://www.reuters.com/legal/apple-pay-95-million-settle-si...
That's not quite accurate. The CMG thing was very clearly a case of advertising sales people getting over-excited and thinking they could sell vaporware to customers who had bought into the common "your phone listens to you and serves you ads" conspiracy theory. They cut that out the moment it started attracting attention from outside of their potential marks. Here's a rant about that I originally posted as a series of comments elsewhere: https://simonwillison.net/2024/Sep/2/facebook-cmg/
The "Hey Google" / "Hey Siri" thing is a slightly different story. Apple settled a case out of court for $95m where the accusation was that snippets of text around the "Hey Siri" wake word had been recorded on their servers and may have been listened to by employees (or contractors) who were debugging and improving Siri's performance: https://arstechnica.com/tech-policy/2025/01/apple-agrees-to-...
The problem with that lawsuit is that the original argument included anecdotal notes about "eerily accurate targeted ads that appeared after they had just been talking about specific items". By settling, Apple gave even more fuel to those conspiracy theories.
I wrote about this a few months ago: https://simonwillison.net/2025/Jan/2/they-spy-on-you-but-not... - including a note about that general conspiracy theory and how "Convincing people of this is basically impossible. It doesn’t matter how good your argument is, if someone has ever seen an ad that relates to their previous voice conversation they are likely convinced and there’s nothing you can do to talk them out of it."
... all of that said, I 100% agree with the general message of this article - the "truth is more disturbing" bit. Facebook can target you ads spookily well because they have a vast amount of data about you collected by correlating your activity across multiple sources. If they have your email address or phone number they can use that to match up your behaviour from all sorts of other sources. THAT's the creepy thing that people need to understand is happening.
It sounds more like we have evidence of what we believe, you think we should toss the evidence for your counter-theory, and people won't do that. We also have an effect where tons of people experienced this. You want us to toss that, too.
"You don’t notice the hundreds of times a day you say something and don’t see a relevant advert a short time later. You see thousands of ads a day, can you remember what any of them are?"
On Facebook, during one period this happened, they were only showing me adds for Hotworx and a massage place every time. Trying to stay pure minded following Jesus Christ means I avoid such ads. So, it was strange that it's all they showed me. Then, strange the only break from the pattern was showing unlikely topics we just talked about in person.
So, I'm going to stick with the theory that they were listening since it best fit the evidence. I don't know why they'd do it. Prior reports long ago said they used to use ML (computer vision) to profile people outside of the platform who showed up in your pics.
I'll note another explanation. Instead of always listening, they could have done it to a random segment of people who were rarely clicking ads. Just occasionally, too. We wouldn't see the capability in use all the time. A feature tested or used on a subset of users.
Also, these companies keep saying on us in increasingly creative and dishonest ways. If anyone is to be blamed, it's them.
https://www.reuters.com/legal/apple-pay-95-million-settle-si...
I also have a couple distinct memories of getting served ads for products I've never searched for or never bought before, after I either bought it in a store or, even weirder, literally just picked it up, looked at it, and put it back on the shelf in a store?
I can craft some kind of super-surveillance-state theory as to how you could achieve that, but it feels very unlikely to be deployed at a small CVS lol
Anyways, these might just be coincidences but still perplexing to understand how it's done.
Are you using a third party keyboard? Or any apps you don't 100% trust if you sent the message from a Mac?
I guess it's possible that, to me, it appears "organic" (ex. somebody just mentions Taco Bell or whatever) but they had actually been searching on their device, and since our digital proximities are known, the next thing you know I'm Living Más lol
His evidence is empirical - Apparently he gets pretty high with friends and shit talks - but when when the search started to suggest some pretty way out things along the same lines, he landed that their conversations weren't private any more.
So I have an understanding of how much tracking is going on so I pressed him on that. But he assured me it was stuff he would not even bother to look up in a clearer mindset and of course smoking recreationally for a very long time knows not to go near some tools that could land himself trouble or awkward explanations. That's probably true he says a lot of stuff that a half decent search would put him straight. In the end I just figured loose permissions of one of the many apps he's installed and that's how they (the app) make their money, selling illegally obtained data to more legal sources.
Permissions are the problem with android phones - there needs to be a specific install route for users, one that the app starts asking for things it should not need have access to, the installer refuses to install and suggests the user look for something better. Camera apps for example really don't need access to communication channels, if it's updates it's need, it can ask - one time access.
- User 1 shows an interest in <topic>.
- User 1 visits the same location, for the same period of time, as user 2.
- So I show an ad for <topic> to user 2.
And of course whoever you are performing your search with, like, oh, an ad company like Google, Meta, or Facebook? They just might use that search data for something.
I care about accuracy when it comes to privacy conversations. I don't want people wasting their time on theories that aren't true when they should be focusing on the real issues at stake.
On WiFi you control this risk can be mitigated (force DNS to your own server that uses ODoH or similar) but for most people ISPs are still sitting on data gold mines obtained from passively observing DNS.
In his case a realistic answer falls towards loose or sneaky permissions in regard of an app that have slipped through that have allowed a weird conversation to influence suggestions in internet activity later on.
However for more grounded subject matters, the more probable strange coincidences falls to queries and visits to the net being scraped by external API and content (fonts scripts etc) providers. I've no idea how much meaningful info would normally be shared between the site and third party providers that seemingly need to be contacted while a site loads.
I had an experience like this several years ago. I was having dinner with a customer, and one of the guys brought up this story about how he went to school with someone who got caught cheating on Who Wants to be a Millionaire. Later, back at my hotel, I pulled up YouTube and the first recommended video was of the guy who got caught cheating on the game show. I had not searched for this during the conversation (or prior) nor do I watch game show videos on YouTube, or cheating scandal videos on YouTube.
Here's what I think happened: somebody at the dinner googled it, and the video got recommended based either on geo-location data (we were in close proximity) or because the person who googled it was in my phone contacts, or maybe both. But, I don't think Google/Youtube was recording anyone's conversation to make that recommendation.
Then I got an iPhone and it stopped completely. My wife has a newer Android phone and the same things happen to her.
Now, I swear I read a few years ago that Facebook have teams to deliberately look for vulnerabilities to exploit, as well as things such as this: https://x.com/ashk4n/status/1070349123516170240.
So my personal conclusion(s) is this: 1. There are vulnerabilities in older (if not current) Android versions which companies like Meta exploit to eavesdrop at all times, or at least while the app is not closed. 2. Most people just provide the 'While using the App' or 'Always allow' permissions for the microphone/camera, so this basically gives permission for them to do that regardless, even if it's not what those permissions were requested for (sending a voice message, taking a picture to post etc), BUT now there are status lights for when apps are using the microphone/camera which I never noticed been activated on my wife's phone when using it, unless for the correct reasons.
Between all the apps people use daily which is pretty much Instagram/Twitter/TikTok/WhatsApp, microphone permissions tend to be enabled, and if they are, then most of someone's screen time is on an app with those permissions. Not to mention the 'Google' app on Android phones which seems to have every single permission enabled at all times that perpetually runs.
Sorry, but I'm not buying the "someone else in your home searched something similar" or "ads are so advanced that they can predict what you want" etc excuses. I'm extremely careful with what I search. I have never experienced this once I switched to an iPhone, but I have experienced it too many times when on Android.
I definitely don't want my phone making those decisions for me; I want my phone enabling me to make decisions. The app asks for permissions, I say no, and, rather than ratting me out to the app, my phone does its best to pretend to the app that it (the app) has the permission it wants, say by giving an empty contact book or whatever. (I know rooted phones can do this, but it shouldn't have to be something I have to fight my phone for.)
https://www.sfchronicle.com/bayarea/article/apple-siri-priva...
LLMs are only as good or bad as they are created - or their function / parameters? Google got real sad mid 00s - it's all about the money now isn't it.
Topic recently [1] re Google A.I. BSing.
[1] https://news.ycombinator.com/item?id=43748171 ('Epistemological Slop: Lies, Damned Lies, and Google' - <newcartographies.com>)
That idea only exists to create fake two-dimensional anti-capilist rethoric, which is a rethoric easier to put down than the fact that privacy does not exist anymore.
So, I am supposed to do this. To "correct you" and look very lunatic.
It serves, however, a very specific goal. First, it cannot be copied en masse. If this behavior is copied (even as a meme), it implies doom to the more easier to defeat anti-capitalist rethoric and the birth of a true 3D anti-capitalist rethoric. It can only be mocked (smoking guy pointing to a conspiracy board), but that mockery is getting real serious real fast now.
Can I dive deeper into the mechanics of how this is gonna go?
We had so many chances, of doing good. You all had so many chances.
So, when you start learning about tech, you get paranoid. If you're not, it's even weirder.
The fact that someone can target you, individually, is undisputable. Whether it will or not, that's another question.
What I can recommend if you think you are being observed, is to avoid the common pitfalls:
Don't go full isolationist living without technology. That is a trap. There is nowhere to hide anyway.
Strange new friends who are super into what you do? Trap.
You were never good with girls but one is seemingly into you, despite you being an ugly ass dirty computer nerd? That is a trap. Specially online but not limited to it.
Go ahead, be paranoid. When an article comes to probe how paranoid you are, go ahead and explain exactly how paranoid you have become.
But live a normal life nonetheless, unaffected by those things. Allow yourself to laugh, and be cool with it.
Hundreds of clone accounts doxxing me? Well, thanks for the free decoys.
Constant surveillance? Well, thank you for uploading my soul free of charge to super protected servers.
Dodgy counter arguments in everything in care to discuss? Sounds like training.
The paranoid optimist is quite an underrated character. I don't see many of those around.
"true" in the sense you used here. Have you thought about what it means in that context?
We live in an age full of fear of missing out baits and reversed versions of such. There is no sense of "oh, this is good for me" that can be relied upon (implied in the original comment, you are going to find it), although there are sayings.
Information that travels backwards in time is one of them. I have a pretty good idea on how it could be possible and who would have the resources to do it.
God is also another. However, I am a very unorthodox student of religion. I deeply respect anyone that uses it to foster a good behavior. Whoever uses it to trick others, I tend to see more as an act of hostility towards innocent believers. Like, if someone tries to put me into a religion mindset just to fuck with me, it's a dick move.
What I know for sure is that God would not make mistakes. Whatever monitors me, does. It did so many times. I know it embarrasses them. It's delightful in that sense. So, yeah. God might exist, but I ain't talking about it when I describe paranoia.
Another thing that is quite recent in my studies is psychology and how we are all so vulnerable to it. I started to despise it a little bit. How come it never solved so many issues? How come it seems to put them to evidence but not fix them, and by putting them to evidence, make them worse?
Anyway. Do you want even more paranoia? If you like it, I should be supposed to charge for it, you know.
Tracking isn't all the time - that would be tough. They do record stuff when you doing certain things tho...
It's not impossible at all, actually it's rather easy if you have access to their actual online activity too.
Variants/difficulty levels could be about: capture everything, or just keywords? What if you have a million keywords? Transcribe on-device or in the cloud? Can you do it just inside an app or do you need OS support/root access? Etc etc.
Would be interesting to see what can be done at all and how easy or difficult it would be to detect.
Worst case scenario you succeed, and you've built yourself the torment nexus. If you publish your results, you'll have to publish the torment nexus to prove you don't have anything up your sleeve, making the world slightly worse for everyone else now that there's an accessible torment nexus ready to go. If you don't publish your torment nexus, nobody will believe you. Hell, if you succeed, you might've actually invented the thing! At best, the result of your success is knowing for sure you _could_ be spied upon any time, anywhere.
There's probably a much easier method to know for sure: work for advertising companies and learn their secrets.
I know the prevailing wisdom is to always publish your code with a paper, to ensure maximum reproducibility, but this would be a valid case where you DON'T want to make reproducibility easy.
It's essentially the same dilemma that security research already has today: You want active research into vulnerabilities to be able to close them, at the same time you don't want people abusing your research to exploit them.
There is also the point of how feasible such a system would be to deploy on new phones. E.g. if you require a rooted phone and a custom Android image, chances are relatively slim your system will be used in the wild.
What are they matching against? Against key "content".
To check if the fingerprints from your phone mic match the "content" they have to do some kind of nearest neighbor search. What if the fingerprints aren't super close but they're somewhat close? To "content" related to certain products? Should we send the ad?
What if employees at Alphonso and Shazam _know_ that the fingerprints from your phone aren't quite close enough to have been generated from key monetizable samples of the "content", but also know that they are close enough to be effective? At targeting potential buyers?
Who decides how close is close enough? What's the ethical threshold here? And what's the most profitable threshold?
Could you please provide a source for this?
Just on the outset this sounds pretty wild if true. In the settings I do not see any permissions associated with Shazam, and only when I open it do I see the usual microphone indicator light up.
I will say though, it is weird that it doesn't have associated permissions listed, because clearly it can access the mic at least when it's open.
Edit: nevermind, found it, was just super hidden. But yeah, says it can only access it when the app is "in use". Now can it auto launch? Apparently also yes, after boot. Otherwise idk. It's further interesting I cannot tweak any of these permissions.
Edit #2: now it says that notifications are enabled for it, but then i check, and they aren't. i exercise the toggle, now it doesn't say that anymore, and the mic permissions are no longer hidden? Samsung please...
No amount of years in tech will rid me of tech pains it seems.
Shazam has an "auto shazam" feature you can enable for constant background listening, since 2016 at least!
But look into Alphonso. That's like Shazam but explicitly for covert "content recognition" listening in microphone enabled apps. And it's old.
People who say it's too expensive or impractical to do bulk listening for ad-tech just aren't paying attention.
That's interesting. Although can and does are very different things - appears to be a feature you turn on yourself. Upon a surface level research, I also found it to rely on an offline music fingerprint database, suggesting it doesn't retain and send off the audio it records, or metadata it extracted from them.
> Shazam has an "auto shazam" feature you can enable for constant background listening, since 2016 at least!
This is again a can vs. does difference.
I also recall reading about members of the TIA "Total Information Awareness" program leaving to join advisory boards for rising social media platforms, Facebook most notably. These weren't tinfoil opeds in fringe outlets, but regular reporting by journalists published in trusted local newspapers.
Are there any outlets left who aren't part of consolidated media groups that can or do still track and report on movements like this? I've having trouble finding original articles that haven't been "revised for historical accuracy" or hidden behind paywalls of the few entities that remain.
Edit: For context, I was looking for the earliest articles about Google citing legal justification for scanning the contents of emails under a favorable interpretation of metadata that allowed for tokenization by an automated process (ie- the contents were not read by a human or made personally identifiable, which met the letter of the law). It follows that the same justification is not limited to any source or data type, but I couldn't recall any more recent reporting or statements from companies over the last 10-15 years, or, the "don't break Google" era.
Because that's not how it works and companies like Meta know this when misleading it's users about their privacy.
Speech-to-text transcription is handled on your device. They never transmit the raw audio, there's no need to. A compressed text transcription of your conversation would only generate a few kilobytes of data. You would never notice it.
And the mic needs to be active in order to receive legitimate voice commands. If it can respond to your voice, the microphone is on and listening. That's the only way it can work.
In essence, while smartphones may not be actively eavesdropping, the depth and breadth of data analytics employed by tech companies can create the illusion of such practices.»
I get the idea that an "always on" monitoring system would be problematic (even if you discarded the data itself and only retained/filtered relevant bits for a short period of time). But ... I have no other way to explain events like this.
I suppose some weird correlation of user has x,y,z and they searched for a,b,c in the past, and other users search for D, then we show D at exactly the 12 hour time they searched for it.
Yes I am aware of recency bias, and how perhaps it was shown other times without recognizing it. But it's... hard to shake that feeling, and I am (well less so now) a skeptic...
If it's anything it's like AI that's eerily creepy like "intelligence" but not it, just like this is "like listening" but isn't. Both use statistical models to do creepy ass shit.
Me: "I would go watch Deadpool with my best friend Z if he was in town today".
Me: "Did you hear they have a Deadpool dog? Dogpool!" (saw the trailer from my desktop at work)
Wife: "I don't care about a Deadpool dog. You should definitely go see it with Z."
About 2 hours later. Ads for Deadpool litter her Facebook. Deadpool had been out for 2 weeks. Why now? Because we talked about it in the car while she was on Facebook. I've worked in Adtech since about 2005. It's the phone and or the app. Our Google TV does the same thing, except Youtube doesn't seem to be affected by conversation. So that's something.
That’s the point the article makes: That some idea is on your mind is essentially always correlated with any number of signals, some of which are visible or inferable by adtech.
became so prevalent no differentiable value so the algos etc sought new omg human public users. magic baby. but just hungry ip sw gobbling up new worlds.
maybe. just thinking outloud.
The second incident was the "listening to you thing," though. Not on the phone, but on a smart television. Exterminator was there to do the quarterly spray of my house and I was showing him scars from when I fell off a skateboard trying to bomb a hill I couldn't handle late last year, talking about what happened, and not five minutes later I turn on the television, open YouTube, and the very first recommendation on my wife's account is a video of a guy falling off his longboard at 50 MPH. Not like it's some kind of secret that we both skate and I watch a lot of downhill videos on this account, but I have never once specifically searched for, watched, or even been recommended a video of a crash, until they decide to do so five minutes after I was talking about it in front of that television.
https://machinelearning.apple.com/research/voice-trigger
https://machinelearning.apple.com/research/hey-siri
until it isn't. anything apple is proprietary and any feature could silently change at any time even for only specific devices/user.
https://web.archive.org/web/20250415140321/https://www.thegu...
Then, I add a guy I loosely know and what do I start seeing? Cocaine rehab ads. I shit you not. It's not hard to argue that this is more than a minor privacy violation.
This could be intentional. Having too many accurate ads is having a bad effect, because you then enter the uncanny valley of noticing what the data collectors all know about you.
This (or simple error) seems more likely to me than a conspiracy to appear less creepy, though I suppose all three could be in play.
I'm also not sure how easy keylogging is these days, is there even a permission that allows it? I supposed there's ways to do it with custom keyboards. Google/Apple doing it themselves would be a pretty big deal.
They describe how everything else they do works in great detail if you're someone who buys ads.
It can work by burning through the battery. When you have a browser open or any number of apps, some of them are certainly detecting.
The commute time from SF to Cupertino is certainly not constant.