This article reminds me of this excellent tongue-in-cheek piece of writing by Jonathan Zeller in McSweeney's:
Calm Down—Your Phone Isn’t Listening to Your Conversations. It’s Just Tracking Everything You Type, Every App You Use, Every Website You Visit, and Everywhere You Go in the Physical World
There is so much time spent “debunking” audio recordings being shared with various entities it makes me more suspicious.
Just like Facebook’s “we never sell your data (we just stalk you and sell ads using your data)”. I’m sure there’s a similar weasel excuse… “we never listen to your audio (but we do analyze it to improve quality assurance)”
It’s similar with the TSA facial recognition photos. “We delete your photo immediately” but what they don’t say is that they don’t delete the biometrics from that photo.
Literally not compelled in this case, the TSA signage says that the image capture is completely optional.
More generally, having your stuff screened for security to get on a commercial plane isn't a 4th amendment violation, the word "unreasonable" is right there in the amendment for a reason. You're in public in an enclosed flying object bringing your goods onto someone else's plane with 100+ strangers aboard, it is completely reasonable and necessary for the freedoms of everyone involved for the TSA to ensure that your stuff doesn't have dangerous objects aboard.
Don't forget that freedom also involves the freedom of other people to not be negatively impacted by you exercising your "freedom."
That is not the other option at all. The other option is essentially just the traditional screening process.
> Standard ID credential verification is in place – Travelers who decide not to participate in the use of facial recognition technology will receive an alternative ID credential check by the TSO at the podium. The traveler will not experience any negative consequences for choosing not to participate. There is no issue and no delay with a traveler exercising their rights to not participate in the automated biometrics matching technology.
My goodness this thread is just the most annoying tinfoil hat thread I've seen all day. Y'all are spending too much time online.
> The other option is essentially just the traditional screening process.
I know that, and you know that, but you have to convince the average traveler that nothing bad will happen if they say no. In the mind of the average traveler, it’s safer to just say “okay” to whatever the TSA wants. There needs to be some kind of neutral ombudsman to placate travelers’ fears of reprisal for opting to preserve their rights.
Did this change? Last time I tried to take them (ten+ years ago, because my license expired) they refused my ticket purchase because my id was expired.
For better or worse, we didn’t have to make such hard choices for the first 80 years of aviation. And Greyhound etc require photo ID these days as well
The TSA is - objectively, by their own audits - complete security theater. Why bother to defend them, exactly?
Also, the spirit of the 4th Amendment is most certainly not "here, this is the easy way!" (yes, we are conducting mass surveillance but you can sort of opt out of one piece of it by going through a manual process over here that we will make you feel like you are burdening us by requesting)
correcting disinformation isn't defending something. do you want to live in a world where we dislike someone and so we just make up random terrible things about them that aren't true, and it's fine and encouraged because they're someone we dislike, and people aren't allowed to say "hey that's not actually true, at all"
Yup, people are really good about it in my experience too. I just stand off to the side of the camera, and say "no biometrics please". They take a minute to check my documents and it's done. Try it.
I trust the TSA agent's brain to not get hacked in the next 24 hours, a database run by them, not so much.
The purpose is to gather biometric data on people that will be used for future surveillance in our incipient fascist state with the implicit statement that opting out is suspicious and will lead to greater scrutiny.
Some of us want to be able to cross the country in an afternoon, and not have to spend days on a slow, uncomfortable train to make the same trip. I don't think that's unreasonable.
Certainly not unreasonable. But it does require you to commission your own transport subject to the rules that that private entity seeks to impose. Public entities which indiscriminately service residents and visitors of a given territory would obviate this requirement. But if you're in the US, good luck convincing taxpayers to agree to pay for that.
> subject to the rules that that private entity seeks to impose.
It's not the private entity taking a 3D face scan, nor are they necessarily wanting for that scan to be taken. It's federal laws and regulations being done by federal agents in spaces controlled by the federal government.
TSA is absolutely a government organization, it's a part of the Department of Homeland Security. It was created by an act of Congress, the Aviation and Transportation Security Act. You might as well argue the IRS or FBI or the US Marshals aren't a government organization. What an absolutely absurd thing to suggest.
> The Transportation Security Administration (TSA) is an agency of the United States Department of Homeland Security (DHS) that has authority over the security of transportation systems within and connecting to the United States.
You can also walk. Lovers of freedom can walk from Manhattan to LA in 40-50 days. Of course if you look “wrong”, you’ll probably get rounded up in some flyover town.
Depends on where you walk. The US is amazingly poorly situated for long walks outside of major cities. Sidewalks disappear first, then lighting, then one is liable to run into major stretches with no safe affordance for walking whatsoever where one is either inches from cars or in a ditch.
Not saying this is true, but the amount of time and effort put into saying "no one is listening to you" could be attributed to the novel 1984, where the government is actively listening to its citizens. Enough people could associate the novel with government surveillance that it's what people interpret as the most likely surveillance happening - and enough people don't understand tech that it's lost on them that a) the tech to actively listen to millions of people constantly doesn't exist at the appropriate level to be effective b) there are significantly more and far more effective ways to monitor people with current tech than via microphone. It's truly unfortunate people don't understand tech to realize what's actually possible and what is actively happening vs what they imagine could be happening
Download OtterAI. Or run voice memos all day, load it into NotebookLM and ask it about your day. Hell, set up Whisper on your MacBook and you can chug away at pretty significant quantities of audio.
I’ve seen solutions that process audio from hundreds of multi-party meetings and can do all sorts of analysis. In one case, it can do realtime sentiment analysis and alert security when an encounter is getting tense.
> There is so much time spent “debunking” audio recordings being shared
Not really. 99% of the time it's someone claiming that it happens.
And it's always an anecdote, never clear proof that it happened. Let alone that it happened because of the audio and not web activity. And that the conversation was actually the cause for the ad and not the other way around.
Is it technically possible? Sure. But if so many people are so certain that it definitely happens, why didn't dozens of people already prove it with a fresh Google/Apple account and phone?
I observed a clean experiment that showed a friend’s Google Pixel phone listening to us and adjusting news stories on Google app’s home screen.
However:
— IIRC the phone was unlocked,
— this only affected the news feed, and
— this was 5–6 years ago.
We 1) noted how Google app shows some selection of news after opening, 2) talked clearly for a minute about a very random and conspicuous topic in presence of the unlocked phone, and 3) demonstrated that the Google app showed an article relevant to the topic within a few minutes. The article was a few days old, too, so it was clearly boosted out of more recent stories.
The only reason it could be something other than the phone microphone is if I was misled by my friend steering us towards a predefined topic. However, that would require some extensive preparation to rule out the story appearing in the first step and would be very atypical for that person.
I recall seeing an article about Google admitting this and changing their policy to stop, but can’t seem to find it now. I imagine it was bad publicity, though to my friend it was a feature to see personalized content.
How often does someone look at their phone over 5-6 years?
Having one incidence where you’re talking about something and then you also see that something on your phone out of 2000 days of using a phone is definitely more likely to be coincidence.
How often do you think this person did experiments? It is a study with n=1 but the unrelated metric of how many times something else happens does not influence the likelihood of a false positive
Only did it once. The likelihood of coincidence is low, because the topic was specific and unusual.
Here’s something relevant in Google’s current support KB[0], where the combination of the following further supports that the experiment did not have to be staged (emphasis mine):
> Web & App Activity saves your searches and activity from other Google services in your Google Account. You may get more personalized experiences, like: <…> Content recommendations
> When Web & App Activity is on, you can include audio recordings from your interactions with Google Search, Assistant, and Maps as part of your activity.
Let’s now go back to the experiment. Given the phone was unlocked, voice activity was enabled, and Google app or search widget was on Google Pixel’s screen (I am certain at least the latter was true) during the experiment, could talking near the phone be counted as “interaction”? If the answer is “yes” then it seems very reasonable for us[1] to expect, per that KB, that the app would listen more actively than what’s required for assistant activation, and that recorded snippets would count as your “activity” designed to affect content recommendations (including the article feed Google app showed to us on its app’s main screen).
No tinfoil hat required.
***
Note that it does not mention ads among personalized experiences[2], and we had not observed any change in the ads either. I didn’t see what exactly counts as “interaction” or whether this blazing-fast content personalization used to include ads previously, but in line with the “move fast” culture of mid-2010s Silicon Valley it could well have been much more lax at some point. If so, I do not envy all the people who have observed it only to be gaslit and mocked by peers and media.
***
As to the article I was vaguely remembering in my original comment, the above makes me think that it was merely about the change of the default to opt-in, which it is as of today:
> This voice and audio activity setting is off unless you choose to turn it on.
[1] Us tech people; this might not at all align with the intuition of other people.
[2] I rather suspect that ToS and possibly some other KB article would indicate that your activity would, in fact, affect your interest profile and by extension ads, but probably in a much less obvious and more gradual fashion.
Here is an example that just happened today. I talked to my partner about me going to a city directly (via one state) or indirectly (via another state). All I said was "so you want me to go directly to X".
Boom, Illinois tourism ad shows up the next time I hit the internet. Scary thing is I didn't even say the state name, just the destination, and SOMETHING calculated that Illinois is in the middle.
This stuff has now happened far too many times in the last 10 years of my life, it is simply implausible to call it coincidence at this point. You are being listened to by your phone.
Ad firms have no ethical boundaries, and have lied about their data collection over and over.
What is really frightening is that if the ad companies know everything about you, then multiple state actors also know everything about you.
> Not really. 99% of the time it's someone claiming that it happens.
It’s never packet captures, reverse engineering of the app, or one of the tens of thousands of employees working for these companies blowing the whistle.
Nobody can even show that their phone app is using background CPU when they talk, utilizing the microphone, or sending packets from that app. All of which are in reach for anyone with Android and some basic skills.
It’s always an anecdote about someone who said something out loud and then saw ad for it later. That’s it. That’s the entire basis for the conspiracy. Yet it persists.
It’s a very good litmus test for people who don’t understand technology as well as they claim to.
On the other hand it might point to something more serious, that the level of tracking Facebook and Google use lets them loosely predict what you are going to think about.
So maybe the microphones are safe and pristine, but we should be worried and appalled the same as if they were actually listening.
I like to think about it sorta thermodynamically: consider your behaviour under the blurred lens of interests, what you buy, what you read, how you react to news, etc, in this model humans have, let's say, n bits of entropy; how many of those bits can Facebook decode?
We don't "listen" to your audio, the microphone does, and your phone transcribes it to text on your device. You cannot listen to text. Therefore we don't listen to your phone audio.
There is a small list of reasons why it needs to be "debunked:"
1. Your phone is gathering data that you don't realize that it gathers.
One of the biggest examples of this is real-time location data that is brokered by cellular carriers and sold as aggregated marketing data. You don't have to give your apps permission to do anything like that because your cellular carrier can get that data regardless of your phone's OS.
2. Your phone is gathering data that you gave it permission to gather, perhaps gathering it in a way you didn't think it would do.
For example, let's say you give an app permission to read your entire photo library so that you can upload a photo. But since you gave it that permission on the OS level, it might be uploading more images than you explicitly select. Another example used to be clipboard data before the OSes asked permission for use of the clipboard. One last example is text that you enter but do not submit.
Another big aspect of this is that people don't realize how these ad networks work in real time. It's not a slow thing for an advertising company to learn something about you and react accordingly, it can happen in a few short seconds.
3. The average person doesn't have any comprehension of how easy it is for data science practices to uncover information about you based on metadata that seems benign or that you don't know exists.
Most people don't understand how your behavior in an app can be used to tell the company things you like and dislike. The TikTok algorithm is a great example, it can tell what you like just by extremely subtle inputs, how you swipe, how long you watch the video. A lot of people don't realize how many things about them aren't particularly unique and how many preferences can be tied to a really specific persona that you fall into.
A real world example of all of this put together is that I was spending a lot of time browsing appliances because I just bought one, and I went to physically visit a friend. We were talking about my new appliance, and later they got ads for that specific appliance. So, the person's reaction would naturally be "it was listening to us!!" but in reality, it is more likely that our cellular carrier or carriers knew we were physically in the same place and reported that piece of information to some kind of data broker. Consider how there are a limited amount of cellular carriers, that location data may not have needed to even exit the cellular carrier to sell this data to someone. I.e., if we both have the same cellular carrier, our company already has that information and it isn't selling it to another company, it's perhaps just telling a data broker that Person A and Person B interact with each other.
Just note that I'm not claiming this is exactly how it all works as I'm not in that industry, but the general ideas here apply. The general takeaway is that literally recording audio with a microphone just isn't necessary to derive hyper-specific things about people.
That's much worse compared to listening for keywords. You're looking up men's enhancement products and every time you enter a room all ads on everyone's phone change to those products?
While I don't agree with these sorts of industry practices and believe the US needs a universal data privacy law, I don't see how matching up some relatively impersonal metadata could be considered worse than directly listening in to private conversations.
The advertiser trying to sell my friend appliances didn't really get a lot right about them. They're a renter and the advertiser thought they’d like to buy a major kitchen appliance just because we were in the same location.
If they were able to listen in to our conversations they wouldn't have sent them an advertisement at all.
This assumes that companies such as TikTok control their timeline up to the individual post, perfectly analyzed in order to extract your unique traits, and they have specific ads lined up for you.
Where - in my view - their timeline is just a bunch of random submissions. TikTok is just trying to sell ads and will try anything to match your profile to one of their active ad campaigns so they can bill their client more.
Think of it like an attacker (the app) would breach a cryptographic target (you and every other user of the app). The attacker starts to send random messages or try to mess around with signatures/tokens/APIs and listens for errors, timeouts, spam filters, possible side channels until it learns enough to figure out how to predict how the system will behave and maybe even to influence it.
Both in the analogy and with the timeline it does not matter if you mix a few random messages between a test and another as long as you comprehensively keep track of how the target behaves.
Every interaction is a data point, some data points are more useful than others but none is useless
I'm confused at what you're claiming here. Yes, the submissions are rather random, but TikTok definitely figures out what type of content you like and what advertisements are most effective.
Your feed is almost certainly personalized up to the individual post, but I think if we are making an analogy to human curation it's certainly not working the same way behind the scenes.
I can just say that I knew an entrepreneur in early post Y2K who developed apps to track music played in clubs in SF for folks like ASCAP, BMI, and SESAC. They gave out "free" phones (these were the small expensive candybars and nice flip/slideups) to the influencers of the day. They compressed the audio for orthogonality, and had a huge number of hashes to match. If they got more than a few consecutive matching hashes at a location that wasn't paying royalties, they got an enforcement call.
So the idea that it takes a huge amount of computing resources, battery life, permissions, or bandwidth to do matching of keywords is hilarious. That's what "siri", "hey google", "alexa" etc are all doing 24 hours a day. Just add another hundred and report them once an hour. You don't need low latency. It's just another tool in the bag!
Of course the cat food example is bad, because if they weren't looking for that you wouldn't get a response. Who would be willing to pay big for clicks on cat food. Now bariatric surgery? DUI? HELOC? Those pay.
> That's what "siri", "hey google", "alexa" etc are all doing 24 hours a day.
You might have just convinced me that the “phone is listening” is total bunk, because these dedicated devices are just so bad at recognizing the very specific, short, phrases when explicitly directed at them that I can’t imagine they are listening for much more.
Listening to my in-laws try to activate their Alexa and Google Homes is something the CIA might consider for their next torture method.
You expect 95% accuracy matching activation phrases. You don't need that for ads. It only needs to work some of the time for some of the people, especially if it makes $/click.
> So the idea that it takes a huge amount of computing resources, battery life, permissions, or bandwidth to do matching of keywords is hilarious.
I also knew an entrepreneur who tried this same thing, but with TV shows.
Fingerprinting specific audio is a different algorithm problem entirely. You only need to sample a short section of audio every few minutes and then process the spectral peaks, which are fingerprinted against a database of known samples.
This is how apps that name a song work. It’s not the same as constant full speech to text.
But you’re skipping the key part of the story: They had to hand out phones specifically for this because you can’t get constant audio background processing from installing an app on a modern phone OS without the user noticing.
> That's what "siri", "hey google", "alexa" etc are all doing 24 hours a day.
Again, wake word monitoring is a different algorithm. Monitoring for a wake word is a much simpler problem. They’re not processing everything you say, converting it to text, and then doing a string compare for the wake word. It’s a very tiny learning model trained to match on a very specific phrase, which might run at a hardware level.
I agree it's a different algorithm, but not a higher powered one. You don't need to know context to get HELOC, Bariatric, or DUI. You also don't need 95%+ accuracy for 95% of the population. You're just doing advertising.
Doing 100 different matches updated frequently is an entirely different problem than matching a single wake word that isn’t changing.
Regardless, this would require so much coordination, network traffic, and on-device code that could be reverse engineered that you’re implying that nobody has ever found a hint of it existing and no employees of these companies have ever leaked any hints of it existing.
It’s very much in the domain of conspiracy theories.
Well, actually when you're hash based doing 100 different matches is the easy part. I'm not sure you know how steep FAR/FRR curves are for >99%/95% single word accuracy, but having seen wake word development it's easily 100x harder than 95%/90% accuracy and none of the heavy calculation other than voice compression needs to be done locally or in a short time period. The network traffic is literally a few hundred hashes downloaded and hundreds of bits of hash matches a day (~1kB).
Even in the article there are multiple reports of it that are dismissed, and even though reverse engineering larger apps on iPhone/Android is certainly possible, with obfuscation searching for yet another hash table matching or simple voice compression is also quite difficult. Where are all the other articles reporting on the reverse engineering the very screencap apps this article talked about? Are they also just more well documented conspiracy theories?
Frankly, your best argument is that nobody is selling this as a product. So maybe there are easier more effective methods, but not because it can't or hasn't been done (since it literally has and it's been reported). It's kinda the opposite of a conspiracy theory. You have to assume that everyone capable with a vested interest won't do it, or that all of them will be caught, or that making money with ads becomes unpopular.
What kind of keywords would you imagine provide an actual, profitable advantage to an ad company? I can't imagine "computer 2", "fridge 3", "egg 4" being all that valuable compared to.. literally my whole browser history and my reaction to other ads/videos (I looked at that short for 10s vs immediately skipping builds a very nice profile). And now add i18n in the picture - even the main AI assistant products suck in anything other than English, so this fancy, advanced technology with low return of value would end up with a low target audience as well.
Also, "Siri" and the like ends up waking the main processor, which is definitely easy to prove/disprove. Just talk to your phone continuously for a long time and see if it wakes.
Low, even very low, return of value is not no return. Therefore, given they make some return, and it has some value, that's enough for them to do it.
Ads and ad data are two sides. We are often not the target for an ad, but our data provides stats about how an ad is performing. If more consumers are influenced to spend $1000 on something than not, then it's worth it for them. It's an aggregate cost benefit analysis not how effective it is at the isolated individual level.
Another thing to consider is that we should never fall into the trap of thinking we are immune from influence from advertisers. Firstly, it's basically what advertisers want; it allows more actions like this, more of our data to be sold and secondly because it's easier to influence someone if they think of a decision as their own choice, than if they think they were manipulated into it. We do not remember the ads we see but we can remember that we are all susceptible to influence.
Return of value is with respect to the costs of it. A lawsuit/brand value loss from illegally recording every communication you make (which we would have definite proof if it were happening, given that there are more phones than people on Earth) would far outweigh the tiny benefit (if any? I'm not convinced you would get any extra information in the general case compared to the tracking of the regular usage of your phone)
Also, I don't see the relevance of your second paragraph. The baseline is not "no ads", the baseline is "ads supported by all the tracking that Meta/Google currently does".
Reminds me of something that a Telco exec once said in jest - “A bank can track which hotel you stayed at last night, the Telco knows who you slept with”
The article omits a real, serious source of microphone data though: your smart TV. I know beyond a shadow of a doubt that my TV (a Toshiba Fire TV, although I’m sure many do it) is listening to every conversation I have within earshot, even when I am not using the voice remote, and selling it to ad networks.
And of course it is also doing screen recognition (the kind of stuff OP article mentions), but that is not what I’m talking about. I’m talking about microphone data picking up live conversation from people in the room.
Privacy-seeking users have physically removed microphones from phones. This should also be possible with laptops and televisions.
If Toshiba Fire TV is related to Amazon Fire TV, then it may include Alexa for voice recognition, which could be optionally disabled. In theory, Alexa is only activated after on-device recognition of the configured wake word.
Way back then I exposed massive data collection from Twitter by Google which made it possible to plot locations at which you used Twitter in Google Maps by simply putting your Twitter handle into the search field. Somehow they knew about these locations even when you opted out of sharing location data with Twitter (I checked) -- so this was only possible by Twitter privately providing this information to Google.
This "experiment" has since then been shut down, but exposing this and many other forms of activism permanently has cost me my Twitter account, to the point that asking to reinstate it several times because I was permanently suspended for no valid reason led to X Support directly rerouting every attempt to appeal this decision into the digital trash can.
This one used data shared by the user (opt-in on sharing geolocation in the app or browser), which then is publicly exposed through the API (like this feature says it would).
Mine doesn't give a shit, geolocation was shared even when turned off by the user in Twitter.
Sorry for misrepresenting the functionality of the original cree.py project.
What it does is download all photos that the user shared on Twitter, extract GPS tags from EXIF, and put markers on Google maps, annotated with these photos.
Do note that at first it was assumed just Chrome was involved, but then people started to message me that they also saw it when using the apps, Firefox, Safari and other browsers as well.
By the way: somewhat later we (thanks to a group effort) figured out it wasn't "just" Chrome as mentioned, and this basically led to the strong assumption there was some serious data sharing involved.
And yes that screenshot from this person is 100% real; my pins for example were sprinkled all across Brighton in the UK near places with Wifi access (I recently went on a city trip there at the time), and my home town in the Netherlands.
Tweets were geolocated, with a 'see tweets near me' page until about 14 years ago, so it's entirely feasible that at least some of that infrastructure has survived the feature being removed.
Doesn't every site route every support request for every reason into the digital trash can? You're supposed to just make a new account, using as many mechanisms as possible to make sure the site can't link it to your old account.
A few years ago I tried to create a separate digital footprint from scratch (just an experiment out of boredom when my isp offered a second number for free). I used an ultra cheap never before used android phone and set it up outside my home.
Google went nuts. All sorts of captchas, security checks and attempts to link me to other information popping up on every step. Eventually it wouldn’t let me use the phone unless I provided a credit card number.
Apple secretly linked my account to my >15 year old inactive account as well as another random account that isn't even mine. Nothing happened of it until I let my iPhone sync its settings to a new iPad. The iPad spammed a password input form for my old account that blocked all other UI elements. It didn't accept any password even after a password reset. Took me an hour to make the tablet usable again. The password form still randomly pops up every few weeks and there seems to be no way to fix the mess.
Bonus: the iPad's device name is now "My iPhone" because it also synced the device name from the phone.
I had this same issue. About once a week it would prompt me for the password for an old Apple ID. I eventually started over from scratch to work around the issue.
That's the modern tech landscape for you. They really want to know who you are because they make more money that way. For a similar experience, try Tor Browser.
At the time I am typing this, the title on the page is:
"Your phone isn’t secretly listening to you, but the truth is more disturbing"
Which is presently also the title on this post.
Then as I read it becomes clear that it is merely focusing on Facebook.
However the confusion that may stem from
"Your phone isn’t secretly listening to you"
The blog post never attempts to establish that
your phone is not listening to you, just that some
companies may not be doing it.
The truth is that your phone may well be listening to you.
There is plenty of malware / spyware that uses exploits
to achieve it.
Like the NSO group¹.
Tools to do so can be bought on the malware market from other sources
as well and we must assume that Mossad, NSA, and other major intelligence
agencies have tools that exceed what you can buy on the open market.
Your phone may absolutely be listening to you.
but probably it is not.
In aggregate, your phone is not listening to you, but if you are of great interest to a powerful adversary, it very well might be. But at that point, I would wager that's one of the smaller things on your plate.
If you can’t trust the software, why would you trust the software? Am I supposed to rely on the hope that an attacker can take over some part of the OS, but not the one rendering a tiny blob in the status bar?
That’s cool, but on iPhones, there is no indicator LIGHT. Only part of the screen indicates it. And if they can trigger stuff on your phone, maybe a daemon that accidentally covers that part with black also appears, and you wouldn’t notice.
I think Snowden worked with someone to create a bulky apparatus that you could put your iPhone into and it would measure if any signals at all were coming from it.
“Hey Siri” is activated by the mic, which is always listening, but only for the key phrase. It’s not going through the OS in the traditional sense, hence the “light” only comes on when it starts to listen through the OS.
That seems unlikely, the code to do that would be part of the OS or maybe even part of the hardware, not really trivial things to hack.
Plus, what could a hacker really do with voice recordings that they couldn't do more easily with keylogging? It's not exactly common for people to say their credit card info or passwords aloud, much more common to type it
Yeah, I liked the simplicity of having things on my TV, but I gave up and got an Apple TV box. I was getting way too many "I was just talking about that!" ads on some of the "free" services I was watching old TV shows and movies on. I'm a pretty frugal guy for the most part but buying a separate box that doesn't sell everything you do and say to advertisers is worth it.
> "Apps were automatically taking screenshots of themselves and sending them to third parties. In one case, the app took video of the screen activity and sent that information to a third party.”
> Out of over 17,000 Android apps examined, more than 9,000 had potential permissions to take screenshots. And a number of apps were found to actively be doing so, taking screenshots and sending them to third-party sources.
Which permission is that, and how do you detect which apps are doing that and stop them?
There is a permission to record the screen. It requires user consent and there's an icon in the status bar while it's being used. It's impossible to use this covertly.
What I believe the article is speaking about, is an app taking screenshots of its own windows. This is obviously possible and obviously requires no permissions whatsoever. Just make a screen-sized bitmap and do
If you're going to exploit a privilege escalation vulnerability from your app, why not just grab the most interesting parts of the /data partition while you're at it?
Sure why not. I wasn't implying that a zero day that allows surreptitiously recording the phone screen is the only shitty thing that can be done with your phone with a zero day.
Also, it is possible for a zero day to break specific privileges (like screen record without notification) rather than root.
I think you missed the point GP was making. I believe they meant the vector might come from that kind of SDK. Not that someone who had a zero day to allow surreptitiously recording phone screens would use it for that purpose.
I followed the links to the study they referenced, and it says:
> Unlike the camera and audio APIs, the APIs for taking screenshots and recording video of the screen are not protected by any permission
However they also talk about doing static analysis on 9,100 out of the 17,260 apps, to determine (amongst other things) “whether media APIs are actually referenced in the app’s code”.
They then talk about doing a dynamic analysis to see which apps actually call the APIs (rather than just link to a library that might call it, but the app never calls that function in the library).
The soundbite is bad, it shouldn’t say “had potential permissions to take screenshots”, it should just say “had the potential to take screenshots”
I doubt there's a specific "ability to send surreptitious screen shots to developer" permission. It must be a combination of permissions: one for making network connections, another for capturing the screen without making it obvious to the user, etc.
For apps that want to send their own screens to third parties, there's no permission needed or possible. The app is drawing the content to the screen. It knows what the content is.
If you're trying to track user information (notifications, actual timezone/language, battery level, VPN usage, etc) you can use screenshots of the current screen and open keyboard. You can also see stuff from other apps if the user is using split screen modes or has chat bubbles open. Apps can otherwise only access the data they render.
The research talks about thousands of apps but I do wonder how many of these are apps people use every day and how many are Chinese clones of freemium games and other shitware with a fraction of daily users. All we know from public app store data is the number of "downloads" and even that is distributed as a range. I doubt these 19000 apps were found by doing a survey on what people actually had on their phones.
Probably not, but all the information can be obtained via system APIs. There's no shortage of "system info" apps that show all manner of information about your phone (including battery level and network status), and don't require any special permission prompts.
When it's a developer tool we call it RUM or real user monitoring. It's super useful for solving bugs, but obviously the potential for abuse or user hostile activity is super high.
... and is this permission to take screenshots of anything else you are doing on your phone at any time, or is it permission to take screenshots while you have that app open?
People seem to ignore the cost and accuracy aspects of a phone listening to you 24/7. At least with today’s constraints, it is highly unlikely to be happening.
First, the cost to transcribe audio is not free. It is computationally expensive. Any ad network or at scale service would not be able to afford it, especially in orgs where they are concerned about unit economics.
Secondly, the accuracy would be horrible. Most of the time, your phone is in your pocket and would pick up almost nothing. Moreover, it’s not like you are talking about anything of value to advertisers in most cases. Google is a money printing machine because people search with an intent to buy. The SNR of normal conversation is much much much lower. That makes the unit economics of doing this much worse.
Third, it would be pretty hard to not notice this was happening. Your phone would get hot, your battery would deplete very quickly, and you’d be using a lot of data. Moreover on iOS you could see the mic is being used and the OS would likely kill the app if it was using too many resources in the background.
So until we find an example of this actually happening, it’s not worth worrying about.
For all of these reasons, audio snooping is much more likely to be something done by wired, stationary devices that maybe have a decent amount of RAM + a fair bit of usually-idle processing capacity (to run the transcription model locally and just push the resulting text), and which are expected to draw a decent amount of power and use the Internet at vaguely-arbitrary times.
These are all points that were brought up in the article as to why voice recording is less useful than all of the other tracking mechanisms advertisers have available
While I think that audio recording is not a thing, your economic argument is not complete.
What if only the audio of "high value" targets is recorded? Meaning people who buy a lot of stuff. So it might be worthwhile to only record their sounds. Which will explain why random testing (usually with new/clean phones) is never successful in detecting a recording event.
I think this is a genuine concern for prominent people. Like if you are Mark Zuckerberg, there is material interest in a bad actor installing malware on his laptop. But for a random person where you get low value data that may or may not let you better target some low value ads? That is much harder to justify. Would have to reevaluate as things change and the cost of compute goes down.
Television, not phone, but YouTube sure intrigued me at minimum yesterday. First, it revealed pretty clearly that even with history turned off, it will use the history of other accounts accessed from the same IP to serve recommendations anyway. Without history, it turns off the home page recommendations, but when I ran a search, it showed me completely unrelated videos from a rock climbing channel my wife had watched on another account. I have never watched any rock climbing content on this account.
The second incident was the "listening to you thing," though. Not on the phone, but on a smart television. Exterminator was there to do the quarterly spray of my house and I was showing him scars from when I fell off a skateboard trying to bomb a hill I couldn't handle late last year, talking about what happened, and not five minutes later I turn on the television, open YouTube, and the very first recommendation on my wife's account is a video of a guy falling off his longboard at 50 MPH. Not like it's some kind of secret that we both skate and I watch a lot of downhill videos on this account, but I have never once specifically searched for, watched, or even been recommended a video of a crash, until they decide to do so five minutes after I was talking about it in front of that television.
If what you're talking about is the source of the ad, why did you see the ad yourself? Were you shouting about ear wax removal at your phone?
There are millions of ways the adware running on your phones could've correlated your profile and spread the "infection" to your friend. Basic location access being the most important one, but sharing an IP address (your friends' WiFi?), being near the same Bluetooth beacons, having the same stored SSIDs, or mere coincidence that your friend saw the same ad targeting a wide demographic are much more probable than "my phone is listening 24/7".
Yep. They 100% do not share an interest in ear wax removal, or had a medical need of that nature.
Why do you think I would put up a comment on HN of all places, with this degree of confidence?
> tested with other ads…
If I knew that this was going to be needed to study, 5 years into the future, I would have conducted a double blind study. Sadly I could not; however, it’s still fun, so we can always replicate.
The question is, have you found a horrid ad yet? Side note, this was in the UK
I was kidding… Of course you and your friends share some demographics and interests, making it unsurprising that you’d get similar ads.
> The question is, have you found a horrid ad yet? Side note, this was in the UK
The question is, why does it have to be a horrid ad? Does the phone only listen for things about horrid ads to show you?
You have to know that your phone isn’t listening to you right? That it’s just a coincidence and that when you’re told to be on the lookout for an earwax ad that you’re more likely to see one, right?
You can’t be 100% confident about what you’re saying and it horrifies me that people go through such lengths to protect these… ad companies? Oh you’re just bringing some sense to the situation, right? Ad companies are the sleaziest of them all and I would not be surprised if they did stuff like this. Smart tvs, dishwashers that NEED wifi to get full functionality, phones always with me and (especially android) users accepting everything willy nilly…
Your phone might not be listening to you straight out of the box. Might. You don’t know for sure, nobody here does. Why err on the side of blissful ignorance? And then you accept 10 end-user-agreements you don’t read, install dozens of apps you don’t read the small letters of… and you think nobody had been listened to?
It’s a bigger chance it happens than that it doesn’t, in my mind. I haven’t been able to catch it using mitm proxies, but I’m not the best at that, and I haven’t a pretty virgin iphone on purpose.
> You can’t be 100% confident about what you’re saying
Yeah but I am.
If you tell me a story about your phone listening to you that you absolutely swear is true, I know you love the idea of conspiracy theories and would laugh at someone who believes in astrology. But they’re the same thing.
It’s fun to see coincidences. It’s fun to think you’ve outsmarted the man. But that’s all it is — fun.
It’s not real.
> Ad companies are the sleaziest of them all and I would not be surprised if they did stuff like this
OK prove it.
> It’s a bigger chance it happens than that it doesn’t, in my mind
OK, should be easy for someone to prove then.
Is it really more likely that this thing is happening that nobody has been able to prove or that people like to see patterns to explain the weird things in the world?
> I haven’t been able to catch it using mitm proxies
Shocker lol.
But should be easy for you to find someone who has caught them red handed, right?
Man, without getting into the specifics, the vast difference in medical habits because of gender, activity levels, and the fact that I had an unusual condition which caused me to look into this, IT'S EARWAX removal for fs sake.
What, are you saying that there is an ASMR or god knows what community that focuses on ear wax?
I never got those ads in my LIFE, until I had a medical need. Have you?
>why does it have to be a horrid ad?
Because I choose horrid ads to mess with my friends? You could try for adult teletubbies, lord knows that might exist. Whatever floats your boat, I say.
You seem to have some horse in this race, or some larger level of commitment than the simple joy of messing around with this should entail.
And holy hell, I had an example of a medical condition, an ad, in the UK, discussed in a bloody field, with no towers or other devices to listen in, and the other person did not have the same medical condition.
And yet this is not enough. And all you have to do with this, is try it out yourself. Hell - I am even suggesting this in a manner that is open to being a fun lark with friends.
I am by far the largest black hole of joy amongst the stellar folk in my orbit. This conversation is invigorating, in that you are near certainly part of my tribe.
She wouldn't because she has much better things to do in life. Matter of fact, it's an ad you would never look at, just because you don't even have a need for it.
She just spent time in the park listening to you shout about it for an extended period. And she's on YouTube enough for her to be annoyed by it so it's not like she doesn't have the opportunity.
At one of my previous companies we made a moderately popular mobile app SDK that app developers would embed in their apps. We were approached by a company that claimed they had an MIT-developed (or was it Bell Labs?) audio recognition technology similar to Shazam, but orders of magnitude more efficient, that would be used to recognize audio from ads and record when a user was exposed to a TV or radio ad for tracking purposes.
I don’t remember the name, that was at least 10 years ago before Apple started enforcing permissions on microphone access and showing an orange dot, but they wanted to do a revenue-share deal in exchange for us quietly bundling their SDK inside ours.
Needless to say we turned them down so we never learned more or tested the veracity of their claims, but there are some really sleazy companies out there. Modern smartphones have sufficient horsepower to do the audio processing on-device so the argument that this would show up in network traffic does not hold.
One time my wife and I had a random conversation, utterly random, about cat hamster wheels. Like, why doesn't that exist? I got an ad for it the next day (it exists).
I don't believe that my phone is not listening to me and I challenge you to choose a random word out of the dictionary and say it 100 times in front of your phone.
>I don't believe that my phone is not listening to me and I challenge you to choose a random word out of the dictionary and say it 100 times in front of your phone.
The person making the claim should be responsible for furnishing the proof. If it's really so simple to prove, why hasn't anyone done a carefully controlled experiment proving this once and for all? At the very least, it'd move us beyond vague anecdotes on social media.
>One time my wife and I had a random conversation, utterly random, about cat hamster wheels. Like, why doesn't that exist? I got an ad for it the next day (it exists).
Your wife probably googled them as soon as you were done talking about them and then you using the same network got an ad for them.
A few times per year I similarly have a conversation with my wife at night (lastly about a hair type) and the next morning a corresponding ad was presented to her on Facebook (shampoo). Only her Android phone was in the room (open, logged in to Facebook in Chrome, no app).
I definitely believe they hear us but they trigger the action with care and selectively, so as not to get caught (eg to low tech people, when the ad is very relevant to the need etc).
I am astonished that nobody has ever done reverse engineering research on this yet.
The thing is, it's not even people doing the correlations. Just like transformers can learn most of human knowledge just by trying to predict tokens, I would not be surprised if the ad-serving machine learning systems have learned about people in similar detail.
State of the art about 10 years ago was 4 9s of accuracy predicting click-through rates from the available context (features for user profile, current website, keywords, etc.), which I interpreted as requiring a fairly accurate learned model of human behavior. I got out of that industry so I don't know what current SOTA is for adtech, but I can only imagine it is better. The models were trained on automatically labelled data (GB/s of it) based on actual recent click-through rates so the amount of training data was roughly comparable to small LLMs.
Recent anecdote; three of us were sitting around the kitchen table with our phones out chatting about an obscure new thing that had come up; it appeared in one of our FB ad streams pretty quickly.
My top guesses about how this is possible today:
1) Apps routinely link many third-party data gathering and advertising libraries. Any of these libraries could be gathering enough contextual data and reselling it to make a correlation possible. It's not just obscure thing A that triggers an ad, it's highly correlated mixtures of normal things X, Y and Z that can imply A.
2) Other friends may have talked about the obscure thing recently and social network links implied we would be aware of it through them.
Distant 3) The models are actually good enough to infer speech from weird side-channels like the accelerometer when people wave their hands when they talk, etc. Accelerometer sample rate is < 1 kHz but over 100 Hz which may be enough, especially when you throw giant models at it.
Since you've provided no explicit counter-evidence, I'm gonna go ahead and say I have four nines of accuracy in predicting that your smartphone was squarely in the dependency chain of any "obscure new thing" you could have imagined discussing.
This fact is important, because if an app were accessing a microphone and sending the audio to a cloud server for analysis there would be detectable traces of data consumption.
Because that's not how it works and companies like Meta know this when misleading its users about their privacy.
Speech-to-text transcription is handled on your device. They never transmit the raw audio, there's no need to. A compressed text transcription of your conversation would only generate a few kilobytes of data. You would never notice it.
And the mic needs to be active in order to receive legitimate voice commands. If it can respond to your voice, the microphone is on and listening. That's the only way it can work.
This partly explains why the recommendations I receive don't feel like mine.
Multiple times, it's been obvious that the suggestions were pulled from other profiles and I could even tell whose.
My hypothesis:
* The algorithms have linked my account to some others.
* They then serve me the embeddings extracted from those profiles. The near-real-time nature of this has crossed my mind more than once.
It's really unsettling, and afterwards I feel uneasy about any recommendations (all Google services, Netflix seems problematic too, not Amazon).
YouTube seems to have some hidden knobs for tuning this behaviour: after multiple negative feedbacks, the problematic content disappeared from my front page. However, the recommendations on the right-hand side of individual videos remain problematic, and the automatic playlists of YouTube Music are still strangely disturbing (even after multiple negative feedbacks).
> User permissions for a large number of apps were all enabled
This says it all. Privacy is not by default, because of soulless mega corporations, including HN which has an extremely invasive privacy policy. If you don't actively take steps to improve your privacy, they will continue to exploit it. Use GrapheneOS, it is the most private and secure mobile operating system. Nothing happens without your explicit permission, the way it should have been from the beginning.
These discussions seem to come up frequently lately. Both /e/OS and Lineage with microG provide good enough privacy for those who can't afford high-end smartphones like the Google Pixels.
The ranking would probably be:
- Pixel on GrapheneOS
- Any Android smartphone on Lineage or /e/OS
- iPhone on recent iOS (the best choice for technically illiterate people)
People concerned with privacy should avoid stock Android phones. Additionally, software only goes so far in protecting privacy. Some hygiene is also required, especially with iOS, where everything is sent to iCloud by default and E2E encryption is either not enabled by default or not available at all in some countries.
When it comes to hardware, nothing really compares to the Titan and T2 chips found in Pixels and iPhones though.
None of those operating systems does anything for tracking/advertising SDKs in apps, which is most of where the data leaks are coming from, not Google/Apple. Moreover unless you're willing to go no proprietary apps (i.e. most apps people actually use), you'll need Google Play services, which means Google can still collect data on you.
Those distributions either use neutered Google Play Services through a stub reimplementation (microG), or rely on sandboxing (GOS).
Either way, Google can only collect limited data on those distributions, and you have control over them. Concerning tracking applications, yes, some hygiene and good practices are necessary, the OS can only go so far.
>Not only does the system know exactly where you are at every moment, it knows who your friends are, what they are interested in, and who you are spending time with
This actually makes sense of an anecdote a colleague uses to say that he thinks his phone is listening to him.
I am a keen skier. He used to ski a lot, but hasn't been for several years. Around the start of ski season this year, we talked about my plans to go skiing that weekend, and later that day he started seeing skiing-related ads.
He thinks it's because his phone listened into the conversation, but it could just as easily have been that it was spending more time near my phone (I had only recently started at that job) on which I regularly search for skiing-related things like conditions reports and directions to ski areas.
> but it could just as easily have been that it was spending more time near my phone (I had only recently started at that job) on which I regularly search for skiing-related things like conditions reports and directions to ski areas
Bingo! This is most certainly what happened.
I’ve spent time trying to convince my friends that their phone’s microphone is not constantly listening and running sounds through voice recognition software to isolate their voice (so the individual who owns the phone can be advertised to), then through sentiment analysis software (to inform advertisement bids), all without meaningfully affecting battery life. That is usually an uphill battle but explaining location services and the fact they don’t know what I’ve searched gets the point across better. (It is actually creepier.)
You were probably in the same place using the same IP address, and both browsed - doesn’t matter which sites you both visited, the trackers have you. You might have shown him where you were going. Ad trackers thought “I’ll serve ski ads to people that were on that IP address because somebody else looked at xyz”.
It says "screenshots of themselves". The application is responsible for rendering the screen in the first place so it fundamentally doesn't need a permission.
Now, what could reasonably be a permission is "access the internet", but our overlords don't approve of that thought.
(Contrast this to web pages, which do not render themselves and thus can sensibly be blocked from screenshotting)
For an increasing plurality (possibly even majority at this point) of sites where the purpose is not purely to read text, this is effectively equivalent to saying "you can just not use the site."
All I/O (including timing, date/time, internet, and everything else) should be behind permissions (although some may be permitted by default, they should still be overridable). Furthermore, all I/O should allow the user to program proxy capabilities (which can be used for testing error conditions, as well as for privacy and security, and for finer permissions, and logging, and other stuff).
However, if an app wants to make a screenshot of itself, then it could do so by emulation of itself (so no permission is needed), as long as everything it displays is rendered by its own code rather than calling other functions in the system to do so.
> As far as anyone could understand, the proposed CMG system wasn't listening through a phone's microphone 24/7, instead it was using those small slivers of voice data that are recorded and uploaded to the cloud in the moments after you activate your voice assistant with a "Hey Google" or "Hey Siri" command.
That's not quite accurate. The CMG thing was very clearly a case of advertising sales people getting over-excited and thinking they could sell vaporware to customers who had bought into the common "your phone listens to you and serves you ads" conspiracy theory. They cut that out the moment it started attracting attention from outside of their potential marks. Here's a rant about that I originally posted as a series of comments elsewhere: https://simonwillison.net/2024/Sep/2/facebook-cmg/
The "Hey Google" / "Hey Siri" thing is a slightly different story. Apple settled a case out of court for $95m where the accusation was that snippets of text around the "Hey Siri" wake word had been recorded on their servers and may have been listened to by employees (or contractors) who were debugging and improving Siri's performance: https://arstechnica.com/tech-policy/2025/01/apple-agrees-to-...
The problem with that lawsuit is that the original argument included anecdotal notes about "eerily accurate targeted ads that appeared after they had just been talking about specific items". By settling, Apple gave even more fuel to those conspiracy theories.
I wrote about this a few months ago: https://simonwillison.net/2025/Jan/2/they-spy-on-you-but-not... - including a note about that general conspiracy theory and how "Convincing people of this is basically impossible. It doesn’t matter how good your argument is, if someone has ever seen an ad that relates to their previous voice conversation they are likely convinced and there’s nothing you can do to talk them out of it."
... all of that said, I 100% agree with the general message of this article - the "truth is more disturbing" bit. Facebook can target you ads spookily well because they have a vast amount of data about you collected by correlating your activity across multiple sources. If they have your email address or phone number they can use that to match up your behaviour from all sorts of other sources. THAT's the creepy thing that people need to understand is happening.
"Convincing people of this is basically impossible. It doesn’t matter how good your argument is, if someone has ever seen an ad that relates to their previous voice conversation they are likely convinced and there’s nothing you can do to talk them out of it."
It sounds more like we have evidence of what we believe, you think we should toss the evidence for your counter-theory, and people won't do that. We also have an effect where tons of people experienced this. You want us to toss that, too.
"You don’t notice the hundreds of times a day you say something and don’t see a relevant advert a short time later. You see thousands of ads a day, can you remember what any of them are?"
On Facebook, during one period this happened, they were only showing me ads for Hotworx and a massage place every time. Trying to stay pure minded following Jesus Christ means I avoid such ads. So, it was strange that it's all they showed me. Then, strange the only break from the pattern was showing unlikely topics we just talked about in person.
So, I'm going to stick with the theory that they were listening since it best fit the evidence. I don't know why they'd do it. Prior reports long ago said they used to use ML (computer vision) to profile people outside of the platform who showed up in your pics.
I'll note another explanation. Instead of always listening, they could have done it to a random segment of people who were rarely clicking ads. Just occasionally, too. We wouldn't see the capability in use all the time. A feature tested or used on a subset of users.
Also, these companies keep spying on us in increasingly creative and dishonest ways. If anyone is to be blamed, it's them.
My younger bro is convinced phones are eavesdropping on conversations and got particularly paranoid (I thought) a year or so back in regard to talking in earshot of his phone.
His evidence is empirical - apparently he gets pretty high with friends and shit talks - but when the search started to suggest some pretty way out things along the same lines, he landed that their conversations weren't private any more.
So I have an understanding of how much tracking is going on so I pressed him on that. But he assured me it was stuff he would not even bother to look up in a clearer mindset and of course smoking recreationally for a very long time knows not to go near some tools that could land himself in trouble or awkward explanations. That's probably true, he says a lot of stuff that a half decent search would put him straight. In the end I just figured loose permissions of one of the many apps he's installed and that's how they (the app) make their money, selling illegally obtained data to more legal sources.
Permissions are the problem with Android phones - there needs to be a specific install route for users, one that when the app starts asking for things it should not need to have access to, the installer refuses to install and suggests the user look for something better. Camera apps for example really don't need access to communication channels, if it's updates it needs, it can ask - one time access.
Something I discovered when going down this rabbit hole is that if you had that conversation in your house and your visitors have access to your wifi, it may be that they performed the search without you knowing, and your ISP connected that data to you and sold it (as they do).
DNS lookups are still frequently in the clear, and even if they're not, that just means you're trusting some DNS-over-HTTPS provider. The incentives are perverse.
And of course whoever you are performing your search with, like, oh, an ad company like Google, Meta, or Facebook? They just might use that search data for something.
Exactly. Google or Meta can correlate behavioral data like this. Your ISP cannot do that by intercepting your searches.
I care about accuracy when it comes to privacy conversations. I don't want people wasting their time on theories that aren't true when they should be focusing on the real issues at stake.
For what it's worth, the ISP may not know the search terms entered, but it can see "google.com" followed by "itchybuttcream.net" when people click the first results. The data will grow more granular over time as users click the second or even third result on Google.
On WiFi you control, this risk can be mitigated (force DNS to your own server that uses ODoH or similar) but for most people ISPs are still sitting on data gold mines obtained from passively observing DNS.
It's not the ISP that's connecting you together, it's google. If two people are on the same network and one of them is searching for something, it's going to affect the other person's ads too.
His phone would have to be running a hotspot for any visitors (in many parts of the rural area in my locale, mobile data is it for the internet) but if any visitors were with the same carrier network, visitors could have searched. However it's entirely improbable any of his buddies would be on their phone while they're there unless it was a legit interest. Secondly this is stuff from what I gathered, some of it is stuff that no one would really even think exists - it's shit talk speculation that's out past the black stump - no one once they're back to earth is ever going to bother to look up even a small aspect of it.
In his case a realistic answer falls towards loose or sneaky permissions in regard of an app that has slipped through and allowed a weird conversation to influence suggestions in internet activity later on.
However for more grounded subject matters, the more probable strange coincidences falls to queries and visits to the net being scraped by external API and content (fonts scripts etc) providers. I've no idea how much meaningful info would normally be shared between the site and third party providers that seemingly need to be contacted while a site loads.
I’m basing my reasoning on the assumption that advertisers (such as Google, Meta, TikTok) are aware of your location at all times. (See: https://news.ycombinator.com/item?id=42909921)
Based on this assumption, it wouldn’t be necessary for any of your friends to search for the topic during an evening together. It would simply be enough that one of the friends showed some interest in the topic prior to the hangout (searched for something, read a blog, stopped for too long on an Instagram reel).
Then, during an evening together, your phones all share the same location (and possibly movement). That’s enough for advertisers to suspect there’s some relationship there. Enough of an association to attempt an ad placement (or instagram reel) for a particular obscure topic.
I'd agree on assuming that certain apps do or try as best they can with an aim to track not only location but presence of other wifi and Bluetooth device ids with time stamps, to help build patterns and a unique fingerprint for marketing purposes - on the basis it can once the app is given (accidentally perhaps) the necessary permissions.
As such, if location or device id data were available to build a larger picture, for any sort of common topic I'd agree the advertising could easily be a result of data analysis of various subsets of phones in a given region, applying algorithms and feeding it back into search results.
However like I said, the stuff was apparently way way out there zany - he assured me he would never bother searching for it. So zany in fact no one would ever bother. For all I know he may have ruled out other people and have just been talking to his pet dog and various other tame native animals that hang around his verandah. I would tend to believe way way out there as after a small smoke around me he's dribbling worthless bs. There's no low bar on my part either - something like if polka dot dogs exist I could accept as something that might / could be searched the next day by anyone who was involved in such an out there conversation, and as a result skew search results.
Anyhow I'm settled on it's one of the many worthless apps on his phone that exists because a website is not desktop friendly - as they say if the service is free, you're the product ...
> Apparently he gets pretty high with friends and shit talks - but when the search started to suggest some pretty way out things along the same lines, he landed that their conversations weren't private any more.
I had an experience like this several years ago. I was having dinner with a customer, and one of the guys brought up this story about how he went to school with someone who got caught cheating on Who Wants to be a Millionaire. Later, back at my hotel, I pulled up YouTube and the first recommended video was of the guy who got caught cheating on the game show. I had not searched for this during the conversation (or prior) nor do I watch game show videos on YouTube, or cheating scandal videos on YouTube.
Here's what I think happened: somebody at the dinner googled it, and the video got recommended based either on geo-location data (we were in close proximity) or because the person who googled it was in my phone contacts, or maybe both. But, I don't think Google/Youtube was recording anyone's conversation to make that recommendation.
Anything is possible, but he didn't start the conversation about cheating. Someone else brought up something to the effect of they thought game shows were fake, then he told his story and a third person at the table searched for and showed the video.
> Permissions are the problem with Android phones - there needs to be a specific install route for users, one that the app starts asking for things it should not need to have access to, the installer refuses to install and suggests the user look for something better. Camera apps for example really don't need access to communication channels, if it's updates it needs, it can ask - one time access.
I definitely don't want my phone making those decisions for me; I want my phone enabling me to make decisions. The app asks for permissions, I say no, and, rather than ratting me out to the app, my phone does its best to pretend to the app that it (the app) has the permission it wants, say by giving an empty contact book or whatever. (I know rooted phones can do this, but it shouldn't have to be something I have to fight my phone for.)
This matches up with my exact thoughts too. My old phone was an Android, and it was quite old in that the manufacturer hadn't updated it in a while. There were times when speaking about something would give me ads relating to it on Google, or posts in Instagram's case.
Then I got an iPhone and it stopped completely. My wife has a newer Android phone and the same things happen to her.
Now, I swear I read a few years ago that Facebook have teams to deliberately look for vulnerabilities to exploit, as well as things such as this: https://x.com/ashk4n/status/1070349123516170240.
So my personal conclusion(s) is this:
1. There are vulnerabilities in older (if not current) Android versions which companies like Meta exploit to eavesdrop at all times, or at least while the app is not closed.
2. Most people just provide the 'While using the App' or 'Always allow' permissions for the microphone/camera, so this basically gives permission for them to do that regardless, even if it's not what those permissions were requested for (sending a voice message, taking a picture to post etc), BUT now there are status lights for when apps are using the microphone/camera which I never noticed being activated on my wife's phone when using it, unless for the correct reasons.
Between all the apps people use daily which is pretty much Instagram/Twitter/TikTok/WhatsApp, microphone permissions tend to be enabled, and if they are, then most of someone's screen time is on an app with those permissions. Not to mention the 'Google' app on Android phones which seems to have every single permission enabled at all times that perpetually runs.
Sorry, but I'm not buying the "someone else in your home searched something similar" or "ads are so advanced that they can predict what you want" etc excuses. I'm extremely careful with what I search. I have never experienced this once I switched to an iPhone, but I have experienced it too many times when on Android.
He’s right and everyone knows it. It's pretty blatant and there have been lawsuits settled rather than go to a trial that would surely reveal the extent to which this thing that’s obviously happening is happening.
Searching for that phrase now shows your blog post as the top reference, and the AI overview now says it's a "nonsensical phrase used to illustrate how search engines can generate misleading or fabricated explanations for arbitrary inputs"! :O
man google's ai uses context clues better than some people I know. I kinda wish it wouldn't though, because it gives somewhat real sounding answers to things like that that actually have a different meaning because of historical and cultural context that it's not aware of. it should let you know when it's making something up using its limited awareness of word meanings vs something that's an actual phrase that people use.
lol so it's getting that bad. Assigning meaning to random phrases is BS. If it keeps on going it'll start attributing meaning to misspelled words.
LLMs are only as good or bad as they are created - or their function / parameters? Google got real sad mid 00s - it's all about the money now isn't it.
Yes people are creative and time to time come up with phrases, comments or sayings that catch on. It's how popular jokes start out as well.
I'm not sure if you first thought it up or just repeated the term - as I see simonw meaning-slop link was posted as a separate post at HN 2 days ago.
However it's certainly bad when some piss poor LLM starts flogging some nonce as a meaning. For example when using less well documented idioms or terminology - google sadly isn't that great any more at finding stuff, so ... not good if it just makes stuff up instead. New creative stuff, sometimes people can get the gist of it but all the same no one wants the likes of a search assistant vomiting all over it.
It is irrelevant. The suggestion that spying is for advertisement makes no difference.
That idea only exists to create fake two-dimensional anti-capitalist rhetoric, which is a rhetoric easier to put down than the fact that privacy does not exist anymore.
So, I am supposed to do this. To "correct you" and look very lunatic.
It serves, however, a very specific goal. First, it cannot be copied en masse. If this behavior is copied (even as a meme), it implies doom to the easier to defeat anti-capitalist rhetoric and the birth of a true 3D anti-capitalist rhetoric. It can only be mocked (smoking guy pointing to a conspiracy board), but that mockery is getting real serious real fast now.
Can I dive deeper into the mechanics of how this is gonna go?
We had so many chances, of doing good. You all had so many chances.
The iPhone has dedicated low-power on-device hardware that is trained to pick up "Hey Siri" exclusively. It only wakes up the rest of the device and captures additional audio after that wake word has been triggered.
If "the truth is more disturbing", then why do people seem to care about "secretly listening" but not about "the truth" (data collection)? Perhaps because the US has state and federal laws against wiretapping. Perhaps the difference is consent. Arguably so-called "tech" companies have obtained consent to collect data ("the truth"). But have they obtained consent to "secretly listen" to private conversations?
Pretty much every time I add a new contact to my phone I start to get really strange ads online. I figured it out when I added a guy who's retiring from the army. I started getting retirement ads for soldiers.
Then, I add a guy I loosely know and what do I start seeing? Cocaine rehab ads. I shit you not. It's not hard to argue that this is more than a minor privacy violation.
The phone is listening. Services like Shazam and Alphonso are constantly fingerprinting audio from the mics and sending these fingerprints up for "matching".
What are they matching against? Against key "content".
To check if the fingerprints from your phone mic match the "content" they have to do some kind of nearest neighbor search. What if the fingerprints aren't super close but they're somewhat close? To "content" related to certain products? Should we send the ad?
What if employees at Alphonso and Shazam _know_ that the fingerprints from your phone aren't quite close enough to have been generated from key monetizable samples of the "content", but also know that they are close enough to be effective? At targeting potential buyers?
Who decides how close is close enough? What's the ethical threshold here? And what's the most profitable threshold?
> The phone is listening. Services like Shazam and Alphonso are constantly fingerprinting audio from the mics and sending these fingerprints up for "matching".
Could you please provide a source for this?
Just on the outset this sounds pretty wild if true. In the settings I do not see any permissions associated with Shazam, and only when I open it do I see the usual microphone indicator light up.
I will say though, it is weird that it doesn't have associated permissions listed, because clearly it can access the mic at least when it's open.
Edit: nevermind, found it, was just super hidden. But yeah, says it can only access it when the app is "in use". Now can it auto launch? Apparently also yes, after boot. Otherwise idk. It's further interesting I cannot tweak any of these permissions.
Edit #2: now it says that notifications are enabled for it, but then i check, and they aren't. i exercise the toggle, now it doesn't say that anymore, and the mic permissions are no longer hidden? Samsung please...
No amount of years in tech will rid me of tech pains it seems.
> Pixel phones have a built in background audio fingerprinting service called "Now Playing" which can operate constantly.
That's interesting. Although can and does are very different things - appears to be a feature you turn on yourself. Upon a surface level research, I also found it to rely on an offline music fingerprint database, suggesting it doesn't retain and send off the audio it records, or metadata it extracted from them.
> Shazam has an "auto shazam" feature you can enable for constant background listening, since 2016 at least!
I get all the proximity-based aggregation, and creating graphs of relationships to leak content between personal "algorithms" (dislike that wording but that's the colloquial usage), and tracking between sites + social networks, and all the basic stuff ... but can somebody explain how I immediately get served ads relevant to text typed into (presumably-encrypted) iMessage conversations?
I also have a couple distinct memories of getting served ads for products I've never searched for or never bought before, after I either bought it in a store or, even weirder, literally just picked it up, looked at it, and put it back on the shelf in a store?
I can craft some kind of super-surveillance-state theory as to how you could achieve that, but it feels very unlikely to be deployed at a small CVS lol
Anyways, these might just be coincidences but still perplexing to understand how it's done.
My guess on iMessages is that the ads are actually tracking your friend (or other person at your location) looking up details/a link to use in the iMessage conversation. And that only works some percentage of the time, but that's the percent you notice.
Nope, regular iOS/macOS on all ends. Literally just stock Apple Messages on devices. I just notice sometimes topics will come up (what appears to me to be randomly) and then relevant ads and/or content will appear on Instagram or web.
I guess it's possible that, to me, it appears "organic" (ex. somebody just mentions Taco Bell or whatever) but they had actually been searching on their device, and since our digital proximities are known, the next thing you know I'm Living Más lol
If you have specific situations where it's reproducible, you can record your DNS and connections on local network and try again. You can only prove/disprove that with enough experiments.
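Added example, not part of any comment in this thread: one way to run the experiment suggested above is to log DNS queries on your own resolver and keep only the names a device looks up in every trial window but never in a baseline window. It assumes dnsmasq with `log-queries` enabled; the log lines, addresses, domain names and time windows below are constructed sample data.

```python
import re
from collections import Counter
from datetime import datetime

# Matches dnsmasq "log-queries" lines such as:
#   Feb  3 21:05:30 dnsmasq[812]: query[AAAA] name.example from 192.168.1.23
# An optional syslog hostname before "dnsmasq[...]" is tolerated.
QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?:\S+\s+)?"
    r"dnsmasq\[\d+\]:\s+query\[[^\]]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)\s*$"
)

def parse_queries(log_text, year):
    """Return (timestamp, client, name) for every client query line."""
    out = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # "forwarded", "reply", "cached" lines are not client queries
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["client"], m["name"].lower().rstrip(".")))
    return out

def names_in(queries, client, window):
    """Set of names one client queried inside a [start, end) window."""
    start, end = window
    return {n for ts, c, n in queries if c == client and start <= ts < end}

def new_in_trials(queries, client, baseline, trials):
    """Count, per name, the trial windows in which it shows up without
    ever appearing in the baseline window for that client."""
    known = names_in(queries, client, baseline)
    hits = Counter()
    for window in trials:
        for name in names_in(queries, client, window) - known:
            hits[name] += 1
    return hits

def reproducible(hits, min_trials):
    """Names seen in at least min_trials trial windows, sorted."""
    return sorted(n for n, k in hits.items() if k >= min_trials)

# Constructed sample data (reserved example domains and addresses).
SAMPLE_LOG = """\
Feb  3 09:00:05 dnsmasq[812]: query[A] time.example.net from 192.168.1.23
Feb  3 09:10:41 dnsmasq[812]: query[A] api.social.example from 192.168.1.23
Feb  3 09:10:41 dnsmasq[812]: forwarded api.social.example to 192.0.2.53
Feb  3 09:10:41 dnsmasq[812]: reply api.social.example is 198.51.100.7
Feb  3 21:02:13 dnsmasq[812]: query[A] api.social.example from 192.168.1.23
Feb  3 21:05:30 dnsmasq[812]: query[AAAA] ingest.audio-vendor.example from 192.168.1.23
Feb  3 21:06:02 dnsmasq[812]: query[A] shop.example.org from 192.168.1.40
Feb  3 21:20:44 dnsmasq[812]: query[A] cdn.example.org from 192.168.1.23
Feb  4 21:03:10 dnsmasq[812]: query[A] Ingest.Audio-Vendor.example. from 192.168.1.23
Feb  4 21:15:00 dnsmasq[812]: query[A] time.example.net from 192.168.1.23
"""
PHONE = "192.168.1.23"
BASELINE = (datetime(2025, 2, 3, 8), datetime(2025, 2, 3, 12))
TRIALS = [
    (datetime(2025, 2, 3, 21), datetime(2025, 2, 3, 22)),
    (datetime(2025, 2, 4, 21), datetime(2025, 2, 4, 22)),
]

def run_sample():
    queries = parse_queries(SAMPLE_LOG, 2025)
    hits = new_in_trials(queries, PHONE, BASELINE, TRIALS)
    return hits, reproducible(hits, min_trials=len(TRIALS))

if __name__ == "__main__":
    hits, repeat = run_sample()
    print("new names per trial count:", dict(hits))
    print("seen in every trial:", repeat)
```

A name that repeats across trials is only a lead to investigate, and an app that resolves names over its own DNS-over-HTTPS connection will not appear in this log at all.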
Apple settled a lawsuit about Siri ‘unintentionally’ listening. [1] So, yes, they also can likely predict what you want based on all they do openly track… but we can no longer claim that they aren’t listening.
Based on the lawsuit and other sources, my guess is the phones build a word cloud that is then used for targeted advertising. Apple et al. aren’t recording and selling the actual audio… but they are listening.
There's a nation proud of overspinning enrichment turbines with a complicated computer virus that can even work offline. No conspiracy, that's just Stuxnet.
So, when you start learning about tech, you get paranoid. If you're not, it's even weirder.
The fact that someone can target you, individually, is indisputable. Whether it will or not, that's another question.
What I can recommend if you think you are being observed, is to avoid the common pitfalls:
Don't go full isolationist living without technology. That is a trap. There is nowhere to hide anyway.
Strange new friends who are super into what you do? Trap.
You were never good with girls but one is seemingly into you, despite you being an ugly ass dirty computer nerd? That is a trap. Especially online but not limited to it.
Go ahead, be paranoid. When an article comes to probe how paranoid you are, go ahead and explain exactly how paranoid you have become.
But live a normal life nonetheless, unaffected by those things. Allow yourself to laugh, and be cool with it.
Hundreds of clone accounts doxxing me? Well, thanks for the free decoys.
Constant surveillance? Well, thank you for uploading my soul free of charge to super protected servers.
Dodgy counter arguments in everything I care to discuss? Sounds like training.
The paranoid optimist is quite an underrated character. I don't see many of those around.
I also tend to be very skeptical towards popular sayings. Sometimes, they fail.
"true" in the sense you used here. Have you thought about what it means in that context?
We live in an age full of fear of missing out baits and reversed versions of such. There is no sense of "oh, this is good for me" that can be relied upon (implied in the original comment, you are going to find it), although there are sayings.
There is a list of things I keep under profound consideration always.
Information that travels backwards in time is one of them. I have a pretty good idea on how it could be possible and who would have the resources to do it.
God is also another. However, I am a very unorthodox student of religion. I deeply respect anyone that uses it to foster a good behavior. Whoever uses it to trick others, I tend to see more as an act of hostility towards innocent believers. Like, if someone tries to put me into a religion mindset just to fuck with me, it's a dick move.
What I know for sure is that God would not make mistakes. Whatever monitors me, does. It did so many times. I know it embarrasses them. It's delightful in that sense. So, yeah. God might exist, but I ain't talking about it when I describe paranoia.
Another thing that is quite recent in my studies is psychology and how we are all so vulnerable to it. I started to despise it a little bit. How come it never solved so many issues? How come it seems to put them to evidence but not fix them, and by putting them to evidence, make them worse?
Anyway. Do you want even more paranoia? If you like it, I should be supposed to charge for it, you know.
I seem to recall that state of the art audio encoding can compress voice to 8kbit/s which is a single packet per second, insignificant compared to how chatty your device is. Trivial to buffer and send during a period of activity. It sums to 1.7MB over the 30 minute window in the article graphs which should be visible if it is actually counted. Why would apple or google actually make it count though? They want to spy on you either for their own benefit or because the government forces them to. You say you found it taking screenshots and phoning them home. Of course! It is a surveillance device. Is it worse? Maybe. You should consider it sends everything home. Every keystroke, every touch of the screen, every sample of the accelerometers, every sample of audio. Perhaps only the sheer quantity of data in video prevents them from sending it all. Might be "remedied" with 5G bandwidth.
Audio, screenshots, and some of the other stuff I can believe, but I think batteries need a big upgrade before the data snatchers can get away with streaming video, even at a low bitrate.
I'm also not sure how easy keylogging is these days, is there even a permission that allows it? I suppose there are ways to do it with custom keyboards. Google/Apple doing it themselves would be a pretty big deal.
I think everyone acknowledges that Chrome sends every keystroke in the address bar home. I don't keep up with the spyware so perhaps it is now every keystroke in the rest of the browser. It isn't much of a leap further that their operating system does the same.
Knowing how digital advertising works, it's more likely that a payload is delivered to the phone in some app or by os or by browser that has a dictionary of keywords paid for to be associated with specific ad campaigns. If the device detects that term (via sound, search, or media) it triggers a message home as an analytics to target you and your device now calls for those campaigns.
The Chrome Browser can transcribe audio into text, with what I consider good accuracy. It's well out of the realm of a conspiracy theory when it's been demonstrable for a couple decades.
Don't forget energy usage. The phone would need to be on high power mode all the time to run those kinds of algorithms. There's a reason "Hey Siri" has dedicated low-power hardware - it means it can work without burning through the battery.
I’ve said it before and will reinforce it cause once again no one brings it up in the comments. People report the phone is listening to them because they talked about <insert> and now they are seeing ads for it. What they may not realise is they are talking about <insert> because subliminally the ad worked they just never noticed it. Now they have. The ad was there first like a little virus worming in your brain and then you bring it up with friends thinking it an original thought.
I think it would be interesting to try to do a "constructive debunking" - try to build a system yourself that uses a tampered phone and constantly records and transcribes all audio around it, without being obviously detectable by battery drain, CPU usage or network traffic.
Variants/difficulty levels could be about: capture everything, or just keywords? What if you have a million keywords? Transcribe on-device or in the cloud? Can you do it just inside an app or do you need OS support/root access? Etc etc.
Would be interesting to see what can be done at all and how easy or difficult it would be to detect.
Comparing a small project like that with the vast cyberstalking industry we call advertising today isn't going to yield similar results if the conspiracy theory is true. I can make a full tracker that drains the battery like crazy but that doesn't mean the smartypants who know when women are pregnant weeks before they do themselves can't come up with a system that's more efficient with acceptable data granularity.
Worst case scenario you succeed, and you've built yourself the torment nexus. If you publish your results, you'll have to publish the torment nexus to prove you don't have anything up your sleeve, making the world slightly worse for everyone else now that there's an accessible torment nexus ready to go. If you don't publish your torment nexus, nobody will believe you. Hell, if you succeed, you might've actually invented the thing! At best, the result of your success is knowing for sure you _could_ be spied upon any time, anywhere.
There's probably a much easier method to know for sure: work for advertising companies and learn their secrets.
Good points. Though I think there are other options - e.g. build a proof-of-concept in a closed environment, e.g. as a university project, demonstrate it with a small (but still sufficiently large) group of people, so you have witnesses and publish a paper about it.
I know the prevailing wisdom is to always publish your code with a paper, to ensure maximum reproducibility, but this would be a valid case where you DON'T want to make reproducibility easy.
It's essentially the same dilemma that security research already has today: You want active research into vulnerabilities to be able to close them, at the same time you don't want people abusing your research to exploit them.
There is also the point of how feasible such a system would be to deploy on new phones. E.g. if you require a rooted phone and a custom Android image, chances are relatively slim your system will be used in the wild.
If our popular phone operating systems were worth anything and actually acted as an agent for the user that owned them, they'd allow anyone to easily track and prevent this.
Does anyone recall the national discussions surrounding what constituted metadata following 9/11 when ThinThread and Trailblazer were brought to public attention?
I also recall reading about members of the TIA "Total Information Awareness" program leaving to join advisory boards for rising social media platforms, Facebook most notably. These weren't tinfoil opeds in fringe outlets, but regular reporting by journalists published in trusted local newspapers.
Are there any outlets left who aren't part of consolidated media groups that can or do still track and report on movements like this? I'm having trouble finding original articles that haven't been "revised for historical accuracy" or hidden behind paywalls of the few entities that remain.
Edit: For context, I was looking for the earliest articles about Google citing legal justification for scanning the contents of emails under a favorable interpretation of metadata that allowed for tokenization by an automated process (i.e. the contents were not read by a human or made personally identifiable, which met the letter of the law). It follows that the same justification is not limited to any source or data type, but I couldn't recall any more recent reporting or statements from companies over the last 10-15 years, or, the "don't break Google" era.
« The article posits that the uncanny relevance of some ads is due to sophisticated data collection methods. Companies analyze user behavior, online activity, and social interactions to predict interests, making it seem as though devices are listening.
In essence, while smartphones may not be actively eavesdropping, the depth and breadth of data analytics employed by tech companies can create the illusion of such practices.»
There have definitely been cases where I have not looked up an idea at all on my devices, only mentioned it in speech at home, and the highly targeted ad shows up on mobile the next day or even that day. I would take the correlation theory if I actually left data to correlate.
This... I have had on at least 2 occasions explicitly where I know for a fact I hadn't searched or looked up this topic on any system, and I brought up a topic and talked to my roommate and within the next 12 hours FB served me ads or content relating to the topic.
I get the idea that an "always on" monitoring system would be problematic (even if you discarded the data itself and only retained/filtered relevant bits for a short period of time). But ... I have no other way to explain events like this.
I suppose some weird correlation of user has x,y,z and they searched for a,b,c in the past, and other users search for D, then we show D at exactly the 12 hour time they searched for it.
Yes I am aware of recency bias, and how perhaps it was shown other times without recognizing it. But it's... hard to shake that feeling, and I am (well less so now) a skeptic...
If it's anything it's like AI that's eerily creepy like "intelligence" but not it, just like this is "like listening" but isn't. Both use statistical models to do creepy ass shit.
Well, since my data comes from my wife and I (we have nobody else) and we didn't look up Deadpool (ever) because she doesn't care and I don't talk to her about it because I know she doesn't care. We see Deadpool advertised playing at a theater on the marquee, so I call it out
Me: "I would go watch Deadpool with my best friend Z if he was in town today".
Me: "Did you hear they have a Deadpool dog? Dogpool!" (saw the trailer from my desktop at work)
Wife: "I don't care about a Deadpool dog. You should definitely go see it with Z."
About 2 hours later. Ads for Deadpool litter her Facebook. Deadpool had been out for 2 weeks. Why now? Because we talked about it in the car while she was on Facebook. I've worked in Adtech since about 2005. It's the phone and/or the app. Our Google TV does the same thing, except YouTube doesn't seem to be affected by conversation. So that's something.
That’s the point the article makes: That some idea is on your mind is essentially always correlated with any number of signals, some of which are visible or inferable by adtech.
it’s just ai llm snooping and doing big ol compute just like we have access to now. but advertisers had it years ago cuz they paid and at large, ads sold.
became so prevalent no differentiable value so the algos etc sought new omg human public users. magic baby. but just hungry ip sw gobbling up new worlds.
> Even though these ad algorithms are not nearly perfect (try to pay attention to how often you are served ads that are entirely irrelevant to your interests), the simple fact that they are so eerily correct even some of the time is the real conspiracy here.
This could be intentional. Having too many accurate ads is having a bad effect, because you then enter the uncanny valley of noticing what the data collectors all know about you.
Amazon often tries to show me a dress store. I’m a guy, and I’ve never bought women’s clothing. On the surface, the ad makes no sense and is irrelevant—but what if I end up wanting to buy a dress for someone else? Then I might remember that Amazon dress shop.
This (or simple error) seems more likely to me than a conspiracy to appear less creepy, though I suppose all three could be in play.
iPhone will tell me that I have a 25m drive to get to work. Literally why? I know where I work and how long it takes. I have done it enough times for it to learn what I do at 07:30 in the morning. Is it just flexing repeatedly that it did a simple inference?
Some places, including the Bay Area where this feature was probably created, have significant variance in commute times depending on the traffic of the day so this can be a useful feature.
The commute time from SF to Cupertino is certainly not constant.
Yes my phone is listening. To almost every word, and using that information to serve me ads. I would bet my entire net worth on that, as I'm 100% certain.
A few years ago, I was fairly convinced that Google Voice was listening and punishing me for hitting "political third rail" keywords during phone calls.
On more than one occasion, I would be in a conversation with a friend of mine and things would turn political, and if I spouted just the right combination of anti-left rhetoric/keywords, our connection would drop right away -- boom.
Now why would Voice do this when other Google properties don't? I mean, they don't filter Gmail or Docs or Photos looking for subversive content and censoring it. YouTube comments, maybe.
But I figured that if they wanted, it was completely possible. Because they have proven and deployed live-transcription, and they're best at English. Not to mention, Voice is sort of a deprecated product that they don't really support. So why not throw a little havoc in there for miscreants?
The reason I was using Voice was to place phone calls from a SIM-less tablet. It seems that Voice insists on using my real phone now for routing any sort of call. So I haven't had opportunity to test the boundaries for years now. Nevertheless, I was not sorry about the possibility of censorship, I was duly chastened, and sorry I've been so brainwashed to lapse into mindless talking-point rhetoric.
This article reminds me of this excellent tongue-in-cheek piece of writing by Jonathan Zeller in McSweeney's:
Calm Down—Your Phone Isn’t Listening to Your Conversations. It’s Just Tracking Everything You Type, Every App You Use, Every Website You Visit, and Everywhere You Go in the Physical World
https://www.mcsweeneys.net/articles/calm-down-your-phone-isn...
There is so much time spent “debunking” audio recordings being shared with various entities it makes me more suspicious.
Just like Facebook’s “we never sell your data (we just stalk you and sell ads using your data)”. I’m sure there’s a similar weasel excuse… “we never listen to your audio (but we do analyze it to improve quality assurance)”
It’s similar with the TSA facial recognition photos. “We delete your photo immediately” but what they don’t say is that they don’t delete the biometrics from that photo.
It's a crime that we're compelled to concede our 4th Amendment rights in order to travel.
Literally not compelled in this case, the TSA signage says that the image capture is completely optional.
More generally, having your stuff screened for security to get on a commercial plane isn't a 4th amendment violation, the word "unreasonable" is right there in the amendment for a reason. You're in public in an enclosed flying object bringing your goods onto someone else's plane with 100+ strangers aboard, it is completely reasonable and necessary for the freedoms of everyone involved for the TSA to ensure that your stuff doesn't have dangerous objects aboard.
Don't forget that freedom also involves the freedom of other people to not be negatively impacted by you exercising your "freedom."
Image capture is optional, your other option is something possibly unpleasant and may make you miss your flight
That is not the other option at all. The other option is essentially just the traditional screening process.
> Standard ID credential verification is in place – Travelers who decide not to participate in the use of facial recognition technology will receive an alternative ID credential check by the TSO at the podium. The traveler will not experience any negative consequences for choosing not to participate. There is no issue and no delay with a traveler exercising their rights to not participate in the automated biometrics matching technology.
My goodness this thread is just the most annoying tinfoil hat thread I've seen all day. Y'all are spending too much time online.
> The other option is essentially just the traditional screening process.
I know that, and you know that, but you have to convince the average traveler that nothing bad will happen if they say no. In the mind of the average traveler, it’s safer to just say “okay” to whatever the TSA wants. There needs to be some kind of neutral ombudsman to placate travelers’ fears of reprisal for opting to preserve their rights.
No, the TSA actively threatens you with unspecified additional hassle/delay if you express a desire to opt out.
They are also running facial recognition on all of those round just-above-eye-level camera pods all up and down the concourse.
It's not; I flew every week for months, and across ALL airports, I got an indifferent "OK" from the TSA agent, and was waved along.
Depends on the type of travel right? I took Amtrak weekly for several years and never even had to show ID.
Did this change? Last time I tried to take them (ten+ years ago, because my license expired) they refused my ticket purchase because my id was expired.
I don’t remember ever having to show ID with Amtrak.
Less than 6 months ago I was able to buy a ticket online and board without showing any ID and have done that for 10+ years with no problem.
Same with drivers licenses and passports having a photo requirement too
The TSA photos are worse. They use a stereoscopic camera to take a 3d image of your head, which makes facial recognition up to 10x more accurate.
You can opt out, just say you do (and preferably cover the camera with your hat or bag)
>You can opt out, just say you do
And then be flagged and 10x more targeted because of that
Not how it works
Oh, sweet summer child
WiFi 7 Sensing is bringing similar functionality to consumer routers and many laptops, with the bonus of passing through walls.
>drivers licenses and passports having a photo requirement too
You're free to take the bus, or hire a chauffeur. A private pilots license doesn't have any pictures either.
For better or worse, we didn’t have to make such hard choices for the first 80 years of aviation. And Greyhound etc require photo ID these days as well
A US pilot certificate itself does not include a photo, but you must have a photo ID to use it. https://www.ecfr.gov/current/title-14/part-61/section-61.3#p...
That’s not a freedom. That’s a restriction that reduces the amount of choices you have for potentially worse ones.
It literally says right on the facial recognition sign that you're free to opt out, just let the TSA employee know
The TSA is - objectively, by their own audits - complete security theater. Why bother to defend them, exactly?
Also, the spirit of the 4th Amendment is most certainly not "here, this is the easy way!" (yes, we are conducting mass surveillance but you can sort of opt out of one piece of it by going through a manual process over here that we will make you feel like you are burdening us by requesting)
correcting disinformation isn't defending something. do you want to live in a world where we dislike someone and so we just make up random terrible things about them that aren't true, and it's fine and encouraged because they're someone we dislike, and people aren't allowed to say "hey that's not actually true, at all"
Yup, people are really good about it in my experience too. I just stand off to the side of the camera, and say "no biometrics please". They take a minute to check my documents and it's done. Try it.
I trust the TSA agents brain to not get hacked in the next 24 hours, a database run by them, not so much.
The purpose is to gather biometric data on people that will be used for future surveillance in our incipient fascist state with the implicit statement that opting out is suspicious and will lead to greater scrutiny.
Amtrak and Greyhound do not require those biometrics, nor does renting a car and driving (or driving your own).
Some of us want to be able to cross the country in an afternoon, and not have to spend days on a slow, uncomfortable train to make the same trip. I don't think that's unreasonable.
Certainly not unreasonable. But it does require you to commission your own transport subject to the rules that that private entity seeks to impose. Public entities which indiscriminately service residents and visitors of a given territory would obviate this requirement. But if you're in the US, good luck convincing taxpayers to agree to pay for that.
> subject to the rules that that private entity seeks to impose.
It's not the private entity taking a 3D face scan, nor are they necessarily wanting for that scan to be taken. It's federal laws and regulations being done by federal agents in spaces controlled by the federal government.
TSA is not a government organization. Neither is Boeing nor any of the airline carriers.
TSA is absolutely a government organization, it's a part of the Department of Homeland Security. It was created by an act of Congress, the Aviation and Transportation Security Act. You might as well argue the IRS or FBI or the US Marshals aren't a government organization. What an absolutely absurd thing to suggest.
> The Transportation Security Administration (TSA) is an agency of the United States Department of Homeland Security (DHS) that has authority over the security of transportation systems within and connecting to the United States.
https://en.m.wikipedia.org/wiki/Transportation_Security_Admi...
TSA is not a government organization as much as the Pentagon is not :)
Private and charter aviation exists and is free from those constraints.
Some of us are not billionaires.
You don't have to be to fly charter or private.
Freedom has never been free.
That’s not what that means
You can also walk. Lovers of freedom can walk from Manhattan to LA in 40-50 days. Of course if you look “wrong”, you’ll probably get rounded up in some flyover town.
I wonder what the chances of surviving that trip is, based on walking pedestrian fatalities on highways.
Depends on where you walk. The US is amazingly poorly situated for long walks outside of major cities. Sidewalks disappear first, then lighting, then one is liable to run into major stretches with no safe affordance for walking whatsoever, where one is either inches from cars or in a ditch.
Not saying this is true, but the amount of time and effort put into saying "no one is listening to you" could be attributed to the novel 1984, where the government is actively listening to its citizens. Enough people could associate the novel with government surveillance that it's what people interpret as the most likely surveillance happening - and enough people don't understand tech that it's lost on them that a) the tech to actively listen to millions of people constantly doesn't exist at the appropriate level to be effective b) there are significantly more and far more effective ways to monitor people with current tech than via microphone. It's truly unfortunate people don't understand tech to realize what's actually possible and what is actively happening vs what they imagine could be happening
Sure it does. You just haven’t seen it.
Download OtterAI. Or run voice memos all day, load it into NotebookLM and ask it about your day. Hell, set up whisper on your MacBook and you can chug away at pretty significant quantities of audio.
I’ve seen solutions that process audio from hundreds of multi-party meetings and can do all sorts of analysis. In one case, it can do realtime sentiment analysis and alert security when an encounter is getting tense.
> There is so much time spent “debunking” audio recordings being shared
Not really. 99% of the time it's someone claiming that it happens.
And it's always an anecdote, never clear proof that it happened. Let alone that it happened because of the audio and not web activity. And that the conversation was actually the cause for the ad and not the other way around.
Is it technically possible? Sure. But if so many people are so certain that it definitely happens, why didn't dozens of people already prove it with a fresh Google/Apple account and phone?
I observed a clean experiment that showed a friend’s Google Pixel phone listening to us and adjusting news stories on Google app’s home screen.
However:
— IIRC the phone was unlocked,
— this only affected the news feed, and
— this was 5–6 years ago.
We 1) noted how Google app shows some selection of news after opening, 2) talked clearly for a minute about a very random and conspicuous topic in presence of the unlocked phone, and 3) demonstrated the Google app showing an article relevant to the topic within a few minutes. The article was a few days old, too, so it was clearly boosted out of more recent stories.
The only reason it could be something other than the phone microphone is if I was misled by my friend steering us towards a predefined topic. However, that would require some extensive preparation to rule out the story appearing in the first step and would be very atypical for that person.
I recall seeing an article about Google admitting this and changing their policy to stop, but can’t seem to find it now. I imagine it was bad publicity, though to my friend it was a feature to see personalized content.
This was a coincidence.
That’s why it’s something you observed one time 5-6 years ago, not something that happens repeatedly in a testable way.
Isn’t it more likely it’s not a coincidence though?
How often does someone look at their phone over 5-6 years?
Having one incidence where you’re talking about something and then you also see that something on your phone out of 2000 days of using a phone is definitely more likely to be coincidence.
How often do you think this person did experiments? It is a study with n=1 but the unrelated metric of how many times something else happens does not influence the likelihood of a false positive
Only did it once. The likelihood of coincidence is low, because the topic was specific and unusual.
Here’s something relevant in Google’s current support KB[0], where the combination of the following further supports that the experiment did not have to be staged (emphasis mine):
> Web & App Activity saves your searches and activity from other Google services in your Google Account. You may get more personalized experiences, like: <…> Content recommendations
> When Web & App Activity is on, you can include audio recordings from your interactions with Google Search, Assistant, and Maps as part of your activity.
Let’s now go back to the experiment. Given the phone was unlocked, voice activity was enabled, and Google app or search widget was on Google Pixel’s screen (I am certain at least the latter was true) during the experiment, could talking near the phone be counted as “interaction”? If the answer is “yes” then it seems very reasonable for us[1] to expect, per that KB, that the app would listen more actively than what’s required for assistant activation, and that recorded snippets would count as your “activity” designed to affect content recommendations (including the article feed Google app showed to us on its app’s main screen).
No tinfoil hat required.
***
Note that it does not mention ads among personalized experiences[2], and we had not observed any change in the ads either. I didn’t see what exactly counts as “interaction” or whether this blazing-fast content personalization used to include ads previously, but in line with the “move fast” culture of mid-2010s Silicon Valley it could well have been much more lax at some point. If so, I do not envy all the people who have observed it only to be gaslit and mocked by peers and media.
***
As to the article I was vaguely remembering in my original comment, the above makes me think that it was merely about the change of the default to opt-in, which it is as of today:
> This voice and audio activity setting is off unless you choose to turn it on.
[0] https://support.google.com/websearch/answer/54068?hl=en&co=G...
[1] Us tech people; this might not at all align with the intuition of other people.
[2] I rather suspect that ToS and possibly some other KB article would indicate that your activity would, in fact, affect your interest profile and by extension ads, but probably in a much less obvious and more gradual fashion.
Here is an example that just happened today. I talked to my partner about me going to a city directly (via one state) or indirectly (via another state). All I said was "so you want me to go directly to X".
Boom, Illinois tourism ad shows up the next time I hit the internet. Scary thing is I didn't even say the state name, just the destination, and SOMETHING calculated that Illinois is in the middle.
This stuff has now happened far too many times in the last 10 years of my life, it is simply implausible to call it coincidence at this point. You are being listened to by your phone.
Ad firms have no ethical boundaries, and have lied about their data collection over and over.
What is really frightening is that if the ad companies know everything about you, then multiple state actors also know everything about you.
Confirmation bias at its finest
Why would that even be a good targeted ad? It's simpler and more profitable to show you ads about a place you actually plan to go to..
> You are being listened to by your phone.
This would simply eat the battery immediately, it's simply not feasible and given all the other, cheap tracking it wouldn't even be beneficial.
Not in 2025. I often record long duration meetings and working sessions with iOS voice memos. There’s no noticeable impact.
You could easily record and do a fast voice transcription to gather keywords from a hardware perspective.
> Not really. 99% of the time it's someone claiming that it happens.
It’s never packet captures, reverse engineering of the app, or one of the tens of thousands of employees working for these companies blowing the whistle.
Nobody can even show that their phone app is using background CPU when they talk, utilizing the microphone, or sending packets from that app. All of which are in reach for anyone with Android and some basic skills.
It’s always an anecdote about someone who said something out loud and then saw ad for it later. That’s it. That’s the entire basis for the conspiracy. Yet it persists.
It’s a very good litmus test for people who don’t understand technology as well as they claim to.
On the other hand it might point to something more serious, that the level of tracking Facebook and Google use lets them loosely predict what you are going to think about.
So maybe the microphones are safe and pristine, but we should be worried and appalled the same as if they were actually listening.
I like to think about it sorta thermodynamically: consider your behaviour under the blurred lens of interests, what you buy, what you read, how you react to news, etc, in this model humans have, let's say, n bits of entropy; how many of those bits can Facebook decode?
Except for the fact that if you read the debunkings, they go into great detail as to why that is empirically not the case.
We don't "listen" to your audio, the microphone does, and your phone transcribes it to text on your device. You cannot listen to text. Therefore we don't listen to your phone audio.
There is a small list of reasons why it needs to be "debunked:"
1. Your phone is gathering data that you don't realize that it gathers.
One of the biggest examples of this is real-time location data that is brokered by cellular carriers and sold as aggregated marketing data. You don't have to give your apps permission to do anything like that because your cellular carrier can get that data regardless of your phone's OS.
2. Your phone is gathering data that you gave it permission to gather, perhaps gathering it in a way you didn't think it would do.
For example, let's say you give an app permission to read your entire photo library so that you can upload a photo. But since you gave it that permission on the OS level, it might be uploading more images than you explicitly select. Another example used to be clipboard data before the OSes asked permission for use of the clipboard. One last example is text that you enter but do not submit.
Another big aspect of this is that people don't realize how these ad networks work in real time. It's not a slow thing for an advertising company to learn something about you and react accordingly, it can happen in a few short seconds.
3. The average person doesn't have any comprehension of how easy it is for data science practices to uncover information about you based on metadata that seems benign or that you don't know exists.
Most people don't understand how your behavior in an app can be used to tell the company things you like and dislike. The TikTok algorithm is a great example, it can tell what you like just by extremely subtle inputs, how you swipe, how long you watch the video. A lot of people don't realize how many things about them aren't particularly unique and how many preferences can be tied to a really specific persona that you fall into.
A real world example of all of this put together is that I was spending a lot of time browsing appliances because I just bought one, and I went to physically visit a friend. We were talking about my new appliance, and later they got ads for that specific appliance. So, the person's reaction would naturally be "it was listening to us!!" but in reality, it is more likely that our cellular carrier or carriers knew we were physically in the same place and reported that piece of information to some kind of data broker. Consider how there are a limited amount of cellular carriers, that location data may not have needed to even exit the cellular carrier to sell this data to someone. I.e., if we both have the same cellular carrier, our company already has that information and it isn't selling it to another company, it's perhaps just telling a data broker that Person A and Person B interact with each other.
Just note that I'm not claiming this is exactly how it all works as I'm not in that industry, but the general ideas here apply. The general takeaway is that literally recording audio with a microphone just isn't necessary to derive hyper-specific things about people.
That's much worse compared to listening for keywords. You're looking up men's enhancement products and every time you enter a room all ads on everyone's phone change to those products?
While I don't agree with these sorts of industry practices and believe the US needs a universal data privacy law, I don't see how matching up some relatively impersonal metadata could be considered worse than directly listening in to private conversations.
The advertiser trying to sell my friend appliances didn't really get a lot right about them. They're a renter and the advertiser thought they’d like to buy a major kitchen appliance just because we were in the same location.
If they were able to listen in to our conversations they wouldn't have sent them an advertisement at all.
Now this could be a fun adversarial exercise, with more interesting products of course.
This assumes that companies such as TikTok control their timeline up to the individual post, perfectly analyzed in order to extract your unique traits, and they have specific ads lined up for you. Where - in my view - their timeline is just a bunch of random submissions. TikTok is just trying to sell ads and will try anything to match your profile to one of their active ad campaigns so they can bill their client more.
Nope, there is no need for this.
Think of it like an attacker (the app) would breach a cryptographic target (you and every other user of the app). The attacker starts to send random messages or try to mess around with signatures/tokens/APIs and listens for errors, timeouts, spam filters, possible side channels until it learns enough to figure out how to predict how the system will behave and maybe even to influence it.
Both in the analogy and with the timeline it does not matter if you mix a few random messages between a test and another as long as you comprehensively keep track of how the target behaves.
Every interaction is a data point, some data points are more useful than others but none is useless
I'm confused at what you're claiming here. Yes, the submissions are rather random, but TikTok definitely figures out what type of content you like and what advertisements are most effective.
Your feed is almost certainly personalized up to the individual post, but I think if we are making an analogy to human curation it's certainly not working the same way behind the scenes.
I can just say that I knew an entrepreneur in early post Y2K who developed apps to track music played in clubs in SF for folks like ASCAP, BMI, and SESAC. They gave out "free" phones (these were the small expensive candybars and nice flip/slideups) to the influencers of the day. They compressed the audio for orthogonality, and had a huge number of hashes to match. If they got more than a few consecutive matching hashes at a location that wasn't paying royalties, they got an enforcement call.
So the idea that it takes a huge amount of computing resources, battery life, permissions, or bandwidth to do matching of keywords is hilarious. That's what "siri", "hey google", "alexa" etc are all doing 24 hours a day. Just add another hundred and report them once an hour. You don't need low latency. It's just another tool in the bag!
Of course the cat food example is bad, because if they weren't looking for that you wouldn't get a response. Who would be willing to pay big for clicks on cat food. Now bariatric surgery? DUI? HELOC? Those pay.
>That's what "siri", "hey google", "alexa" etc are all doing 24 hours a day.
You might have just convinced me that the “phone is listening” is total bunk, because these dedicated devices are just so bad at recognizing the very specific, short, phrases when explicitly directed at them that I can’t imagine they are listening for much more. Listening to my in-laws try to activate their Alexa and Google Homes is something the CIA might consider for their next torture method.
You expect 95% accuracy matching activation phrases. You don't need that for ads. It only needs to work some of the time for some of the people, especially if it makes $/click.
>You expect 95% accuracy matching activation phrases.
At this point I don’t even expect 50% (trying twice), and I’m still disappointed.
>It only needs to work some of the time for some of the people, especially if it makes $/click.
So where can one find this market? We know the price of traditional ad clicks. Surely we’d see a market for “voice-driven” ads with higher rates?
> So the idea that it takes a huge amount of computing resources, battery life, permissions, or bandwidth to do matching of keywords is hilarious.
I also knew an entrepreneur who tried this same thing, but with TV shows.
Fingerprinting specific audio is a different algorithm problem entirely. You only need to sample a short section of audio every few minutes and then process the spectral peaks, which are fingerprinted against a database of known samples.
This is how apps that name a song work. It’s not the same as constant full speech to text.
But you’re skipping the key part of the story: They had to hand out phones specifically for this because you can’t get constant audio background processing from installing an app on a modern phone OS without the user noticing.
> That's what "siri", "hey google", "alexa" etc are all doing 24 hours a day.
Again, wake word monitoring is a different algorithm. Monitoring for a wake word is a much simpler problem. They’re not processing everything you say, converting it to text, and then doing a string compare for the wake word. It’s a very tiny learning model trained to match on a very specific phrase, which might run at a hardware level.
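An added example, not part of the thread: a toy version of the spectral-peak fingerprinting described in the comment above, using the same "several consistent hash hits" rule as the earlier club-music anecdote. The one-tone-per-frame audio, track names, frame-aligned clips and thresholds are all constructed assumptions; the point is that it recognises known audio and extracts no words.

```python
import cmath
import math
import random
from collections import Counter, defaultdict

FRAME = 128          # samples per analysis frame
BINS = range(2, 62)  # DFT bins searched for the spectral peak
FANOUT = 3           # each peak is paired with the next FANOUT peaks
MIN_VOTES = 5        # consistent landmark hits needed to report a match

# Precomputed DFT factors: TWIDDLE[k][n] = exp(-2*pi*i*k*n/FRAME)
TWIDDLE = {k: [cmath.exp(-2j * math.pi * k * n / FRAME) for n in range(FRAME)]
           for k in BINS}

# Constructed "known recordings": each number is the DFT bin of one frame's tone.
TRACKS = {
    "song_a": [10, 22, 15, 31, 12, 27, 18, 35, 9, 24, 14, 29, 20, 33, 11, 26],
    "song_b": [40, 17, 28, 13, 36, 21, 8, 30, 19, 38, 16, 25, 34, 23, 37, 32],
    "song_c": [12, 39, 27, 10, 33, 18, 41, 22, 15, 36, 29, 11, 24, 42, 20, 31],
}


def synth(notes, gain=1.0, noise=0.3, seed=0):
    """Constructed audio: one pure tone per frame plus Gaussian noise."""
    rng = random.Random(seed)
    samples = []
    for k in notes:
        for n in range(FRAME):
            tone = math.sin(2 * math.pi * k * n / FRAME)
            samples.append(gain * tone + rng.gauss(0, noise))
    return samples


def peaks(samples):
    """Return the strongest frequency bin of each full frame."""
    out = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]

        def magnitude(k):
            return abs(sum(x * w for x, w in zip(frame, TWIDDLE[k])))

        out.append(max(BINS, key=magnitude))
    return out


def landmarks(peak_list):
    """Yield (key, frame_index) for every pair of peaks within FANOUT frames."""
    for i, p1 in enumerate(peak_list):
        for dt in range(1, FANOUT + 1):
            if i + dt < len(peak_list):
                yield (p1, peak_list[i + dt], dt), i


def build_db(tracks):
    """Index every landmark of every known track: key -> [(track, frame)]."""
    db = defaultdict(list)
    for name, notes in tracks.items():
        for key, i in landmarks(peaks(synth(notes, seed=1))):
            db[key].append((name, i))
    return db


def match(db, samples):
    """Vote on (track, time offset); a real match piles votes on one offset."""
    votes = Counter()
    for key, j in landmarks(peaks(samples)):
        for name, i in db.get(key, ()):
            votes[(name, i - j)] += 1
    if not votes:
        return None
    (name, offset), count = votes.most_common(1)[0]
    return (name, offset, count) if count >= MIN_VOTES else None


if __name__ == "__main__":
    db = build_db(TRACKS)
    # Quieter, differently-noised excerpt of song_b starting at frame 5.
    clip = synth(TRACKS["song_b"][5:13], gain=0.6, seed=99)
    print(match(db, clip))
    # Constructed audio that is not in the database.
    print(match(db, synth([45, 50, 47, 52, 44, 49, 46, 51], seed=7)))
```

The database holds only small landmark keys, and the matcher returns a track name and time offset; audio that is not in the index yields nothing.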
I agree it's a different algorithm, but not a higher powered one. You don't need to know context to get HELOC, Bariatric, or DUI. You also don't need 95%+ accuracy for 95% of the population. You're just doing advertising.
Doing 100 different matches updated frequently is an entirely different problem than matching a single wake word that isn’t changing.
Regardless, this would require so much coordination, network traffic, and on-device code that could be reverse engineered that you’re implying that nobody has ever found a hint of it existing and no employees of these companies have ever leaked any hints of it existing.
It’s very much in the domain of conspiracy theories.
Well, actually when you're hash based doing 100 different matches is the easy part. I'm not sure you know how steep FAR/FRR curves are for >99%/95% single word accuracy, but having seen wake word development it's easily 100x harder than 95%/90% accuracy and none of the heavy calculation other than voice compression needs to be done locally or in a short time period. The network traffic is literally a few hundred hashes downloaded and hundreds of bits of hash matches a day (~1kB).
Even in the article there are multiple reports of it that are dismissed, and even though reverse engineering larger apps on iPhone/Android is certainly possible, with obfuscation searching for yet another hash table matching or simple voice compression is also quite difficult. Where are all the other articles reporting on the reverse engineering the very screencap apps this article talked about? Are they also just more well documented conspiracy theories?
Frankly, your best argument is that nobody is selling this as a product. So maybe there are easier more effective methods, but not because it can't or hasn't been done (since it literally has and it's been reported). It's kinda the opposite of a conspiracy theory. You have to assume that everyone capable with a vested interest won't do it, or that all of them will be caught, or that making money with ads becomes unpopular.
What kind of keywords would you imagine provide an actual, profitable advantage to an ad company? I can't imagine "computer 2", "fridge 3", "egg 4" being all that valuable compared to.. literally my whole browser history and my reaction to other ads/videos (I looked at that short for 10s vs immediately skipping builds a very nice profile). And now add i18n in the picture - even the main AI assistant products suck in anything other than English, so this fancy, advanced technology with low return of value would end up with a low target audience as well.
Also, "Siri" and the like ends up waking the main processor, which is definitely easy to prove/disprove. Just talk to your phone continuously for a long time and see if it wakes.
Low, even very low, return of value is not no return. Therefore, given they make some return, and it has some value, that's enough for them to do it. Ads and ad data are two sides. We are often not the target for an ad, but our data provides stats about how an ad is performing. If more consumers are influenced to spend $1000 on something than not, then it's worth it for them. It's an aggregate cost benefit analysis not how effective it is at the isolated individual level.
Another thing to consider is that we should never fall into the trap of thinking we are immune from influence from advertisers. Firstly, it's basically what advertisers want; it allows more actions like this, more of our data to be sold and secondly because it's easier to influence someone if they think of a decision as their own choice, than if they think they were manipulated into it. We do not remember the ads we see but we can remember that we are all susceptible to influence.
Return of value is with respect to the costs of it. A lawsuit/brand value loss from illegally recording every communication you make (which we would have definite proof if it were happening, given that there are more phones than people on Earth) would far outweigh the tiny benefit (if any? I'm not convinced you would get any extra information in the general case compared to the tracking of the regular usage of your phone)
Also, I don't see the relevance of your second paragraph. The baseline is not "no ads", the baseline is "ads supported by all the tracking that Meta/Google currently does".
Reminds me of something that a Telco exec once said in jest - “A bank can track which hotel you stayed at last night, the Telco knows who you slept with”
The article omits a real, serious source of microphone data though: your smart TV. I know beyond a shadow of a doubt that my TV (a Toshiba Fire TV, although I’m sure many do it) is listening to every conversation I have within earshot, even when I am not using the voice remote, and selling it to ad networks.
And of course it is also doing screen recognition (the kind of stuff OP article mentions), but that is not what I’m talking about. I’m talking about microphone data picking up live conversation from people in the room.
Beyond a shadow of a doubt? Can you describe what you’ve experienced?
I am suspicious of all “smart” devices, much more so than phones because phones have a lot more scrutiny on them.
If your smart toaster, light bulb, or fridge was listening to you, would anyone even notice? Does anyone examine these devices in depth?
Who would even want a microphone in a TV?
It's like that old Soviet Russia joke, except it's not a joke.
Privacy-seeking users have physically removed microphones from phones. This should also be possible with laptops and televisions.
If Toshiba Fire TV is related to Amazon Fire TV, then it may include Alexa for voice recognition, which could be optionally disabled. In theory, Alexa is only activated after on-device recognition of the configured wake word.
Removed microphones from… phones? How do you use the phone then?
Most things people use phones for nowadays don't need a microphone. And in the rare case you do, you plug in/connect a headset.
Headset.
Another source of audio data is the accelerometer, which often has laxer permissions
Way back then I exposed massive data collection from Twitter by Google which made it possible to plot locations at which you used Twitter in Google Maps by simply putting your Twitter handle into the search field. Somehow they knew about these locations even when you opted out of sharing location data with Twitter (I checked) -- so this was only possible by Twitter privately providing this information to Google.
This "experiment" has since then been shut down, but exposing this and many other forms of activism permanently has cost me my Twitter account, to the point that asking to reinstate it several times because I was permanently suspended for no valid reason led to X Support directly rerouting every attempt to appeal this decision into the digital trash can.
Let's say nothing surprises me anymore.
Is this your experiment? https://github.com/jkakavas/creepy https://www.geocreepy.com/
Mine was even creepier.
This one used data shared by the user (opt-in on sharing geolocation in the app or browser), which then is publicly exposed through the API (like this feature says it would).
Mine doesn't give a shit, geolocation was shared even when turned off by the user in Twitter.
Sorry for misrepresenting the functionality of the original cree.py project.
What it does is download all photos that the user shared on Twitter, extract GPS tags from EXIF, and put markers on Google maps, annotated with these photos.
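The reply above describes reading GPS tags out of the EXIF data of shared photos; the same check can be run on your own files before posting them. This is an added example, not part of the thread or of the cree.py project: the function names are hypothetical and the sample JPEG bytes are constructed inline.

```python
import struct

GPS_IFD_TAG = 0x8825                       # IFD0 entry that points at the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4    # tag ids inside the GPS IFD


def find_exif_segment(jpeg):
    """Return (start, total_length) of the first APP1/Exif segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):          # image data or end of file reached
            break
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return pos, seg_len + 2         # +2 for the marker bytes themselves
        pos += 2 + seg_len
    return None


def read_ifd(tiff, offset, endian):
    """Parse one TIFF image file directory into {tag: raw 4-byte value field}."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(count):
        tag, _type, _n, value = struct.unpack_from(
            endian + "HHI4s", tiff, offset + 2 + 12 * i)
        entries[tag] = value
    return entries


def to_degrees(tiff, value_field, endian):
    """Follow an offset to three RATIONALs (deg, min, sec); return decimal degrees."""
    (offset,) = struct.unpack(endian + "I", value_field)
    v = struct.unpack_from(endian + "6I", tiff, offset)
    d, m, s = (v[i] / v[i + 1] if v[i + 1] else 0.0 for i in (0, 2, 4))
    return d + m / 60 + s / 3600


def gps_from_jpeg(jpeg):
    """Return (lat, lon) in decimal degrees if the file carries GPS tags, else None."""
    seg = find_exif_segment(jpeg)
    if seg is None:
        return None
    start, length = seg
    tiff = jpeg[start + 10:start + length]  # skip marker, length, "Exif\0\0"
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return None
    try:
        (ifd0_off,) = struct.unpack_from(endian + "I", tiff, 4)
        ifd0 = read_ifd(tiff, ifd0_off, endian)
        if GPS_IFD_TAG not in ifd0:
            return None
        (gps_off,) = struct.unpack(endian + "I", ifd0[GPS_IFD_TAG])
        gps = read_ifd(tiff, gps_off, endian)
        if LAT not in gps or LON not in gps:
            return None
        lat = to_degrees(tiff, gps[LAT], endian)
        lon = to_degrees(tiff, gps[LON], endian)
    except struct.error:                    # truncated or malformed metadata
        return None
    if gps.get(LAT_REF, b"N")[:1] == b"S":
        lat = -lat
    if gps.get(LON_REF, b"E")[:1] == b"W":
        lon = -lon
    return lat, lon


def strip_exif(jpeg):
    """Return the JPEG with its first Exif segment removed (all Exif tags, not only GPS)."""
    seg = find_exif_segment(jpeg)
    if seg is None:
        return jpeg
    start, length = seg
    return jpeg[:start] + jpeg[start + length:]


def build_sample_jpeg():
    """CONSTRUCTED sample: SOI + Exif segment + EOI, tagged 10 deg 30 min N, 20 deg 15 min W."""
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_TAG, 4, 1, 26, 0)   # one entry -> GPS IFD at 26
    gps = (struct.pack("<H", 4)
           + struct.pack("<HHI4s", LAT_REF, 2, 2, b"N")
           + struct.pack("<HHII", LAT, 5, 3, 80)                 # rationals stored at offset 80
           + struct.pack("<HHI4s", LON_REF, 2, 2, b"W")
           + struct.pack("<HHII", LON, 5, 3, 104)                # rationals stored at offset 104
           + struct.pack("<I", 0))
    data = struct.pack("<6I", 10, 1, 30, 1, 0, 1) + struct.pack("<6I", 20, 1, 15, 1, 0, 1)
    payload = b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps + data
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("before:", gps_from_jpeg(photo))
    print("after: ", gps_from_jpeg(strip_exif(photo)))
```

`strip_exif` drops the whole Exif segment, so orientation and camera tags go with the coordinates; metadata stored elsewhere in a file (for example XMP) is outside what this sketch inspects.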
Could you link to some of it? Sounds extremely interesting!
See screenshot: https://xcancel.com/kpcuk/status/601451439215353857
Do note that at first it was assumed just Chrome was involved, but then people started to message me that they also saw it when using the apps, Firefox, Safari and other browsers as well.
Sounds like they're showing geoip for tweets/profiles?
IP isn't exposed by the Twitter API.
Also, sharing geolocation has been turned off by said user because reasons -- which make sense if you look at the location in the screenshot.
Geolocation has been turned off by me and others as well.
Thanks!
It's really indefensible to post this without linking to your research to show people what you found.
Believe it or not, I wrote about it on my now permanently suspended Twitter account.
Here is a remnant from someone who replied at the time:
https://xcancel.com/kpcuk/status/601451439215353857
By the way: somewhat later we (thanks to a group effort) figured out it wasn't "just" Chrome as mentioned, and this basically led to the strong assumption there was some serious data sharing involved.
And yes that screenshot from this person is 100% real; my pins for example were sprinkled all across Brighton in the UK near places with Wifi access (I recently went on a city trip there at the time), and my home town in the Netherlands.
Tweets were geolocated, with a 'see tweets near me' page until about 14 years ago, so it's entirely feasible that at least some of that infrastructure has survived the feature being removed.
"Tweets near me" was based on people sharing geolocation with Twitter (one of the things you can opt-out of when setting up your profile).
I didn't share any geolocation with Twitter. At least not voluntarily.
Doesn't every site route every support request for every reason into the digital trash can? You're supposed to just make a new account, using as many mechanisms as possible to make sure the site can't link it to your old account.
I’m not even sure that’s possible for some sites.
A few years ago I tried to create a separate digital footprint from scratch (just an experiment out of boredom when my isp offered a second number for free). I used an ultra cheap never before used android phone and set it up outside my home.
Google went nuts. All sorts of captchas, security checks and attempts to link me to other information popping up on every step. Eventually it wouldn’t let me use the phone unless I provided a credit card number.
Apple secretly linked my account to my >15 year old inactive account as well as another random account that isn't even mine. Nothing happened of it until I let my iPhone sync its settings to a new iPad. The iPad spammed a password input form for my old account that blocked all other UI elements. It didn't accept any password even after a password reset. Took me an hour to make the tablet usable again. The password form still randomly pops up every few weeks and there seems to be no way to fix the mess.
Bonus: the iPad's device name is now "My iPhone" because it also synced the device name from the phone.
I had this same issue. About once a week it would prompt me for the password for an old Apple ID. I eventually started over from scratch to work around the issue.
That's the modern tech landscape for you. They really want to know who you are because they make more money that way. For a similar experience, try Tor Browser.
I too sell my phone and buy a new one and also get a new phone number each time I get banned
Someone from X Support replied, basically told me to fuck off and that this would happen after my second or third appeal... so no.
At the time I am typing this, the title on the page is:
"Your phone isn’t secretly listening to you, but the truth is more disturbing"
Which is presently also the title on this post.
Then as I read it becomes clear that it is merely focusing on Facebook.
However the confusion that may stem from "Your phone isn’t secretly listening to you"
The blog post never attempts to establish that your phone is not listening to you, just that some companies may not be doing it.
The truth is that your phone may well be listening to you. There is plenty of malware / spyware that uses exploits to achieve it.
Like the NSO group¹.
Tools to do so can be bought on the malware market from other sources as well and we must assume that Mossad, NSA, and other major intelligence agencies have tools that exceed what you can buy on the open market.
Your phone may absolutely be listening to you, but probably it is not.
¹ https://www.bloomberg.com/news/features/2023-01-24/nso-group...
https://www.britannica.com/topic/Pegasus-spyware
https://citizenlab.ca/2016/08/million-dollar-dissident-iphon...
https://newatlas.com/computers/smartphone-listening-conversa...
https://www.bloomberg.com/news/features/2023-01-24/nso-group...
In aggregate, your phone is not listening to you, but if you are of great interest to a powerful adversary, it very well might be. But at that point, I would wager that's one of the smaller things on your plate.
Phones today show in the status bar if the camera/microphone is active.
If you can’t trust the software, why would you trust the software? Am I supposed to rely on the hope that an attacker can take over some part of the OS, but not the one rendering a tiny blob in the status bar?
Apple has moved these indicators into their “exclaves” removing any control or influence from the OS / software running.
Source? AFAIK they only have hardware indicators for webcams on cams, and it's not used for microphones.
Different person here, but Apple has tried it multiple times in different ways.
They started in iOS 14, iOS 17 got new Secure Exclave path that (A18, M4).
Search for “Secure Indicator Light”.
Also searching for “Secure Exclave” will reveal some fun reads.
That’s cool, but on iPhones, there is no indicator LIGHT. Only part of the screen indicates it. And if they can trigger stuff on your phone, maybe a daemon that accidentally covers that part with black also appears, and you wouldn’t notice.
Nope, it interfaces directly with the display driver and overwrites anything from user land or the OS.
That's actually amazing, didn't know that. Do you have an article with some more info on it? Love to read about this stuff.
Here’s an article with further links:
https://9to5mac.com/2024/09/11/iphone-16-privacy-feature-m4-...
I couldn’t find a more technical article but this was when it was released.
I think Snowden worked with someone to create a bulky apparatus that you could put your iPhone into and it would measure if any signals at all were coming from it.
Does that mean the phone will not react to „Hey, Siri“ without a mic icon showing up in the status bar?
“Hey Siri” is activated by the mic, which is always listening, but only for the key phrase. It’s not going through the OS in the traditional sense, hence the “light” only comes on when it starts to listen through the OS.
As an Android user I think there's no way for Google to assist unless directly called upon.
And you think that wouldn't be disabled by malware that can turn your microphone on at will? Lmfao
That seems unlikely, the code to do that would be part of the OS or maybe even part of the hardware, not really trivial things to hack.
Plus, what could a hacker really do with voice recordings that they couldn't do more easily with keylogging? It's not exactly common for people to say their credit card info or passwords aloud, much more common to type it
BTW, "smart" TVs send screenshots too. [0]
[0] https://dl.acm.org/doi/10.1145/3646547.3689013
We’ve reached the state where you can safely presume anything “smart” is violating your privacy.
Anything network connected.
Every day we seem to step closer and closer to the 'network connected smart dust' as written in some science fiction.
yeah, I liked the simplicity of having things on my tv, but I gave up and got an apple tv box. I was getting way too many "I was just talking about that!" ads on some of the "free" services i was watching old tv shows and movies on. I'm a pretty frugal guy for the most part but buying a separate box that doesn't sell everything you do and say to advertisers is worth it.
According to the paper, your TV may send snapshots even when it’s in a “dumb” HDMI input mode. So make sure it’s not on the network at all.
yeah, to be on my home network you need a password. there are no "guest" networks. good point though
> "Apps were automatically taking screenshots of themselves and sending them to third parties. In one case, the app took video of the screen activity and sent that information to a third party.”
> Out of over 17,000 Android apps examined, more than 9,000 had potential permissions to take screenshots. And a number of apps were found to actively be doing so, taking screenshots and sending them to third-party sources.
Which permission is that, and how do you detect which apps are doing that and stop them?
There is a permission to record the screen. It requires user consent and there's an icon in the status bar while it's being used. It's impossible to use this covertly.
What I believe the article is speaking about, is an app taking screenshots of its own windows. This is obviously possible and obviously requires no permissions whatsoever. Just make a screen-sized bitmap and do
It does sound believable that third-party advertising/marketing/tracking SDKs, which many apps are chock full of, could be doing this.
> It's impossible to use this covertly.
*Unless there's a zero-day that allows it.
If you're going to exploit a privilege escalation vulnerability from your app, why not just grab the most interesting parts of the /data partition while you're at it?
Sure why not. I wasn't implying that a zero day that allows surreptitiously recording the phone screen is the only shitty thing that can be done with your phone with a zero day.
Also, it is possible for a zero day to break specific privileges (like screen record without notification) rather than root.
You could do both
Burning a zero-day like that for targeted advertising seems extremely unlikely to me.
I think you missed the point GP was making. I believe they meant the vector might come from that kind of SDK. Not that someone who had a zero day to allow surreptitiously recording phone screens would use it for that purpose.
I followed the links to the study they referenced, and it says:
> Unlike the camera and audio APIs, the APIs for taking screenshots and recording video of the screen are not protected by any permission
However they also talk about doing static analysis on 9,100 out of the 17,260 apps, to determine (amongst other things) “whether media APIs are actually referenced in the app’s code”.
They then talk about doing a dynamic analysis to see which apps actually call the APIs (rather than just link to a library that might call it, but the app never calls that function in the library).
The soundbite is bad, it shouldn’t say “had potential permissions to take screenshots”, it should just say “had the potential to take screenshots”
I doubt there's a specific "ability to send surreptitious screen shots to developer" permission. It must be a combination of permissions: one for making network connections, another for capturing the screen without making it obvious to the user, etc.
For apps that want to send their own screens to third parties, there's no permission needed or possible. The app is drawing the content to the screen. It knows what the content is.
If you're trying to track user information (notifications, actual timezone/language, battery level, VPN usage, etc) you can use screenshots of the current screen and open keyboard. You can also see stuff from other apps if the user is using split screen modes or has chat bubbles open. Apps can otherwise only access the data they render.
The research talks about thousands of apps but I do wonder how many of these are apps people use every day and how many are Chinese clones of freemium games and other shitware with a fraction of daily users. All we know from public app store data is the number of "downloads" and even that is distributed as a range. I doubt these 19000 apps were found by doing a survey on what people actually had on their phones.
Is that true, that these apps can capture screenshots of the notification area/clock/chat bubbles?
Probably not, but all the information can be obtained via system APIs. There's no shortage of "system info" apps that show all manner of information about your phone (including battery level and network status), and don't require any special permission prompts.
When it's a developer tool we call it RUM or real user monitoring. It's super useful for solving bugs, but obviously the potential for abuse or user hostile activity is super high.
As far as permissions go, phones should have a log for when the permissions are actually used and how often.
... and is this permission to take screenshots of anything else you are doing on your phone at any time, or is it permission to take screenshots while you have that app open?
People seem to ignore the cost and accuracy aspects of a phone listening to you 24/7. At least with today’s constraints, it is highly unlikely to be happening.
First, the cost to transcribe audio is not free. It is computationally expensive. Any ad network or at scale service would not be able to afford it, especially in orgs where they are concerned about unit economics.
Secondly, the accuracy would be horrible. Most of the time, your phone is in your pocket and would pick up almost nothing. Moreover, it’s not like you are talking about anything of value to advertisers in most cases. Google is a money printing machine because people search with an intent to buy. The SNR of normal conversation is much much much lower. That makes the unit economics of doing this much worse.
Third, it would be pretty hard to not notice this was happening. Your phone would get hot, your battery would deplete very quickly, and you’d be using a lot of data. Moreover on iOS you could see the mic is being used and the OS would likely kill the app if it was using too many resources in the background.
So until we find an example of this actually happening, it’s not worth worrying about.
For all of these reasons, audio snooping is much more likely to be something done by wired, stationary devices that maybe have a decent amount of RAM + a fair bit of usually-idle processing capacity (to run the transcription model locally and just push the resulting text), and which are expected to draw a decent amount of power and use the Internet at vaguely-arbitrary times.
Like a smart TV, for example.
It is 1000% being done by smart TVs. They listen even when you are not using the voice remote. And the data is used to target ads (anywhere)
Do you have any evidence?
Yes of course. You can test it yourself
First thing I do is disable that feature on every TV I buy.
Second thing I do is block the TV access to internet after I do one firmware update.
Why bother with one firmware update?
Why bother with any once it’s working fine?
I figure they will reset my no microphone preferences mostly, or make it only work when online someday.
Anyhow, ain’t broke, don’t fix it!
It doesn’t need to listen all the time… just grab a few words after you put it down or hit the lock button. Or listen while you are actively using it.
Building a word cloud would be trivial and with minimal battery impact
These are all points that were brought up in the article as to why voice recording is less useful than all of the other tracking mechanisms advertisers have available
While I think that audio recording is not a thing, your economic argument is not complete.
What if only the audio of "high value" targets is recorded. Meaning people who buy a lot of stuff. So it might be worthwhile to only record their sounds. Which will explain why random testing (usually with new/clean phones) is never successful in detecting a recording event.
I think this is a genuine concern for prominent people. Like if you are Mark Zuckerberg, there is material interest in a bad actor installing malware on his laptop. But for a random person where you get low value data that may or may not let you better target some low value ads? That is much harder to justify. Would have to reevaluate as things change and the cost of compute goes down.
Television, not phone, but YouTube sure intrigued me at minimum yesterday. First, it revealed pretty clearly that even with history turned off, it will use the history of other accounts accessed from the same IP to serve recommendations anyway. Without history, it turns off the home page recommendations, but when I ran a search, it showed me completely unrelated videos from a rock climbing channel my wife had watched on another account. I have never watched any rock climbing content on this account.
The second incident was the "listening to you thing," though. Not on the phone, but on a smart television. Exterminator was there to do the quarterly spray of my house and I was showing him scars from when I fell off a skateboard trying to bomb a hill I couldn't handle late last year, talking about what happened, and not five minutes later I turn on the television, open YouTube, and the very first recommendation on my wife's account is a video of a guy falling off his longboard at 50 MPH. Not like it's some kind of secret that we both skate and I watch a lot of downhill videos on this account, but I have never once specifically searched for, watched, or even been recommended a video of a crash, until they decide to do so five minutes after I was talking about it in front of that television.
What rot.
Here’s a simple experiment I ran and still works.
Back in the day there was a truly ghastly ad for ear wax removal that showed up on YouTube in the UK.
In an experiment, and prank, I told two of my close friends about this, and how this horrid advert would kill my appetite when it came up.
And then I made it a point to repeat “ear wax removal” loudly several times.
Sure enough. A day later my dear friend messaged me with something on the lines of “I hate you”
Their phones were Android and iOS. I believe it was the Android user who suffered.
If what you're talking about is the source of the ad, why did you see the ad yourself? Were you shouting about ear wax removal at your phone?
There are millions of ways the adware running on your phones could've correlated your profile and spread the "infection" to your friend. Basic location access being the most important one, but sharing an IP address (your friends' WiFi?), being near the same Bluetooth beacons, having the same stored SSIDs, or mere coincidence that your friend saw the same ad targeting a wide demographic are much more probable than "my phone is listening 24/7".
Sure. But it's fun, and we can always replicate, just need a terrible ad.
Do note, this was tested in a park, so no shared WiFi, no Bluetooth beacons/devices. Also, this ad doesn’t/didn’t show up for others, ever.
I’m assuming like most friends you and your friends have nothing in common like interests, demographics, etc.?
And I’m assuming you also made them aware of other ads you’d seen recently so they could see if those showed up as well?
Yep. They 100% do not share an interest in ear wax removal, or had a medical need of that nature.
Why do you think I would put up a comment on HN of all places, with this degree of confidence.
> tested with other ads…
If I knew that this, was going to be needed to study, 5 years into the future, I would have conducted a double blind study. Sadly I could not, however, it’s still fun, so we can always replicate.
The question is, have you found a horrid ad yet? Side note, this was in the UK
I was kidding… Of course you and your friends share some demographics and interests—making it unsurprising that you’d get similar ads.
> The question is, have you found a horrid ad yet? Side note, this was in the UK
The question is, why does it have to be a horrid ad? Does the phone only listen for things about horrid ads to show you?
You have to know that your phone isn’t listening to you right? That it’s just a coincidence and that when you’re told to be on the lookout for an earwax ad that you’re more likely to see one, right?
You can’t be 100% confident about what you’re saying and it horrifies me that people go through such lengths to protect these… ad companies? Oh you’re just bringing some sense to the situation, right? Ad companies are the sleaziest of them all and I would not be surprised if they did stuff like this. Smart tvs, dishwashers that NEED wifi to get full functionality, phones always with me and (especially android) users accepting everything willy nilly…
Your phone might not be listening to you straight out of the box. Might. You don’t know for sure, nobody here does. Why err on the side of blissful ignorance? And then you accept 10 end-user-agreements you don’t read, install dozens of apps you don’t read the small letters of… and you think nobody had been listened to?
It’s a bigger chance it happens than that it doesn’t, in my mind. I haven’t been able to catch it using mitm proxies, but I’m not the best at that, and I haven’t a pretty virgin iphone on purpose.
> You can’t be 100% confident about what you’re saying
Yeah but I am.
If you tell me a story about your phone listening to you that you absolutely swear is true, I know you love the idea of conspiracy theories and would laugh at someone who believes in astrology. But they’re the same thing.
It’s fun to see coincidences. It’s fun to think you’ve outsmarted the man. But that’s all it is — fun.
It’s not real.
> Ad companies are the sleaziest of them all and I would not be surprised if they did stuff like this
OK prove it.
> It’s a bigger chance it happens than that it doesn’t, in my mind
OK, should be easy for someone to prove then.
Is it really more likely that this thing is happening that nobody has been able to prove or that people like to see patterns to explain the weird things in the world?
> I haven’t been able to catch it using mitm proxies
Shocker lol.
But should be easy for you to find someone who has caught them red handed, right?
man, without getting into the specifics, the vast difference in medical habits because of gender, activity levels, and the fact that I had an unusual condition which caused me to look into this, ITS EARWAX removal for fs sake.
What, are you saying that there is an ASMR or god knows what community that focuses on ear wax?
I never got those ads in my LIFE, until I had a medical need. Have you?
>why does it have to be a horrid ad?
Because I choose horrid ads to mess with my friends? You could try for adult teletubbies, lord knows that might exist. Whatever floats your boat, I say.
You seem to have some horse in this race, or some larger level of commitment than the simple joy of messing around with this should entail.
And holy hell, I had an example of a medical condition, an ad, in the UK, discussed in a bloody field, with no towers or other devices to listen in, and the other person did not have the same medical condition.
And yet this is not enough. And all you have to do with this, is try it out yourself. Hell - I am even suggesting this in a manner that is open to being a fun lark with friends.
I am by far the largest black hole of joy amongst the stellar folk in my orbit. This conversation is invigorating, in that you are near certainly part of my tribe.
> I never got those ads in my LIFE, until I had a medical need. Have you?
Believe it or not I don’t have the photographic recall of the ads that I see that you seem to possess.
> You could try for adult teletubbies
Why don’t we both try this and report back in 24 hours when our listening phones have had the time to work their magic.
> And yet this is not enough.
That is correct. Your phone is not listening to you.
This is why “my phone is listening and I can prove it” is such a good shibboleth for lack of critical thinking skills.
Can you not see all the biases and fallacies in your own comment?
Or you told your friend about this horrible ad and they looked it up without thinking and got added to the retargeting list.
She wouldn't because she has much better things to do in life. Matter of fact, it's an ad you would never look at, just because you don't even have a need for it.
She just spent time in the park listening to you shout about it for an extended period. And she's on YouTube enough for her to be annoyed by it so it's not like she doesn't have the opportunity.
At one of my previous companies we made a moderately popular mobile app SDK that app developers would embed in their apps. We were approached by a company that claimed they had a MIT developed (or was it Bell Labs?) audio recognition technology similar to Shazam, but orders of magnitude more efficient, that would be used to recognize audio from ads and record when a user was exposed to a TV or radio ad for tracking purposes.
I don’t remember the name, that was at least 10 years ago before Apple started enforcing permissions on microphone access and showing an orange dot, but they wanted to do a revenue-share deal in exchange for us quietly bundling their SDK inside ours.
Needless to say we turned them down so we never learned more or tested the veracity of their claims, but there are some really sleazy companies out there. Modern smartphones have sufficient horsepower to do the audio processing on-device so the argument that this would show up in network traffic does not hold.
Probably something along these lines
https://www.pcworld.com/article/424417/ad-tracking-tech-uses...
I guess hackernews has an aversion to this topic: https://news.ycombinator.com/item?id=43809203
They can also store things for later upload. A phone in airplane mode still isn't safe.
Was it Alphonso?
One time my wife and I had a random conversation, utterly random, about cat hamster wheels. Like, why doesn't that exist? I got an ad for it the next day (it exists).
I don't believe that my phone is not listening to me and I challenge you to choose a random word out of the dictionary and say it 100 times in front of your phone.
>I don't believe that my phone is not listening to me and I challenge you to choose a random word out of the dictionary and say it 100 times in front of your phone.
The person making the claim should be responsible for furnishing the proof. If it's really so simple to prove, why hasn't anyone done a carefully controlled experiment proving this once and for all? At the very least, it'd move us beyond vague anecdotes on social media.
> If it's really so simple to prove, why hasn't anyone done a carefully controlled experiment proving this once and for all?
They did, and found no listening being done. It’s in the article under “The data doesn't add up”.
>One time my wife and I had a random conversation, utterly random, about cat hamster wheels. Like, why doesn't that exist? I got an ad for it the next day (it exists).
Your wife probably googled them as soon as you were done talking about them and then you using the same network got an ad for them.
> I challenge you to choose a random word out of the dictionary and say it 100 times in front of your phone.
That test has been done. It is explained at length in the article under the heading “The data doesn't add up”.
It’s too easy to check on your phone if such a thing were happening.
Your TV though… that IS listening and the TV even has options to disable it. It’s on every TV shipped in at least the last 5 years, maybe 10.
A few times per year I similarly have a conversation with my wife at night (lastly about a hair type) and the next morning a corresponding ad was presented at her at Facebook (shampoo). Only her Android phone was at the room (open, logged in Facebook in Chrome, no app). I definitely believe they hear us but they trigger the action with care and selectively, so as not to get caught (eg to low tech people, when the ad is very relevant to the need etc).
I am astonished that nobody had ever done a reverse engineering research yet.
> but they trigger the action with care and selectively, so as not to get caught (eg to low tech people
That would be an awful plan. Low tech people are the ones who most frequently complain of this because they have no basis to think it wouldn’t happen.
> I am astonished that nobody had ever done a reverse engineering research yet.
They have. It’s described in the article.
>I am astonished that nobody had ever done a reverse engineering research yet.
They have, what you think is happening has been disproven tons of times. You just don't want to believe it.
People have! They haven't found anything yet.
Was there a smart tv in the room with you during that conversation?
good point!
And then your wife went and looked them up to see if they do exist and your IP was added for retargeting.
The thing is, it's not even people doing the correlations. Just like transformers can learn most of human knowledge just by trying to predict tokens, I would not be surprised if the ad-serving machine learning systems have learned about people in similar detail.
State of the art about 10 years ago was 4 9s of accuracy predicting click-through rates from the available context (features for user profile, current website, keywords, etc.), which I interpreted as requiring a fairly accurate learned model of human behavior. I got out of that industry so I don't know what current SOTA is for adtech, but I can only imagine it is better. The models were trained on automatically labelled data (GB/s of it) based on actual recent click-through rates so the amount of training data was roughly comparable to small LLMs.
Recent anecdote; three of us were sitting around the kitchen table with our phones out chatting about an obscure new thing that had come up; it appeared in one of our FB ad streams pretty quickly.
My top guesses about how this is possible today;
1) Apps routinely link many third-party data gathering and advertising libraries. Any of these libraries could be gathering enough contextual data and reselling it to make a correlation possible. It's not just obscure thing A that triggers an ad, it's highly correlated mixtures of normal things X, Y and Z that can imply A.
2) other friends may have talked about the obscure thing recently and social network links implied we would be aware of it through them.
Distant 3) the models are actually good enough to infer speech from weird side-channels like the accelerometer when people wave their hands when they talk, etc. Accelerometer sample rate is < 1KHz but over 100Hz which may be enough, especially when you throw giant models at it.
> an obscure new thing that had come up
Since you've provided no explicit counter-evidence, I'm gonna go ahead and say I have four nines of accuracy in predicting that your smartphone was squarely in the dependency chain of any "obscure new thing" you could have imagined discussing.
Edit: wording
Kind of a weirdly sad, uncharitable assumption to make
> 4 9s of accuracy predicting click-through rates
Having a hard time parsing what that means.
Let's say the CTR for 1000000 impressions of an ad is 24.5898% and the ML predicts 25.1926%. How many 9s of accuracy is that?
This fact is important, because if an app were accessing a microphone and sending the audio to a cloud server for analysis there would be detectable traces of data consumption.
Because that's not how it works and companies like Meta know this when misleading its users about their privacy.
Speech-to-text transcription is handled on your device. They never transmit the raw audio, there's no need to. A compressed text transcription of your conversation would only generate a few kilobytes of data. You would never notice it.
And the mic needs to be active in order to receive legitimate voice commands. If it can respond to your voice, the microphone is on and listening. That's the only way it can work.
This partly explains why the recommendations I receive don't feel like mine. Multiple times, it's been obvious that the suggestions were pulled from other profiles and I could even tell whose.
My hypothesis
* The algorithms have linked my account to some others.
* They then serve me the embeddings extracted from those profiles. The near-real-time nature of this has crossed my mind more than once.
It's really unsettling, and afterwards I feel uneasy about any recommendations (all Google services, Netflix seems problematic too, not Amazon).
YouTube seems to have some hidden knobs for tuning this behaviour: after multiple negative feedbacks, the problematic content disappeared from my front page. However, the recommendations on the right-hand side of individual videos remain problematic, and the automatic playlists of YouTube Music are still strangely disturbing (even after multiple negative feedbacks).
> User permissions for a large number of apps were all enabled
This says it all. Privacy is not by default, because of soulless mega corporations, including HN which has an extremely invasive privacy policy. If you don't actively take steps to improve your privacy, they will continue to exploit it. Use GrapheneOS, it is the most private and secure mobile operating system. Nothing happens without your explicit permission, the way it should have been from the beginning.
These discussions seem to come up frequently lately. Both /e/OS and Lineage with microG provide good enough privacy for those who can't afford high-end smartphones like the Google Pixels.
The ranking would probably be:
- Pixel on GrapheneOS
- Any Android smartphone on Lineage or /e/OS
- iPhone on recent iOS (the best choice for technically illiterate people)
People concerned with privacy should avoid stock Android phones. Additionally, software only goes so far in protecting privacy. Some hygiene is also required, especially with iOS, where everything is sent to iCloud by default and E2E encryption is either not enabled by default or not available at all in some countries.
When it comes to hardware, nothing really compares to the Titan and T2 chips found in Pixels and iPhones though.
>- Pixel on GrapheneOS
>- Any Android smartphone on Lineage or /e/OS
None of those operating systems does anything for tracking/advertising SDKs in apps, which is most of where the data leaks are coming from, not google/apple. Moreover unless you're willing to go no proprietary apps (ie. most apps people actually use), you'll need google play services, which means google can still collect data on you.
Those distributions either use neutered Google Play Services through a stub reimplementation (microG), or rely on sandboxing (GOS).
Either way, Google can only collect limited data on those distributions, and you have control over them. Concerning tracking applications, yes, some hygiene and good practices are necessary, the OS can only go so far.
>including HN which has an extremely invasive privacy policy
???
What information are they getting their hands on in the first place, aside from geoip data?
>Not only does the system know exactly where you are at every moment, it knows who your friends are, what they are interested in, and who you are spending time with
This actually makes sense of an anecdote a colleague uses to say that he thinks his phone is listening to him.
I am a keen skier. He used to ski a lot, but hasn't been for several years. Around the start of ski season this year, we talked about my plans to go skiing that weekend, and later that day he started seeing skiing-related ads.
He thinks it's because his phone listened into the conversation, but it could just as easily have been that it was spending more time near my phone (I had only recently started at that job) on which I regularly search for skiing-related things like conditions reports and directions to ski areas.
Or just ski ads go out when ski season starts and he only noticed that he saw one because you had the conversation.
> but it could just as easily have been that it was spending more time near my phone (I had only recently started at that job) on which I regularly search for skiing-related things like conditions reports and directions to ski areas
Bingo! This is most certainly what happened.
I’ve spent time trying to convince my friends that their phone’s microphone is not constantly listening and running sounds through voice recognition software to isolate their voice (so the individual who owns the phone can be advertised to), then through sentiment analysis software (to inform advertisement bids), all without meaningfully affecting battery life. That is usually an uphill battle but explaining location services and the fact they don’t know what I’ve searched gets the point across better. (It is actually creepier.)
You were probably in the same place using the same IP address, and both browsed - doesn’t matter which sites you both visited, the trackers have you. You might have shown him where you were going. Ad trackers thought “I’ll serve ski ads to people that were on that IP address because somebody else looked at xyz”.
How do IP addresses work with cell towers? The WiFi where I work doesn't allow personal devices to connect, but there's reasonable 5G.
At my last 3 jobs they've had a public wifi network for staff to use for personal use.
> There is no easy way to close this privacy opening
Sure there is.
Hide screenshot taking behind permission and slap down hard apps that refuse to operate without them.
It says "screenshots of themselves". The application is responsible for rendering the screen in the first place so it fundamentally doesn't need a permission.
Now, what could reasonably be a permission is "access the internet", but our overlords don't approve of that thought.
(Contrast this to web pages, which do not render themselves and thus can sensibly be blocked from screenshotting)
Doesn't Android already have a "network" permission? On some ROMs you can enable it/disable it on install of the app even.
No, it has a "full network" permission. It's not at all difficult to bypass it if you control both ends.
GrapheneOS has that. It asks every time you install an app if it should have network permissions.
I mean yeah technically the website can’t screenshot, but it can do many functionally equivalent things.
For example, it can capture the entire DOM and send it off, including the contents of input fields that have not been submitted.
That DOM capture can be replayed on a browser to show what the user sees. So what’s the difference?
Well, blocking javascript would stop that. Noscript is a thing that some people use.
For an increasing plurality (possibly even majority at this point) of sites where the purpose is not purely to read text, this is effectively equivalent to saying "you can just not use the site."
uBlock Origin also has that ability.
All I/O (including timing, date/time, internet, and everything else) should be behind permissions (although some may be permitted by default, they should still be overridable). Furthermore, all I/O should allow the user to program proxy capabilities (which can be used for testing error conditions, as well as for privacy and security, and for finer permissions, and logging, and other stuff).
However, if an app wants to make a screenshot of itself, then it could do so by emulation of itself (so no permission is needed), as long as everything it displays is rendered by its own code rather than calling other functions in the system to do so.
> As far as anyone could understand, the proposed CMG system wasn't listening through a phone's microphone 24/7, instead it was using those small slivers of voice data that are recorded and uploaded to the cloud in the moments after you activate your voice assistant with a "Hey Google" or "Hey Siri" command.
That's not quite accurate. The CMG thing was very clearly a case of advertising sales people getting over-excited and thinking they could sell vaporware to customers who had bought into the common "your phone listens to you and serves you ads" conspiracy theory. They cut that out the moment it started attracting attention from outside of their potential marks. Here's a rant about that I originally posted as a series of comments elsewhere: https://simonwillison.net/2024/Sep/2/facebook-cmg/
The "Hey Google" / "Hey Siri" thing is a slightly different story. Apple settled a case out of court for $95m where the accusation was that snippets of text around the "Hey Siri" wake word had been recorded on their servers and may have been listened to by employees (or contractors) who were debugging and improving Siri's performance: https://arstechnica.com/tech-policy/2025/01/apple-agrees-to-...
The problem with that lawsuit is that the original argument included anecdotal notes about "eerily accurate targeted ads that appeared after they had just been talking about specific items". By settling, Apple gave even more fuel to those conspiracy theories.
I wrote about this a few months ago: https://simonwillison.net/2025/Jan/2/they-spy-on-you-but-not... - including a note about that general conspiracy theory and how "Convincing people of this is basically impossible. It doesn’t matter how good your argument is, if someone has ever seen an ad that relates to their previous voice conversation they are likely convinced and there’s nothing you can do to talk them out of it."
... all of that said, I 100% agree with the general message of this article - the "truth is more disturbing" bit. Facebook can target you ads spookily well because they have a vast amount of data about you collected by correlating your activity across multiple sources. If they have your email address or phone number they can use that to match up your behaviour from all sorts of other sources. THAT's the creepy thing that people need to understand is happening.
"Convincing people of this is basically impossible. It doesn’t matter how good your argument is, if someone has ever seen an ad that relates to their previous voice conversation they are likely convinced and there’s nothing you can do to talk them out of it."
It sounds more like we have evidence of what we believe, you think we should toss the evidence for your counter-theory, and people won't do that. We also have an effect where tons of people experienced this. You want us to toss that, too.
"You don’t notice the hundreds of times a day you say something and don’t see a relevant advert a short time later. You see thousands of ads a day, can you remember what any of them are?"
On Facebook, during one period this happened, they were only showing me ads for Hotworx and a massage place every time. Trying to stay pure minded following Jesus Christ means I avoid such ads. So, it was strange that it's all they showed me. Then, strange the only break from the pattern was showing unlikely topics we just talked about in person.
So, I'm going to stick with the theory that they were listening since it best fit the evidence. I don't know why they'd do it. Prior reports long ago said they used to use ML (computer vision) to profile people outside of the platform who showed up in your pics.
I'll note another explanation. Instead of always listening, they could have done it to a random segment of people who were rarely clicking ads. Just occasionally, too. We wouldn't see the capability in use all the time. A feature tested or used on a subset of users.
Also, these companies keep spying on us in increasingly creative and dishonest ways. If anyone is to be blamed, it's them.
Thank you for illustrating my point so perfectly.
My younger bro is convinced phones are eavesdropping on conversations and got particularly paranoid (I thought) a year or so back in regard to talking in earshot of his phone.
His evidence is empirical - Apparently he gets pretty high with friends and shit talks - but when the search started to suggest some pretty way out things along the same lines, he landed that their conversations weren't private any more.
So I have an understanding of how much tracking is going on so I pressed him on that. But he assured me it was stuff he would not even bother to look up in a clearer mindset and of course smoking recreationally for a very long time knows not to go near some tools that could land himself trouble or awkward explanations. That's probably true he says a lot of stuff that a half decent search would put him straight. In the end I just figured loose permissions of one of the many apps he's installed and that's how they (the app) make their money, selling illegally obtained data to more legal sources.
Permissions are the problem with Android phones - there needs to be a specific install route for users, one that the app starts asking for things it should not need to have access to, the installer refuses to install and suggests the user look for something better. Camera apps for example really don't need access to communication channels, if it's updates it needs, it can ask - one time access.
Something I discovered when going down this rabbit hole is that if you had that conversation in your house and your visitors have access to your wifi, it may be that they performed the search without you knowing, and your ISP connected that data to you and sold it (as they do).
Location location location.
- User 1 shows an interest in <topic>.
- User 1 visits the same location, for the same period of time, as user 2.
- So I show an ad for <topic> to user 2.
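The three steps in the comment above, worked through as an added example that is not part of the original thread. The device names, place ids, visit times and the one-hour threshold are all constructed assumptions; the point is that the inference needs only location history and one person's browsing, and no microphone.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations


def t(hhmm):
    """Helper: a time on one constructed sample day."""
    return datetime.strptime("2025-01-10 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample data: (device, coarse place id, arrival, departure).
VISITS = [
    ("user1", "office-4f", t("09:00"), t("17:00")),
    ("user2", "office-4f", t("09:30"), t("16:30")),
    ("user3", "office-4f", t("12:00"), t("12:05")),  # courier, 5 minutes
    ("user1", "cafe", t("17:10"), t("17:40")),
    ("user2", "cafe", t("17:15"), t("17:35")),
]

# Constructed: topics each device showed interest in on its own
# (searches, page views). user4 has location access denied: no visits.
INTERESTS = {
    "user1": {"ski conditions"},
    "user2": set(),
    "user3": set(),
    "user4": set(),
}


def co_presence(visits):
    """Total time each pair of devices spent in the same place at once."""
    by_place = defaultdict(list)
    for device, place, start, end in visits:
        by_place[place].append((device, start, end))
    shared = defaultdict(timedelta)
    for stays in by_place.values():
        for (d1, s1, e1), (d2, s2, e2) in combinations(stays, 2):
            if d1 == d2:
                continue
            overlap = min(e1, e2) - max(s1, s2)
            if overlap > timedelta(0):
                shared[frozenset((d1, d2))] += overlap
    return dict(shared)


def inferred_interests(visits, interests, min_shared=timedelta(hours=1)):
    """Topics attributed to a device only because of who it sat near."""
    inferred = {device: set() for device in interests}
    for pair, shared in co_presence(visits).items():
        if shared < min_shared:
            continue  # brief overlap: treated as strangers passing by
        a, b = tuple(pair)
        own_a = interests.get(a, set())
        own_b = interests.get(b, set())
        inferred.setdefault(a, set()).update(own_b - own_a)
        inferred.setdefault(b, set()).update(own_a - own_b)
    return inferred


if __name__ == "__main__":
    for device, topics in sorted(inferred_interests(VISITS, INTERESTS).items()):
        print(device, sorted(topics))
```

Removing user2's rows from `VISITS` (no location history available for that device) removes the inferred topic as well, which is why the location permission matters more here than the microphone permission.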
How would your ISP connect that data if every search engine uses HTTPS now, so there's no way for the ISP to see what you were searching for?
DNS lookups are still frequently in the clear, and even if they're not, that just means you're trusting some DNS-over-HTTPS provider. The incentives are perverse.
And of course whoever you are performing your search with, like, oh, an ad company like Google, Meta, or Facebook? They just might use that search data for something.
Exactly. Google or Meta can correlate behavioral data like this. Your ISP cannot do that by intercepting your searches.
I care about accuracy when it comes to privacy conversations. I don't want people wasting their time on theories that aren't true when they should be focusing on the real issues at stake.
For what it's worth, the ISP may not know the search terms entered, but it can see "google.com" followed by "itchybuttcream.net" when people click the first results. The data will grow more granular over time as users click the second or even third result on Google.
On WiFi you control, this risk can be mitigated (force DNS to your own server that uses ODoH or similar) but for most people ISPs are still sitting on data gold mines obtained from passively observing DNS.
They can still get the hostname of the server you're connecting to through SNI, and that's far harder to hide. Most sites aren't using eSNI/ECH.
It's not the ISP that's connecting you together, it's google. If two people are on the same network and one of them is searching for something, it's going to affect the other person's ads too.
Yeah, it's Google and Facebook - not the ISP.
His phone would have to be running a hotspot for any visitors (in many parts of the rural area in my locale, mobile data is it for the internet) but if any visitors were with the same carrier network, visitors could have searched. However it's entirely improbable any of his buddies would be on their phone while they're there unless it was a legit interest. Secondly this is stuff from what I gathered, some of it is stuff that no one would really even think exists - it's shit talk speculation that's out past the black stump - no one once they're back to earth is ever going to bother to look up even a small aspect of it.
In his case a realistic answer falls towards loose or sneaky permissions in regard of an app that have slipped through that have allowed a weird conversation to influence suggestions in internet activity later on.
However for more grounded subject matters, the more probable strange coincidences falls to queries and visits to the net being scraped by external API and content (fonts scripts etc) providers. I've no idea how much meaningful info would normally be shared between the site and third party providers that seemingly need to be contacted while a site loads.
I’m basing my reasoning on the assumption that advertisers (such as Google, Meta, TikTok) are aware of your location at all times. (See: https://news.ycombinator.com/item?id=42909921)
Based on this assumption, it wouldn’t be necessary for any of your friends to search for the topic during an evening together.. it would simply be enough that one of the friends showed some interest in the topic prior to the hangout (searched for something, read a blog, stopped for too long on an instagram reel).
Then, during an evening together, your phones all share the same location (and possibly movement). That’s enough for advertisers to suspect there’s some relationship there. Enough of an association to attempt an ad placement (or instagram reel) for a particular obscure topic.
I'd agree on assuming that certain apps do or try as best they can with an aim to track not only location but presence of other WiFi and Bluetooth device ids with time stamps, to help build patterns and a unique fingerprint for marketing purposes - on the basis it can once the app is given (accidentally perhaps) the necessary permissions.
As such, if location or device id data were available to build a larger picture, for any sort of common topic I'd agree the advertising could easily be a result of data analysis of various subsets of phones in a given region, applying algorithms and feeding it back into search results.
However like I said, the stuff was apparently way way out there zany - he assured me he would never bother searching for it. So zany in fact no one would ever bother. For all I know he may have ruled out other people and have just been talking to his pet dog and various other tame native animals that hang around his verandah. I would tend to believe way way out there as after a small smoke around me he's dribbling worthless bs. There's no low bar on my part either - something like if polka dot dogs exist I could accept as something that might / could be searched the next day by anyone who was involved in such an out there conversation, and as a result skew search results.
Anyhow I'm settled on it's one of the many worthless apps on his phone that exists because a website is not desktop friendly - as they say if the service is free, you're the product ...
That's true. I had to rule that out by only counting instances when my friends and I were alone. If not, or Wifi is open, then who knows.
> Apparently he gets pretty high with friends and shit talks - but when the search started to suggest some pretty way out things along the same lines, he landed that their conversations weren't private any more.
I had an experience like this several years ago. I was having dinner with a customer, and one of the guys brought up this story about how he went to school with someone who got caught cheating on Who Wants to be a Millionaire. Later, back at my hotel, I pulled up YouTube and the first recommended video was of the guy who got caught cheating on the game show. I had not searched for this during the conversation (or prior) nor do I watch game show videos on YouTube, or cheating scandal videos on YouTube.
Here's what I think happened: somebody at the dinner googled it, and the video got recommended based either on geo-location data (we were in close proximity) or because the person who googled it was in my phone contacts, or maybe both. But, I don't think Google/Youtube was recording anyone's conversation to make that recommendation.
It could also be that YouTube started recommending this video to people for whatever reason, which was why it was on this guy’s mind.
Anything is possible, but he didn't start the conversation about cheating. Someone else brought up something to the effect of they thought game shows were fake, then he told his story and a third person at the table searched for and showed the video.
> Permissions are the problem with Android phones - there needs to be a specific install route for users, one that the app starts asking for things it should not need to have access to, the installer refuses to install and suggests the user look for something better. Camera apps for example really don't need access to communication channels, if it's updates it needs, it can ask - one time access.
I definitely don't want my phone making those decisions for me; I want my phone enabling me to make decisions. The app asks for permissions, I say no, and, rather than ratting me out to the app, my phone does its best to pretend to the app that it (the app) has the permission it wants, say by giving an empty contact book or whatever. (I know rooted phones can do this, but it shouldn't have to be something I have to fight my phone for.)
This matches up with my exact thoughts too. My old phone was an Android, and it was quite old in that the manufacturer hadn't updated it in a while. There were times when speaking about something would give me ads relating to it on Google, or posts in Instagram's case.
Then I got an iPhone and it stopped completely. My wife has a newer Android phone and the same things happen to her.
Now, I swear I read a few years ago that Facebook have teams to deliberately look for vulnerabilities to exploit, as well as things such as this: https://x.com/ashk4n/status/1070349123516170240.
So my personal conclusion(s) is this: 1. There are vulnerabilities in older (if not current) Android versions which companies like Meta exploit to eavesdrop at all times, or at least while the app is not closed. 2. Most people just provide the 'While using the App' or 'Always allow' permissions for the microphone/camera, so this basically gives permission for them to do that regardless, even if it's not what those permissions were requested for (sending a voice message, taking a picture to post etc), BUT now there are status lights for when apps are using the microphone/camera which I never noticed being activated on my wife's phone when using it, unless for the correct reasons.
Between all the apps people use daily which is pretty much Instagram/Twitter/TikTok/WhatsApp, microphone permissions tend to be enabled, and if they are, then most of someone's screen time is on an app with those permissions. Not to mention the 'Google' app on Android phones which seems to have every single permission enabled at all times that perpetually runs.
Sorry, but I'm not buying the "someone else in your home searched something similar" or "ads are so advanced that they can predict what you want" etc excuses. I'm extremely careful with what I search. I have never experienced this once I switched to an iPhone, but I have experienced it too many times when on Android.
He’s right and everyone knows it. It's pretty blatant and there have been lawsuits settled rather than go to a trial that would surely reveal the extent to which this thing that’s obviously happening is happening.
https://www.sfchronicle.com/bayarea/article/apple-siri-priva...
I attempted to debunk that one here (an admittedly impossible task but I can't help myself trying): https://simonwillison.net/2025/Jan/2/they-spy-on-you-but-not...
A swan can't stop a hurricane
OK wow that actually fits here. https://simonwillison.net/2025/Apr/23/meaning-slop/
Searching for that phrase now shows your blog post as the top reference, and the AI overview now says it's a "nonsensical phrase used to illustrate how search engines can generate misleading or fabricated explanations for arbitrary inputs"! :O
man google's ai uses context clues better than some people I know. I kinda wish it wouldn't though, because it gives somewhat real sounding answers to things like that that actually have a different meaning because of historical and cultural context that it's not aware of. it should let you know when it's making something up using its limited awareness of word meanings vs something that's an actual phrase that people use.
lol so it's getting that bad. Assigning meaning to random phrases is BS. If it keeps on going it'll start attributing meaning to misspelled words.
LLMs are only as good or bad as they are created - or their function / parameters? Google got real sad mid 00s - it's all about the money now isn't it.
Topic recently [1] re Google A.I. BSing.
[1] https://news.ycombinator.com/item?id=43748171 ('Epistemological Slop: Lies, Damned Lies, and Google' - <newcartographies.com>)
Isn't this how proverbs come to life? "Bob's your uncle" - all these proverbs are made up...
Yes people are creative and time to time come up with phrases, comments or sayings that catch on. It's how popular jokes start out as well.
I'm not sure if you first thought it up or just repeated the term - as I see simonw meaning-slop link was posted as a separate post at HN 2 days ago.
However it's certainly bad when some piss poor LLM starts flogging some nonce as a meaning. For example when using less well documented idioms or terminology - google sadly isn't that great any more at finding stuff, so ... not good if it just makes stuff up instead. New creative stuff, sometimes people can get the gist of it but all the same no one wants the likes of a search assistant vomiting all over it.
I read it two days ago and found it fitting :)
I see your point - when LLMs just make stuff up to be helpful.
It is irrelevant. The suggestion that spying is for advertisement makes no difference.
That idea only exists to create fake two-dimensional anti-capitalist rhetoric, which is a rhetoric easier to put down than the fact that privacy does not exist anymore.
So, I am supposed to do this. To "correct you" and look very lunatic.
It serves, however, a very specific goal. First, it cannot be copied en masse. If this behavior is copied (even as a meme), it implies doom to the easier to defeat anti-capitalist rhetoric and the birth of a true 3D anti-capitalist rhetoric. It can only be mocked (smoking guy pointing to a conspiracy board), but that mockery is getting real serious real fast now.
Can I dive deeper into the mechanics of how this is gonna go?
We had so many chances, of doing good. You all had so many chances.
He is right, all modern phone brands are surveillance devices furnished to provide the OEM with identifying data: https://arstechnica.com/tech-policy/2023/12/apple-admits-to-...
Keep thinking it's merely correlation while the US military bans phones from the SCIF…
Doesn't it have to listen to everything to capture the wake word "hey siri"? How else is it done?
The iPhone has dedicated low-power on-device hardware that is trained to pick up "Hey Siri" exclusively. It only wakes up the rest of the device and captures additional audio after that wake word has been triggered.
https://machinelearning.apple.com/research/voice-trigger
https://machinelearning.apple.com/research/hey-siri
>pick up "Hey Siri" exclusively
until it isn't. anything apple is proprietary and any feature could silently change at any time even for only specific devices/user.
https://web.archive.org/web/20250415140321/https://www.thegu...
If "the truth is more disturbing", then why do people seem to care about "secretly listening" but not about "the truth" (data collection)? Perhaps because the US has state and federal laws against wiretapping. Perhaps the difference is consent. Arguably so-called "tech" companies have obtained consent to collect data ("the truth"). But have they obtained consent to "secretly listen" to private conversations?
Pretty much every time I add a new contact to my phone I start to get really strange ads online. I figured it out when I added a guy who's retiring from the army. I started getting retirement ads for soldiers.
Then, I add a guy I loosely know and what do I start seeing? Cocaine rehab ads. I shit you not. It's not hard to argue that this is more than a minor privacy violation.
The phone is listening. Services like Shazam and Alphonso are constantly fingerprinting audio from the mics and sending these fingerprints up for "matching".
What are they matching against? Against key "content".
To check if the fingerprints from your phone mic match the "content" they have to do some kind of nearest neighbor search. What if the fingerprints aren't super close but they're somewhat close? To "content" related to certain products? Should we send the ad?
What if employees at Alphonso and Shazam _know_ that the fingerprints from your phone aren't quite close enough to have been generated from key monetizable samples of the "content", but also know that they are close enough to be effective? At targeting potential buyers?
Who decides how close is close enough? What's the ethical threshold here? And what's the most profitable threshold?
> The phone is listening. Services like Shazam and Alphonso are constantly fingerprinting audio from the mics and sending these fingerprints up for "matching".
Could you please provide a source for this?
Just on the outset this sounds pretty wild if true. In the settings I do not see any permissions associated with Shazam, and only when I open it do I see the usual microphone indicator light up.
I will say though, it is weird that it doesn't have associated permissions listed, because clearly it can access the mic at least when it's open.
Edit: nevermind, found it, was just super hidden. But yeah, says it can only access it when the app is "in use". Now can it auto launch? Apparently also yes, after boot. Otherwise idk. It's further interesting I cannot tweak any of these permissions.
Edit #2: now it says that notifications are enabled for it, but then I check, and they aren't. I exercise the toggle, now it doesn't say that anymore, and the mic permissions are no longer hidden? Samsung please...
No amount of years in tech will rid me of tech pains it seems.
Pixel phones have a built in background audio fingerprinting service called "Now Playing" which can operate constantly.
Shazam has an "auto shazam" feature you can enable for constant background listening, since 2016 at least!
But look into Alphonso. That's like Shazam but explicitly for covert "content recognition" listening in microphone enabled apps. And it's old.
People who say it's too expensive or impractical to do bulk listening for ad-tech just aren't paying attention.
> Pixel phones have a built in background audio fingerprinting service called "Now Playing" which can operate constantly.
That's interesting. Although can and does are very different things - appears to be a feature you turn on yourself. Upon a surface level research, I also found it to rely on an offline music fingerprint database, suggesting it doesn't retain and send off the audio it records, or metadata it extracted from them.
> Shazam has an "auto shazam" feature you can enable for constant background listening, since 2016 at least!
This is again a can vs. does difference.
Shazam only records when you open it.
Not necessarily: https://lifehacker.com/shazam-can-now-automatically-identify...
I get all the proximity-based aggregation, and creating graphs of relationships to leak content between personal "algorithms" (dislike that wording but that's the colloquial usage), and tracking between sites + social networks, and all the basic stuff ... but can somebody explain how I immediately get served ads relevant to text typed into (presumably-encrypted) iMessage conversations?
I also have a couple distinct memories of getting served ads for products I've never searched for or never bought before, after I either bought it in a store or, even weirder, literally just picked it up, looked at it, and put it back on the shelf in a store?
I can craft some kind of super-surveillance-state theory as to how you could achieve that, but it feels very unlikely to be deployed at a small CVS lol
Anyways, these might just be coincidences but still perplexing to understand how it's done.
My guess on iMessages is that the ads are actually tracking your friend (or other person at your location) looking up details/a link to use in the iMessage conversation. And that only works some percentage of the time, but that's the percent you notice.
> how I immediately get served ads relevant to text typed into (presumably-encrypted) iMessage conversations?
Are you using a third party keyboard? Or any apps you don't 100% trust if you sent the message from a Mac?
Nope, regular iOS/macOS on all ends. Literally just stock Apple Messages on devices. I just notice sometimes topics will come up (what appears to me to be randomly) and then relevant ads and/or content will appear on Instagram or web.
I guess it's possible that, to me, it appears "organic" (ex. somebody just mentions Taco Bell or whatever) but they had actually been searching on their device, and since our digital proximities are known, the next thing you know I'm Living Más lol
If you have specific situations where it's reproducible, you can record your DNS and connections on local network and try again. You can only prove/disprove that with enough experiments.
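One way to run the experiment suggested in the comment above, as an added example that is not part of the thread: compare the domains a phone resolves after "spoken keyword" trials with those it resolves after silent control trials. The log format, IP addresses, domain names and trial times are all constructed for illustration.

```python
"""Compare a device's DNS lookups after 'spoken' trials vs. silent control trials.

Everything below (log format, addresses, domains, times) is constructed sample
data; adapt parse_log() to whatever your resolver or router actually writes.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed resolver log: "ISO timestamp, client IP, queried name".
SAMPLE_LOG = """\
2025-03-01T10:00:05,192.168.1.23,time.example.net
2025-03-01T10:00:40,192.168.1.23,ads.tracker.example
2025-03-01T10:01:10,192.168.1.50,news.example.org
2025-03-01T11:00:20,192.168.1.23,time.example.net
2025-03-01T11:00:45,192.168.1.23,upload.audio.example
2025-03-01T12:00:15,192.168.1.23,ads.tracker.example
2025-03-01T13:00:30,192.168.1.23,upload.audio.example
2025-03-01T13:02:00,192.168.1.23,time.example.net
2025-03-01T13:30:00,192.168.1.23,late.example.com
"""

# Constructed trial schedule: when the keyword was spoken near the phone, and
# matching control periods in which nothing was said.
TRIALS = [
    ("2025-03-01T10:00:00", "control"),
    ("2025-03-01T11:00:00", "spoken"),
    ("2025-03-01T12:00:00", "control"),
    ("2025-03-01T13:00:00", "spoken"),
]

def parse_log(text):
    """Yield (datetime, client_ip, qname) for each well-formed line."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue  # skip malformed lines
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        yield ts, parts[1], parts[2].lower().rstrip(".")

def domains_per_condition(log_text, trials, device_ip, window_s=300):
    """Count, per condition, in how many trials each domain was queried."""
    events = [(ts, q) for ts, ip, q in parse_log(log_text) if ip == device_ip]
    seen = {"spoken": Counter(), "control": Counter()}
    for start_s, condition in trials:
        start = datetime.fromisoformat(start_s)
        end = start + timedelta(seconds=window_s)
        # A set, so a chatty domain counts once per trial.
        in_window = {q for ts, q in events if start <= ts < end}
        seen[condition].update(in_window)
    return seen

def spoken_only(seen, n_spoken, min_fraction=1.0):
    """Domains never seen in a control window but present in at least
    min_fraction of spoken windows: candidates worth a closer look."""
    return sorted(
        d for d, n in seen["spoken"].items()
        if d not in seen["control"] and n / n_spoken >= min_fraction
    )

if __name__ == "__main__":
    seen = domains_per_condition(SAMPLE_LOG, TRIALS, "192.168.1.23")
    n_spoken = sum(1 for _, c in TRIALS if c == "spoken")
    print("spoken-only domains:", spoken_only(seen, n_spoken))
```

A domain that appears only after spoken trials is a lead to investigate, not proof, and lookups that are cached or sent over encrypted DNS will not show up in a resolver log at all.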
Apple settled a lawsuit about Siri ‘unintentionally’ listening. [1] So, yes, they also can likely predict what you want based on all they do openly track… but we can no longer claim that they aren’t listening.
Based on the lawsuit and other sources, my guess is the phones build a word cloud that is then used for targeted advertising. Apple et al. aren’t recording and selling the actual audio… but they are listening.
[1] https://www.reuters.com/legal/apple-pay-95-million-settle-si...
There's a nation proud of overspinning enrichment turbines with a complicated computer virus that can even work offline. No conspiracy, that's just Stuxnet.
So, when you start learning about tech, you get paranoid. If you're not, it's even weirder.
The fact that someone can target you, individually, is undisputable. Whether it will or not, that's another question.
What I can recommend if you think you are being observed, is to avoid the common pitfalls:
Don't go full isolationist living without technology. That is a trap. There is nowhere to hide anyway.
Strange new friends who are super into what you do? Trap.
You were never good with girls but one is seemingly into you, despite you being an ugly ass dirty computer nerd? That is a trap. Especially online but not limited to it.
Go ahead, be paranoid. When an article comes to probe how paranoid you are, go ahead and explain exactly how paranoid you have become.
But live a normal life nonetheless, unaffected by those things. Allow yourself to laugh, and be cool with it.
Hundreds of clone accounts doxxing me? Well, thanks for the free decoys.
Constant surveillance? Well, thank you for uploading my soul free of charge to super protected servers.
Dodgy counter arguments in everything I care to discuss? Sounds like training.
The paranoid optimist is quite an underrated character. I don't see many of those around.
Sounds like the age old adage: if it's too good to be true, it is.
I also tend to be very skeptical towards popular sayings. Sometimes, they fail.
"true" in the sense you used here. Have you thought about what it means in that context?
We live in an age full of fear of missing out baits and reversed versions of such. There is no sense of "oh, this is good for me" that can be relied upon (implied in the original comment, you are going to find it), although there are sayings.
If it sounds too good to be true, it probably is. Otherwise it's just a tautology.
There is a list of things I keep under profound consideration always.
Information that travels backwards in time is one of them. I have a pretty good idea on how it could be possible and who would have the resources to do it.
God is also another. However, I am a very unorthodox student of religion. I deeply respect anyone that uses it to foster a good behavior. Whoever uses it to trick others, I tend to see more as an act of hostility towards innocent believers. Like, if someone tries to put me into a religion mindset just to fuck with me, it's a dick move.
What I know for sure is that God would not make mistakes. Whatever monitors me, does. It did so many times. I know it embarrasses them. It's delightful in that sense. So, yeah. God might exist, but I ain't talking about it when I describe paranoia.
Another thing that is quite recent in my studies is psychology and how we are all so vulnerable to it. I started to despise it a little bit. How come it never solved so many issues? How come it seems to put them to evidence but not fix them, and by putting them to evidence, make them worse?
Anyway. Do you want even more paranoia? If you like it, I should be supposed to charge for it, you know.
I seem to recall that state of the art audio encoding can compress voice to 8kbit/s which is a single packet per second, insignificant compared to how chatty your device is. Trivial to buffer and send during a period of activity. It sums to 1.7MB over the 30 minute window in the article graphs which should be visible if it is actually counted. Why would Apple or Google actually make it count though? They want to spy on you either for their own benefit or because the government forces them to. You say you found it taking screenshots and phoning them home. Of course! It is a surveillance device. Is it worse? Maybe. You should consider it sends everything home. Every keystroke, every touch of the screen, every sample of the accelerometers, every sample of audio. Perhaps only the sheer quantity of data in video prevents them from sending it all. Might be "remedied" with 5G bandwidth.
Audio, screenshots, and some of the other stuff I can believe, but I think batteries need a big upgrade before the data snatchers can get away with streaming video, even at a low bitrate.
I'm also not sure how easy keylogging is these days, is there even a permission that allows it? I suppose there are ways to do it with custom keyboards. Google/Apple doing it themselves would be a pretty big deal.
I think everyone acknowledges that Chrome sends every keystroke in the address bar home. I don't keep up with the spyware so perhaps it is now every keystroke in the rest of the browser. It isn't much of a leap further that their operating system does the same.
Knowing how digital advertising works, it's more likely that a payload is delivered to the phone in some app or by the OS or by the browser that has a dictionary of keywords paid for to be associated with specific ad campaigns. If the device detects that term (via sound, search, or media) it triggers a message home as an analytics to target you and your device now calls for those campaigns.
If it works like that, why aren't the app companies describing exactly how it works to advertisers in order to earn their business?
They describe how everything else they do works in great detail if you're someone who buys ads.
What makes you think the raw audio stream needs to be sent anywhere? Modern phones are capable of doing keyword extraction on-device.
You need to know what keywords to listen for before discarding the audio data. An advertising giant might know but a government doesn't.
This conspiracy theory has been around for a lot longer than phone hardware has been capable of doing that.
The Chrome Browser can transcribe audio into text, with what I consider good accuracy. It's well out of the realm of a conspiracy theory when it's been demonstrable for a couple decades.
Don't forget energy usage. The phone would need to be on high power mode all the time to run those kinds of algorithms. There's a reason "Hey Siri" has dedicated low-power hardware - it means it can work without burning through the battery.
> it can work without burning through the battery.
It can work by burning through the battery. When you have a browser open or any number of apps, some of them are certainly detecting.
If that were true why are cell phone voice calls still so terrible?
Because cellular carriers keep the same pace as a snail on vacation.
I’ve said it before and will reinforce it cause once again no one brings it up in the comments. People report the phone is listening to them because they talked about <insert> and now they are seeing ads for it. What they may not realise is they are talking about <insert> because subliminally the ad worked they just never noticed it. Now they have. The ad was there first like a little virus worming in your brain and then you bring it up with friends thinking it an original thought.
Definitely possible… but Apple was successfully sued for ‘unintentionally’ listening. They didn’t admit guilt but settled.
https://www.reuters.com/legal/apple-pay-95-million-settle-si...
It is in fact listening to you, at least if you have an iPhone: https://www.lemonde.fr/en/pixels/article/2025/02/14/apple-ta...
That was a stupid study. Phones know if they are being used - the phones for 3 days around ads is meaningless.
Tracking isn't all the time - that would be tough. They do record stuff when you're doing certain things tho...
It's not impossible at all, actually it's rather easy if you have access to their actual online activity too.
I think it would be interesting to try to do a "constructive debunking" - try to build a system yourself that uses a tampered phone and constantly records and transcribes all audio around it, without being obviously detectable by battery drain, CPU usage or network traffic.
Variants/difficulty levels could be about: capture everything, or just keywords? What if you have a million keywords? Transcribe on-device or in the cloud? Can you do it just inside an app or do you need OS support/root access? Etc etc.
Would be interesting to see what can be done at all and how easy or difficult it would be to detect.
Comparing a small project like that with the vast cyberstalking industry we call advertising today isn't going to yield similar results if the conspiracy theory is true. I can make a full tracker that drains the battery like crazy but that doesn't mean the smartypants who know when women are pregnant weeks before they do themselves can't come up with a system that's more efficient with acceptable data granularity.
Worst case scenario you succeed, and you've built yourself the torment nexus. If you publish your results, you'll have to publish the torment nexus to prove you don't have anything up your sleeve, making the world slightly worse for everyone else now that there's an accessible torment nexus ready to go. If you don't publish your torment nexus, nobody will believe you. Hell, if you succeed, you might've actually invented the thing! At best, the result of your success is knowing for sure you _could_ be spied upon any time, anywhere.
There's probably a much easier method to know for sure: work for advertising companies and learn their secrets.
Good points. Though there are other options - e.g. build a proof-of-concept in a closed environment, e.g. as a university project, demonstrate it with a small (but still sufficiently large) group of people, so you have witnesses and publish a paper about it.
I know the prevailing wisdom is to always publish your code with a paper, to ensure maximum reproducibility, but this would be a valid case where you DON'T want to make reproducibility easy.
It's essentially the same dilemma that security research already has today: You want active research into vulnerabilities to be able to close them, at the same time you don't want people abusing your research to exploit them.
There is also the point of how feasible such a system would be to deploy on new phones. E.g. if you require a rooted phone and a custom Android image, chances are relatively slim your system will be used in the wild.
If our popular phone operating systems were worth anything and actually acted as an agent for the user that owned them, they'd allow anyone to easily track and prevent this.
Does anyone recall the national discussions surrounding what constituted metadata following 9/11 when ThinThread and Trailblazer were brought to public attention?
I also recall reading about members of the TIA "Total Information Awareness" program leaving to join advisory boards for rising social media platforms, Facebook most notably. These weren't tinfoil opeds in fringe outlets, but regular reporting by journalists published in trusted local newspapers.
Are there any outlets left who aren't part of consolidated media groups that can or do still track and report on movements like this? I'm having trouble finding original articles that haven't been "revised for historical accuracy" or hidden behind paywalls of the few entities that remain.
Edit: For context, I was looking for the earliest articles about Google citing legal justification for scanning the contents of emails under a favorable interpretation of metadata that allowed for tokenization by an automated process (i.e., the contents were not read by a human or made personally identifiable, which met the letter of the law). It follows that the same justification is not limited to any source or data type, but I couldn't recall any more recent reporting or statements from companies over the last 10-15 years, or, the "don't break Google" era.
Do iOS apps also take screenshots of activity in other apps without consent? Does the platform allow it to, if yes then is there a way to block it?
They cannot.
« The article posits that the uncanny relevance of some ads is due to sophisticated data collection methods. Companies analyze user behavior, online activity, and social interactions to predict interests, making it seem as though devices are listening.
In essence, while smartphones may not be actively eavesdropping, the depth and breadth of data analytics employed by tech companies can create the illusion of such practices.»
There have definitely been cases where I have not looked up an idea at all on my devices, only mentioned it in speech at home, and the highly targeted ad shows up on mobile the next day or even that day. I would take the correlation theory if I actually left data to correlate.
This... I have had on at least 2 occasions explicitly where I know for a fact I hadn't searched or looked up this topic on any system, and I brought up a topic and talked to my roommate and within the next 12 hours FB served me ads or content relating to the topic.
I get the idea that an "always on" monitoring system would be problematic (even if you discarded the data itself and only retained/filtered relevant bits for a short period of time). But ... I have no other way to explain events like this.
I suppose some weird correlation of user has x,y,z and they searched for a,b,c in the past, and other users search for D, then we show D at exactly the 12 hour time they searched for it.
Yes I am aware of recency bias, and how perhaps it was shown other times without recognizing it. But it's... hard to shake that feeling, and I am (well less so now) a skeptic...
If it's anything it's like AI that's eerily creepy like "intelligence" but not it, just like this is "like listening" but isn't. Both use statistical models to do creepy ass shit.
Did the roommate use the same WiFi network as you, and your roommate used the WiFi to research it?
Well, since my data comes from my wife and I (we have nobody else) and we didn't look up Deadpool (ever) because she doesn't care and I don't talk to her about it because I know she doesn't care. We see Deadpool advertised playing at a theater on the marquee, so I call it out:
Me: "I would go watch Deadpool with my best friend Z if he was in town today".
Me: "Did you hear they have a Deadpool dog? Dogpool!" (saw the trailer from my desktop at work)
Wife: "I don't care about a Deadpool dog. You should definitely go see it with Z."
About 2 hours later. Ads for Deadpool litter her Facebook. Deadpool had been out for 2 weeks. Why now? Because we talked about it in the car while she was on Facebook. I've worked in Adtech since about 2005. It's the phone and/or the app. Our Google TV does the same thing, except Youtube doesn't seem to be affected by conversation. So that's something.
But why did you mention it at all?
That’s the point the article makes: That some idea is on your mind is essentially always correlated with any number of signals, some of which are visible or inferable by adtech.
Never trust these people, always know that something is going on somewhere.
it’s just ai llm snooping and doing big ol compute just like we have access to now. but advertisers had it years ago cuz they paid and at large, ads sold.
became so prevalent no differentiable value so the algos etc sought new omg human public users. magic baby. but just hungry ip sw gobbling up new worlds.
maybe. just thinking out loud.
> Even though these ad algorithms are not nearly perfect (try to pay attention to how often you are served ads that are entirely irrelevant to your interests), the simple fact that they are so eerily correct even some of the time is the real conspiracy here.
This could be intentional. Having too many accurate ads is having a bad effect, because you then enter the uncanny valley of noticing what the data collectors all know about you.
Amazon often tries to show me a dress store. I’m a guy, and I’ve never bought women’s clothing. On the surface, the ad makes no sense and is irrelevant—but what if I end up wanting to buy a dress for someone else? Then I might remember that Amazon dress shop.
This (or simple error) seems more likely to me than a conspiracy to appear less creepy, though I suppose all three could be in play.
iPhone will tell me that I have a 25m drive to get to work. Literally why? I know where I work and how long it takes. I have done it enough times for it to learn what I do at 07:30 in the morning. Is it just flexing repeatedly that it did a simple inference?
Some places, including the Bay Area where this feature was probably created, have significant variance in commute times depending on the traffic of the day so this can be a useful feature.
The commute time from SF to Cupertino is certainly not constant.
Yes my phone is listening. To almost every word, and using that information to serve me ads. I would bet my entire net worth on that, as I'm 100% certain.
A few years ago, I was fairly convinced that Google Voice was listening and punishing me for hitting "political third rail" keywords during phone calls.
On more than one occasion, I would be in a conversation with a friend of mine and things would turn political, and if I spouted just the right combination of anti-left rhetoric/keywords, our connection would drop right away -- boom.
Now why would Voice do this when other Google properties don't? I mean, they don't filter Gmail or Docs or Photos looking for subversive content and censoring it. YouTube comments, maybe.
But I figured that if they wanted, it was completely possible. Because they have proven and deployed live-transcription, and they're best at English. Not to mention, Voice is sort of a deprecated product that they don't really support. So why not throw a little havoc in there for miscreants?
The reason I was using Voice was to place phone calls from a SIM-less tablet. It seems that Voice insists on using my real phone now for routing any sort of call. So I haven't had opportunity to test the boundaries for years now. Nevertheless, I was not sorry about the possibility of censorship, I was duly chastened, and sorry I've been so brainwashed to lapse into mindless talking-point rhetoric.
bs article paid for by those big corporations.
I'm not going to ask if you actually read the article. My recommendation is to read the second half of the headline.
Tl;dr it’s not the microphone… it’s screenshots.