limbero 3 hours ago

This article reminds me of this excellent tongue-in-cheek piece of writing by Jonathan Zeller in McSweeney's:

Calm Down—Your Phone Isn’t Listening to Your Conversations. It’s Just Tracking Everything You Type, Every App You Use, Every Website You Visit, and Everywhere You Go in the Physical World

https://www.mcsweeneys.net/articles/calm-down-your-phone-isn...

Spooky23 23 minutes ago

There is so much time spent “debunking” audio recordings being shared with various entities it makes me more suspicious.

Just like Facebook’s “we never sell your data (we just stalk you and sell ads using your data)”. I’m sure there’s a similar weasel excuse… “we never listen to your audio (but we do analyze it to improve quality assurance)”

mindcrash 4 hours ago

Way back then I exposed massive data collection from Twitter by Google which made it possible to plot locations at which you used Twitter in Google Maps by simply putting your Twitter handle into the search field. Somehow they knew about these locations even when you opted out of sharing location data with Twitter (I checked) -- so this was only possible by Twitter privately providing this information to Google.

This "experiment" has since then been shut down, but exposing this and many other forms of activism permanently has cost me my Twitter account, to the point that asking to reinstate it several times because I was permanently suspended for no valid reason led to X Support directly rerouting every attempt to appeal this decision into the digital trash can.

Let's say nothing surprises me anymore.

monkeyfun 3 hours ago

Could you link to some of it? Sounds extremely interesting!

mindcrash 3 hours ago

See screenshot: https://xcancel.com/kpcuk/status/601451439215353857

Do note that at first it was assumed just Chrome was involved, but then people started to message me that they also saw it when using the apps, Firefox, Safari and other browsers as well.

monkeyfun 1 hour ago

Thanks!

immibis 4 hours ago

Doesn't every site route every support request for every reason into the digital trash can? You're supposed to just make a new account, using as many mechanisms as possible to make sure the site can't link it to your old account.

TheDong 4 hours ago

I too sell my phone and buy a new one and also get a new phone number each time I get banned

mindcrash 3 hours ago

Someone from X Support replied, basically told me to fuck off and that this would happen after my second or third appeal... so no.

hyperpape 3 hours ago

It's really indefensible to post this without linking to your research to show people what you found.

mindcrash 3 hours ago

Believe it or not, I wrote about it on my now permanently suspended Twitter account.

Here is a remnant from someone who replied at the time:

https://xcancel.com/kpcuk/status/601451439215353857

By the way: somewhat later we (thanks to a group effort) figured out it wasn't "just" Chrome as mentioned, and this basically led to the strong assumption there was some serious data sharing involved.

And yes that screenshot from this person is 100% real; my pins for example were sprinkled all across Brighton in the UK near places with Wifi access (I recently went on a city trip there at the time), and my home town in the Netherlands.

ThinkBeat 5 hours ago

At the time I am typing this, the title on the page is:

"Your phone isn’t secretly listening to you, but the truth is more disturbing"

Which is presently also the title on this post.

Then as I read it becomes clear that it is merely focusing on Facebook.

However the confusion that may stem from "Your phone isn’t secretly listening to you"

The blog post never attempts to establish that your phone is not listening to you, just that some companies may not be doing it.

The truth is that your phone may well be listening to you. There is plenty of malware / spyware that uses exploits to achieve it.

Like the NSO group¹.

Tools to do so can be bought on the malware market from other sources as well, and we must assume that Mossad, NSA, and other major intelligence agencies have tools that exceed what you can buy on the open market.

Your phone may absolutely be listening to you, but probably it is not.

¹

https://www.bloomberg.com/news/features/2023-01-24/nso-group...

https://www.britannica.com/topic/Pegasus-spyware

https://citizenlab.ca/2016/08/million-dollar-dissident-iphon...

https://newatlas.com/computers/smartphone-listening-conversa...

Etheryte 4 hours ago

In aggregate, your phone is not listening to you, but if you are of great interest to a powerful adversary, it very well might be. But at that point, I would wager that's one of the smaller things on your plate.

dist-epoch 1 hour ago

Phones today show in the status bar if the camera/microphone is active.

9dev 34 minutes ago

If you can’t trust the software, why would you trust the software? Am I supposed to rely on the hope that an attacker can take over some part of the OS, but not the one rendering a tiny blob in the status bar?

danielrhodes 4 hours ago

People seem to ignore the cost and accuracy aspects of a phone listening to you 24/7. At least with today’s constraints, it is highly unlikely to be happening.

First, the cost to transcribe audio is not free. It is computationally expensive. Any ad network or at scale service would not be able to afford it, especially in orgs where they are concerned about unit economics.

Secondly, the accuracy would be horrible. Most of the time, your phone is in your pocket and would pick up almost nothing. Moreover, it’s not like you are talking about anything of value to advertisers in most cases. Google is a money printing machine because people search with an intent to buy. The SNR of normal conversation is much much much lower. That makes the unit economics of doing this much worse.

Third, it would be pretty hard to not notice this was happening. Your phone would get hot, your battery would deplete very quickly, and you’d be using a lot of data. Moreover on iOS you could see the mic is being used and the OS would likely kill the app if it was using too many resources in the background.

So until we find an example of this actually happening, it’s not worth worrying about.

derefr 1 hour ago

For all of these reasons, audio snooping is much more likely to be something done by wired, stationary devices that maybe have a decent amount of RAM + a fair bit of usually-idle processing capacity (to run the transcription model locally and just push the resulting text), and which are expected to draw a decent amount of power and use the Internet at vaguely-arbitrary times.

Like a smart TV, for example.

scrose 3 hours ago

These are all points that were brought up in the article as to why voice recording is less useful than all of the other tracking mechanisms advertisers have available

diggernet 18 hours ago

> "Apps were automatically taking screenshots of themselves and sending them to third parties. In one case, the app took video of the screen activity and sent that information to a third party.”

> Out of over 17,000 Android apps examined, more than 9,000 had potential permissions to take screenshots. And a number of apps were found to actively be doing so, taking screenshots and sending them to third-party sources.

Which permission is that, and how do you detect which apps are doing that and stop them?

grishka 17 hours ago

There is a permission to record the screen. It requires user consent and there's an icon in the status bar while it's being used. It's impossible to use this covertly.

What I believe the article is speaking about, is an app taking screenshots of its own windows. This is obviously possible and obviously requires no permissions whatsoever. Just make a screen-sized bitmap and do

    getWindow().getDecorView().draw(new Canvas(bitmap));

It does sound believable that third-party advertising/marketing/tracking SDKs, which many apps are chock full of, could be doing this.

daveguy 17 hours ago

> It's impossible to use this covertly.

*Unless there's a zero-day that allows it.

grishka 17 hours ago

If you're going to exploit a privilege escalation vulnerability from your app, why not just grab the most interesting parts of the /data partition while you're at it?

daveguy 6 hours ago

Sure why not. I wasn't implying that a zero day that allows surreptitiously recording the phone screen is the only shitty thing that can be done with your phone with a zero day.

Also, it is possible for a zero day to break specific privileges (like screen record without notification) rather than root.

simonw 16 hours ago

Burning a zero-day like that for targeted advertising seems extremely unlikely to me.

daveguy 6 hours ago

I think you missed the point GP was making. I believe they meant the vector might come from that kind of SDK. Not that someone who had a zero day to allow surreptitiously recording phone screens would use it for that purpose.

quicklime 17 hours ago

I followed the links to the study they referenced, and it says:

> Unlike the camera and audio APIs, the APIs for taking screenshots and recording video of the screen are not protected by any permission

However they also talk about doing static analysis on 9,100 out of the 17,260 apps, to determine (amongst other things) “whether media APIs are actually referenced in the app’s code”.

They then talk about doing a dynamic analysis to see which apps actually call the APIs (rather than just link to a library that might call it, but the app never calls that function in the library).

The soundbite is bad, it shouldn’t say “had potential permissions to take screenshots”, it should just say “had the potential to take screenshots”
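The distinction drawn in the comment above, between an app that merely references a capture API and one that actually calls it, can be approximated statically by checking whether the referencing method is reachable from the app's own entry points. The sketch below is an added example, not part of the thread and not the study's tooling; the smali sample and the `com.example` / `com.vendor` names are constructed, and treating lifecycle callbacks as the only entry points is an assumption.

```python
import re
from collections import defaultdict

# Framework calls that can turn an app's own window into pixels. Matched by
# prefix because some of them (PixelCopy.request) have several overloads.
CAPTURE_APIS = (
    "Landroid/view/View;->draw(Landroid/graphics/Canvas;)V",
    "Landroid/view/View;->getDrawingCache(",
    "Landroid/view/PixelCopy;->request(",
    "Landroid/media/projection/MediaProjectionManager;->createScreenCaptureIntent(",
)
# Assumption: lifecycle callbacks stand in for "code the app really runs".
ENTRY_NAMES = {"onCreate", "onStart", "onResume"}
INVOKE_RE = re.compile(r"^invoke-[\w/]+\s+\{[^}]*\},\s*(L[^;]+;->\S+)")

# Constructed sample: one SDK path that is wired into onCreate, one that is
# only linked into the app and never called.
SAMPLE_SMALI = """
.class public Lcom/example/app/MainActivity;
.super Landroid/app/Activity;
.method protected onCreate(Landroid/os/Bundle;)V
    invoke-static {p0}, Lcom/vendor/analytics/Session;->start(Landroid/app/Activity;)V
    return-void
.end method

.class public Lcom/vendor/analytics/Session;
.method public static start(Landroid/app/Activity;)V
    invoke-virtual {p0}, Landroid/app/Activity;->getWindow()Landroid/view/Window;
    move-result-object v0
    invoke-virtual {v0}, Landroid/view/Window;->getDecorView()Landroid/view/View;
    move-result-object v0
    invoke-static {v0}, Lcom/vendor/analytics/Replay;->grab(Landroid/view/View;)V
    return-void
.end method

.class public Lcom/vendor/analytics/Replay;
.method public static grab(Landroid/view/View;)V
    invoke-virtual {p0, v1}, Landroid/view/View;->draw(Landroid/graphics/Canvas;)V
    return-void
.end method

.class public Lcom/vendor/share/Exporter;
.method public static render(Landroid/view/View;)V
    invoke-virtual {p0}, Landroid/view/View;->getDrawingCache()Landroid/graphics/Bitmap;
    return-void
.end method
"""

def build_call_graph(smali_text):
    """Map each declared method to the set of methods it invokes."""
    graph = defaultdict(set)
    cls = method = None
    for raw in smali_text.splitlines():
        line = raw.strip()
        if line.startswith(".class "):
            cls = line.split()[-1]
        elif line.startswith(".method "):
            method = f"{cls}->{line.split()[-1]}"
            graph[method]  # register methods that invoke nothing
        elif line == ".end method":
            method = None
        elif method:
            m = INVOKE_RE.match(line)
            if m:
                graph[method].add(m.group(1))
    return graph

def reachable_methods(graph):
    """Walk the graph from lifecycle callbacks; reflection and virtual
    dispatch through interfaces are not resolved, so this under-approximates."""
    stack = [m for m in graph if m.split("->")[1].split("(")[0] in ENTRY_NAMES]
    seen = set()
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(graph.get(current, ()))
    return seen

def classify_capture_sites(smali_text):
    """Label every method that references a capture API."""
    graph = build_call_graph(smali_text)
    live = reachable_methods(graph)
    return {
        method: "reachable" if method in live else "referenced-only"
        for method, callees in graph.items()
        if any(callee.startswith(CAPTURE_APIS) for callee in callees)
    }

if __name__ == "__main__":
    for site, status in classify_capture_sites(SAMPLE_SMALI).items():
        print(f"{status:16} {site}")
```

`View.draw(Canvas)` is also called by ordinary custom views, so a hit is a lead to review, not proof that frames leave the device; confirming that takes runtime observation, as the study did.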

maxlybbert 17 hours ago

I doubt there's a specific "ability to send surreptitious screen shots to developer" permission. It must be a combination of permissions: one for making network connections, another for capturing the screen without making it obvious to the user, etc.

fzzzy 5 hours ago

For apps that want to send their own screens to third parties, there's no permission needed or possible. The app is drawing the content to the screen. It knows what the content is.

jeroenhd 25 minutes ago

If you're trying to track user information (notifications, actual timezone/language, battery level, VPN usage, etc) you can use screenshots of the current screen and open keyboard. You can also see stuff from other apps if the user is using split screen modes or has chat bubbles open. Apps can otherwise only access the data they render.

The research talks about thousands of apps but I do wonder how many of these are apps people use every day and how many are Chinese clones of freemium games and other shitware with a fraction of daily users. All we know from public app store data is the number of "downloads" and even that is distributed as a range. I doubt these 19000 apps were found by doing a survey on what people actually had on their phones.

ch4s3 17 hours ago

When it's a developer tool we call it RUM or real user monitoring. It's super useful for solving bugs, but obviously the potential for abuse or user hostile activity is super high.

simonw 17 hours ago

... and is this permission to take screenshots of anything else you are doing on your phone at any time, or is it permission to take screenshots while you have that app open?

wrs 18 hours ago

BTW, "smart" TVs send screenshots too. [0]

[0] https://dl.acm.org/doi/10.1145/3646547.3689013

microflash 17 hours ago

We’ve reached the state where you can safely presume anything “smart” is violating your privacy.

EasyMark 3 hours ago

yeah, I liked the simplicity of having things on my tv, but I gave up and got an apple tv box. I was getting way too many "I was just talking about that!" ads on some of the "free" services i was watching old tv shows and movies on. I'm a pretty frugal guy for the most part but buying a separate box that doesn't sell everything you do and say to advertisers is worth it.

Spivak 16 hours ago

Anything network connected.

pixl97 6 hours ago

Everyday we seem to step closer and closer to the 'network connected smart dust' as written in some science fiction.

udev4096 2 hours ago

> User permissions for a large number of apps were all enabled

This says it all. Privacy is not by default, because of soulless mega corporations, including HN which has an extremely invasive privacy policy. If you don't actively take steps to improve your privacy, they will continue to exploit it. Use GrapheneOS, it is the most private and secure mobile operating system. Nothing happens without your explicit permission, the way it should have been from the beginning

intended 3 hours ago

What rot.

Here’s a simple experiment I ran and still works.

Back in the day there was a truly ghastly ad for ear wax removal that showed up on YouTube in the UK.

In an experiment, and prank, I told two of my close friends about this, and how this horrid advert would kill my appetite when it came up.

And then I made it a point to repeat “ear wax removal” loudly several times.

Sure enough. A day later my dear friend messaged me with something on the lines of “I hate you”

Their phones were Android and iOS. I believe it was the Android user who suffered.

jeroenhd 21 minutes ago

If what you're talking about is the source of the ad, why did you see the ad yourself? Were you shouting about ear wax removal at your phone?

There are millions of ways the adware running on your phones could've correlated your profile and spread the "infection" to your friend. Basic location access being the most important one, but sharing an IP address (your friends' WiFi?), being near the same Bluetooth beacons, having the same stored SSIDs, or mere coincidence that your friend saw the same ad targeting a wide demographic are much more probable than "my phone is listening 24/7".

intended 13 minutes ago

Sure. But it's fun, and we can always replicate, just need a terrible ad.

Do note, this was tested in a park, so no shared WiFi, no Bluetooth beacons/devices. Also, this ad doesn’t/didn’t show up for others, ever.

paulcole 2 hours ago

This is why “my phone is listening and I can prove it” is such a good shibboleth for lack of critical thinking skills.

Can you not see all the biases and fallacies in your own comment?

fmajid 11 hours ago

At one of my previous companies we made a moderately popular mobile app SDK that app developers would embed in their apps. We were approached by a company that claimed they had an MIT-developed (or was it Bell Labs?) audio recognition technology similar to Shazam, but orders of magnitude more efficient, that would be used to recognize audio from ads and record when a user was exposed to a TV or radio ad for tracking purposes.

I don’t remember the name, that was at least 10 years ago before Apple started enforcing permissions on microphone access and showing an orange dot, but they wanted to do a revenue-share deal in exchange for us quietly bundling their SDK inside ours.

Needless to say we turned them down so we never learned more or tested the veracity of their claims, but there are some really sleazy companies out there. Modern smartphones have sufficient horsepower to do the audio processing on-device so the argument that this would show up in network traffic does not hold.

pixl97 6 hours ago
macawfish 3 hours ago

The phone is listening. Services like Shazam and Alphonso are constantly fingerprinting audio from the mics and sending these fingerprints up for "matching".

What are they matching against? Against key "content".

To check if the fingerprints from your phone mic match the "content" they have to do some kind of nearest neighbor search. What if the fingerprints aren't super close but they're somewhat close? To "content" related to certain products? Should we send the ad?

What if employees at Alphonso and Shazam _know_ that the fingerprints from your phone aren't quite close enough to have been generated from key monetizable samples of the "content", but also know that they are close enough to be effective? At targeting potential buyers?

Who decides how close is close enough? What's the ethical threshold here? And what's the most profitable threshold?

dist-epoch 1 hour ago

Shazam only records when you open it.

perching_aix 1 hour ago

> The phone is listening. Services like Shazam and Alphonso are constantly fingerprinting audio from the mics and sending these fingerprints up for "matching".

Could you please provide a source for this?

Just on the outset this sounds pretty wild if true. In the settings I do not see any permissions associated with Shazam, and only when I open it do I see the usual microphone indicator light up.

I will say though, it is weird that it doesn't have associated permissions listed, because clearly it can access the mic at least when it's open.

Edit: nevermind, found it, was just super hidden. But yeah, says it can only access it when the app is "in use". Now can it auto launch? Apparently also yes, after boot. Otherwise idk. It's further interesting I cannot tweak any of these permissions.

Edit #2: now it says that notifications are enabled for it, but then i check, and they aren't. i exercise the toggle, now it doesn't say that anymore, and the mic permissions are no longer hidden? Samsung please...

No amount of years in tech will rid me of tech pains it seems.

Ichthypresbyter 6 hours ago

>Not only does the system know exactly where you are at every moment, it knows who your friends are, what they are interested in, and who you are spending time with

This actually makes sense of an anecdote a colleague uses to say that he thinks his phone is listening to him.

I am a keen skier. He used to ski a lot, but hasn't been for several years. Around the start of ski season this year, we talked about my plans to go skiing that weekend, and later that day he started seeing skiing-related ads.

He thinks it's because his phone listened into the conversation, but it could just as easily have been that it was spending more time near my phone (I had only recently started at that job) on which I regularly search for skiing-related things like conditions reports and directions to ski areas.

fsmv 6 hours ago

Or just ski ads go out when ski season starts and he only noticed that he saw one because you had the conversation.

lcnPylGDnU4H9OF 6 hours ago

> but it could just as easily have been that it was spending more time near my phone (I had only recently started at that job) on which I regularly search for skiing-related things like conditions reports and directions to ski areas

Bingo! This is most certainly what happened.

I’ve spent time trying to convince my friends that their phone’s microphone is not constantly listening and running sounds through voice recognition software to isolate their voice (so the individual who owns the phone can be advertised to), then through sentiment analysis software (to inform advertisement bids), all without meaningfully affecting battery life. That is usually an uphill battle but explaining location services and the fact they don’t know what I’ve searched gets the point across better. (It is actually creepier.)

trollied 6 hours ago

You were probably in the same place using the same IP address, and both browsed - doesn’t matter which sites you both visited, the trackers have you. You might have shown him where you were going. Ad trackers thought “I’ll serve ski ads to people that were on that IP address because somebody else looked at xyz”.

benlivengood 17 hours ago

The thing is, it's not even people doing the correlations. Just like transformers can learn most of human knowledge just by trying to predict tokens, I would not be surprised if the ad-serving machine learning systems have learned about people in similar detail.

State of the art about 10 years ago was 4 9s of accuracy predicting click-through rates from the available context (features for user profile, current website, keywords, etc.), which I interpreted as requiring a fairly accurate learned model of human behavior. I got out of that industry so I don't know what current SOTA is for adtech, but I can only imagine it is better. The models were trained on automatically labelled data (GB/s of it) based on actual recent click-through rates so the amount of training data was roughly comparable to small LLMs.

Recent anecdote; three of us were sitting around the kitchen table with our phones out chatting about an obscure new thing that had come up; it appeared in one of our FB ad streams pretty quickly.

My top guesses about how this is possible today;

1) Apps routinely link many third-party data gathering and advertising libraries. Any of these libraries could be gathering enough contextual data and reselling it to make a correlation possible. It's not just obscure thing A that triggers an ad, it's highly correlated mixtures of normal things X, Y and Z that can imply A.

2) other friends may have talked about the obscure thing recently and social network links implied we would be aware of it through them.

Distant 3) the models are actually good enough to infer speech from weird side-channels like the accelerometer when people wave their hands when they talk, etc. Accelerometer sample rate is < 1KHz but over 100Hz which may be enough, especially when you throw giant models at it.

jancsika 17 hours ago

> an obscure new thing that had come up

Since you've provided no explicit counter-evidence, I'm gonna go ahead and say I have four nines of accuracy in predicting that your smartphone was squarely in the dependency chain of any "obscure new thing" you could have imagined discussing.

Edit: wording

ajb92 4 hours ago

Kind of a weirdly sad, uncharitable assumption to make

kevinsync 4 hours ago

I get all the proximity-based aggregation, and creating graphs of relationships to leak content between personal "algorithms" (dislike that wording but that's the colloquial usage), and tracking between sites + social networks, and all the basic stuff ... but can somebody explain how I immediately get served ads relevant to text typed into (presumably-encrypted) iMessage conversations?

I also have a couple distinct memories of getting served ads for products I've never searched for or never bought before, after I either bought it in a store or, even weirder, literally just picked it up, looked at it, and put it back on the shelf in a store?

I can craft some kind of super-surveillance-state theory as to how you could achieve that, but it feels very unlikely to be deployed at a small CVS lol

Anyways, these might just be coincidences but still perplexing to understand how it's done.

HWR_14 4 hours ago

My guess on iMessages is that the ads are actually tracking your friend (or other person at your location) looking up details/a link to use in the iMessage conversation. And that only works some percentage of the time, but that's the percent you notice.

viraptor 4 hours ago

> how I immediately get served ads relevant to text typed into (presumably-encrypted) iMessage conversations?

Are you using a third party keyboard? Or any apps you don't 100% trust if you sent the message from a Mac?

kevinsync 4 hours ago

Nope, regular iOS/macOS on all ends. Literally just stock Apple Messages on devices. I just notice sometimes topics will come up (what appears to me to be randomly) and then relevant ads and/or content will appear on Instagram or web.

I guess it's possible that, to me, it appears "organic" (ex. somebody just mentions Taco Bell or whatever) but they had actually been searching on their device, and since our digital proximities are known, the next thing you know I'm Living Más lol

viraptor 4 hours ago

If you have specific situations where it's reproducible, you can record your DNS and connections on local network and try again. You can only prove/disprove that with enough experiments.
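One way to run the experiment suggested above, as an added example that is not part of the thread: log DNS queries on a resolver you control (the line format is dnsmasq's `log-queries` output), then compare what one device looks up after each trial against control windows where nothing was said. The log lines, IP addresses and `.test` domains are constructed, and the window length and repeat threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# dnsmasq log-queries line:
#   "<Mon> <day> <HH:MM:SS> dnsmasq[pid]: query[TYPE] <name> from <client>"
QUERY_RE = re.compile(
    r"^(\w{3}\s+\d+\s+[\d:]{8})\s+dnsmasq\[\d+\]:\s+query\[\w+\]\s+(\S+)\s+from\s+(\S+)$"
)

# Constructed sample: 192.168.1.23 is the phone under test.
SAMPLE_LOG = """
Mar  3 14:01:10 dnsmasq[812]: query[A] push.example-cdn.test from 192.168.1.23
Mar  3 14:02:41 dnsmasq[812]: query[A] upload.audio-sdk.test from 192.168.1.23
Mar  3 14:03:05 dnsmasq[812]: query[AAAA] news.example.test from 192.168.1.23
Mar  3 14:04:00 dnsmasq[812]: query[A] upload.audio-sdk.test from 192.168.1.40
Mar  3 15:01:30 dnsmasq[812]: query[A] push.example-cdn.test from 192.168.1.23
Mar  3 16:02:12 dnsmasq[812]: query[A] upload.audio-sdk.test from 192.168.1.23
Mar  3 16:05:00 dnsmasq[812]: query[A] push.example-cdn.test from 192.168.1.23
Mar  3 17:03:00 dnsmasq[812]: query[A] push.example-cdn.test from 192.168.1.23
"""

def at(stamp):
    """Parse a syslog-style timestamp; syslog carries no year, so all values
    land in the same default year and remain comparable."""
    return datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S")

def parse_queries(log_text, client):
    """Return [(timestamp, name)] for the queries sent by one client."""
    queries = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m and m.group(3) == client:
            queries.append((at(m.group(1)), m.group(2).lower().rstrip(".")))
    return queries

def domains_in_window(queries, start, minutes):
    end = start + timedelta(minutes=minutes)
    return {name for ts, name in queries if start <= ts < end}

def trial_only_domains(log_text, client, trials, controls, minutes=10, min_trials=2):
    """Domains the client looked up after at least `min_trials` trials and
    after none of the controls. One-off hits are dropped as noise."""
    queries = parse_queries(log_text, client)
    baseline = set().union(*(domains_in_window(queries, t, minutes) for t in controls))
    hits = Counter()
    for t in trials:
        hits.update(domains_in_window(queries, t, minutes) - baseline)
    return sorted(name for name, count in hits.items() if count >= min_trials)

if __name__ == "__main__":
    trials = [at("Mar 3 14:00:00"), at("Mar 3 16:00:00")]
    controls = [at("Mar 3 15:00:00"), at("Mar 3 17:00:00")]
    print(trial_only_domains(SAMPLE_LOG, "192.168.1.23", trials, controls))
```

A domain that survives this filter only tells you where to look next (which app owns the connection, how much data it sends); devices using DNS-over-HTTPS or hard-coded resolvers will not appear in the log at all.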

wiseowise 18 hours ago

> There is no easy way to close this privacy opening

Sure there is.

Hide screenshot taking behind permission and slap down hard apps that refuse to operate without them.

o11c 17 hours ago

It says "screenshots of themselves". The application is responsible for rendering the screen in the first place so it fundamentally doesn't need a permission.

Now, what could reasonably be a permission is "access the internet", but our overlords don't approve of that thought.

(Contrast this to web pages, which do not render themselves and thus can sensibly be blocked from screenshotting)

VerdisQuo5678 2 hours ago

Doesn't Android already have a "network" permission? On some ROMs you can even enable/disable it on install of the app

o11c 1 hour ago

No, it has a "full network" permission. It's not at all difficult to bypass it if you control both ends.

gretch 16 hours ago

I mean yeah technically the website can’t screenshot, but it can do many functionally equivalent things.

For example, it can capture the entire DOM and send it off, including the contents of input fields that have not been submitted.

That DOM capture can be replayed on a browser to show what the user sees. So what’s the difference?

Thorrez 14 hours ago

Well, blocking javascript would stop that. Noscript is a thing that some people use.

danaris 8 hours ago

For an increasing plurality (possibly even majority at this point) of sites where the purpose is not purely to read text, this is effectively equivalent to saying "you can just not use the site."

zzo38computer 15 hours ago

All I/O (including timing, date/time, internet, and everything else) should be behind permissions (although some may be permitted by default, they should still be overridable). Furthermore, all I/O should allow the user to program proxy capabilities (which can be used for testing error conditions, as well as for privacy and security, and for finer permissions, and logging, and other stuff).

However, if an app wants to make a screenshot of itself, then it could do so by emulation of itself (so no permission is needed), as long as everything it displays is rendered by its own code rather than calling other functions in the system to do so.

quijoteuniv 2 hours ago

« The article posits that the uncanny relevance of some ads is due to sophisticated data collection methods. Companies analyze user behavior, online activity, and social interactions to predict interests, making it seem as though devices are listening.

In essence, while smartphones may not be actively eavesdropping, the depth and breadth of data analytics employed by tech companies can create the illusion of such practices.»

kjkjadksj 2 hours ago

There have definitely been cases where I have not looked up an idea at all on my devices, only mentioned it in speech at home, and the highly targeted ad shows up on mobile the next day or even that day. I would take the correlation theory if I actually left data to correlate.

wormius 1 hour ago

This... I have had on at least 2 occasions explicitly where I know for a fact I hadn't searched or looked up this topic on any system, and I brought up a topic and talked to my roommate and within the next 12 hours FB served me ads or content relating to the topic.

I get the idea that an "always on" monitoring system would be problematic (even if you discarded the data itself and only retained/filtered relevant bits for a short period of time). But ... I have no other way to explain events like this.

I suppose some weird correlation of user has x,y,z and they searched for a,b,c in the past, and other users search for D, then we show D at exactly the 12 hour time they searched for it.

Yes I am aware of recency bias, and how perhaps it was shown other times without recognizing it. But it's... hard to shake that feeling, and I am (well less so now) a skeptic...

If it's anything it's like AI that's eerily creepy like "intelligence" but not it, just like this is "like listening" but isn't. Both use statistical models to do creepy ass shit.

BenjiWiebe 32 minutes ago

Did the roommate use the same WiFi network as you, and your roommate used the WiFi to research it?

twoodfin 37 minutes ago

But why did you mention it at all?

That’s the point the article makes: That some idea is on your mind is essentially always correlated with any number of signals, some of which are visible or inferable by adtech.

kjkjadksj 1 hour ago

Keep thinking it's merely correlation while the US military bans phones from the SCIF…

NemoNobody 6 hours ago

That was a stupid study. Phones know if they are being used - the phones for 3 days around ads is meaningless.

Tracking isn't all the time - that would be tough. They do record stuff when you're doing certain things tho...

It's not impossible at all, actually it's rather easy if you have access to their actual online activity too.

xg15 5 hours ago

I think it would be interesting to try to do a "constructive debunking" - try to build a system yourself that uses a tampered phone and constantly records and transcribes all audio around it, without being obviously detectable by battery drain, CPU usage or network traffic.

Variants/difficulty levels could be about: capture everything, or just keywords? What if you have a million keywords? Transcribe on-device or in the cloud? Can you do it just inside an app or do you need OS support/root access? Etc etc.

Would be interesting to see what can be done at all and how easy or difficult it would be to detect.

jeroenhd 9 minutes ago

Comparing a small project like that with the vast cyberstalking industry we call advertising today isn't going to yield similar results if the conspiracy theory is true. I can make a full tracker that drains the battery like crazy but that doesn't mean the smartypants who know when women are pregnant weeks before they do themselves can't come up with a system that's more efficient with acceptable data granularity.

Worst case scenario you succeed, and you've built yourself the torment nexus. If you publish your results, you'll have to publish the torment nexus to prove you don't have anything up your sleeve, making the world slightly worse for everyone else now that there's an accessible torment nexus ready to go. If you don't publish your torment nexus, nobody will believe you. Hell, if you succeed, you might've actually invented the thing! At best, the result of your success is knowing for sure you _could_ be spied upon any time, anywhere.

There's probably a much easier method to know for sure: work for advertising companies and learn their secrets.

anenefan 18 hours ago

My younger bro is convinced phones are eavesdropping on conversations and got particularly paranoid (I thought) a year or so back in regard to talking in earshot of his phone.

His evidence is empirical - Apparently he gets pretty high with friends and shit talks - but when the search started to suggest some pretty way out things along the same lines, he landed that their conversations weren't private any more.

So I have an understanding of how much tracking is going on so I pressed him on that. But he assured me it was stuff he would not even bother to look up in a clearer mindset and of course smoking recreationally for a very long time knows not to go near some tools that could land himself trouble or awkward explanations. That's probably true he says a lot of stuff that a half decent search would put him straight. In the end I just figured loose permissions of one of the many apps he's installed and that's how they (the app) make their money, selling illegally obtained data to more legal sources.

Permissions are the problem with Android phones - there needs to be a specific install route for users, one that the app starts asking for things it should not need to have access to, the installer refuses to install and suggests the user look for something better. Camera apps for example really don't need access to communication channels, if it's updates it needs, it can ask - one time access.

steve_adams_86 17 hours ago

Something I discovered when going down this rabbit hole is that if you had that conversation in your house and your visitors have access to your wifi, it may be that they performed the search without you knowing, and your ISP connected that data to you and sold it (as they do).

brody_hamer 17 hours ago

Location location location.

- User 1 shows an interest in <topic>.

- User 1 visits the same location, for the same period of time, as user 2.

- So I show an ad for <topic> to user 2.

simonw 17 hours ago

How would your ISP connect that data if every search engine uses HTTPS now, so there's no way for the ISP to see what you were searching for?

IggleSniggle 16 hours ago

DNS lookups are still frequently in the clear, and even if they're not, that just means you're trusting some DNS-over-HTTPS provider. The incentives are perverse.

And of course whoever you are performing your search with, like, oh, an ad company like Google, Meta, or Facebook? They just might use that search data for something.

simonw 16 hours ago

Exactly. Google or Meta can correlate behavioral data like this. Your ISP cannot do that by intercepting your searches.

I care about accuracy when it comes to privacy conversations. I don't want people wasting their time on theories that aren't true when they should be focusing on the real issues at stake.

jeroenhd 5 minutes ago

For what it's worth, the ISP may not know the search terms entered, but it can see "google.com" followed by "itchybuttcream.net" when people click the first results. The data will grow more granular over time as users click the second or even third result on Google.

On WiFi you control, this risk can be mitigated (force DNS to your own server that uses ODoH or similar) but for most people ISPs are still sitting on data gold mines obtained from passively observing DNS.

briankelly 16 hours ago

Yeah, it's Google and Facebook - not the ISP.

anenefan 4 hours ago

His phone would have to be running a hotspot for any visitors (in many parts of the rural area in my locale, mobile data is it for the internet) but if any visitors were with the same carrier network, visitors could have searched. However it's entirely improbable any of his buddies would be on their phone while they're there unless it was a legit interest. Secondly this is stuff from what I gathered, some of it is stuff that no one would really even think exists - it's shit talk speculation that's out past the black stump - no one once they're back to earth is ever going to bother to look up even a small aspect of it.

In his case a realistic answer falls towards loose or sneaky permissions in regard of an app that have slipped through that have allowed a weird conversation to influence suggestions in internet activity later on.

However for more grounded subject matters, the more probable strange coincidences fall to queries and visits to the net being scraped by external API and content (fonts, scripts etc) providers. I've no idea how much meaningful info would normally be shared between the site and third party providers that seemingly need to be contacted while a site loads.

nickpsecurity 17 hours ago

That's true. I had to rule that out by only counting instances when my friends and I were alone. If not, or Wifi is open, then who knows.

marcusb 18 hours ago

> Apparently he gets pretty high with friends and shit talks - but when the search started to suggest some pretty way out things along the same lines, he landed that their conversations weren't private any more.

I had an experience like this several years ago. I was having dinner with a customer, and one of the guys brought up this story about how he went to school with someone who got caught cheating on Who Wants to be a Millionaire. Later, back at my hotel, I pulled up YouTube and the first recommended video was of the guy who got caught cheating on the game show. I had not searched for this during the conversation (or prior) nor do I watch game show videos on YouTube, or cheating scandal videos on YouTube.

Here's what I think happened: somebody at the dinner googled it, and the video got recommended based either on geo-location data (we were in close proximity) or because the person who googled it was in my phone contacts, or maybe both. But, I don't think Google/YouTube was recording anyone's conversation to make that recommendation.

wzdd 13 hours ago

It could also be that YouTube started recommending this video to people for whatever reason, which was why it was on this guy’s mind.

marcusb 9 hours ago

Anything is possible, but he didn't start the conversation about cheating. Someone else brought up something to the effect of they thought game shows were fake, then he told his story and a third person at the table searched for and showed the video.

Argonaut998 3 hours ago

This matches up with my exact thoughts too. My old phone was an Android, and it was quite old in that the manufacturer hadn't updated it in a while. There were times when speaking about something would give me ads relating to it on Google, or posts in Instagram's case.

Then I got an iPhone and it stopped completely. My wife has a newer Android phone and the same things happen to her.

Now, I swear I read a few years ago that Facebook have teams to deliberately look for vulnerabilities to exploit, as well as things such as this: https://x.com/ashk4n/status/1070349123516170240.

So my personal conclusion(s) is this: 1. There are vulnerabilities in older (if not current) Android versions which companies like Meta exploit to eavesdrop at all times, or at least while the app is not closed. 2. Most people just provide the 'While using the App' or 'Always allow' permissions for the microphone/camera, so this basically gives permission for them to do that regardless, even if it's not what those permissions were requested for (sending a voice message, taking a picture to post etc), BUT now there are status lights for when apps are using the microphone/camera which I never noticed being activated on my wife's phone when using it, unless for the correct reasons.

Between all the apps people use daily which is pretty much Instagram/Twitter/TikTok/WhatsApp, microphone permissions tend to be enabled, and if they are, then most of someone's screen time is on an app with those permissions. Not to mention the 'Google' app on Android phones which seems to have every single permission enabled at all times that perpetually runs.

Sorry, but I'm not buying the "someone else in your home searched something similar" or "ads are so advanced that they can predict what you want" etc excuses. I'm extremely careful with what I search. I have never experienced this once I switched to an iPhone, but I have experienced it too many times when on Android.

JadeNB 18 hours ago

> Permissions are the problem with Android phones - there needs to be a specific install route for users, one that the app starts asking for things it should not need to have access to, the installer refuses to install and suggests the user look for something better. Camera apps for example really don't need access to communication channels, if it's updates it needs, it can ask - one time access.

I definitely don't want my phone making those decisions for me; I want my phone enabling me to make decisions. The app asks for permissions, I say no, and, rather than ratting me out to the app, my phone does its best to pretend to the app that it (the app) has the permission it wants, say by giving an empty contact book or whatever. (I know rooted phones can do this, but it shouldn't have to be something I have to fight my phone for.)

bigyabai 18 hours ago

He is right, all modern phone brands are surveillance devices furnished to provide the OEM with identifying data: https://arstechnica.com/tech-policy/2023/12/apple-admits-to-...

edgyquant 18 hours ago

He’s right and everyone knows it. It's pretty blatant and there have been lawsuits settled rather than go to a trial that would surely reveal the extent to which this thing that’s obviously happening is happening.

https://www.sfchronicle.com/bayarea/article/apple-siri-priva...

simonw 17 hours ago

I attempted to debunk that one here (an admittedly impossible task but I can't help myself trying): https://simonwillison.net/2025/Jan/2/they-spy-on-you-but-not...

number6 15 hours ago

A swan can't stop a hurricane

simonw 14 hours ago

OK wow that actually fits here. https://simonwillison.net/2025/Apr/23/meaning-slop/

alganet 15 hours ago

It is irrelevant. The suggestion that spying is for advertisement makes no difference.

That idea only exists to create fake two-dimensional anti-capitalist rhetoric, which is a rhetoric easier to put down than the fact that privacy does not exist anymore.

So, I am supposed to do this. To "correct you" and look very lunatic.

It serves, however, a very specific goal. First, it cannot be copied en masse. If this behavior is copied (even as a meme), it implies doom to the easier to defeat anti-capitalist rhetoric and the birth of a true 3D anti-capitalist rhetoric. It can only be mocked (smoking guy pointing to a conspiracy board), but that mockery is getting real serious real fast now.

Can I dive deeper into the mechanics of how this is gonna go?

We had so many chances, of doing good. You all had so many chances.

polskibus 6 hours ago

Do iOS apps also take screenshots of activity in other apps without consent? Does the platform allow it to, if yes then is there a way to block it?

trollied 6 hours ago

They cannot.

leumon 2 hours ago

> Even though these ad algorithms are not nearly perfect (try to pay attention to how often you are served ads that are entirely irrelevant to your interests), the simple fact that they are so eerily correct even some of the time is the real conspiracy here.

This could be intentional. Having too many accurate ads is having a bad effect, because you then enter the uncanny valley of noticing what the data collectors all know about you.

tiltowait 1 hour ago

Amazon often tries to show me a dress store. I’m a guy, and I’ve never bought women’s clothing. On the surface, the ad makes no sense and is irrelevant—but what if I end up wanting to buy a dress for someone else? Then I might remember that Amazon dress shop.

This (or simple error) seems more likely to me than a conspiracy to appear less creepy, though I suppose all three could be in play.

simonw 18 hours ago

> As far as anyone could understand, the proposed CMG system wasn't listening through a phone's microphone 24/7, instead it was using those small slivers of voice data that are recorded and uploaded to the cloud in the moments after you activate your voice assistant with a "Hey Google" or "Hey Siri" command.

That's not quite accurate. The CMG thing was very clearly a case of advertising sales people getting over-excited and thinking they could sell vaporware to customers who had bought into the common "your phone listens to you and serves you ads" conspiracy theory. They cut that out the moment it started attracting attention from outside of their potential marks. Here's a rant about that I originally posted as a series of comments elsewhere: https://simonwillison.net/2024/Sep/2/facebook-cmg/

The "Hey Google" / "Hey Siri" thing is a slightly different story. Apple settled a case out of court for $95m where the accusation was that snippets of text around the "Hey Siri" wake word had been recorded on their servers and may have been listened to by employees (or contractors) who were debugging and improving Siri's performance: https://arstechnica.com/tech-policy/2025/01/apple-agrees-to-...

The problem with that lawsuit is that the original argument included anecdotal notes about "eerily accurate targeted ads that appeared after they had just been talking about specific items". By settling, Apple gave even more fuel to those conspiracy theories.

I wrote about this a few months ago: https://simonwillison.net/2025/Jan/2/they-spy-on-you-but-not... - including a note about that general conspiracy theory and how "Convincing people of this is basically impossible. It doesn’t matter how good your argument is, if someone has ever seen an ad that relates to their previous voice conversation they are likely convinced and there’s nothing you can do to talk them out of it."

... all of that said, I 100% agree with the general message of this article - the "truth is more disturbing" bit. Facebook can target you ads spookily well because they have a vast amount of data about you collected by correlating your activity across multiple sources. If they have your email address or phone number they can use that to match up your behaviour from all sorts of other sources. THAT's the creepy thing that people need to understand is happening.

nickpsecurity 17 hours ago

"Convincing people of this is basically impossible. It doesn’t matter how good your argument is, if someone has ever seen an ad that relates to their previous voice conversation they are likely convinced and there’s nothing you can do to talk them out of it."

It sounds more like we have evidence of what we believe, you think we should toss the evidence for your counter-theory, and people won't do that. We also have an effect where tons of people experienced this. You want us to toss that, too.

"You don’t notice the hundreds of times a day you say something and don’t see a relevant advert a short time later. You see thousands of ads a day, can you remember what any of them are?"

On Facebook, during one period this happened, they were only showing me ads for Hotworx and a massage place every time. Trying to stay pure minded following Jesus Christ means I avoid such ads. So, it was strange that it's all they showed me. Then, strange the only break from the pattern was showing unlikely topics we just talked about in person.

So, I'm going to stick with the theory that they were listening since it best fit the evidence. I don't know why they'd do it. Prior reports long ago said they used to use ML (computer vision) to profile people outside of the platform who showed up in your pics.

I'll note another explanation. Instead of always listening, they could have done it to a random segment of people who were rarely clicking ads. Just occasionally, too. We wouldn't see the capability in use all the time. A feature tested or used on a subset of users.

Also, these companies keep spying on us in increasingly creative and dishonest ways. If anyone is to be blamed, it's them.

simonw 17 hours ago

Thank you for illustrating my point so perfectly.

washadjeffmad 6 hours ago

Does anyone recall the national discussions surrounding what constituted metadata following 9/11 when ThinThread and Trailblazer were brought to public attention?

I also recall reading about members of the TIA "Total Information Awareness" program leaving to join advisory boards for rising social media platforms, Facebook most notably. These weren't tinfoil opeds in fringe outlets, but regular reporting by journalists published in trusted local newspapers.

Are there any outlets left who aren't part of consolidated media groups that can or do still track and report on movements like this? I'm having trouble finding original articles that haven't been "revised for historical accuracy" or hidden behind paywalls of the few entities that remain.

Edit: For context, I was looking for the earliest articles about Google citing legal justification for scanning the contents of emails under a favorable interpretation of metadata that allowed for tokenization by an automated process (i.e., the contents were not read by a human or made personally identifiable, which met the letter of the law). It follows that the same justification is not limited to any source or data type, but I couldn't recall any more recent reporting or statements from companies over the last 10-15 years, or, the "don't break Google" era.

nonameiguess 5 hours ago

Television, not phone, but YouTube sure intrigued me at minimum yesterday. First, it revealed pretty clearly that even with history turned off, it will use the history of other accounts accessed from the same IP to serve recommendations anyway. Without history, it turns off the home page recommendations, but when I ran a search, it showed me completely unrelated videos from a rock climbing channel my wife had watched on another account. I have never watched any rock climbing content on this account.

The second incident was the "listening to you thing," though. Not on the phone, but on a smart television. Exterminator was there to do the quarterly spray of my house and I was showing him scars from when I fell off a skateboard trying to bomb a hill I couldn't handle late last year, talking about what happened, and not five minutes later I turn on the television, open YouTube, and the very first recommendation on my wife's account is a video of a guy falling off his longboard at 50 MPH. Not like it's some kind of secret that we both skate and I watch a lot of downhill videos on this account, but I have never once specifically searched for, watched, or even been recommended a video of a crash, until they decide to do so five minutes after I was talking about it in front of that television.

littlestymaar 2 hours ago

It is in fact listening to you, at least if you have an iPhone: https://www.lemonde.fr/en/pixels/article/2025/02/14/apple-ta...

titaphraz 2 hours ago

Pretty much every time I add a new contact to my phone I start to get really strange ads online. I figured it out when I added a guy who's retiring from the army. I started getting retirement ads for soldiers.

Then, I add a guy I loosely know and what do I start seeing? Cocaine rehab ads. I shit you not. It's not hard to argue that this is more than a minor privacy violation.

ivape 17 hours ago

Doesn't it have to listen to everything to capture the wake word "hey siri"? How else is it done?

simonw 17 hours ago

The iPhone has dedicated low-power on-device hardware that is trained to pick up "Hey Siri" exclusively. It only wakes up the rest of the device and captures additional audio after that wake word has been triggered.

https://machinelearning.apple.com/research/voice-trigger

https://machinelearning.apple.com/research/hey-siri

akimbostrawman 1 hour ago

> pick up "Hey Siri" exclusively

until it isn't. anything apple is proprietary and any feature could silently change at any time even for only specific devices/user.

https://web.archive.org/web/20250415140321/https://www.thegu...

keybored 1 hour ago

iPhone will tell me that I have a 25m drive to get to work. Literally why? I know where I work and how long it takes. I have done it enough times for it to learn what I do at 07:30 in the morning. Is it just flexing repeatedly that it did a simple inference?

alganet 17 hours ago

There's a nation proud of overspinning enrichment turbines with a complicated computer virus that can even work offline. No conspiracy, that's just Stuxnet.

So, when you start learning about tech, you get paranoid. If you're not, it's even weirder.

The fact that someone can target you, individually, is undisputable. Whether it will or not, that's another question.

What I can recommend if you think you are being observed, is to avoid the common pitfalls:

Don't go full isolationist living without technology. That is a trap. There is nowhere to hide anyway.

Strange new friends who are super into what you do? Trap.

You were never good with girls but one is seemingly into you, despite you being an ugly ass dirty computer nerd? That is a trap. Specially online but not limited to it.

Go ahead, be paranoid. When an article comes to probe how paranoid you are, go ahead and explain exactly how paranoid you have become.

But live a normal life nonetheless, unaffected by those things. Allow yourself to laugh, and be cool with it.

Hundreds of clone accounts doxxing me? Well, thanks for the free decoys.

Constant surveillance? Well, thank you for uploading my soul free of charge to super protected servers.

Dodgy counter arguments in everything I care to discuss? Sounds like training.

The paranoid optimist is quite an underrated character. I don't see many of those around.

Ferret7446 17 hours ago

Sounds like the age old adage: if it's too good to be true, it is.

alganet 17 hours ago

I also tend to be very skeptical towards popular sayings. Sometimes, they fail.

"true" in the sense you used here. Have you thought about what it means in that context?

We live in an age full of fear of missing out baits and reversed versions of such. There is no sense of "oh, this is good for me" that can be relied upon (implied in the original comment, you are going to find it), although there are sayings.

sadeshmukh 16 hours ago

If it sounds too good to be true, it probably is. Otherwise it's just a tautology.

Am4TIfIsER0ppos 17 hours ago

I seem to recall that state of the art audio encoding can compress voice to 8kbit/s which is a single packet per second, insignificant compared to how chatty your device is. Trivial to buffer and send during a period of activity. It sums to 1.7MB over the 30 minute window in the article graphs which should be visible if it is actually counted. Why would Apple or Google actually make it count though? They want to spy on you either for their own benefit or because the government forces them to. You say you found it taking screenshots and phoning them home. Of course! It is a surveillance device. Is it worse? Maybe. You should consider it sends everything home. Every keystroke, every touch of the screen, every sample of the accelerometers, every sample of audio. Perhaps only the sheer quantity of data in video prevents them from sending it all. Might be "remedied" with 5G bandwidth.

sampullman 17 hours ago

Audio, screenshots, and some of the other stuff I can believe, but I think batteries need a big upgrade before the data snatchers can get away with streaming video, even at a low bitrate.

I'm also not sure how easy keylogging is these days, is there even a permission that allows it? I suppose there are ways to do it with custom keyboards. Google/Apple doing it themselves would be a pretty big deal.

Am4TIfIsER0ppos 9 hours ago

I think everyone acknowledges that Chrome sends every keystroke in the address bar home. I don't keep up with the spyware so perhaps it is now every keystroke in the rest of the browser. It isn't much of a leap further that their operating system does the same.

Supermancho 16 hours ago

Knowing how digital advertising works, it's more likely that a payload is delivered to the phone in some app or by os or by browser that has a dictionary of keywords paid for to be associated with specific ad campaigns. If the device detects that term (via sound, search, or media) it triggers a message home as an analytics to target you and your device now calls for those campaigns.

simonw 14 hours ago

If it works like that, why aren't the app companies describing exactly how it works to advertisers in order to earn their business?

They describe how everything else they do works in great detail if you're someone who buys ads.

Narkov 17 hours ago

What makes you think the raw audio stream needs to be sent anywhere? Modern phones are capable of doing keyword extraction on-device.

Am4TIfIsER0ppos 9 hours ago

You need to know what keywords to listen for before discarding the audio data. An advertising giant might know but a government doesn't.

simonw 17 hours ago

This conspiracy theory has been around for a lot longer than phone hardware has been capable of doing that.

Supermancho 16 hours ago

The Chrome Browser can transcribe audio into text, with what I consider good accuracy. It's well out of the realm of a conspiracy theory when it's been demonstrable for a couple decades.

simonw 14 hours ago

Don't forget energy usage. The phone would need to be on high power mode all the time to run those kinds of algorithms. There's a reason "Hey Siri" has dedicated low-power hardware - it means it can work without burning through the battery.

Supermancho 3 hours ago

> it can work without burning through the battery.

It can work by burning through the battery. When you have a browser open or any number of apps, some of them are certainly detecting.

adolph 17 hours ago

If that were true why are cell phone voice calls still so terrible?

daneel_w 4 hours ago

Because cellular carriers keep the same pace as a snail on vacation.

ACV001 3 hours ago

bs article paid for by those big corporations.

karaterobot 3 hours ago

I'm not going to ask if you actually read the article. My recommendation is to read the second half of the headline.