NemoNobody 16 hours ago

That was a stupid study. Phones know if they are being used - the phones for 3 days around ads is meaningless.

Tracking isn't all the time - that would be tough. They do record stuff when you're doing certain things tho...

It's not impossible at all, actually it's rather easy if you have access to their actual online activity too.

xg15 15 hours ago

I think it would be interesting to try to do a "constructive debunking" - try to build a system yourself that uses a tampered phone and constantly records and transcribes all audio around it, without being obviously detectable by battery drain, CPU usage or network traffic.

Variants/difficulty levels could be about: capture everything, or just keywords? What if you have a million keywords? Transcribe on-device or in the cloud? Can you do it just inside an app or do you need OS support/root access? Etc etc.

Would be interesting to see what can be done at all and how easy or difficult it would be to detect.

jeroenhd 10 hours ago

Comparing a small project like that with the vast cyberstalking industry we call advertising today isn't going to yield similar results if the conspiracy theory is true. I can make a full tracker that drains the battery like crazy but that doesn't mean the smartypants who know when women are pregnant weeks before they do themselves can't come up with a system that's more efficient with acceptable data granularity.

Worst case scenario you succeed, and you've built yourself the torment nexus. If you publish your results, you'll have to publish the torment nexus to prove you don't have anything up your sleeve, making the world slightly worse for everyone else now that there's an accessible torment nexus ready to go. If you don't publish your torment nexus, nobody will believe you. Hell, if you succeed, you might've actually invented the thing! At best, the result of your success is knowing for sure you _could_ be spied upon any time, anywhere.

There's probably a much easier method to know for sure: work for advertising companies and learn their secrets.

xg15 9 hours ago

Good points. Though I think there are other options - e.g. build a proof-of-concept in a closed environment, e.g. as a university project, demonstrate it with a small (but still sufficiently large) group of people, so you have witnesses and publish a paper about it.

I know the prevailing wisdom is to always publish your code with a paper, to ensure maximum reproducibility, but this would be a valid case where you DON'T want to make reproducibility easy.

It's essentially the same dilemma that security research already has today: You want active research into vulnerabilities to be able to close them, at the same time you don't want people abusing your research to exploit them.

There is also the point of how feasible such a system would be to deploy on new phones. E.g. if you require a rooted phone and a custom Android image, chances are relatively slim your system will be used in the wild.