This article reminds me of this excellent tongue-in-cheek piece of writing by Jonathan Zeller in McSweeney's:
Calm Down—Your Phone Isn’t Listening to Your Conversations. It’s Just Tracking Everything You Type, Every App You Use, Every Website You Visit, and Everywhere You Go in the Physical World
There is so much time spent “debunking” audio recordings being shared with various entities it makes me more suspicious.
Just like Facebook’s “we never sell your data (we just stalk you and sell ads using your data)”. I’m sure there’s a similar weasel excuse… “we never listen to your audio (but we do analyze it to improve quality assurance)”
It’s similar with the TSA facial recognition photos. “We delete your photo immediately” but what they don’t say is that they don’t delete the biometrics from that photo.
> There is so much time spent “debunking” audio recordings being shared
Not really. 99% of the time it's someone claiming that it happens.
And it's always an anecdote, never clear proof that it happened. Let alone that it happened because of the audio and not web activity. And that the conversation was actually the cause for the ad and not the other way around.
Is it technically possible? Sure. But if so many people are so certain that it definitely happens, why didn't dozens of people already prove it with a fresh Google/Apple account and phone?
Not saying this is true, but the amount of time and effort put into saying "no one is listening to you" could be attributed to the novel 1984, where the government is actively listening to its citizens. Enough people could associate the novel with government surveillance that it's what people interpret as the most likely surveillance happening - and enough people don't understand tech that it's lost on them that a) the tech to actively listen to millions of people constantly doesn't exist at the appropriate level to be effective b) there are significantly more and far more effective ways to monitor people with current tech than via microphone. It's truly unfortunate people don't understand tech to realize what's actually possible and what is actively happening vs what they imagine could be happening
We don't "listen" to your audio, the microphone does, and your phone transcribes it to text on your device. You cannot listen to text. Therefore we don't listen to your phone audio.
There is a small list of reasons why it needs to be "debunked:"
1. Your phone is gathering data that you don't realize that it gathers.
One of the biggest examples of this is real-time location data that is brokered by cellular carriers and sold as aggregated marketing data. You don't have to give your apps permission to do anything like that because your cellular carrier can get that data regardless of your phone's OS.
2. Your phone is gathering data that you gave it permission to gather, perhaps gathering it in a way you didn't think it would do.
For example, let's say you give an app permission to read your entire photo library so that you can upload a photo. But since you gave it that permission on the OS level, it might be uploading more images than you explicitly select. Another example used to be clipboard data before the OSes asked permission for use of the clipboard. One last example is text that you enter but do not submit.
Another big aspect of this is that people don't realize how these ad networks work in real time. It's not a slow thing for an advertising company to learn something about you and react accordingly, it can happen in a few short seconds.
2. The average person doesn't have any comprehension of how easy it is for data science practices to uncover information about you based on metadata that seems benign or that you don't know exists.
Most people don't understand how your behavior in an app can be used to tell the company things you like and dislike. The TikTok algorithm is a great example, it can tell what you like just by extremely subtle inputs, how you swipe, how long you watch the video. A lot of people don't realize how many things about them aren't particularly unique and how many preferences can be tied to a really specific persona that you fall into.
A real world example of all of this put together is that I was spending a lot of time browsing appliances because I just bought one, and I went to physically visit a friend. We were talking about my new appliance, and later they got ads for that specific appliance. So, the person's reaction would naturally be "it was listening to us!!" but in reality, it is more likely that our cellular carrier or carriers knew we were physically in the same place and reported that piece of information to some kind of data broker. Consider how there are a limited amount of cellular carriers, that location data may not have needed to even exit the cellular carrier to sell this data to someone. I.e., if we both have the same cellular carrier , our company already has that information and it isn't selling it to another company, it's perhaps just telling a data broker that Person A and Person B interact with each other.
Just note that I'm not claiming this is exactly how it all works as I'm not in that industry, but the general ideas here apply. The general takeaway is that literally recording audio with a microphone just isn't necessary to derive hyper-specific things about people.
I can just say that I knew an entrepreneur in early post Y2K who developed apps to track music played in clubs in SF for folks like ASCAP, BMI, and SESAC. They gave out "free" phones (these were the small expensive candybars and nice flip/slideups) to the influencers of the day. They compressed the audio for orthogonality, and had a huge number of hashes to match. If they got more than a few consecutive matching hashes at a location that wasn't paying royalties, they got an enforcement call.
So the idea that it takes a huge amount of computing resources, battery life, permissions, or bandwidth to do matching of keywords is hilarious. That's what "siri", "hey google", "alexa" etc are all doing 24 hours a day. Just add another hundred and report them once an hour. You don't need low latency. It's just another tool in the bag!
Of course the cat food example is bad, because if they weren't looking for that you wouldn't get a response. Who would be willing to pay big for clicks on cat food. Now bariatric surgery? DUI? HELOC? Those pay.
Reminds me of something that a Telco exec once said in jest - “A bank can track which hotel you stayed at last night, the Telco knows who you slept with”
The article omits a real, serious source of microphone data though: your smart TV. I know beyond a shadow of a doubt that my TV (a Toshiba Fire TV, although I’m sure many do it) is listening to every conversation I have within earshot, even when I am not using the voice remote, and selling it to ad networks.
And of course it is also doing screen recognition (the kind of stuff OP article mentions), but that is not what I’m talking about. I’m talking about microphone data picking up live conversation from people in the room.
Privacy-seeking users have physically removed microphones from phones. This should also be possible with laptops and televisions.
If Toshiba Fire TV is related to Amazon Fire TV, then it may include Alexa for voice recognition, which could be optionally disabled. In theory, Alexa is only activated after on-device recognition of the configured wake word.
Way back then I exposed massive data collection from Twitter by Google which made it possible to plot locations at which you used Twitter in Google Maps by simply putting your Twitter handle into the search field. Somehow they knew about these locations even when you opted out of sharing location data with Twitter (I checked) -- so this was only possible by Twitter privately providing this information to Google.
This "experiment" has since then been shut down, but exposing this and many other other forms of activism permanently has cost me my Twitter account, to the point that asking to reinstate it several times because I was permanently suspended for no valid reason led to X Support directly rerouting every attempt to appeal this decision into the digital trash can.
This one used data shared by the user (opt-in on sharing geolocation in the app or browser), which then is publically exposed through the API (like this feature says it would).
Mine doesn't give a shit, geolocation was shared even when turned off by the user in Twitter.
Do note that at first it was assumed just Chrome was involved, but then people started to message me that they also saw it when using the apps, Firefox, Safari and other browsers aswell.
By the way: somewhat later we (thanks to a group effort) figured out it wasn't "just" Chrome as mentioned, and this basically led to the strong assumption there was some serious data sharing involved.
And yes that screenshot from this person is 100% real; my pins for example were sprinkled all across Brighton in the UK near places with Wifi access (I recently went on a city trip there at the time), and my home town in the Netherlands.
Tweets were geolocated, with a 'see tweets near me' page until about 14 years ago, so it's entirely feasible that at least some of that infrastructure has survived the feature being removed.
Doesn't every site route every support request for every reason into the digital trash can? You're supposed to just make a new account, using as many mechanisms as possible to make sure the site can't link it to your old account.
A few years ago I tried to create a separate digital footprint from scratch (just an experiment out of boredom when my isp offered a second number for free). I used an ultra cheap never before used android phone and set it up outside my home.
Google went nuts. All sorts of captchas, security checks and attempts to link me to other information popping up on every step. Eventually it wouldn’t let me use the phone unless I provided a credit card number.
At the time I am typing this, the title on the page is:
""Your phone isn’t secretly listening to you, but the truth is more disturbing""
Which is presently also the title on this post.
Then as I read it becomes clear that it is merely focusing on Facebook.
However the confusion that may stem from
"Your phone isn’t secretly listening to you"
The blog post never attempts to establish that
your phone is not listening to you, just that some
companies may not be going it.
The truth is that your phone may well be listening to you .
There is plenty of malware / spywear that uses exploits
to achieve it.
Like the NSO group¹.
Tools to do so can be bouught on the malware market from other sources
as well and we must assume that Mossad, NSA, and other major intellitence
agencies have tools that exceed what you can buy on the open market.
You phone may aboslutely be listening to you.
but probably it is not.
In aggregate, your phone is not listening to you, but if you are of great interest to a powerful adversary, it very well might be. But at that point, I would wager that's one of the smaller things on your plate.
If you can’t trust the software, why would you trust the software? Am I supposed to rely on the hope that an attacker can take over some part of the OS, but not the one rendering a tiny blob in the status bar?
yeah, I liked the simplicity of having things on my tv, but I gave up and got an apple tv box. I was getting way too many "I was just talking about that!" ads on some of the "free" services i was watching old tv shows and movies on. I'm a pretty frugal guy for the most part but buying a separate box that doesn't sell everything you do and say to advertisers is worth it.
> "Apps were automatically taking screenshots of themselves and sending them to third parties. In one case, the app took video of the screen activity and sent that information to a third party.”
> Out of over 17,000 Android apps examined, more than 9,000 had potential permissions to take screenshots. And a number of apps were found to actively be doing so, taking screenshots and sending them to third-party sources.
Which permission is that, and how do you detect which apps are doing that and stop them?
There is a permission to record the screen. It requires user consent and there's an icon in the status bar while it's being used. It's impossible to use this covertly.
What I believe the article is speaking about, is an app taking screenshots of its own windows. This is obviously possible and obviously requires no permissions whatsoever. Just make a screen-sized bitmap and do
I followed the links to the study they referenced, and it says:
> Unlike the camera and audio APIs, the APIs for taking screenshots and recording video of the screen are not protected by any permission
However they also talk about doing static analysis on 9,100 out of the 17,260 apps, to determine (amongst other things) “whether media APIs are actually referenced in the app’s code”.
They then talk about doing a dynamic analysis to see which apps actually call the APIs (rather than just link to a library that might call it, but the app never calls that function the library).
The soundbite is bad, it shouldn’t say “had potential permissions to take screenshots”, it should just say “had the potential to take screenshots”
I doubt there's a specific "ability to send surreptitious screen shots to developer" permission. It must be a combination of permissions: one for making network connections, another for capturing the screen without making it obvious to the user, etc.
For apps that want to send their own screens to third parties, there's no permission needed or possible. The app is drawing the content to the screen. It knows what the content is.
When it's a developer tool we call it RUM or real user monitoring. It's super useful for solving bugs, but obviously the potential for abuse or user hostile activity is super high.
... and is this permission to take screenshots of anything else you are doing on your phone at any time, or is it permission to take screenshots while you have that app open?
People seem to ignore the cost and accuracy aspects of a phone listening to you 24/7. At least with today’s constraints, it is highly unlikely to be happening.
First, the cost to transcribe audio is not free. It is computationally expensive. Any ad network or at scale service would not be able to afford it, especially in orgs where they are concerned about unit economics.
Secondly, the accuracy would be horrible. Most of the time, your phone is in your pocket and would pick up almost nothing. More over, it’s not like you are talking about anything of value to advertisers in most cases. Google is a money printing machine because people search with an intent to buy. The SNR of normal conversation is much much much lower. That makes the unit economics of doing this gets much worse.
Third, it would be pretty hard to not notice this was happening. Your phone would get hot, your battery would deplete very quickly, and you’d be using a lot of data. Moreover on iOS you could see the mic is being used and the OS would likely kill the app if it was using too many resources in the background.
So until we find an example of this actually happening, it’s not worth worrying about.
For all of these reasons, audio snooping is much more likely to be something done by wired, stationary devices that maybe have a decent amount of RAM + a fair bit of usually-idle processing capacity (to run the transcription model locally and just push the resulting text), and which are expected to draw a decent amount of power and use the Internet at vaguely-arbitrary times.
These are all points that were brought up in the article as to why voice recording is less useful than all of the other tracking mechanisms advertisers have available
While I think that audio recording is not a thing, your economic argument is not complete.
What if only the audio of "high value" targets is recorded. Meaning people who buy a lot of stuff. So it might be worthwhile to only record their sounds. Which will explain why random testing (usually with new/clean phones) is never successful in detecting a recording event.
I think this is a genuine concern for prominent people. Like if you are Mark Zuckerberg, there is material interest in a bad actor installing malware on his laptop. But for a random person where you get low value data that may or may not let you better target some low value ads? That is much harder to justify. Would have to reevaluate as things change and the cost of compute goes down.
Television, not phone, but YouTube sure intrigued me at minimum yesterday. First, it revealed pretty clearly that even with history turned off, it will use the history of other accounts accessed from the same IP to serve recommendations anyway. Without history, it turns off the home page recommendations, but when I ran a search, it showed me completely unrelated videos from a rock climbing channel my wife had watched on another account. I have never watched any rock climbing content on this account.
The second incident was the "listening to you thing," though. Not on the phone, but on a smart television. Exterminator was there to do the quarterly spray of my house and I was showing him scars from when I fell off a skateboard trying to bomb a hill I couldn't handle late last year, talking about what happened, and not five minutes later I turn on the television, open YouTube, and the very first recommendation on my wife's account is a video of a guy falling off his longboard at 50 MPH. Not like it's some kind of secret that we both skate and I watch a lot of downhill videos on this account, but I have never once specifically searched for, watched, or even been recommended a video of a crash, until they decide to do so five minutes after I was talking about it in front of that television.
If what you're talking about is the source of the ad, why did you see the ad yourself? Were you shouting about ear wax removal at your phone?
There are millions of ways the adware running on your phones could've correlated your profile and spread the "infection" to your friend. Basic location access being the most important one, but sharing an IP address (your friends' WiFi?), being near the same Bluetooth beacons, having the same stored SSIDs, or mere coincidence that your friend saw the same ad targeting a wide demographic are much more probable than "my phone is listening 24/7".
She wouldn't because she has much better things to do in life. Matter of fact, its an ad you would never look at, just because you don't even have a need for it.
The thing is, it's not even people doing the correlations. Just like transformers can learn most of human knowledge just by trying to predict tokens, I would not be surprised if the ad-serving machine learning systems have learned about people in similar detail.
State of the art about 10 years ago was 4 9s of accuracy predicting click-through rates from the available context (features for user profile, current website, keywords, etc.), which I interpreted as requiring a fairly accurate learned model of human behavior. I got out of that industry so I don't know what current SOTA is for adtech, but I can only imagine it is better. The models were trained on automatically labelled data (GB/s of it) based on actual recent click-through rates so the amount of training data was roughly comparable to small LLMs.
Recent anecdote; three of us were sitting around the kitchen table with our phones out chatting about an obscure new thing that had come up; it appeared in one of our FB ad streams pretty quickly.
My top guesses about how this is possible today;
1) Apps routinely link many third-party data gathering and advertising libraries. Any of these libraries could be gathering enough contextual data and reselling it to make a correlation possible. It's not just obscure thing A that triggers an ad, it's highly correlated mixtures of normal things X, Y and Z that can imply A.
2) other friends may have talked about the obscure thing recently and social network links implied we would be aware of it through them.
Distant 3) the models are actually good enough to infer speech from weird side-channels like the accelerometer when people wave their hands when they talk, etc. Accelerometer sample rate is < 1KHz but over 100Hz which may be enough, especially when you throw giant models at it.
Since you've provided no explicit counter-evidence, I'm gonna go ahead and say I have four nines of accuracy in predicting that your smartphone was squarely in the dependency chain of any "obscure new thing" you could have imagined discussing.
At one of my previous companies we made a moderately popular mobile app SDK that app developers would embed in their apps. We were approached by a company that claimed they had a MIT developed (or was it Bell Labs?) audio recognition technology similar to Shazam, but orders of magnitude more efficient, that would be used to recognize audio from ads and record when a user was exposed to a TV or radio ad for tracking purposes.
I don’t remember the name, that was at least 10 years ago before Apple started enforcing permissions on microphone access and showing an orange dot, but they wanted to do a revenue-share deal in exchange for us quietly bundling their SDK inside ours.
Needless to say we turned them down so we never learned more or tested the veracity of their claims, but there are some really sleazy companies out there. Modern smartphones have sufficient horsepower to do the audio processing on-device so the argument that this would show up in network traffic does not hold.
This partly explains why the recommendations I receive don't feel like mine.
Multiple times, it's been obvious that the suggestions were pulled from other profiles and I could even tell whose.
My hypothesis
* The algorithms have linked my account to some others.
* They then serve me the embeddings extracted from those profiles. The near-real-time nature of this has crossed my mind more than once.
It's really unsettling, and afterwards I feel uneasy about any recommendations (all Google services, Netflix seems problematic too, not Amazon).
YouTube seems to have some hidden knobs for tuning this behaviour: after multiple negative feedbacks, the problematic content disappeared from my front page. However, the recommendations on the right-hand side of individual videos remain problematic, and the automatic playlists of YouTube Music are still strangely disturbing (even after multiple negative feedbacks).
This fact is important, because if an app were accessing a microphone and sending the audio to a cloud server for analysis there would be detectable traces of data consumption.
Because that's not how it works and companies like Meta know this when misleading it's users about their privacy.
Speech-to-text transcription is handled on your device. They never transmit the raw audio, there's no need to. A compressed text transcription of your conversation would only generate a few kilobytes of data. You would never notice it.
And the mic needs to be active in order to receive legitimate voice commands. If it can respond to your voice, the microphone is on and listening. That's the only way it can work.
One time my wife and I had a random conversation, utterly random, about cat hamster wheels. Like, why doesn't that exist? I got an ad for it the next day (it exists).
I don't believe that my phone is not listening to me and I challenge you to choose a random word out of the dictionary and say it 100 times in front of your phone.
>I don't believe that my phone is not listening to me and I challenge you to choose a random word out of the dictionary and say it 100 times in front of your phone.
The person making the claim should be responsible for furnishing the proof. If it's really so simple to prove, why hasn't anyone done a carefully controlled experiment proving this once and for all? At the very least, it'd move us beyond vague anecdotes on social media.
A few times per year I similarly have a conversation with my wife at night (lastly about a hair type) and the next morning a corresponding ad was presented at her at Facebook (shampoo). Only her Android phone was at the room (open, logged in Facebook in Chrome, no app).
I definitely believe they hear us but they trigger the action with care and selectively, so as not to get caught (eg to low tech people, when the ad is very relevant to the need etc).
I am astonished that nobody had ever done a reverse engineering research yet.
>One time my wife and I had a random conversation, utterly random, about cat hamster wheels. Like, why doesn't that exist? I got an ad for it the next day (it exists).
Your wife probably googled them as soon as you were done talking about them and then you using the same network got an ad for them.
> User permissions for a large number of apps were all enabled
This says it all. Privacy is not by default, because of souless mega corporations, including HN which has an extremely invasive privacy policy. If you don't actively take steps to improve your privacy, they will continue to exploit it. Use GrapheneOS, it is the most private and secure mobile operating system. Nothing happens without your explicit permission, the way it should have been from the beginning
These discussions seem to come up frequently lately. Both /e/OS and Lineage with microG provide good enough privacy for those who can't afford high-end smartphones like the Google Pixels.
The ranking would probably be:
- Pixel on GrapheneOS
- Any Android smartphone on Lineage or /e/OS
- iPhone on recent iOS (the best choice for technically illiterate people)
People concerned with privacy should avoid stock Android phones. Additionally, software only goes so far in protecting privacy. Some hygiene is also required, especially with iOS, where everything is sent to iCloud by default and E2E encryption is either not enabled by default or not available at all in some countries.
When it comes to hardware, nothing really compares to the Titan and T2 chips found in Pixels and iPhones though.
None of those operating systems does anything for tracking/advertising SDKs in apps, which is most of where the data leaks are coming from, not google/apple. Moreover unless you're willing to go no proprietary apps (ie. most apps people actually use), you'll need google play services, which means google can still collect data on you.
>Not only does the system know exactly where you are at every moment, it knows who your friends are, what they are interested in, and who you are spending time with
This actually makes sense of an anecdote a colleague uses to say that he thinks his phone is listening to him.
I am a keen skier. He used to ski a lot, but hasn't been for several years. Around the start of ski season this year, we talked about my plans to go skiing that weekend, and later that day he started seeing skiing-related ads.
He thinks it's because his phone listened into the conversation, but it could just as easily have been that it was spending more time near my phone (I had only recently started at that job) on which I regularly search for skiing-related things like conditions reports and directions to ski areas.
> but it could just as easily have been that it was spending more time near my phone (I had only recently started at that job) on which I regularly search for skiing-related things like conditions reports and directions to ski areas
Bingo! This is most certainly what happened.
I’ve spent time trying to convince my friends that their phone’s microphone is not constantly listening and running sounds through voice recognition software to isolate their voice (so the individual who owns the phone can be advertised to), then through sentiment analysis software (to inform advertisement bids), all without meaningfully affecting battery life. That is usually an uphill battle but explaining location services and the fact they don’t know what I’ve searched gets the point across better. (It is actually creepier.)
You were probably in the same place using the same IP address, and both browsed - doesn’t matter which sites you both visited, the trackers have you. You might have shown him where you were going. Ad trackers thought “I’ll serve ski ads to people that were on that IP address because somebody else looked at xyz”.
It says "screenshots of themselves". The application is responsible for rendering the screen in the first place so it fundamentally doesn't need a permission.
Now, what could reasonably be a permission is "access the internet", but our overlords don't approve of that thought.
(Contrast this to web pages, which do not render themselves and thus can sensibly be blocked from screenshotting)
All I/O (including timing, date/time, internet, and everything else) should be behind permissions (although some may be permitted by default, they should still be overridable). Furthermore, all I/O should allow the user to program proxy capabilities (which can be used for testing error conditions, as well as for privacy and security, and for finer permissions, and logging, and other stuff).
However, if an app wants to make a screenshot of itself, then it could do so by emulation of itself (so no permission is needed), as long as everything it displays is rendered by its own code rather than calling other functions in the system to do so.
> As far as anyone could understand, the proposed CMG system wasn't listening through a phone's microphone 24/7, instead it was using those small slivers of voice data that are recorded and uploaded to the cloud in the moments after you activate your voice assistant with a "Hey Google" or "Hey Siri" command.
That's not quite accurate. The CMG thing was very clearly a case of advertising sales people getting over-excited and thinking they could sell vaporware to customers who had bought into the common "your phone listens to you and serves you ads" conspiracy theory. They cut that out the moment it started attracting attention from outside of their potential marks. Here's a rant about that I originally posted as a series of comments elsewhere: https://simonwillison.net/2024/Sep/2/facebook-cmg/
The "Hey Google" / "Hey Siri" thing is a slightly different story. Apple settled a case out of court for $95m where the accusation was that snippets of text around the "Hey Siri" wake word had been recorded on their servers and may have been listened to by employees (or contractors) who were debugging and improving Siri's performance: https://arstechnica.com/tech-policy/2025/01/apple-agrees-to-...
The problem with that lawsuit is that the original argument included anecdotal notes about "eerily accurate targeted ads that appeared after they had just been talking about specific items". By settling, Apple gave even more fuel to those conspiracy theories.
I wrote about this a few months ago: https://simonwillison.net/2025/Jan/2/they-spy-on-you-but-not... - including a note about that general conspiracy theory and how "Convincing people of this is basically impossible. It doesn’t matter how good your argument is, if someone has ever seen an ad that relates to their previous voice conversation they are likely convinced and there’s nothing you can do to talk them out of it."
... all of that said, I 100% agree with the general message of this article - the "truth is more disturbing" bit. Facebook can target you ads spookily well because they have a vast amount of data about you collected by correlating your activity across multiple sources. If they have your email address or phone number they can use that to match up your behaviour from all sorts of other sources. THAT's the creepy thing that people need to understand is happening.
"Convincing people of this is basically impossible. It doesn’t matter how good your argument is, if someone has ever seen an ad that relates to their previous voice conversation they are likely convinced and there’s nothing you can do to talk them out of it."
It sounds more like we have evidence of what we believe, you think we should toss the evidence for your counter-theory, and people won't do that. We also have an effect where tons of people experienced this. You want us to toss that, too.
"You don’t notice the hundreds of times a day you say something and don’t see a relevant advert a short time later. You see thousands of ads a day, can you remember what any of them are?"
On Facebook, during one period this happened, they were only showing me adds for Hotworx and a massage place every time. Trying to stay pure minded following Jesus Christ means I avoid such ads. So, it was strange that it's all they showed me. Then, strange the only break from the pattern was showing unlikely topics we just talked about in person.
So, I'm going to stick with the theory that they were listening since it best fit the evidence. I don't know why they'd do it. Prior reports long ago said they used to use ML (computer vision) to profile people outside of the platform who showed up in your pics.
I'll note another explanation. Instead of always listening, they could have done it to a random segment of people who were rarely clicking ads. Just occasionally, too. We wouldn't see the capability in use all the time. A feature tested or used on a subset of users.
Also, these companies keep saying on us in increasingly creative and dishonest ways. If anyone is to be blamed, it's them.
My younger bro is convinced phones are eavesdropping on conversations and got particularly paranoid (I thought) a year or so back in regard to talking in earshot of his phone.
His evidence is empirical - Apparently he gets pretty high with friends and shit talks - but when when the search started to suggest some pretty way out things along the same lines, he landed that their conversations weren't private any more.
So I have an understanding of how much tracking is going on so I pressed him on that. But he assured me it was stuff he would not even bother to look up in a clearer mindset and of course smoking recreationally for a very long time knows not to go near some tools that could land himself trouble or awkward explanations. That's probably true he says a lot of stuff that a half decent search would put him straight. In the end I just figured loose permissions of one of the many apps he's installed and that's how they (the app) make their money, selling illegally obtained data to more legal sources.
Permissions are the problem with android phones - there needs to be a specific install route for users, one that the app starts asking for things it should not need have access to, the installer refuses to install and suggests the user look for something better. Camera apps for example really don't need access to communication channels, if it's updates it's need, it can ask - one time access.
Something I discovered when going down this rabbit hole is that if you had that conversation in your house and your visitors have access to your wifi, it may be that they performed the search without you knowing, and your ISP connected that data to you and sold it (as they do).
His phone would have to be running a hotspot for any visitors (in many parts of the rural area in my locale, mobile data is it for the internet) but if any visitors were with the same carrier network, visitors could have searched. However it's entirely improbable any of his buddies would be on their phone while they're there unless it was a legit interest. Secondly this is stuff from what I gathered, some of is stuff that no one would really even think exists - it's shit talk speculation that's out past the black stump - no one once they're back to earth is ever going to bother to look up even a small aspect of it.
In his case a realistic answer falls towards loose or sneaky permissions in regard of an app that have slipped through that have allowed a weird conversation to influence suggestions in internet activity later on.
However for more grounded subject matters, the more probable strange coincidences falls to queries and visits to the net being scraped by external API and content (fonts scripts etc) providers. I've no idea how much meaningful info would normally be shared between the site and third party providers that seemingly need to be contacted while a site loads.
> Apparently he gets pretty high with friends and shit talks - but when when the search started to suggest some pretty way out things along the same lines, he landed that their conversations weren't private any more.
I had an experience like this several years ago. I was having dinner with a customer, and one of the guys brought up this story about how he went to school with someone who got caught cheating on Who Wants to be a Millionaire. Later, back at my hotel, I pulled up YouTube and the first recommended video was of the guy who got caught cheating on the game show. I had not searched for this during the conversation (or prior) nor do I watch game show videos on YouTube, or cheating scandal videos on YouTube.
Here's what I think happened: somebody at the dinner googled it, and the video got recommended based either on geo-location data (we were in close proximity) or because the person who googled it was in my phone contacts, or maybe both. But, I don't think Google/Youtube was recording anyone's conversation to make that recommendation.
> Permissions are the problem with android phones - there needs to be a specific install route for users, one that the app starts asking for things it should not need have access to, the installer refuses to install and suggests the user look for something better. Camera apps for example really don't need access to communication channels, if it's updates it's need, it can ask - one time access.
I definitely don't want my phone making those decisions for me; I want my phone enabling me to make decisions. The app asks for permissions, I say no, and, rather than ratting me out to the app, my phone does its best to pretend to the app that it (the app) has the permission it wants, say by giving an empty contact book or whatever. (I know rooted phones can do this, but it shouldn't have to be something I have to fight my phone for.)
This matches up with my exact thoughts too. My old phone was an Android, and it was quite old in that the manufacturer hadn't updated it in a while. There were times when speaking about something would give me ads relating to it on Google, or posts in Instagram's case.
Then I got an iPhone and it stopped completely. My wife has a newer Android phone and the same things happen to her.
Now, I swear I read a few years ago that Facebook have teams to deliberately look for vulnerabilities to exploit, as well as things such as this: https://x.com/ashk4n/status/1070349123516170240.
So my personal conclusion(s) is this:
1. There are vulnerabilities in older (if not current) Android versions which companies like Meta exploit to eavesdrop at all times, or at least while the app is not closed.
2. Most people just provide the 'While using the App' or 'Always allow' permissions for the microphone/camera, so this basically gives permission for them to do that regardless, even if it's not what those permissions were requested for (sending a voice message, taking a picture to post etc), BUT now there are status lights for when apps are using the microphone/camera which I never noticed been activated on my wife's phone when using it, unless for the correct reasons.
Between all the apps people use daily which is pretty much Instagram/Twitter/TikTok/WhatsApp, microphone permissions tend to be enabled, and if they are, then most of someone's screen time is on an app with those permissions. Not to mention the 'Google' app on Android phones which seems to have every single permission enabled at all times that perpetually runs.
Sorry, but I'm not buying the "someone else in your home searched something similar" or "ads are so advanced that they can predict what you want" etc excuses. I'm extremely careful with what I search. I have never experienced this once I switched to an iPhone, but I have experienced it too many times when on Android.
He’s right and everyone knows it. It's pretty blatant and there have been lawsuits settle rather than go to a trial that would surely reveal the extent to which this thing that’s obviously happening is happening
The iPhone has dedicated low-power on-device hardware that is trained to pick up "Hey Siri" exclusively. It only wakes up the rest of the device and captures additional audio after that wake word has been triggered.
Pretty much every time I add a new contact to my phone I start to get really strange ads online. I figured it out when I added a guy who's retiring for the army. I started getting retirement ads for soldiers.
Then, I add a guy I loosely know and what do I start seeing? Cocaine rehab ads. I shit you not. It's not hard to argue that this is more than a minor privacy violation.
There's a nation proud of overspinning enrichment turbines with a complicated computer virus that can even work offline. No conspiracy, that's just StuxNet.
So, when you start learning about tech, you get paranoid. If you're not, it's even weirder.
The fact that someone can target you, individually, is undisputable. Whether it will or not, that's another question.
What I can recommend if you think you are being observed, is to avoid the common pitfalls:
Don't go full isolationist living without technology. That is a trap. There is nowhere to hide anyway.
Strange new friends who are super into what you do? Trap.
You were never good with girls but one is seemingly into you, despite you being an ugly ass dirty computer nerd? That is a trap. Specially online but not limited to it.
Go ahead, be paranoid. When an article comes to probe how paranoid you are, go ahead and explain exactly how paranoid you have become.
But live a normal life nonetheless, unaffected by those things. Allow yourself to laugh, and be cool with it.
Hundreds of clone accounts doxxing me? Well, thanks for the free decoys.
Constant surveillance? Well, thank you for uploading my soul free of charge to super protected servers.
Dodgy counter arguments in everything in care to discuss? Sounds like training.
The paranoid optimist is quite an underrated character. I don't see many of those around.
I also tend to be very skeptical towards popular sayings. Sometimes, they fail.
"true" in the sense you used here. Have you thought about what it means in that context?
We live in an age full of fear of missing out baits and reversed versions of such. There is no sense of "oh, this is good for me" that can be relied upon (implied in the original comment, you are going to find it), although there are sayings.
There is a list of things I keep under profound consideration always.
Information that travels backwards in time is one of them. I have a pretty good idea on how it could be possible and who would have the resources to do it.
God is also another. However, I am a very unorthodox student of religion. I deeply respect anyone that uses it to foster a good behavior. Whoever uses it to trick others, I tend to see more as an act of hostility towards innocent believers. Like, if someone tries to put me into a religion mindset just to fuck with me, it's a dick move.
What I know for sure is that God would not make mistakes. Whatever monitors me, does. It did so many times. I know it embarrasses them. It's delightful in that sense. So, yeah. God might exist, but I ain't talking about it when I describe paranoia.
Another thing that is quite recent in my studies is psychology and how we are all so vulnerable to it. I started to despise it a little bit. How come it never solved so many issues? How come it seems to put them to evidence but not fix them, and by putting them to evidence, make them worse?
Anyway. Do you want even more paranoia? If you like it, I should be supposed to charge for it, you know.
I get all the proximity-based aggregation, and creating graphs of relationships to leak content between personal "algorithms" (dislike that wording but that's the colloquial usage), and tracking between sites + social networks, and all the basic stuff ... but can somebody explain how I immediately get served ads relevant to text typed into (presumably-encrypted) iMessage conversations?
I also have a couple distinct memories of getting served ads for products I've never searched for or never bought before, after I either bought it in a store or, even weirder, literally just picked it up, looked at it, and put it back on the shelf in a store?
I can craft some kind of super-surveillance-state theory as to how you could achieve that, but it feels very unlikely to be deployed at a small CVS lol
Anyways, these might just be coincidences but still perplexing to understand how it's done.
My guess on iMessages is that the ads are actually tracking your friend (or other person at your location) looking up details/a link to use in the iMessage conversation. And that only works some percentage of the time, but that's the percent you notice.
Nope, regular iOS/macOS on all ends. Literally just stock Apple Messages on devices. I just notice sometimes topics will come up (what appears to me to be randomly) and then relevant ads and/or content will appear on Instagram or web.
I guess it's possible that, to me, it appears "organic" (ex. somebody just mentions Taco Bell or whatever) but they had actually been searching on their device, and since our digital proximities are known, the next thing you know I'm Living Más lol
I seem to recall that state of the art audio encoding can compress voice to 8kbit/s which is a single packet per second, insignificant compared to how chatty your device is. Trivial to buffer and send during a period of activity. It sums to 1.7MB over the 30 minute window in the article graphs which should be visible if it is actually counted. Why would apple or google actually make it count though? They want to spy on you either for their own benefit or because the government forces them to. You say you found it taking screenshots and phoning them home. Of course! It is a surveillance device. Is it worse? Maybe. You should consider it sends everything home. Every keystroke, every touch of the screen, every sample of the accelerometers, every sample of audio. Perhaps only the sheer quantity of data in video prevents them from sending it all. Might be "remedied" with 5G bandwidth.
Audio, screenshots, and some of the other stuff I can believe, but I think batteries need a big upgrade before the data snatchers can get away with streaming video, even at a low bitrate.
I'm also not sure how easy keylogging is these days, is there even a permission that allows it? I supposed there's ways to do it with custom keyboards. Google/Apple doing it themselves would be a pretty big deal.
I think everyone acknowledges that chrome sends every keystroke in the address bar home. I don't keep up with the spyware so perhaps it is now every keystroke in the rest of the browser. It isn't much of a leap further that their operating system does the same.
Knowing how digital advertising works, it's more likely that a payload is delivered to the phone in some app or by os or by browser that has a dictionary of keywords paid for to be associated with specific ad campaigns. If the device detects that term (via sound, search, or media) it triggers a message home as an analytics to target you and your device now calls for those campaigns.
The phone is listening. Services like Shazam and Alphonso are constantly fingerprinting audio from the mics and sending these fingerprints up for "matching".
What are they matching against? Against key "content".
To check if the fingerprints from your phone mic match the "content" they have to do some kind of nearest neighbor search. What if the fingerprints aren't super close but they're somewhat close? To "content" related to certain products? Should we send the ad?
What if employees at Alphonso and Shazam _know_ that the fingerprints from your phone aren't quite close enough to have been generated from key monetizable samples of the "content", but also know that they are close enough to be effective? At targeting potential buyers?
Who decides how close is close enough? What's the ethical threshold here? And what's the most profitable threshold?
> The phone is listening. Services like Shazam and Alphonso are constantly fingerprinting audio from the mics and sending these fingerprints up for "matching".
Could you please provide a source for this?
Just on the outset this sounds pretty wild if true. In the settings I do not see any permissions associated with Shazam, and only when I open it do I see the usual microphone indicator light up.
I will say though, it is weird that it doesn't have associated permissions listed, because clearly it can access the mic at least when it's open.
Edit: nevermind, found it, was just super hidden. But yeah, says it can only access it when the app is "in use". Now can it auto launch? Apparently also yes, after boot. Otherwise idk. It's further interesting I cannot tweak any of these permissions.
Edit #2: now it says that notifications are enabled for it, but then i check, and they aren't. i exercise the toggle, now it doesn't say that anymore, and the mic permissions are no longer hidden? Samsung please...
No amount of years in tech will rid me of tech pains it seems.
Apple settled a lawsuit about Siri ‘unintentionally’ listening. [1] So, yes, they also can likely predict what you want based on all they do openly track… but we can no longer claim that they aren’t listening.
Based on the lawsuit and other sources, my guess is the phones build a word cloud that is then used for targeted advertising. Apple at el aren’t recording and selling the actual audio… but they are listening.
If "the truth is more disturbing", then why do people seem to care about "secretly listening" but not about "the truth" (data collection). Perhaps because the US has state and federal laws against wiretapping. Perhaps the difference is consent. Arguably so-called "tech" companies have obtained consent to collect data ("the truth"). But have they obtained consent to "secretly listen" to private conversations.
I’ve said it before and will reinforce it cause once again no one brings it up in the comments. People report the phone is listening to them because they talked about <insert> and now they are seeing ads for it. What they may not realise is they are talking about <insert> because subliminally the ad worked they just never noticed it. Now they have. The ad was there first like a little virus worming in your brain and then you bring it up with friends thinking it an original thought.
I think it would be interesting to try to do a "constructive debunking" - try to build a system yourself that uses a tampered phone and constantly records and transcribes all audio around it, without being obviously detectable by battery drain, CPU usage or network traffic.
Variants/difficulty levels could be about: capture everything, or just keywords? What if you have a million keywords? Transcribe on-device or in the cloud? Can you do it just inside an app or do you need OS support/root access? Etc etc.
Would be interesting to see what can be done at all and how easy or difficult it would be to detect.
Comparing a small project like that with the vast cyberstalking industry we call advertising today isn't going to yield similar results if the conspiracy theory is true. I can make a full tracker that drains the battery like crazy but that doesn't mean the smartypants who know when women are pregnant weeks before they do themselves can't come up with a system that's more efficient with acceptable data granularity.
Worst case scenario you succeed, and you've built yourself the torment nexus. If you publish your results, you'll have to publish the torment nexus to prove you don't have anything up your sleeve, making the world slightly worse for everyone else now that there's an accessible torment nexus ready to go. If you don't publish your torment nexus, nobody will believe you. Hell, if you succeed, you might've actually invented the thing! At best, the result of your success is knowing for sure you _could_ be spied upon any time, anywhere.
There's probably a much easier method to know for sure: work for advertising companies and learn their secrets.
Does anyone recall the national discussions surrounding what constituted metadata following 9/11 when ThinThread and Trailblazer were brought to public attention?
I also recall reading about members of the TIA "Total Information Awareness" program leaving to join advisory boards for rising social media platforms, Facebook most notably. These weren't tinfoil opeds in fringe outlets, but regular reporting by journalists published in trusted local newspapers.
Are there any outlets left who aren't part of consolidated media groups that can or do still track and report on movements like this? I've having trouble finding original articles that haven't been "revised for historical accuracy" or hidden behind paywalls of the few entities that remain.
Edit: For context, I was looking for the earliest articles about Google citing legal justification for scanning the contents of emails under a favorable interpretation of metadata that allowed for tokenization by an automated process (ie- the contents were not read by a human or made personally identifiable, which met the letter of the law). It follows that the same justification is not limited to any source or data type, but I couldn't recall any more recent reporting or statements from companies over the last 10-15 years, or, the "don't break Google" era.
If our popular phone operating systems were worth anything and actually acted as an agent for the user that owned them, they'd allow anyone to easily track and prevent this.
« The article posits that the uncanny relevance of some ads is due to sophisticated data collection methods. Companies analyze user behavior, online activity, and social interactions to predict interests, making it seem as though devices are listening.
In essence, while smartphones may not be actively eavesdropping, the depth and breadth of data analytics employed by tech companies can create the illusion of such practices.»
There has definitely been cases where I have not looked up an idea at all on my devices, only mentioned it in speech at home, and the highly targeted at shows up on mobile the next day or even that day. I would take the correlation theory if I actually left data to correlate.
This... I have had on at least 2 occasions explicitly where I know for a fact I hadn't searched or looked up this topic on any system, and I brought up a topic and talked to my roommate and within the next 12 hours FB served me ads or content relating to the topic.
I get the idea that an "always on" monitoring system would be problematic (even if you discarded the data itself and only retained/filtered relevant bits for a short period of time). But ... I have no other way to explain events like this.
I suppose some weird correlation of user has x,y,z and they searched for a,b,c in the past, and other users search for D, then we show D at exactly the 12 hour time they searched for it.
Yes I am aware of recency bias, and how perhaps it was shown other times without recognizing it. But it's... hard to shake that feeling, and I am (well less so now) a skeptic...
If it's anything it's like AI that's eerily creepy like "intelligence" but not it, just like this is "like listening" but isn't. Both use statistical models to do creepy ass shit.
That’s the point the article makes: That some idea is on your mind is essentially always correlated with any number of signals, some of which are visible or inferable by adtech.
A few years ago, I was fairly convinced that Google Voice was listening and punishing me for hitting "political third rail" keywords during phone calls.
On more than one occasion, I would be in a conversation with a friend of mine and things would turn political, and if I spouted just the right combination of anti-left rhetoric/keywords, our connection would drop right away -- boom.
Now why would Voice do this when other Google properties don't? I mean, they don't filter Gmail or Docs or Photos looking for subversive content and censoring it. YouTube comments, maybe.
But I figured that if they wanted, it was completely possible. Because they have proven and deployed live-transcription, and they're best at English. Not to mention, Voice is sort of a deprecated product that they don't really support. So why not throw a little havoc in there for miscreants?
The reason I was using Voice was to place phone calls from a SIM-less tablet. It seems that Voice insists on using my real phone now for routing any sort of call. So I haven't had opportunity to test the boundaries for years now. Nevertheless, I was not sorry about the possibility of censorship, I was duly chastened, and sorry I've been so brainwashed to lapse into mindless talking-point rhetoric.
> Even though these ad algorithms are not nearly perfect (try to pay attention to how often you are served ads that are entirely irrelevant to your interests), the simple fact that they are so eerily correct even some of the time is the real conspiracy here.
This could be intentional. Having too many accurate ads is having a bad effect, because you then enter the uncanny valley of noticing what the data collectors all know about you.
Amazon often tries to show me a dress store. I’m a guy, and I’ve never bought women’s clothing. On the surface, the ad makes no sense and is irrelevant—but what if I end up wanting to buy a dress for someone else? Then I might remember that Amazon dress shop.
This (or simple error) seems more likely to me than a conspiracy to appear less creepy, though I suppose all three could be in play.
Yes my phone is listening. To almost every word, and using that information to serve me ads. I would bet my entire net worth on that, as I'm 100% certain.
it’s just ai llm snooping amd doing big ol compute just like we have access to now. but advertisers had it years ago cuz they paid and at large, ads sold.
became so prevalent no differentiable value so the algos etc sought new omg human public users. magic baby. but just hungry ip sw gobbling up new worlds.
iPhone will tell me that I have a 25m drive to get to work. Literally why? I know where I work and how long it takes. I have done it enough times for it to learn what I do at 07:30 in the morning. Is it just flexing repeapetedly that it did a simple inference?
Some places, including the Bay Area where this feature was probably created, have significant variance in commute times depending on the traffic of the day so this can be a useful feature.
The commute time from SF to Cupertino is certainly not constant.
This article reminds me of this excellent tongue-in-cheek piece of writing by Jonathan Zeller in McSweeney's:
Calm Down—Your Phone Isn’t Listening to Your Conversations. It’s Just Tracking Everything You Type, Every App You Use, Every Website You Visit, and Everywhere You Go in the Physical World
https://www.mcsweeneys.net/articles/calm-down-your-phone-isn...
There is so much time spent “debunking” audio recordings being shared with various entities it makes me more suspicious.
Just like Facebook’s “we never sell your data (we just stalk you and sell ads using your data)”. I’m sure there’s a similar weasel excuse… “we never listen to your audio (but we do analyze it to improve quality assurance)”
It’s similar with the TSA facial recognition photos. “We delete your photo immediately” but what they don’t say is that they don’t delete the biometrics from that photo.
43 replies →
> There is so much time spent “debunking” audio recordings being shared
Not really. 99% of the time it's someone claiming that it happens.
And it's always an anecdote, never clear proof that it happened. Let alone that it happened because of the audio and not web activity. And that the conversation was actually the cause for the ad and not the other way around.
Is it technically possible? Sure. But if so many people are so certain that it definitely happens, why didn't dozens of people already prove it with a fresh Google/Apple account and phone?
13 replies →
Not saying this is true, but the amount of time and effort put into saying "no one is listening to you" could be attributed to the novel 1984, where the government is actively listening to its citizens. Enough people could associate the novel with government surveillance that it's what people interpret as the most likely surveillance happening - and enough people don't understand tech that it's lost on them that a) the tech to actively listen to millions of people constantly doesn't exist at the appropriate level to be effective b) there are significantly more and far more effective ways to monitor people with current tech than via microphone. It's truly unfortunate people don't understand tech to realize what's actually possible and what is actively happening vs what they imagine could be happening
1 reply →
We don't "listen" to your audio, the microphone does, and your phone transcribes it to text on your device. You cannot listen to text. Therefore we don't listen to your phone audio.
Except for the fact that if you read the debunkings, they go into great detail as to why that is empirically not the case.
There is a small list of reasons why it needs to be "debunked:"
1. Your phone is gathering data that you don't realize that it gathers.
One of the biggest examples of this is real-time location data that is brokered by cellular carriers and sold as aggregated marketing data. You don't have to give your apps permission to do anything like that because your cellular carrier can get that data regardless of your phone's OS.
2. Your phone is gathering data that you gave it permission to gather, perhaps gathering it in a way you didn't think it would do.
For example, let's say you give an app permission to read your entire photo library so that you can upload a photo. But since you gave it that permission on the OS level, it might be uploading more images than you explicitly select. Another example used to be clipboard data before the OSes asked permission for use of the clipboard. One last example is text that you enter but do not submit.
Another big aspect of this is that people don't realize how these ad networks work in real time. It's not a slow thing for an advertising company to learn something about you and react accordingly, it can happen in a few short seconds.
2. The average person doesn't have any comprehension of how easy it is for data science practices to uncover information about you based on metadata that seems benign or that you don't know exists.
Most people don't understand how your behavior in an app can be used to tell the company things you like and dislike. The TikTok algorithm is a great example, it can tell what you like just by extremely subtle inputs, how you swipe, how long you watch the video. A lot of people don't realize how many things about them aren't particularly unique and how many preferences can be tied to a really specific persona that you fall into.
A real world example of all of this put together is that I was spending a lot of time browsing appliances because I just bought one, and I went to physically visit a friend. We were talking about my new appliance, and later they got ads for that specific appliance. So, the person's reaction would naturally be "it was listening to us!!" but in reality, it is more likely that our cellular carrier or carriers knew we were physically in the same place and reported that piece of information to some kind of data broker. Consider how there are a limited amount of cellular carriers, that location data may not have needed to even exit the cellular carrier to sell this data to someone. I.e., if we both have the same cellular carrier , our company already has that information and it isn't selling it to another company, it's perhaps just telling a data broker that Person A and Person B interact with each other.
Just note that I'm not claiming this is exactly how it all works as I'm not in that industry, but the general ideas here apply. The general takeaway is that literally recording audio with a microphone just isn't necessary to derive hyper-specific things about people.
6 replies →
I can just say that I knew an entrepreneur in early post Y2K who developed apps to track music played in clubs in SF for folks like ASCAP, BMI, and SESAC. They gave out "free" phones (these were the small expensive candybars and nice flip/slideups) to the influencers of the day. They compressed the audio for orthogonality, and had a huge number of hashes to match. If they got more than a few consecutive matching hashes at a location that wasn't paying royalties, they got an enforcement call.
So the idea that it takes a huge amount of computing resources, battery life, permissions, or bandwidth to do matching of keywords is hilarious. That's what "siri", "hey google", "alexa" etc are all doing 24 hours a day. Just add another hundred and report them once an hour. You don't need low latency. It's just another tool in the bag!
Of course the cat food example is bad, because if they weren't looking for that you wouldn't get a response. Who would be willing to pay big for clicks on cat food. Now bariatric surgery? DUI? HELOC? Those pay.
10 replies →
Reminds me of something that a Telco exec once said in jest - “A bank can track which hotel you stayed at last night, the Telco knows who you slept with”
The article omits a real, serious source of microphone data though: your smart TV. I know beyond a shadow of a doubt that my TV (a Toshiba Fire TV, although I’m sure many do it) is listening to every conversation I have within earshot, even when I am not using the voice remote, and selling it to ad networks.
And of course it is also doing screen recognition (the kind of stuff OP article mentions), but that is not what I’m talking about. I’m talking about microphone data picking up live conversation from people in the room.
I am suspicious of all “smart” devices, much more so than phones because phones have a lot more scrutiny on them.
If your smart toaster, light bulb, or fridge was listening to you, would anyone even notice? Does anyone examine these devices in depth?
Beyond a shadow of a doubt? Can you describe what you’ve experienced?
Who would even want a microphone in a TV?
It's like that old Soviet Russia joke, except it's not a joke.
Privacy-seeking users have physically removed microphones from phones. This should also be possible with laptops and televisions.
If Toshiba Fire TV is related to Amazon Fire TV, then it may include Alexa for voice recognition, which could be optionally disabled. In theory, Alexa is only activated after on-device recognition of the configured wake word.
3 replies →
Another source of audio data is the accelerometer, which often has laxer permissions
Way back then I exposed massive data collection from Twitter by Google which made it possible to plot locations at which you used Twitter in Google Maps by simply putting your Twitter handle into the search field. Somehow they knew about these locations even when you opted out of sharing location data with Twitter (I checked) -- so this was only possible by Twitter privately providing this information to Google.
This "experiment" has since then been shut down, but exposing this and many other other forms of activism permanently has cost me my Twitter account, to the point that asking to reinstate it several times because I was permanently suspended for no valid reason led to X Support directly rerouting every attempt to appeal this decision into the digital trash can.
Let's say nothing surprises me anymore.
Is this your experiment? https://github.com/jkakavas/creepy https://www.geocreepy.com/
Mine was even creepier.
This one used data shared by the user (opt-in on sharing geolocation in the app or browser), which then is publically exposed through the API (like this feature says it would).
Mine doesn't give a shit, geolocation was shared even when turned off by the user in Twitter.
1 reply →
Could you link to some of it? Sounds extremely interesting!
See screenshot: https://xcancel.com/kpcuk/status/601451439215353857
Do note that at first it was assumed just Chrome was involved, but then people started to message me that they also saw it when using the apps, Firefox, Safari and other browsers aswell.
3 replies →
It's really indefensible to post this without linking to your research to show people what you found.
Believe it or not, I wrote about it on my now permanently suspended Twitter account.
Here is a remnant from someone who replied at the time:
https://xcancel.com/kpcuk/status/601451439215353857
By the way: somewhat later we (thanks to a group effort) figured out it wasn't "just" Chrome as mentioned, and this basically led to the strong assumption there was some serious data sharing involved.
And yes that screenshot from this person is 100% real; my pins for example were sprinkled all across Brighton in the UK near places with Wifi access (I recently went on a city trip there at the time), and my home town in the Netherlands.
Tweets were geolocated, with a 'see tweets near me' page until about 14 years ago, so it's entirely feasible that at least some of that infrastructure has survived the feature being removed.
1 reply →
Doesn't every site route every support request for every reason into the digital trash can? You're supposed to just make a new account, using as many mechanisms as possible to make sure the site can't link it to your old account.
I’m not even sure that’s possible for some sites.
A few years ago I tried to create a separate digital footprint from scratch (just an experiment out of boredom when my isp offered a second number for free). I used an ultra cheap never before used android phone and set it up outside my home.
Google went nuts. All sorts of captchas, security checks and attempts to link me to other information popping up on every step. Eventually it wouldn’t let me use the phone unless I provided a credit card number.
3 replies →
I too sell my phone and buy a new one and also get a new phone number each time I get banned
Someone from X Support replied, basically told me to fuck off and that this would happen after my second or third appeal... so no.
At the time I am typing this, the title on the page is:
""Your phone isn’t secretly listening to you, but the truth is more disturbing""
Which is presently also the title on this post.
Then as I read it becomes clear that it is merely focusing on Facebook.
However the confusion that may stem from "Your phone isn’t secretly listening to you"
The blog post never attempts to establish that your phone is not listening to you, just that some companies may not be going it.
The truth is that your phone may well be listening to you . There is plenty of malware / spywear that uses exploits to achieve it.
Like the NSO group¹.
Tools to do so can be bouught on the malware market from other sources as well and we must assume that Mossad, NSA, and other major intellitence agencies have tools that exceed what you can buy on the open market.
You phone may aboslutely be listening to you. but probably it is not.
¹
https://www.bloomberg.com/news/features/2023-01-24/nso-group... https://www.britannica.com/topic/Pegasus-spyware https://citizenlab.ca/2016/08/million-dollar-dissident-iphon...
https://newatlas.com/computers/smartphone-listening-conversa...
https://www.bloomberg.com/news/features/2023-01-24/nso-group...
In aggregate, your phone is not listening to you, but if you are of great interest to a powerful adversary, it very well might be. But at that point, I would wager that's one of the smaller things on your plate.
Phones today show in the status bar if the camera/microphone is active.
If you can’t trust the software, why would you trust the software? Am I supposed to rely on the hope that an attacker can take over some part of the OS, but not the one rendering a tiny blob in the status bar?
8 replies →
Does that mean the phone will not react to „Hey, Siri“ without a mic icon showing up in the status bar?
2 replies →
And you think that wouldnt be disabled by malware that can turn your microphone on at will? Lmfao
1 reply →
BTW, "smart" TVs send screenshots too. [0]
[0] https://dl.acm.org/doi/10.1145/3646547.3689013
We’ve reached the state where you can safely presume anything “smart” is violating your privacy.
Anything network connected.
1 reply →
yeah, I liked the simplicity of having things on my tv, but I gave up and got an apple tv box. I was getting way too many "I was just talking about that!" ads on some of the "free" services i was watching old tv shows and movies on. I'm a pretty frugal guy for the most part but buying a separate box that doesn't sell everything you do and say to advertisers is worth it.
2 replies →
> "Apps were automatically taking screenshots of themselves and sending them to third parties. In one case, the app took video of the screen activity and sent that information to a third party.”
> Out of over 17,000 Android apps examined, more than 9,000 had potential permissions to take screenshots. And a number of apps were found to actively be doing so, taking screenshots and sending them to third-party sources.
Which permission is that, and how do you detect which apps are doing that and stop them?
There is a permission to record the screen. It requires user consent and there's an icon in the status bar while it's being used. It's impossible to use this covertly.
What I believe the article is speaking about, is an app taking screenshots of its own windows. This is obviously possible and obviously requires no permissions whatsoever. Just make a screen-sized bitmap and do
It does sound believable that third-party advertising/marketing/tracking SDKs, which many apps are chock full of, could be doing this.
> It's impossible to use this covertly.
*Unless there's a zero-day that allows it.
6 replies →
I followed the links to the study they referenced, and it says:
> Unlike the camera and audio APIs, the APIs for taking screenshots and recording video of the screen are not protected by any permission
However they also talk about doing static analysis on 9,100 out of the 17,260 apps, to determine (amongst other things) “whether media APIs are actually referenced in the app’s code”.
They then talk about doing a dynamic analysis to see which apps actually call the APIs (rather than just link to a library that might call it, but the app never calls that function the library).
The soundbite is bad, it shouldn’t say “had potential permissions to take screenshots”, it should just say “had the potential to take screenshots”
I doubt there's a specific "ability to send surreptitious screen shots to developer" permission. It must be a combination of permissions: one for making network connections, another for capturing the screen without making it obvious to the user, etc.
For apps that want to send their own screens to third parties, there's no permission needed or possible. The app is drawing the content to the screen. It knows what the content is.
4 replies →
When it's a developer tool we call it RUM or real user monitoring. It's super useful for solving bugs, but obviously the potential for abuse or user hostile activity is super high.
As far as permissions go, phones should have a log for when the permissions are actually used and how often.
... and is this permission to take screenshots of anything else you are doing on your phone at any time, or is it permission to take screenshots while you have that app open?
People seem to ignore the cost and accuracy aspects of a phone listening to you 24/7. At least with today’s constraints, it is highly unlikely to be happening.
First, the cost to transcribe audio is not free. It is computationally expensive. Any ad network or at scale service would not be able to afford it, especially in orgs where they are concerned about unit economics.
Secondly, the accuracy would be horrible. Most of the time, your phone is in your pocket and would pick up almost nothing. More over, it’s not like you are talking about anything of value to advertisers in most cases. Google is a money printing machine because people search with an intent to buy. The SNR of normal conversation is much much much lower. That makes the unit economics of doing this gets much worse.
Third, it would be pretty hard to not notice this was happening. Your phone would get hot, your battery would deplete very quickly, and you’d be using a lot of data. Moreover on iOS you could see the mic is being used and the OS would likely kill the app if it was using too many resources in the background.
So until we find an example of this actually happening, it’s not worth worrying about.
For all of these reasons, audio snooping is much more likely to be something done by wired, stationary devices that maybe have a decent amount of RAM + a fair bit of usually-idle processing capacity (to run the transcription model locally and just push the resulting text), and which are expected to draw a decent amount of power and use the Internet at vaguely-arbitrary times.
Like a smart TV, for example.
It is 1000% being done by smart TVs. They listen even when you are not using the voice remote. And the data is used to target ads (anywhere)
2 replies →
First thing I do is disable that feature on every TV I buy.
Second thing I do is block the TV access to internet after I do one firmware update.
2 replies →
It doesn’t need to listen all the time… just grab a few words after you put it down or hit the lock button. Or listen while you are actively using it.
Building a word cloud would be trivial and with minimal battery impact
These are all points that were brought up in the article as to why voice recording is less useful than all of the other tracking mechanisms advertisers have available
While I think that audio recording is not a thing, your economic argument is not complete.
What if only the audio of "high value" targets is recorded. Meaning people who buy a lot of stuff. So it might be worthwhile to only record their sounds. Which will explain why random testing (usually with new/clean phones) is never successful in detecting a recording event.
I think this is a genuine concern for prominent people. Like if you are Mark Zuckerberg, there is material interest in a bad actor installing malware on his laptop. But for a random person where you get low value data that may or may not let you better target some low value ads? That is much harder to justify. Would have to reevaluate as things change and the cost of compute goes down.
[dead]
Television, not phone, but YouTube sure intrigued me at minimum yesterday. First, it revealed pretty clearly that even with history turned off, it will use the history of other accounts accessed from the same IP to serve recommendations anyway. Without history, it turns off the home page recommendations, but when I ran a search, it showed me completely unrelated videos from a rock climbing channel my wife had watched on another account. I have never watched any rock climbing content on this account.
The second incident was the "listening to you thing," though. Not on the phone, but on a smart television. Exterminator was there to do the quarterly spray of my house and I was showing him scars from when I fell off a skateboard trying to bomb a hill I couldn't handle late last year, talking about what happened, and not five minutes later I turn on the television, open YouTube, and the very first recommendation on my wife's account is a video of a guy falling off his longboard at 50 MPH. Not like it's some kind of secret that we both skate and I watch a lot of downhill videos on this account, but I have never once specifically searched for, watched, or even been recommended a video of a crash, until they decide to do so five minutes after I was talking about it in front of that television.
What rot.
Here’s a simple experiment I ran and still works.
Back in the day there was a truly ghastly add for ear wax removal that showed up on YouTube in the UK.
In an experiment, and prank, I told two of my close friends about this, and how this horrid advert would kill my appetite when it came up.
And then I made it a point to repeat “ear wax removal” loudly several times.
Sure enough. A day later my dear friend messaged me with something on the lines of “I hate you”
Their phones were Android and iOS. I believe it was the Android user suffered.
If what you're talking about is the source of the ad, why did you see the ad yourself? Were you shouting about ear wax removal at your phone?
There are millions of ways the adware running on your phones could've correlated your profile and spread the "infection" to your friend. Basic location access being the most important one, but sharing an IP address (your friends' WiFi?), being near the same Bluetooth beacons, having the same stored SSIDs, or mere coincidence that your friend saw the same ad targeting a wide demographic are much more probable than "my phone is listening 24/7".
Sure. But its fun, and we can always replicate, just need a terrible ad.
Do note, this was tested in a park, so no shared WiFi, no Bluetooth beacons/devices. Also, this ad doesn’t/didn’t show up for others, ever.
7 replies →
This is why “my phone is listening and I can prove it” is such a good shibboleth for lack of critical thinking skills.
Can you not see all the biases and fallacies in your own comment?
Or you told your friend about this horrible ad and they looked it up without thinking and got added to the retargeting list.
She wouldn't because she has much better things to do in life. Matter of fact, its an ad you would never look at, just because you don't even have a need for it.
1 reply →
You and your friends only saw this ad in the first place because you were all targeted for it. That would’ve been simple demographic targeting.
Likely you all ignored it in week 1 of the 4 week campaign and by week 4 you’d seen it so many times it stuck in your head.
The thing is, it's not even people doing the correlations. Just like transformers can learn most of human knowledge just by trying to predict tokens, I would not be surprised if the ad-serving machine learning systems have learned about people in similar detail.
State of the art about 10 years ago was 4 9s of accuracy predicting click-through rates from the available context (features for user profile, current website, keywords, etc.), which I interpreted as requiring a fairly accurate learned model of human behavior. I got out of that industry so I don't know what current SOTA is for adtech, but I can only imagine it is better. The models were trained on automatically labelled data (GB/s of it) based on actual recent click-through rates so the amount of training data was roughly comparable to small LLMs.
Recent anecdote; three of us were sitting around the kitchen table with our phones out chatting about an obscure new thing that had come up; it appeared in one of our FB ad streams pretty quickly.
My top guesses about how this is possible today;
1) Apps routinely link many third-party data gathering and advertising libraries. Any of these libraries could be gathering enough contextual data and reselling it to make a correlation possible. It's not just obscure thing A that triggers an ad, it's highly correlated mixtures of normal things X, Y and Z that can imply A.
2) other friends may have talked about the obscure thing recently and social network links implied we would be aware of it through them.
Distant 3) the models are actually good enough to infer speech from weird side-channels like the accelerometer when people wave their hands when they talk, etc. Accelerometer sample rate is < 1KHz but over 100Hz which may be enough, especially when you throw giant models at it.
> an obscure new thing that had come up
Since you've provided no explicit counter-evidence, I'm gonna go ahead and say I have four nines of accuracy in predicting that your smartphone was squarely in the dependency chain of any "obscure new thing" you could have imagined discussing.
Edit: wording
Kind of a weirdly sad, uncharitable assumption to make
> 4 9s of accuracy predicting click-through rates
Having a hard time parsing what that means.
Lets say the CTR for 1000000 impressions of an add is 24.5898% and the ML predicts 25.1926%. How many 9s of accuracy is that?
At one of my previous companies we made a moderately popular mobile app SDK that app developers would embed in their apps. We were approached by a company that claimed they had a MIT developed (or was it Bell Labs?) audio recognition technology similar to Shazam, but orders of magnitude more efficient, that would be used to recognize audio from ads and record when a user was exposed to a TV or radio ad for tracking purposes.
I don’t remember the name, that was at least 10 years ago before Apple started enforcing permissions on microphone access and showing an orange dot, but they wanted to do a revenue-share deal in exchange for us quietly bundling their SDK inside ours.
Needless to say we turned them down so we never learned more or tested the veracity of their claims, but there are some really sleazy companies out there. Modern smartphones have sufficient horsepower to do the audio processing on-device so the argument that this would show up in network traffic does not hold.
Probably something along these lines
https://www.pcworld.com/article/424417/ad-tracking-tech-uses...
I guess hackernews has an aversion to this topic: https://news.ycombinator.com/item?id=43809203
They can also store things for later upload. A phone in airplane mode still isn't safe.
Was it Alphonso?
This partly explains why the recommendations I receive don't feel like mine. Multiple times, it's been obvious that the suggestions were pulled from other profiles and I could even tell whose.
My hypothesis
* The algorithms have linked my account to some others.
* They then serve me the embeddings extracted from those profiles. The near-real-time nature of this has crossed my mind more than once.
It's really unsettling, and afterwards I feel uneasy about any recommendations (all Google services, Netflix seems problematic too, not Amazon).
YouTube seems to have some hidden knobs for tuning this behaviour: after multiple negative feedbacks, the problematic content disappeared from my front page. However, the recommendations on the right-hand side of individual videos remain problematic, and the automatic playlists of YouTube Music are still strangely disturbing (even after multiple negative feedbacks).
This fact is important, because if an app were accessing a microphone and sending the audio to a cloud server for analysis there would be detectable traces of data consumption.
Because that's not how it works and companies like Meta know this when misleading it's users about their privacy.
Speech-to-text transcription is handled on your device. They never transmit the raw audio, there's no need to. A compressed text transcription of your conversation would only generate a few kilobytes of data. You would never notice it.
And the mic needs to be active in order to receive legitimate voice commands. If it can respond to your voice, the microphone is on and listening. That's the only way it can work.
One time my wife and I had a random conversation, utterly random, about cat hamster wheels. Like, why doesn't that exist? I got an ad for it the next day (it exists).
I don't believe that my phone is not listening to me and I challenge you to choose a random word out of the dictionary and say it 100 times in front of your phone.
>I don't believe that my phone is not listening to me and I challenge you to choose a random word out of the dictionary and say it 100 times in front of your phone.
The person making the claim should be responsible for furnishing the proof. If it's really so simple to prove, why hasn't anyone done a carefully controlled experiment proving this once and for all? At the very least, it'd move us beyond vague anecdotes on social media.
> If it's really so simple to prove, why hasn't anyone done a carefully controlled experiment proving this once and for all?
They did, and found no listening being done. It’s in the article under “The data doesn't add up”.
1 reply →
> I challenge you to choose a random word out of the dictionary and say it 100 times in front of your phone.
That test has been done. It is explained at length in the article under the heading “The data doesn't add up”.
It’s too easy to check on your phone if such a thing were happening.
Your TV though… that IS listening and the TV even has options to disable it. It’s on every TV shipped in at least the last 5 years, maybe 10.
A few times per year I similarly have a conversation with my wife at night (lastly about a hair type) and the next morning a corresponding ad was presented at her at Facebook (shampoo). Only her Android phone was at the room (open, logged in Facebook in Chrome, no app). I definitely believe they hear us but they trigger the action with care and selectively, so as not to get caught (eg to low tech people, when the ad is very relevant to the need etc).
I am astonished that nobody had ever done a reverse engineering research yet.
> but they trigger the action with care and selectively, so as not to get caught (eg to low tech people
That would be an awful plan. Low tech people are the ones who most frequently complain of this because they have no basis to think it wouldn’t happen.
> I am astonished that nobody had ever done a reverse engineering research yet.
They have. It’s described in the article.
People have! They haven't found anything yet.
>I am astonished that nobody had ever done a reverse engineering research yet.
They have, what you think is happening has been disproven tons of times. You just don't want to believe it.
Was there a smart tv in the room with you during that conversation?
good point!
>One time my wife and I had a random conversation, utterly random, about cat hamster wheels. Like, why doesn't that exist? I got an ad for it the next day (it exists).
Your wife probably googled them as soon as you were done talking about them and then you using the same network got an ad for them.
And then your wife went and looked them up to see if they do exist and your IP was added for retargeting.
> User permissions for a large number of apps were all enabled
This says it all. Privacy is not by default, because of souless mega corporations, including HN which has an extremely invasive privacy policy. If you don't actively take steps to improve your privacy, they will continue to exploit it. Use GrapheneOS, it is the most private and secure mobile operating system. Nothing happens without your explicit permission, the way it should have been from the beginning
These discussions seem to come up frequently lately. Both /e/OS and Lineage with microG provide good enough privacy for those who can't afford high-end smartphones like the Google Pixels.
The ranking would probably be:
- Pixel on GrapheneOS
- Any Android smartphone on Lineage or /e/OS
- iPhone on recent iOS (the best choice for technically illiterate people)
People concerned with privacy should avoid stock Android phones. Additionally, software only goes so far in protecting privacy. Some hygiene is also required, especially with iOS, where everything is sent to iCloud by default and E2E encryption is either not enabled by default or not available at all in some countries.
When it comes to hardware, nothing really compares to the Titan and T2 chips found in Pixels and iPhones though.
>- Pixel on GrapheneOS
>- Any Android smartphone on Lineage or /e/OS
None of those operating systems does anything for tracking/advertising SDKs in apps, which is most of where the data leaks are coming from, not google/apple. Moreover unless you're willing to go no proprietary apps (ie. most apps people actually use), you'll need google play services, which means google can still collect data on you.
2 replies →
>including HN which has an extremely invasive privacy policy
???
What information are they getting their hands on in the first place, aside from geoip data?
>Not only does the system know exactly where you are at every moment, it knows who your friends are, what they are interested in, and who you are spending time with
This actually makes sense of an anecdote a colleague uses to say that he thinks his phone is listening to him.
I am a keen skier. He used to ski a lot, but hasn't been for several years. Around the start of ski season this year, we talked about my plans to go skiing that weekend, and later that day he started seeing skiing-related ads.
He thinks it's because his phone listened into the conversation, but it could just as easily have been that it was spending more time near my phone (I had only recently started at that job) on which I regularly search for skiing-related things like conditions reports and directions to ski areas.
Or just ski ads go out when ski season starts and he only noticed that he saw one because you had the conversation.
> but it could just as easily have been that it was spending more time near my phone (I had only recently started at that job) on which I regularly search for skiing-related things like conditions reports and directions to ski areas
Bingo! This is most certainly what happened.
I’ve spent time trying to convince my friends that their phone’s microphone is not constantly listening and running sounds through voice recognition software to isolate their voice (so the individual who owns the phone can be advertised to), then through sentiment analysis software (to inform advertisement bids), all without meaningfully affecting battery life. That is usually an uphill battle but explaining location services and the fact they don’t know what I’ve searched gets the point across better. (It is actually creepier.)
You were probably in the same place using the same IP address, and both browsed - doesn’t matter which sites you both visited, the trackers have you. You might have shown him where you were going. Ad trackers thought “I’ll serve ski ads to people that were on that IP address because somebody else looked at xyz”.
How do IP addresses work with cell towers? The WiFi where I work doesn't allow personal devices to connect, but there's reasonable 5G.
1 reply →
> There is no easy way to close this privacy opening
Sure there is.
Hide screenshot taking behind permission and slap down hard apps that refuse to operate without them.
It says "screenshots of themselves". The application is responsible for rendering the screen in the first place so it fundamentally doesn't need a permission.
Now, what could reasonably be a permission is "access the internet", but our overlords don't approve of that thought.
(Contrast this to web pages, which do not render themselves and thus can sensibly be blocked from screenshotting)
Doesnt android already have a "network" permission? On some roms you can enable it/disable it on install of the app even
2 replies →
I mean yeah technically the website can’t screenshot, but it can do many functionally equivalent things.
For example, it can capture the entire DOM and send it off, including the contents of input fields that have not been submitted.
That DOM capture can be replayed on a browser to show what the user sees. So what’s the difference?
3 replies →
All I/O (including timing, date/time, internet, and everything else) should be behind permissions (although some may be permitted by default, they should still be overridable). Furthermore, all I/O should allow the user to program proxy capabilities (which can be used for testing error conditions, as well as for privacy and security, and for finer permissions, and logging, and other stuff).
However, if an app wants to make a screenshot of itself, then it could do so by emulation of itself (so no permission is needed), as long as everything it displays is rendered by its own code rather than calling other functions in the system to do so.
> As far as anyone could understand, the proposed CMG system wasn't listening through a phone's microphone 24/7, instead it was using those small slivers of voice data that are recorded and uploaded to the cloud in the moments after you activate your voice assistant with a "Hey Google" or "Hey Siri" command.
That's not quite accurate. The CMG thing was very clearly a case of advertising sales people getting over-excited and thinking they could sell vaporware to customers who had bought into the common "your phone listens to you and serves you ads" conspiracy theory. They cut that out the moment it started attracting attention from outside of their potential marks. Here's a rant about that I originally posted as a series of comments elsewhere: https://simonwillison.net/2024/Sep/2/facebook-cmg/
The "Hey Google" / "Hey Siri" thing is a slightly different story. Apple settled a case out of court for $95m where the accusation was that snippets of text around the "Hey Siri" wake word had been recorded on their servers and may have been listened to by employees (or contractors) who were debugging and improving Siri's performance: https://arstechnica.com/tech-policy/2025/01/apple-agrees-to-...
The problem with that lawsuit is that the original argument included anecdotal notes about "eerily accurate targeted ads that appeared after they had just been talking about specific items". By settling, Apple gave even more fuel to those conspiracy theories.
I wrote about this a few months ago: https://simonwillison.net/2025/Jan/2/they-spy-on-you-but-not... - including a note about that general conspiracy theory and how "Convincing people of this is basically impossible. It doesn’t matter how good your argument is, if someone has ever seen an ad that relates to their previous voice conversation they are likely convinced and there’s nothing you can do to talk them out of it."
... all of that said, I 100% agree with the general message of this article - the "truth is more disturbing" bit. Facebook can target you ads spookily well because they have a vast amount of data about you collected by correlating your activity across multiple sources. If they have your email address or phone number they can use that to match up your behaviour from all sorts of other sources. THAT's the creepy thing that people need to understand is happening.
"Convincing people of this is basically impossible. It doesn’t matter how good your argument is, if someone has ever seen an ad that relates to their previous voice conversation they are likely convinced and there’s nothing you can do to talk them out of it."
It sounds more like we have evidence of what we believe, you think we should toss the evidence for your counter-theory, and people won't do that. We also have an effect where tons of people experienced this. You want us to toss that, too.
"You don’t notice the hundreds of times a day you say something and don’t see a relevant advert a short time later. You see thousands of ads a day, can you remember what any of them are?"
On Facebook, during one period this happened, they were only showing me adds for Hotworx and a massage place every time. Trying to stay pure minded following Jesus Christ means I avoid such ads. So, it was strange that it's all they showed me. Then, strange the only break from the pattern was showing unlikely topics we just talked about in person.
So, I'm going to stick with the theory that they were listening since it best fit the evidence. I don't know why they'd do it. Prior reports long ago said they used to use ML (computer vision) to profile people outside of the platform who showed up in your pics.
I'll note another explanation. Instead of always listening, they could have done it to a random segment of people who were rarely clicking ads. Just occasionally, too. We wouldn't see the capability in use all the time. A feature tested or used on a subset of users.
Also, these companies keep saying on us in increasingly creative and dishonest ways. If anyone is to be blamed, it's them.
Thank you for illustrating my point so perfectly.
My younger bro is convinced phones are eavesdropping on conversations and got particularly paranoid (I thought) a year or so back in regard to talking in earshot of his phone.
His evidence is empirical - Apparently he gets pretty high with friends and shit talks - but when when the search started to suggest some pretty way out things along the same lines, he landed that their conversations weren't private any more.
So I have an understanding of how much tracking is going on so I pressed him on that. But he assured me it was stuff he would not even bother to look up in a clearer mindset and of course smoking recreationally for a very long time knows not to go near some tools that could land himself trouble or awkward explanations. That's probably true he says a lot of stuff that a half decent search would put him straight. In the end I just figured loose permissions of one of the many apps he's installed and that's how they (the app) make their money, selling illegally obtained data to more legal sources.
Permissions are the problem with android phones - there needs to be a specific install route for users, one that the app starts asking for things it should not need have access to, the installer refuses to install and suggests the user look for something better. Camera apps for example really don't need access to communication channels, if it's updates it's need, it can ask - one time access.
Something I discovered when going down this rabbit hole is that if you had that conversation in your house and your visitors have access to your wifi, it may be that they performed the search without you knowing, and your ISP connected that data to you and sold it (as they do).
Location location location.
- User 1 shows an interest in <topic>.
- User 1 visits the same location, for the same period of time, as user 2.
- So I show an ad for <topic> to user 2.
How would your ISP connect that data if every search engine uses HTTPS now, so there's no way for the ISP to see what you were searching for?
6 replies →
His phone would have to be running a hotspot for any visitors (in many parts of the rural area in my locale, mobile data is it for the internet) but if any visitors were with the same carrier network, visitors could have searched. However it's entirely improbable any of his buddies would be on their phone while they're there unless it was a legit interest. Secondly this is stuff from what I gathered, some of is stuff that no one would really even think exists - it's shit talk speculation that's out past the black stump - no one once they're back to earth is ever going to bother to look up even a small aspect of it.
In his case a realistic answer falls towards loose or sneaky permissions in regard of an app that have slipped through that have allowed a weird conversation to influence suggestions in internet activity later on.
However for more grounded subject matters, the more probable strange coincidences falls to queries and visits to the net being scraped by external API and content (fonts scripts etc) providers. I've no idea how much meaningful info would normally be shared between the site and third party providers that seemingly need to be contacted while a site loads.
2 replies →
That's true. I had to rule that out by only counting instances when my friends and I were alone. If not, or Wifi is open, then who knows.
> Apparently he gets pretty high with friends and shit talks - but when when the search started to suggest some pretty way out things along the same lines, he landed that their conversations weren't private any more.
I had an experience like this several years ago. I was having dinner with a customer, and one of the guys brought up this story about how he went to school with someone who got caught cheating on Who Wants to be a Millionaire. Later, back at my hotel, I pulled up YouTube and the first recommended video was of the guy who got caught cheating on the game show. I had not searched for this during the conversation (or prior) nor do I watch game show videos on YouTube, or cheating scandal videos on YouTube.
Here's what I think happened: somebody at the dinner googled it, and the video got recommended based either on geo-location data (we were in close proximity) or because the person who googled it was in my phone contacts, or maybe both. But, I don't think Google/Youtube was recording anyone's conversation to make that recommendation.
It could also be that YouTube started recommending this video to people for whatever reason, which was why it was on this guy’s mind.
1 reply →
> Permissions are the problem with android phones - there needs to be a specific install route for users, one that the app starts asking for things it should not need have access to, the installer refuses to install and suggests the user look for something better. Camera apps for example really don't need access to communication channels, if it's updates it's need, it can ask - one time access.
I definitely don't want my phone making those decisions for me; I want my phone enabling me to make decisions. The app asks for permissions, I say no, and, rather than ratting me out to the app, my phone does its best to pretend to the app that it (the app) has the permission it wants, say by giving an empty contact book or whatever. (I know rooted phones can do this, but it shouldn't have to be something I have to fight my phone for.)
This matches up with my exact thoughts too. My old phone was an Android, and it was quite old in that the manufacturer hadn't updated it in a while. There were times when speaking about something would give me ads relating to it on Google, or posts in Instagram's case.
Then I got an iPhone and it stopped completely. My wife has a newer Android phone and the same things happen to her.
Now, I swear I read a few years ago that Facebook have teams to deliberately look for vulnerabilities to exploit, as well as things such as this: https://x.com/ashk4n/status/1070349123516170240.
So my personal conclusion(s) is this: 1. There are vulnerabilities in older (if not current) Android versions which companies like Meta exploit to eavesdrop at all times, or at least while the app is not closed. 2. Most people just provide the 'While using the App' or 'Always allow' permissions for the microphone/camera, so this basically gives permission for them to do that regardless, even if it's not what those permissions were requested for (sending a voice message, taking a picture to post etc), BUT now there are status lights for when apps are using the microphone/camera which I never noticed been activated on my wife's phone when using it, unless for the correct reasons.
Between all the apps people use daily which is pretty much Instagram/Twitter/TikTok/WhatsApp, microphone permissions tend to be enabled, and if they are, then most of someone's screen time is on an app with those permissions. Not to mention the 'Google' app on Android phones which seems to have every single permission enabled at all times that perpetually runs.
Sorry, but I'm not buying the "someone else in your home searched something similar" or "ads are so advanced that they can predict what you want" etc excuses. I'm extremely careful with what I search. I have never experienced this once I switched to an iPhone, but I have experienced it too many times when on Android.
He’s right and everyone knows it. It's pretty blatant and there have been lawsuits settle rather than go to a trial that would surely reveal the extent to which this thing that’s obviously happening is happening
https://www.sfchronicle.com/bayarea/article/apple-siri-priva...
I attempted to debunk that one here (an admittedly impossible task but I can't help myself trying): https://simonwillison.net/2025/Jan/2/they-spy-on-you-but-not...
9 replies →
He is right, all modern phone brands are surveillance devices furnished to provide the OEM with identifying data: https://arstechnica.com/tech-policy/2023/12/apple-admits-to-...
Doesn't it have to listen to everything to capture the wake word "hey siri"? How else is it done?
The iPhone has dedicated low-power on-device hardware that is trained to pick up "Hey Siri" exclusively. It only wakes up the rest of the device and captures additional audio after that wake word has been triggered.
https://machinelearning.apple.com/research/voice-trigger
https://machinelearning.apple.com/research/hey-siri
>pick up "Hey Siri" exclusively
until it isn't. anything apple is proprietary and any feature could silently change at any time even for only specific devices/user.
https://web.archive.org/web/20250415140321/https://www.thegu...
Keep thinking its merely correlation while the US military bans phones from the SCIF…
Pretty much every time I add a new contact to my phone I start to get really strange ads online. I figured it out when I added a guy who's retiring for the army. I started getting retirement ads for soldiers.
Then, I add a guy I loosely know and what do I start seeing? Cocaine rehab ads. I shit you not. It's not hard to argue that this is more than a minor privacy violation.
There's a nation proud of overspinning enrichment turbines with a complicated computer virus that can even work offline. No conspiracy, that's just StuxNet.
So, when you start learning about tech, you get paranoid. If you're not, it's even weirder.
The fact that someone can target you, individually, is undisputable. Whether it will or not, that's another question.
What I can recommend if you think you are being observed, is to avoid the common pitfalls:
Don't go full isolationist living without technology. That is a trap. There is nowhere to hide anyway.
Strange new friends who are super into what you do? Trap.
You were never good with girls but one is seemingly into you, despite you being an ugly ass dirty computer nerd? That is a trap. Specially online but not limited to it.
Go ahead, be paranoid. When an article comes to probe how paranoid you are, go ahead and explain exactly how paranoid you have become.
But live a normal life nonetheless, unaffected by those things. Allow yourself to laugh, and be cool with it.
Hundreds of clone accounts doxxing me? Well, thanks for the free decoys.
Constant surveillance? Well, thank you for uploading my soul free of charge to super protected servers.
Dodgy counter arguments in everything in care to discuss? Sounds like training.
The paranoid optimist is quite an underrated character. I don't see many of those around.
Sounds like the age old adage: if it's too good to be true, it is.
I also tend to be very skeptical towards popular sayings. Sometimes, they fail.
"true" in the sense you used here. Have you thought about what it means in that context?
We live in an age full of fear of missing out baits and reversed versions of such. There is no sense of "oh, this is good for me" that can be relied upon (implied in the original comment, you are going to find it), although there are sayings.
If it sounds too good to be true, it probably is. Otherwise it's just a tautology.
[flagged]
There is a list of things I keep under profound consideration always.
Information that travels backwards in time is one of them. I have a pretty good idea on how it could be possible and who would have the resources to do it.
God is also another. However, I am a very unorthodox student of religion. I deeply respect anyone that uses it to foster a good behavior. Whoever uses it to trick others, I tend to see more as an act of hostility towards innocent believers. Like, if someone tries to put me into a religion mindset just to fuck with me, it's a dick move.
What I know for sure is that God would not make mistakes. Whatever monitors me, does. It did so many times. I know it embarrasses them. It's delightful in that sense. So, yeah. God might exist, but I ain't talking about it when I describe paranoia.
Another thing that is quite recent in my studies is psychology and how we are all so vulnerable to it. I started to despise it a little bit. How come it never solved so many issues? How come it seems to put them to evidence but not fix them, and by putting them to evidence, make them worse?
Anyway. Do you want even more paranoia? If you like it, I should be supposed to charge for it, you know.
1 reply →
I get all the proximity-based aggregation, and creating graphs of relationships to leak content between personal "algorithms" (dislike that wording but that's the colloquial usage), and tracking between sites + social networks, and all the basic stuff ... but can somebody explain how I immediately get served ads relevant to text typed into (presumably-encrypted) iMessage conversations?
I also have a couple distinct memories of getting served ads for products I've never searched for or never bought before, after I either bought it in a store or, even weirder, literally just picked it up, looked at it, and put it back on the shelf in a store?
I can craft some kind of super-surveillance-state theory as to how you could achieve that, but it feels very unlikely to be deployed at a small CVS lol
Anyways, these might just be coincidences but still perplexing to understand how it's done.
My guess on iMessages is that the ads are actually tracking your friend (or other person at your location) looking up details/a link to use in the iMessage conversation. And that only works some percentage of the time, but that's the percent you notice.
> how I immediately get served ads relevant to text typed into (presumably-encrypted) iMessage conversations?
Are you using a third party keyboard? Or any apps you don't 100% trust if you sent the message from a Mac?
Nope, regular iOS/macOS on all ends. Literally just stock Apple Messages on devices. I just notice sometimes topics will come up (what appears to me to be randomly) and then relevant ads and/or content will appear on Instagram or web.
I guess it's possible that, to me, it appears "organic" (ex. somebody just mentions Taco Bell or whatever) but they had actually been searching on their device, and since our digital proximities are known, the next thing you know I'm Living Más lol
1 reply →
I seem to recall that state of the art audio encoding can compress voice to 8kbit/s which is a single packet per second, insignificant compared to how chatty your device is. Trivial to buffer and send during a period of activity. It sums to 1.7MB over the 30 minute window in the article graphs which should be visible if it is actually counted. Why would apple or google actually make it count though? They want to spy on you either for their own benefit or because the government forces them to. You say you found it taking screenshots and phoning them home. Of course! It is a surveillance device. Is it worse? Maybe. You should consider it sends everything home. Every keystroke, every touch of the screen, every sample of the accelerometers, every sample of audio. Perhaps only the sheer quantity of data in video prevents them from sending it all. Might be "remedied" with 5G bandwidth.
Audio, screenshots, and some of the other stuff I can believe, but I think batteries need a big upgrade before the data snatchers can get away with streaming video, even at a low bitrate.
I'm also not sure how easy keylogging is these days, is there even a permission that allows it? I supposed there's ways to do it with custom keyboards. Google/Apple doing it themselves would be a pretty big deal.
I think everyone acknowledges that chrome sends every keystroke in the address bar home. I don't keep up with the spyware so perhaps it is now every keystroke in the rest of the browser. It isn't much of a leap further that their operating system does the same.
Knowing how digital advertising works, it's more likely that a payload is delivered to the phone in some app or by os or by browser that has a dictionary of keywords paid for to be associated with specific ad campaigns. If the device detects that term (via sound, search, or media) it triggers a message home as an analytics to target you and your device now calls for those campaigns.
If it works like that, why aren't the app companies describing exactly how it works to advertisers in order to earn their business?
They describe how everything else they do works in great detail if you're someone who buys ads.
What makes you think the raw audio stream needs to be sent anywhere. Modern phones are capable of doing keyword extraction on-device.
You need to know what keywords to listen for before discarding the audio data. An advertising giant might know but a government doesn't.
This conspiracy theory has been around for a lot longer than phone hardware has been capable of doing that.
3 replies →
If that were true why are cell phone voice calls still so terrible?
Because cellular carriers keep the same pace as a snail on vacation.
The phone is listening. Services like Shazam and Alphonso are constantly fingerprinting audio from the mics and sending these fingerprints up for "matching".
What are they matching against? Against key "content".
To check if the fingerprints from your phone mic match the "content" they have to do some kind of nearest neighbor search. What if the fingerprints aren't super close but they're somewhat close? To "content" related to certain products? Should we send the ad?
What if employees at Alphonso and Shazam _know_ that the fingerprints from your phone aren't quite close enough to have been generated from key monetizable samples of the "content", but also know that they are close enough to be effective? At targeting potential buyers?
Who decides how close is close enough? What's the ethical threshold here? And what's the most profitable threshold?
> The phone is listening. Services like Shazam and Alphonso are constantly fingerprinting audio from the mics and sending these fingerprints up for "matching".
Could you please provide a source for this?
Just on the outset this sounds pretty wild if true. In the settings I do not see any permissions associated with Shazam, and only when I open it do I see the usual microphone indicator light up.
I will say though, it is weird that it doesn't have associated permissions listed, because clearly it can access the mic at least when it's open.
Edit: nevermind, found it, was just super hidden. But yeah, says it can only access it when the app is "in use". Now can it auto launch? Apparently also yes, after boot. Otherwise idk. It's further interesting I cannot tweak any of these permissions.
Edit #2: now it says that notifications are enabled for it, but then i check, and they aren't. i exercise the toggle, now it doesn't say that anymore, and the mic permissions are no longer hidden? Samsung please...
No amount of years in tech will rid me of tech pains it seems.
Pixel phones have a built in background audio fingerprinting service called "Now Playing" which can operate constantly.
Shazam has an "auto shazam" feature you can enable for constant background listening, since 2016 at least!
But look into Alphonso. That's like Shazam but explicitly for covert "content recognition" listening in microphone enabled apps. And it's old.
People who say it's too expensive or impractical to do bulk listening for ad-tech just aren't paying attention.
1 reply →
Shazam only records when you open it.
Not necessarily: https://lifehacker.com/shazam-can-now-automatically-identify...
Apple settled a lawsuit about Siri ‘unintentionally’ listening. [1] So, yes, they also can likely predict what you want based on all they do openly track… but we can no longer claim that they aren’t listening.
Based on the lawsuit and other sources, my guess is the phones build a word cloud that is then used for targeted advertising. Apple at el aren’t recording and selling the actual audio… but they are listening.
(1) https://www.reuters.com/legal/apple-pay-95-million-settle-si...
If "the truth is more disturbing", then why do people seem to care about "secretly listening" but not about "the truth" (data collection). Perhaps because the US has state and federal laws against wiretapping. Perhaps the difference is consent. Arguably so-called "tech" companies have obtained consent to collect data ("the truth"). But have they obtained consent to "secretly listen" to private conversations.
I’ve said it before and will reinforce it cause once again no one brings it up in the comments. People report the phone is listening to them because they talked about <insert> and now they are seeing ads for it. What they may not realise is they are talking about <insert> because subliminally the ad worked they just never noticed it. Now they have. The ad was there first like a little virus worming in your brain and then you bring it up with friends thinking it an original thought.
Definitely possible… but Apple was successfully sued for unintentionally’ listening. They didn’t admit guilt but settled.
https://www.reuters.com/legal/apple-pay-95-million-settle-si...
It is in fact listening to you, at least if you have an iPhone: https://www.lemonde.fr/en/pixels/article/2025/02/14/apple-ta...
That was a stupid study. Phones know if they are being used - the phones for 3 days around ads is meaningless.
Tracking isn't all the time - that would be tough. They do record stuff when you doing certain things tho...
It's not impossible at all, actually it's rather easy if you have access to their actual online activity too.
I think it would be interesting to try to do a "constructive debunking" - try to build a system yourself that uses a tampered phone and constantly records and transcribes all audio around it, without being obviously detectable by battery drain, CPU usage or network traffic.
Variants/difficulty levels could be about: capture everything, or just keywords? What if you have a million keywords? Transcribe on-device or in the cloud? Can you do it just inside an app or do you need OS support/root access? Etc etc.
Would be interesting to see what can be done at all and how easy or difficult it would be to detect.
Comparing a small project like that with the vast cyberstalking industry we call advertising today isn't going to yield similar results if the conspiracy theory is true. I can make a full tracker that drains the battery like crazy but that doesn't mean the smartypants who know when women are pregnant weeks before they do themselves can't come up with a system that's more efficient with acceptable data granularity.
Worst case scenario you succeed, and you've built yourself the torment nexus. If you publish your results, you'll have to publish the torment nexus to prove you don't have anything up your sleeve, making the world slightly worse for everyone else now that there's an accessible torment nexus ready to go. If you don't publish your torment nexus, nobody will believe you. Hell, if you succeed, you might've actually invented the thing! At best, the result of your success is knowing for sure you _could_ be spied upon any time, anywhere.
There's probably a much easier method to know for sure: work for advertising companies and learn their secrets.
2 replies →
Does anyone recall the national discussions surrounding what constituted metadata following 9/11 when ThinThread and Trailblazer were brought to public attention?
I also recall reading about members of the TIA "Total Information Awareness" program leaving to join advisory boards for rising social media platforms, Facebook most notably. These weren't tinfoil opeds in fringe outlets, but regular reporting by journalists published in trusted local newspapers.
Are there any outlets left who aren't part of consolidated media groups that can or do still track and report on movements like this? I've having trouble finding original articles that haven't been "revised for historical accuracy" or hidden behind paywalls of the few entities that remain.
Edit: For context, I was looking for the earliest articles about Google citing legal justification for scanning the contents of emails under a favorable interpretation of metadata that allowed for tokenization by an automated process (ie- the contents were not read by a human or made personally identifiable, which met the letter of the law). It follows that the same justification is not limited to any source or data type, but I couldn't recall any more recent reporting or statements from companies over the last 10-15 years, or, the "don't break Google" era.
If our popular phone operating systems were worth anything and actually acted as an agent for the user that owned them, they'd allow anyone to easily track and prevent this.
Do iOS apps also take screenshots of activity in other apps without consent? Does the platform allow it to, if yes then is there a way to block it?
They cannot.
« The article posits that the uncanny relevance of some ads is due to sophisticated data collection methods. Companies analyze user behavior, online activity, and social interactions to predict interests, making it seem as though devices are listening.
In essence, while smartphones may not be actively eavesdropping, the depth and breadth of data analytics employed by tech companies can create the illusion of such practices.»
There has definitely been cases where I have not looked up an idea at all on my devices, only mentioned it in speech at home, and the highly targeted at shows up on mobile the next day or even that day. I would take the correlation theory if I actually left data to correlate.
This... I have had on at least 2 occasions explicitly where I know for a fact I hadn't searched or looked up this topic on any system, and I brought up a topic and talked to my roommate and within the next 12 hours FB served me ads or content relating to the topic.
I get the idea that an "always on" monitoring system would be problematic (even if you discarded the data itself and only retained/filtered relevant bits for a short period of time). But ... I have no other way to explain events like this.
I suppose some weird correlation of user has x,y,z and they searched for a,b,c in the past, and other users search for D, then we show D at exactly the 12 hour time they searched for it.
Yes I am aware of recency bias, and how perhaps it was shown other times without recognizing it. But it's... hard to shake that feeling, and I am (well less so now) a skeptic...
If it's anything it's like AI that's eerily creepy like "intelligence" but not it, just like this is "like listening" but isn't. Both use statistical models to do creepy ass shit.
2 replies →
But why did you mention it at all?
That’s the point the article makes: That some idea is on your mind is essentially always correlated with any number of signals, some of which are visible or inferable by adtech.
A few years ago, I was fairly convinced that Google Voice was listening and punishing me for hitting "political third rail" keywords during phone calls.
On more than one occasion, I would be in a conversation with a friend of mine and things would turn political, and if I spouted just the right combination of anti-left rhetoric/keywords, our connection would drop right away -- boom.
Now why would Voice do this when other Google properties don't? I mean, they don't filter Gmail or Docs or Photos looking for subversive content and censoring it. YouTube comments, maybe.
But I figured that if they wanted, it was completely possible. Because they have proven and deployed live-transcription, and they're best at English. Not to mention, Voice is sort of a deprecated product that they don't really support. So why not throw a little havoc in there for miscreants?
The reason I was using Voice was to place phone calls from a SIM-less tablet. It seems that Voice insists on using my real phone now for routing any sort of call. So I haven't had opportunity to test the boundaries for years now. Nevertheless, I was not sorry about the possibility of censorship, I was duly chastened, and sorry I've been so brainwashed to lapse into mindless talking-point rhetoric.
Never trust these people, always know that something is going on somewhere.
> Even though these ad algorithms are not nearly perfect (try to pay attention to how often you are served ads that are entirely irrelevant to your interests), the simple fact that they are so eerily correct even some of the time is the real conspiracy here.
This could be intentional. Having too many accurate ads is having a bad effect, because you then enter the uncanny valley of noticing what the data collectors all know about you.
Amazon often tries to show me a dress store. I’m a guy, and I’ve never bought women’s clothing. On the surface, the ad makes no sense and is irrelevant—but what if I end up wanting to buy a dress for someone else? Then I might remember that Amazon dress shop.
This (or simple error) seems more likely to me than a conspiracy to appear less creepy, though I suppose all three could be in play.
Yes my phone is listening. To almost every word, and using that information to serve me ads. I would bet my entire net worth on that, as I'm 100% certain.
it’s just ai llm snooping amd doing big ol compute just like we have access to now. but advertisers had it years ago cuz they paid and at large, ads sold.
became so prevalent no differentiable value so the algos etc sought new omg human public users. magic baby. but just hungry ip sw gobbling up new worlds.
maybe. just thinking outloud.
iPhone will tell me that I have a 25m drive to get to work. Literally why? I know where I work and how long it takes. I have done it enough times for it to learn what I do at 07:30 in the morning. Is it just flexing repeapetedly that it did a simple inference?
Some places, including the Bay Area where this feature was probably created, have significant variance in commute times depending on the traffic of the day so this can be a useful feature.
The commute time from SF to Cupertino is certainly not constant.
As a mere hick I’m sometimes oblivious to the lived experience of the ~~~~ SC crowd.
bs article paid for by those big corporations.
I'm not going to ask if you actually read the article. My recommendation is to read the second half of the headline.
[dead]
Tl;dr it’s not the microphone… it’s screenshots.