Important: your phone really is eavesdropping on you

I’ve seen a lot of conspiracy theories that Facebook or Google are eavesdropping on our conversations.

And there’s been a lot of mockery over the privacy concerns about people putting the Amazon Echo into their living room.

But at the same time people seem totally fine with carrying a camera and microphone around with them literally everywhere they go, at all times. Your phone isn’t as obvious a target, but it’s a much more real privacy risk.

And so, inevitably:

These apps, once downloaded onto a smartphone, have the ability to keep tabs on the viewing habits of their users [by] collecting TV-viewing data for advertisers. Using a smartphone’s microphone, Alphonso’s software can detail what people watch by identifying audio signals in TV ads and shows, sometimes even matching that information with the places people visit and the movies they see. […] Alphonso has a deal with the music-listening app Shazam, which has microphone access on many phones. Alphonso is able to provide the snippets it picks up to Shazam, he said, which can use its own content-recognition technology to identify users and then sell that information to Alphonso. [emphasis mine]

Do you have a phone? Do you have Shazam installed? I know I did until about ten minutes ago.


Because of the obvious risks, the companies putting those things in your living room are seriously concerned about privacy. As an Amazon employee I know more about the Echo than its competitors, but I know that the Echo only “listens” when triggered (it is aware of sound at all times, but only records after being triggered), and lets users audit and delete (see items #3 and #4 here) any recordings they don’t want stored.

About dondo

3 thoughts on “Important: your phone <i>really is</i> eavesdropping on you

  1. A) Anyone can say the trigger word on an Amazon device — as I think I’ve demonstrated — shortcutting a critical layer of security. Good security is shutting down all attack surfaces, since you can’t predict all attack vectors. This is one step better than dropping a pre-configured Fire on my doorstep in Oakland with my credit card info on it, but not a huge step.

    B) Think about e.g. how cookies were initially presented … anyone saying “this seems invasive” were derisively shouted down, as the technology was “safe” and companies were to be “trusted.” Compare that to how cookies are used now (with several sites not even working without enabling 3rd-party-cookies, which is a major security hole). I’d say a voice fingerprint/audio access would be even more tempting for abuse. Make the technology available, and it will be abused. Show me even one counter-example where tech hasn’t been subverted for profit or privacy invasion … if not Amazon, then NSA/CIA or state hackers will do something evil and unintended. Or is your engineering team better at internet security than, say, Cisco?

    C) Unless you designed the unit, you can’t tell me you know what your company inserted into the design; is your company more reputable than, say, Samsung?
    … and you can’t promise that there aren’t bugs that expose conversations; are you more technically apt than Google?
    I have seen Amazon do questionably ethical things when a profit opportunity arises, and reply with “well, what did you expect?”, so you can’t say that’s out of the realm of possibility.

    I agree that phones are basically walking eavesdropping devices, and are an order of magnitude more of a concern. But putting your trust in corporate America — especially in an era of lax regulation, and especially a company run by someone who wants to Rule the World — seems, well, naive. So much of the loss of privacy is people trading off security for convenience, coupled with corporations (and their proxies) reassuring folks that these technologies will be used for good before profit. Please don’t add to the problem by shillin’ for the (possibly unintended) villians, and don’t write off as comical anyone with security concerns about any non-open-source technology. YMMV. -lovebuggy.

    1. Hey, Buggy. Thanks for your thoughts.

      (A) Quick reminder: the topic of this post was about people using personal electronics to eavesdrop. Yes, the device allows someone with physical access to order something (to be delivered to your address). That’s risk vector, but a very different risk. Also, not a huge one.
      (B) Yes, there is real risk that audio signals will be abused. Amazon has explicitly designed this device in ways that should help mitigate the risks you’re describing; those other devices, not so much. Does that mean that it won’t happen? I can’t make that assurance, not for all devices, especially not for third-party devices. But I did not actually intend to be defending Amazon per se.
      (C) I did not design the device, but I have personal relationships with people who did. They are both impressively competent and very focused on privacy and security. I’m confident that the Echo is a more difficult and less tempting target than your phone. Is the Echo impermeable? I can’t make that claim. But unless you wrote your comment on paper and mailed it to someone else to type in, the device you used has a microphone, too. Is the microphone physically disabled when not in use? Do you have the camera on your computer and phone covered when you’re not using them? Those are even more tempting targets, have proven and really unpleasant examples of abuse. So, given your enlightened awareness of security, have you taken the basic security precautions on those devices?

      In conclusion:
      Yes, I unreservedly believe that Amazon is better at security than Cisco.
      Yes, I think Amazon is more reputable than Samsung.
      No, I don’t think Amazon is more “technically apt” than Google.
      I’m not sure how any of that is relevant.

      You seem to think I’m defending a defenseless corporation, or that I’m suggesting there is no risk from having another device with another microphone in your living room. That’s not remotely what I’m saying. But the howling screams of privacy invasion focused on the Echo that people are typing in… on their phones that they carry with them everywhere… or into their computers that they leave lying around their living room with an open microphone at all times… are perhaps misfocused. I’m not writing off people with security concerns as “comical;” I just find their focus somewhat lopsided at times. You use a smartphone, a computer, you use Facebook, you use Google, you use Samsung, you probably can’t avoid having your data pass through Cisco routers. There are cameras taking pictures of you as you drive down the freeway; your car sends GPS signal to satellites pretty much all the time. Your credit card leaves a trail of activity behind every purchase; you can’t really avoid scrawling your digital signature on electronic devices wherever you use money.

      Is adding the Echo to your living room really the big risk you should be howling at?

  2. Points all taken, but. It’s data aggregation that scares me the most … not someone listening to a specific convo, but rather massive hoovers of data — even meta-data — being combined in unsuspected ways to tell more about you than you maybe even know about yourself. To this end, the NSA has gotten very interested in voice *identification*:

    and large businesses — who are not immune to subpoenas and gag orders — are building these data sets for them:

    Both Google’s and Amazon’s “smart speakers” have recently introduced speaker recognition systems that distinguish between the voices of family members. “Once the companies have it,” Williams said, “law enforcement, in theory, will be able to get it, so long as they have a valid legal process.”

    Notably, the recent loosening of the requirements on warrantless search (basically any internet traffic the NSA can force-route in and out of US jurisdiction, which they already easily do to justify US-originated “foreign” data slurping) makes this “legal” loss of protection more of a concern. No amount of security is going to help against the NSA, and you can’t train machines without storing huge data sets, and that’s an inherent risk. I’d say comparable to choosing to use Siri (which I generally don’t do), rather than having a hot mic on your laptop (assuming they’re not just using that data for aggregation purposes). That paranoia-math flips (for me) if I have reason to believe I’m a specific person of interest. YMMV.

    Thanks for the thoughtful thoughts. I think we’re all too lazy for our own security and privacy, and if we don’t mandate techno rights by law, that ship will sail, soon, for good. Given that no one cares, and America will soon be great again, I’m not optimistic.

Leave a Reply

Your email address will not be published. Required fields are marked *

Are you a spambot? *