Are Phones and Smart Speakers Listening to You? Cox Media Group Claims They Can

[-] Septimaeus@infosec.pub 48 points 9 months ago* (last edited 8 months ago)

I usually wear the tin foil hat in these debates, but I must concede in this case: the eavesdropping phone theory in particular is difficult to substantiate, from a technical standpoint.

For one, a user can check this themselves today with basic local network traffic monitors or packet sniffing tools. Even heavily compressed audio data will stand out in the log, no matter how it’s encrypted, streamed, batched or what have you.

To get a sense of what I mean, run wireshark and give a wake phrase command to see what that looks like. Now imagine trying to obfuscate that type of transmission for audio longer than 2 seconds, and repeatedly throughout a day.

Even assuming local audio inference and processing on a completely compromised device (rooted/jailbroken, disabled sandboxing/SIP, unrestricted platform access, the works) most phones will just struggle to do that recording and processing indeterminately without a noticeable impact on energy and data use.

I’m sure advertising companies would love to collect that much raw candid data. It would seem quite a challenge to do so quietly, however, and given the apparent lack of evidence, is thus unlikely to have been implemented at any kind of scale.

[-] admiralteal@kbin.social 23 points 9 months ago

There's also a totally plausible and far more insidious answer to what's going on with the experiences people have of the ads matching their conversations.

That explanation is advertising works. And worse, it works subconsciously. That you're seeing the ads and don't even notice you're seeing them and then they're worming their way into your conversations at which point you become more aware of them and then start noticing the ads.

Which does comport with the billions of dollars spent on advertising every year. It would be very weird if an entire ad industry that's at least a century old was all a complete nonsense waste of money this whole time.

To me, this whole narrative is just another parable about why we need to do everything possible to limit our own exposure to ads to avoid being manipulated.

[-] Septimaeus@infosec.pub 7 points 9 months ago* (last edited 8 months ago)

Damn, I hadn’t thought of that. The chicken egg question of spooky ad relevance. Insidious indeed.

I feel like the idea of some person or group having enough info to psychologically manipulate or predict should be way scarier than the black helicopter stuff, especially given that it’s one of the few conspiracy theories we actually have a bunch of high quality evidence for, just in marketing and statistics textbooks alone.

But here we are. Government surveillance is the hot button, not the fact that marketers would happily sock puppet you given the chance.

[-] WetBeardHairs@lemmy.ml 14 points 9 months ago

That is glossing over how they process the data and transmit it to the cloud. The assistant wake word for "Hey Google" invokes an audio stream to an off site audio processor in order to handle the query. So that is easy to identify via traffic because it is immediate and large.

The advertising-wake words do not get processed that way. They are limited in scope and are handled by the low power hardware audio processor used for listening for the assistant wake word. The wake word processor is an FPGA or ASIC - specifically because it allows the integration of customizable words to listen for in an extremely low power raw form. When an advertising wake word is identified, it sends an interrupt to the CPU along with an enumerated value of which word was heard. The OS then stores that value and transmits a batch of them to a server at a later time. An entire day's worth of advertising wake word data may be less than 1 kb in size and it is sent along with other information.

Good luck finding that on wireshark.

[-] Septimaeus@infosec.pub 8 points 9 months ago* (last edited 9 months ago)

Hmm, that’s outside my wheelhouse. So you’re saying phone hardware is designed to listen for not just one but multiple predefined or reprogrammable bank of wake words? I hadn’t read about that yet but it sounds more feasible than the constant livestream idea.

The echo had the capacity for multiple wake words IIRC, but I hadn’t heard of that for mobile devices. I’m curious how many of these key words can they fit?

load more comments (1 replies)

[-] Zerush@lemmy.ml 9 points 9 months ago* (last edited 9 months ago)

Smartphones by definition are Spyware, at least if you use the OS as is, because in them all aspects are controlled and logged, either by Google on Android or by Apple on iOS. Adding the default apps that cannot be uninstalled on a mobile that is not rooted. As COX alleges, they also use third-party logs and therefore can track and profile the user very well, even without using this technology that they claim to have.

Although they feel authorized by the user's consent to the TOS and PP, the legality depends directly on the legislation of each country. TOS and PP itself, to be a legal contract, must comply in all its points with local legislation to be applicable to the user. For this reason, I think that these practices are very different in the EU from those in the US, where legislation regarding privacy is conspicuous by its absence, that is, that US users should take these COX statements very seriously in their devices, although in the EU they must also be clear that Google and Apple know exactly what they do and where users live, although they are limited from selling this data to third parties.

Basics:

-- READ ALWAYS TOS AND PP

Review the permissions of each app, leaving only the most essential ones
Desactivate GPS if not used
Review in Android every app with Exodus Privacy, maybe Lookout or MyCyberHome in iOS (Freemium apps !!!)
Use as less possible apps from the store
Be aware of discount apps from the Supermarket or Malls
Don't store important data in the Phone (Banking, Medical...)

load more comments (3 replies)

[-] Fungah@lemmy.world 9 points 9 months ago

My own theory is that they tokenize key words and phrases with an AI so that they're not sending the actual audio data. Then it's stored in a form some AI can parse but isn't technically user data so they can skirt legislation around that.

A tokenized collection of key phrases omitting delimiters in text format is going be much, much less than audio, or a transcript.

[-] ben_dover@lemmy.world 12 points 9 months ago

as someone who has played around with offline speech recognition before - there is a reason why ai assistants only use it for the wake word, and the rest is processed in the cloud: it sucks. it's quite unreliable, you'd have to pronounce things exactly as expected. so you need to "train" it for different accents and ways to pronounce something if you want to capture it properly, so the info they could siphon this way is imho limited to a couple thousand words. which is considerable already, and would allow for proper profiling, but couldn't capture your interest in something more specific like a mazda 323f.

but offline speech recognition also requires a fair amount of compute power. at least on our phones, it would inevitably drain the battery

load more comments (8 replies)

[-] andrew_bidlaw@sh.itjust.works 8 points 9 months ago

most phones will just struggle to record and process audio indeterminately without a noticeable impact on energy and data use.

I mean, it's still a valid concern for a commoner. Why my phone has twice the ram and twice the cores and is as slow as my previous one? I'd love to fuel this conspiracy into OS, app makers to do their fucking job.

There's no reason an app can weight more than 50mb on clean install*, and many socials, messengers fail to fit in. A client I use to write this is only 30+, and that's one person doing that for donations.

If there could be a raging theory that apps are selling your data to, like, China, there would be a push to decline it and optimize apps to fit that image.

* I obviously exclude games, synths, editors of any kind with their textures and templates.

[-] WetBeardHairs@lemmy.ml 4 points 9 months ago

The filesize of most binaries is dominated by text strings and images. Modern applications are loaded with them. Lemmy is atypical in that it doesn't need tons of built in images or text.

load more comments (1 replies)

[-] Cheradenine@sh.itjust.works 5 points 9 months ago

Fucking thank you. As I said in another reply, if this was true my firewall logs would be full, or my data cap blown in a week.

[-] library_napper@monyet.cc 5 points 9 months ago* (last edited 9 months ago)

What if the processing is done locally and the only thing they send back home is keywords for marketable products?

[-] Septimaeus@infosec.pub 5 points 9 months ago* (last edited 9 months ago)

Yeah they’d have to it seems, but real time transcription isn’t free. Even late model devices with better inference hardware have limited battery and energy monitoring. I imagine it’d be hard to conceal that behavior especially for an app recording in the background.

WetBeardHairs@lemmy.ml mentioned that mobile devices use the same hardware coprocessing used for wake word behavior to target specific key phrases. I don’t know anything about that, but it’s one way they could work around the technical limitations.

Of course, that’s a relatively bespoke hardware solution that might also be difficult to fully conceal, and it would come with its own limitations. Like in that case, there’s a preset list of high value key words that you can tally, in order to send company servers a small “score card” rather than a heavy audio clip. But the data would be far less rich than what people usually think of with these flashy headlines (your private conversations, your bowel movements, your penchant for musical theater, whatever).

load more comments (1 replies)

[-] Goun@lemmy.ml 4 points 9 months ago

I agree.

What could be possible, would be maybe send tiny bits. For example, a device could categorize some places or times, detect out of pattern behaviours and just record a couple of seconds here and there, then send it to the server when requesting something else to avoid being suspicious. Or just pretend it's a "false positive" or whatever and say "sorry, I didn't get that."

I don't think they're listening to everything, but they could technically get something if they wanted to target you.

load more comments (1 replies)

[-] LemmyIsFantastic@lemmy.world 29 points 9 months ago* (last edited 9 months ago)

And yet thousands of security researchers can't find a shed of evidence. This shit is tiresome and counter productive. The general public is weary of hearing this made up bullshit.

The technical practice isn't hard. That's the claim. The reality is nobody is buying shit doing this and this is just another repost from the same 404 article months ago.

[-] Saik0Shinigami@lemmy.saik0.com 11 points 9 months ago* (last edited 9 months ago)

The advertisement literally tells you that they're doing it... The fuck are talking about it's made up? (https://www.cmglocalsolutions.com/blog/active-listening-an-overview as an example)

from the same 404 article months ago.

Dec 14, 2023 (https://www.404media.co/cmg-cox-media-actually-listening-to-phones-smartspeakers-for-ads-marketing/) is months ago? Shit man... What the fuck are you high on?

[-] Dr_Toofing@programming.dev 16 points 9 months ago

I still wouldn't believe it. Even the 404 article does not confirm anything and the ad company does not provide any details.

This whole thing feels like marketing, claiming something outrageous to get people talking about your company.

[-] Saik0Shinigami@lemmy.saik0.com 5 points 9 months ago

That's entirely possible. But they did say it themselves on their own site. Look at the link I've posted in response to the other guy.

Even if they're just joking about it they deserve all the negative press they'll get.

[-] Cheradenine@sh.itjust.works 10 points 9 months ago

The company added that it does not "listen to any conversations or have access to anything beyond a third-party aggregated, anonymized and fully encrypted data set that can be used for ad placement" and "regret[s] any confusion."

https://arstechnica.com/gadgets/2023/12/no-a-marketing-firm-isnt-tapping-your-device-to-hear-private-conversations/

load more comments (7 replies)

load more comments (4 replies)

[-] LainOfTheWired@lemy.lol 19 points 9 months ago

Of course they do. It's just they're no longer afraid of telling us they are

[-] Saik0Shinigami@lemmy.saik0.com 21 points 9 months ago* (last edited 9 months ago)

It’s just they’re no longer afraid of telling us they are

They're also lying to themselves...

https://web.archive.org/web/20231214235444/https://www.cmglocalsolutions.com/blog/active-listening-an-overview

Is Active Listening Legal?

We know what you're thinking. Is this even legal? The short answer is: yes. It is legal for phones and devices to listen to you. When a new app download or update prompts consumers with a multi-page terms of use agreement somewhere in the fine print, Active Listening is often included.

They believe that just because the phone's owner agrees that it's legal. If my wife accepts a ToS that allows them to monitor her, and her phone is in my room listening to me... That's definitely NOT legal. This really needs to hit court sooner rather than later. This is wiretapping, this is illegal REGARDLESS of the ToS/EULA nonsense they want to claim covers them.

Edit: Even in one-party consent states this is illegal.

[-] DarkDarkHouse@lemmy.sdf.org 16 points 9 months ago* (last edited 9 months ago)

Let's also remember that these phones are sold worldwide, and it's foolish to declare something globally legal.

[-] neuracnu@lemmy.blahaj.zone 16 points 9 months ago

As originally reported over a week ago by 404 Media: https://www.404media.co/cmg-cox-media-actually-listening-to-phones-smartspeakers-for-ads-marketing/

They’ve actually posted several follow up articles and a podcast about it since then.

[-] library_napper@monyet.cc 12 points 9 months ago* (last edited 9 months ago)

Very surprised by all the advertising and data broker company boot lickers that are ITT

[+] electro1@infosec.pub 7 points 9 months ago

[deleted]

[-] Vinegar@kbin.social 22 points 9 months ago* (last edited 9 months ago)

Companies DO analyze what you say to smart speakers, but only after you have said "ok google, siri, alexa, etc." (or if they mistake something like "ok to go" as "ok google"). I am not aware of a single reputable source claiming smart speakers are always listening.

The reality is that analyzing a constant stream of audio is way less efficient and accurate than simply profiling users based on information such as internet usage, purchase history, political leanings, etc. If you're interested in online privacy device fingerprinting is a fascinating topic to start understanding how companies can determine exactly who you are based solely on information about your device. Then they use web tracking to determine what your interests are, who you associate with, how you spend your time, what your beliefs are, how you can be influenced, etc.

Your smart speaker isn't constantly listening because it doesn't need to. There are far easier ways to build a more accurate profile on you.

[-] ryannathans@aussie.zone 5 points 9 months ago

A recent study found these devices incorrectly activate like 80 times per day on average

load more comments (3 replies)

load more comments (8 replies)

[-] iAmTheTot@kbin.social 8 points 9 months ago

Got any evidence of that?

load more comments (7 replies)

[-] set_secret@lemmy.world 6 points 9 months ago

no they don't.

load more comments (1 replies)

[-] datavoid@lemmy.ml 6 points 9 months ago

Does anyone know of a good wireshark alternative for android?

[-] Zerush@lemmy.ml 3 points 9 months ago

Maybe https://github.com/emanuele-f/PCAPdroid

[-] rainerloeten@lemmy.world 3 points 9 months ago

Imagine it's guerilla marketing haha.

Privacy

A place to discuss privacy and freedom in the digital world.

Some Rules

Related communities

Chat rooms