
There Are A Thousand Apps Listening


Let’s consider a hypothetical scenario. An entity you know nothing about has the power to listen to everything you say, and you have no way of knowing when that power is active. But the entity tells you not to worry about it, because it doesn’t ever use the power. Are you okay with this?

Are your smartphone apps listening?

Sapna Maheshwari, writing for The New York Times, recently wrote about Alphonso, “a start-up that collects TV-viewing data for advertisers.” Its software uses a smartphone’s microphone to identify audio signals in TV ads and shows, thereby tracking what you’re watching. Sometimes it can also match the places you visit. This data then goes toward ad tracking and analysis.

There are thought to be over 1,000 apps listening using the Alphonso software, including 250 games on the Google Play store. Many of these games are for children.

Yes, it’s legal

Alphonso has stated that its software does not record human speech, and that the app descriptions and privacy policies clearly explain that users have to agree to let the software access the microphone and location data. These disclosures comply with Federal Trade Commission guidelines.

An in-app message does request permission to access the microphone. It states, “this app uses audio to detect TV ads and content and shows appropriate mobile ads.” But I wonder how many people press “OK” without reading? Why do some games prohibit you from playing if you don’t grant access, even if the microphone is irrelevant to the gameplay? How often are children at the wheel when the app requests permission?

The in-app message is certainly clearer about the software’s purpose than requests for access I’ve seen before. But it doesn’t (or doesn’t have room to) fully explain how and when the software is active. For example, you’d need to read the privacy policy to realize that the apps will listen even if running in the background. And speaking from personal experience using an iPhone, the way to close an app is not intuitive. Before I learned how, I could have apps running for days or weeks.

The privacy policy problem

The common advice, which I admit to giving as well, is to read the privacy policy. But according to a study from Carnegie Mellon, the median length of a privacy policy is 2,514 words—how many of those do you have time to read? We confront so many privacy policies that it would take 25 round-the-clock days each year to fully read each one from each website visited. That’s 53.8 billion hours for the nation.

The Carnegie Mellon researchers also figured out a hypothetical nationwide cost for reading every privacy policy: $781 billion.

Is it enough for companies to be legally innocent? Isn’t it time to be more upfront about the things users might be uncomfortable with, like apps listening in? As Dave Morgan, the founder and chief executive of Simulmedia, says: “It’s not what’s legal. It is what’s not creepy.”
