Note: this article was updated on June 13 to clarify that apps like Facebook don't automatically have access to your data.
A couple years ago, something strange happened. A friend and I were sitting at a bar, iPhones in pockets, discussing our recent trips in Japan and how we’d like to go back. The very next day, we both received pop-up ads on Facebook about cheap return flights to Tokyo. It seemed like just a spooky coincidence, but then everyone seems to have a story about their smartphone listening to them. So is this just paranoia, or are our smartphones actually listening?
According to Dr. Peter Hannay—The senior security consultant for cybersecurity firm Asterisk, and former lecturer and researcher at Edith Cowan University—the short answer is yes, but perhaps in a way that's not as diabolical as it sounds.
For your smartphone to actually pay attention and record you, there needs to be a trigger, like Hey Siri or Okay Google for example . Without these triggers, there's no recording, with just some general metrics being sent to your service provider. This might not seem a cause for an alarm, but when it comes to apps like Facebook, no one knows what the triggers are. In fact, there could be thousands.
“From time to time, snippets of audio do go back to [other apps like Facebook’s] servers but there’s no official understanding what the triggers for that are,” explains Peter. “Whether it’s timing or location-based or usage of certain functions, [apps] are certainly pulling those microphone permissions and using those periodically. All the internals of the applications send this data in encrypted form, so it’s very difficult to define the exact trigger.”
He goes on to explain that apps like Facebook or Instagram could have thousands of triggers. An ordinary conversation with a friend about needing a new pair of jeans could be enough to activate it. Although, the key word here is “could,” because although the technology is there, companies like Facebook vehemently deny listening to our conversations.
“Seeing Google are open about it, I would personally assume the other companies are doing the same.” Peter tells me. “Really, there’s no reason they wouldn’t be. It makes good sense from a marketing standpoint, and their end-use agreements and the law both allow it, so I would assume they’re doing it, but there’s no way to be sure.”
With this in mind, I decided to try an experiment. Twice a day for five days, I tried saying a bunch of phrases that could theoretically be used as triggers. Phrases like I’m thinking about going back to uni and I need some cheap shirts for work. Then I carefully monitored the sponsored posts on Facebook for any changes.
The changes came literally overnight. Suddenly I was being told mid-semester courses at various universities, and how certain brands were offering cheap clothing. A private conversation with a friend about how I’d run out of data led to an ad about cheap 20 GB data plans. And although they were all good deals, the whole thing was eye-opening and utterly terrifying.
Peter told me that although no data is guaranteed to be safe for perpetuity, he assured me that in 2018 no company is selling their data directly to advertisers. But as we all know, advertisers don’t need our data for us to see their ads.
“Rather than saying here’s a list of people who followed your demographic, they say Why don’t you give me some money, and I’ll make that demographic or those who are interested in this will see it. If they let that information out into the wild, they’ll lose that exclusive access to it, so they’re going to try to keep it as secret as possible.
Peter went on to say that just because tech companies value our data, it doesn’t keep it safe from governmental agencies. As most tech companies are based in the US, the NSA or perhaps the CIA can potentially have your information disclosed to them, whether it’s legal in your home country or not.
So yes, our phones are listening to us and anything we say around our phones could potentially be used against us. But, according to Peter at least, it’s not something most people should be scared of.
Because unless you’re a journalist, a lawyer, or have some kind of role with sensitive information, the access of your data is only really going to advertisers. If you’re like everyone else, living a really normal life, and talking to your friends about flying to Japan, then it’s really not that different to advertisers looking at your browsing history.
“It’s just an extension from what advertising used to be on television,” says Peter. Only instead of prime time audiences, they’re now tracking web-browsing habits. It’s not ideal, but I don’t think it poses an immediate threat to most people.”
Follow Sam on Twitter
Still freaked out about all this? Check out our series Internet Hygiene for information on protecting yourself online.