As the world becomes more dependent on technology, the novelty of carrying a tiny highly-powered computer everywhere we go has thoroughly worn off. But with the advent of the smartphone has come a heightened awareness of how interconnected our IRL and our URL lives are. For instance, some people report being served ads for products that they've talked about within earshot of their phone, and it's cause for a lot of privacy concerns. So how can you tell if your phone is listening to you? And better yet, how can you protect your privacy if it is?
Telephone surveillance is hardly a new issue. Wiretapping has been a part of the official police arsenal in the United States since the 1890s, and intercepted telegrams containing military intelligence were regularly given to Abraham Lincoln during the Civil War. But the smartphone, and the technologies associated with it — from apps to cell towers — have created new weaknesses, and new legal grey areas for people who protest against monitoring by others.
The biggest concern for privacy advocates tends to be surveillance by the state; the UK passed laws in 2017 known as the Snooper's Charter that allow the state to hack phones, and the chaos of the FBI's leadership in the United States has distracted from the fact that the agency has been also getting more power to snoop through your smartphone. But smartphone surveillance goes beyond mysterious spooks listening in to suspicious characters; it's an entire industry, and has some very high-tech gadgetry at its disposal.
Eavesdropping & Targeted Ads
No, you're not crazy if you think your phone is listening to you to serve you ads. An app released in 2014, SilverPush, got into a whole heap of trouble when it started to do something new: Produce inaudible tones that meant ads on computers and phones could "hear" one another and communicate across devices. Privacy expert Violet Blue explained the technology at Engadget:
"If you're online and come across a SilverPush advertiser, while the ad drops its tracking cookie on your computer, it also emits an (inaudible) Audio Beacon sound. If your phone or tablet has any app that uses the SilverPush software development kit on it, your device will be "listening" for the advertiser's Audio Beacon. If you're watching TV, commercials from SilverPush's ad partners will also emit their own identifying tones for your devices to hear."
The result? Ads that target you turning up on devices that are completely unconnected from one another, leaving you completely paranoid if you don't know what's going on. SilverPush, after a furor among privacy advocates, promised to remove this Audio Beacon function from its devices after a Federal Trade Commission investigation, but a German study in May 2017 found that there were 234 Android apps currently available that have the same technology embedded in them. The top five most popular, including a Krispy Kreme app, have been downloaded up to 11 million times.
Many apps don't make it obvious that this is part of their make-up, for obvious reasons. The BBC investigated the possibility of ads turning up in response to vocal prompts (you saying something near your phone), and found that it's entirely possible, because if apps include "record audio" permissions and users don't notice that in the fine print, they're technically allowing them to use their smartphone audio. Google and Facebook have both denied that either of their apps use this functionality. If you're worried, make sure you review the permissions very carefully on every new app on your phone, and watch for new developments; an app was developed in 2016 that attempts to block ultrasonic communications on your smartphone that happen without your knowledge, and better protections may well be on the way.
Apps To Do The Spying
Companies trying to serve ads are one thing, but it's also entirely possible, in today's marketplace, to get ahold of technology that allows you to monitor the communications of another individual's smartphone. Most of these apps are marketed as parental tools to monitor children, or as products for company phones to improve the productivity of workers. From a legal perspective, all are meant to be visible to the owners of the phones, so that they know that they're being watched. However, there are other possibilities for less scrupulous people to spy on others using their smartphones, and they should worry any smartphone user.
One product, DDI Utilities, is marketed towards security services, but is purchasable by private individuals for about $70, and it's capable of huge privacy violations without 'jailbreaking' the phone (altering its settings and getting past its privacy protocols). It does require access to the other person's phone to install it, but once it's there, it runs quietly — and copies all text messages and phone calls, sees the phone's GPS location, monitors all emails and social media visits, and can take a photo using the phone's camera. It can even listen to the phone's surroundings and record what it hears.
The implications for this sort of spyware are legion, but one particular problem is its usage by abusive partners and spouses. Spyware can be used to covertly or explicitly control people, monitor their movements, and harass them. A survey by Women's Aid, a UK domestic violence charity, in 2014 found that 41 percent of domestic violence victims had experienced targeting via spyware. Products are often explicitly marketed to "catch a cheating wife or girlfriend," and offer features as diverse as IM recording and Whatsapp and Skype monitoring (which is concerning, as Whatsapp has end-to-end encryption that means this should be extremely difficult to do). Some can be installed remotely, without needing to interfere with the phone itself. (And yes, listening-in facilities that use the microphone to record your life, like apps that use the microphone to help target ads to you, are standard with these products.)
The legitimate purposes of these apps for employees and children mean that they're not blocked from the market (though it can be legally problematic to install them without the person's knowledge). In the meantime, detecting spyware can be tricky. An easily drained phone or overheated battery can be signs, but using a spyware detection app is possibly the only real way to make sure.
Technically, using these apps illicitly and without consent is against the law: The Wiretap Act says that it's illegal to intentionally intercept, disclose, or use any wire, electronic or oral communication through the use of a device. Though the act was cited in a lawsuit that brought against spyware app Stealthgenie in 2014, forcing the developer to pay $500,000, these sorts of cases are still thin on the ground, and arresting individuals or developers for spyware use on phones is rare. Is the developer on the hook for producing something that has licit uses and not preventing people from using it illegally? Or is it all the consumer's responsibility? Legal questions of these kinds are still unanswered, and in the meantime, spyware's still on the market.
SS7 & Stingrays
There are ways of hacking into mobile phones for data and listening in to their communications beyond apps — and some of them have become full-blown scandals. One is a vulnerability in mobile phone communication networks: a set of protocols known as SS7, or Signaling System 7. It's designed for official telecoms to communicate about where a user might be (remember Serial?), but hackers can get access and pretend to be official without much difficulty. Joseph Cox at The Daily Beast explains:
"The underlying issue with SS7 ... is that the network believes whatever you tell it: anyone with access to the SS7 network can send a message, and the network may not check where the message is coming from, or whether a legitimate telecoms company sent it."
SS7's security problems have been known since at least the late '90s. CBS hacked into Congressman Ted Lieu's calls and listened to them in 2016 to demonstrate how easy the backdoor was to access. It's even been used to drain German bank accounts in 2017, according to German law enforcement. Trying to figure out how to stop the SS7 problem has got tech experts arguing about firewalls and encryption. As of now, though, the problem remains unsolved, and can be manipulated by unscrupulous actors.
Pretending to be legitimate is a key aspect of another surveillance technique involving mobile phones. Called a "stingray," it impersonates a real cellphone tower and convinces phones to connect to it and reveal information, like its location and data from calls and texts. Unfortunately, apps designed to detect the use of stingrays on phones were found in a study in 2016 to be pretty useless, and a scandal in 2015 in Norway revealed that even official police departments can find it difficult to track stingrays; Independent investigators reported that numerous stingrays were set up around Oslo's central political district, but the police denied it and the perpetrators are unclear.
Companies And The State Are Interested In Your Data
The big deal with both SS7 and stingrays is that they're not really technically meant for private individuals: they're designed for use by bigger fish, like companies or the state. WIRED has long catalogued U.S. police departments' usage of stingrays and the legal problems surrounding their use under U.S. privacy law, while Citylab reports that protestors at Black Lives Matter marches experienced phone problems matching patterns of stingray interference. And companies across the world market SS7-backdoor technology to security firms, intelligence departments and anti-terrorism initiatives. For a price, they'll find the location and data of basically any phone on the planet.
State surveillance of phones is also big business: Android devices sold by Blu were taken off the worldwide market in early 2017 after it was revealed they were sending huge swathes of their personal data to servers in China, which led experts to think that sort of spyware usage is likely standard on Chinese mobile handsets. In February, it was also revealed that Kenyan telecommunications companies were being ordered to install monitoring equipment on their network, ostensibly to "battle counterfeit phones." In other countries, technology companies are less cooperative; in August, Verizon and a collection of high-profile tech giants, including Apple, filed a suit in the United States to make it harder for the government to demand access to private data on phones in lawsuits.
So what can you do if you think your phone is listening to you? Get an anti-spyware app, never leave your phone around anywhere or open suspicious text messages, and find a tech-savvy lawyer if you suspect you're being recorded by an individual. SS7 problems are, alas, largely undetectable, and stingray detectors need to be considerably amped up before they're actually useful. For the moment, vigilance can help you, but if in doubt, turn your phone off and put it in another room entirely.