It started as a rumour two years ago on a Reddit chat room when one user, who worked in a store that had Mumford and Sons on loop, flipped open his smartphone on the way home and found Google Play had recommended he buy a Mumford and Sons song.
“I’ve never mentioned this song on social media or Google,” he said. “Is Google listening to my phone 24/7?” Over the next few months, more and more people noticed similar things — leaving your smartphone on the sofa while a foreign film played meant you started receiving ads in Spanish, chatting about books meant they popped up in a ‘recommended for you’.
One woman was doing some ironing when her mum told her a family friend had been killed in a road accident in Thailand.
Her phone was on the worktop behind her — and the next time she used the search engine, up came the name of her friend and the words, “Motorbike accident, Thailand” in the suggested text below the search box.
It’s something that I’ve wondered about frequently over the past six months — and when I posted my worries on Facebook there were many comments from friends saying they thought the same thing happened to them. People had been discussing holidays or even headaches and found ads waiting when they fired up their phone.
And it isn’t just our phones either.
Last week, WikiLeaks revealed that the CIA’s Weeping Angel programme provided agency hackers with access to Samsung Smart TVs, allowing a television’s built-in voice control microphone to be remotely enabled while the TV was switched off.
“The problem with this method is that it required implanting a TV with malware — and it has to be done in person, meaning the CIA are in your house if they want to do that,” explains Dr Gus Hussain, executive director at rights watchdog Privacy International.
“Spooks have been breaking into people’s houses to film and record them for ages. It’s not right, but it’s nothing new. What is new is that Samsung itself can — and has been caught — listening to everything you say if you’re in the room with one of its smart TVs.”
Personal assistants like Apple’s Siri and Amazon’s Alexa are designed to listen out for keywords to switch on. Although both companies insist your voice is not recorded, in March 2017 police in Arkansas collected a murder victim’s Echo speaker (which works with Alexa) as they believed it captured fragments of audio from the murder scene while listening for commands.
Companies record what we say
“Are companies recording what we say? The simple answer is yes,” says Jacob Silverman, author of Terms of Service: Social Media and the Price of Constant Connection.
“Always-on, internet-connected devices could be recording us at almost any time. We simply don’t know what data is collected, where it goes, how it’s passed on, or to whom it’s sold.”
Mike Gilkes, senior electronics editor at US consumer organisation Consumer Reports, points out: “The sticking point — what makes smartphones smart is because they do know a lot about you. It knows where’s the local eatery, where’s the traffic jam, it knows you’re late and it knows who you call frequently. But the apps that bring this to you ask for privileges that some people don’t deem necessary.”
The range of apps that ask access to our microphone and camera, for instance, is surprising.
Twitter and Instagram request access to your wifi information, your camera and mic, your photos, your SMS, your location, your contacts and your calendar — meaning the apps can take photos, videos and use your mic, access everyone you know, read your messages, remove accounts and track your every movement.
Facebook requests all of the above plus device ID and call info, your identity and device and app history. Facebook has issued a firm online rebuttal to accusations that it listens to its users’ conversations — and referred the Daily Telegraph to that statement.
“Facebook does not use your phone’s microphone to inform ads or to change what you see in News Feed,” it states. “We only access your microphone if you have given our app permission and if you are actively using a specific feature that requires audio.”
Which may well be true, says Renate Samson, CEO at Big Brother Watch, but “we know companies sell your data to data brokers in a fraction of a second. These faceless data brokers sit in the background — we think when we engage online only Amazon and our credit card company know what we’re doing. But data brokers know everything you’ve bought and, with identity data, what sort of person you are. They can figure out who we are and what we’re doing, which is profoundly disturbing.”
This is even more alarming when it comes to smart home devices and wearable accessories connected online. This year, Samsung debuted its Family Hub fridge that can play music from Spotify and become a TV screen, all operated by voice control, while Ford announced it would equip cars with Amazon’s Alexa.
There’s voice-controlled smart functionality in everything from baby monitors to door locks and heating controls. In May 2016, however, researchers at the University of Michigan discovered they could pull off disturbing tricks with these devices — from triggering a smoke detector to planting a backdoor PIN code in a digital lock that offers silent access to your home.
“If these apps are controlling non-essential things like window shades, I’d be fine with that. But users need to consider whether they’re giving up control of safety-critical devices,” says Earlence Fernandes, one of the University of Michigan researchers.
“The worst-case scenario is that an attacker can enter your home at any time he wants, completely nullifying the idea of a lock.”
Intimate information at stake
And intimate information is also at stake. Health wearables are a booming market — and with these devices recording sleeping patterns, heartbeat, body temperature and health information you’d want to hope the data was being kept safe.
In September 2015, however, researchers at Imperial College London and Ecole Polytechnique CNRS, France, subjected 79 health apps to security checks and found that around a third were sending personal details about health and lifestyle — such as body-weight — over the internet with no encryption.
In February 2016, Canadian-based Citizen Lab and the Munk School of Global Affairs examined eight popular fitness wearables and found seven leaked personal data while giving themselves broad rights to use — and in some cases, sell — consumer’s health data.
One in six also sent information to third parties such as advertisers, despite privacy policies not mentioning this could happen.
“I worry about what happens when these devices “understand” almost everything we’re saying,” Silverman adds. “When automated systems can understand what you’re saying at all times, and potentially nudge you with all sorts of offers and suggestions, how can we feel in control?”
The greatest defence we have in the digital age is the off button. To stop apps accessing those parts of your phone you’d prefer them not to, here’s what to do now.
For Android phones, go to Manage Applications or Applications under Settings. Make sure the All Apps tab is selected. Scroll down and click on the app you wish to change. This menu also contains the Uninstall button, which will delete the app. Click on Permissions. Switch off permissions that seem unnecessary.
For iPhones, open Settings. Scroll down to your app. Click on it to open its permissions menu. Switch off any permissions that seem unnecessary.
— The Telegraph Group Limited, London, 2017
Stephen Armstrong is a columnist.