Welcome to “Ask a security trainer,” the column where the Digital Security Training team at Freedom of the Press Foundation (FPF) answers your burning questions at the intersection of journalism and security. Let’s jump right into this week’s question.
Dear DST,
I was talking to my partner about getting some new shoes, and then I started receiving advertisements for new shoes. This really creeped me out, and once I started noticing it happening all the time. I have to know, is my phone really always listening to me?
Signed,
Mic Drop
–
Dear Mic Drop, this is such a great question. The short answer is “yes, but.” If you use an AI assistant, your microphone is always listening for specific words (e.g., “Hey Siri!” or “OK Google!”). But these magic words are only processed on the device. Only after you say them, will your device beam your requests (e.g., “What’s the weather like today?”) to Apple or Google for processing. So technically, your phone is always listening for an activation command, but it’s unlikely what you say will be sent anywhere unless you explicitly ask for it to be sent.
Of course, it’s possible there are dodgy permissions on your apps or even malware on your device, but there’s a lot we can do to prevent these possibilities. Chances are, then, the ads you’re seeing are likely not related to your microphone but, instead, behavioral tracking software built into the apps you use every day.
Let’s unpack all of this, starting first with AI assistants. The AI assistant built into your smartphone has two listening modes: one is low-powered and functionally asleep until “woken up” with a certain trigger word, and the other is wide-awake, conducts more advanced processing, and may send off requests to the service provider (in this case Apple or Google). When you activate the first mode with the trigger word, the second mode fulfills your request.
Your phone is probably not deriving targeted ads from your microphone — there are lots of other places to collect data. Many of the apps and websites you browse will closely track the things you open and click on, and sometimes sell this data to third parties. Those third parties may sell to yet more third parties and … you get the idea.
When companies begin aggregating these patterns, they will use them to try to predict buying habits when serving ads. These interest-based profiles are extremely valuable to marketers, who will serve ads that respond to your clicks. Often, their predictions are simply wrong, and we don’t think twice about it. But when they’re right, it’s creepy how they seemed to know, almost like they were listening to our conversations.
Behind the scenes, most practical tracking just focuses on clicks. Examples of tracking tools useful for marketers to determine an identity online include cookies and advertising IDs. Some of this is hard to avoid, but it’s easy to disable advertising IDs in your settings to slow down some tracking on your mobile device. To dive deep on this topic, check out this resource from the Electronic Frontier Foundation.
Finally, malware can enable your microphone without your permission, but malware is much more for running fraud schemes and — in rarer high-risk cases — governments monitoring individuals. While state-sponsored surveillance like this is a real threat for some journalists, the most common risks remain behavioral tracking by marketing firms.
To minimize potential risk associated with behavioral tracking and other forms of surveillance, we always recommend journalists remove unnecessary apps and regularly review app permissions. You can check which apps have access to your microphone — as well as your location, camera, photos, and so on — and decide whether or not you think they really need that access. For example, does your weather app really need access to your camera, microphone, and contacts?
In terms of malware, the best way to deal with potentially malicious software on your device is to:
1) Only download apps from official distributors and reputable developers, and
2) Simply keep your phone up to date! Software updates frequently contain security patches and fixes to other vulnerabilities.
If you’re looking for more in-depth guidance on how to prevent your device from being surveilled, read our guide to securing your mobile device.
Meanwhile, hope you enjoy the new shoes!
Securely yours,
Martin Shelton
