Sign In

Communications of the ACM

ACM News

Spies in Our Pockets

View as: Print Mobile App Share:
Where are all the data going?

Over the last few years, companies have been caught covertly tracking people's behavior through smartphones, headphones, connected devices, web beacons, and possibly even smart television sets and children's toys.

Credit: nmedia via

People have always found ways to spy on other people. From peepholes and dumpster-diving to electronic beacons and covertly commandeering computer webcams, the desire to know what neighbors, strangers, customers, competitors, enemies, and foreign governments are doing in private has proved irresistible.

Yet in the digital age, the stakes are growing and the methods being used are becoming more difficult to detect. "The ability to exploit technologies people use for everyday purposes--including a smartphone camera or microphone--can deliver an unimaginable treasure trove of information," states Peter Swire, a professor of law at the Georgia Institute of Technology and an authority on privacy and cybersecurity.

Over the last few years, companies have been caught covertly tracking people's behavior through smartphones, headphones, connected devices, web beacons, and possibly even smart television sets and children's toys. Recently, researchers in Germany reported that Android apps were using ultrasonic beacons to track user behavior and activities--often surreptitiously.

Says Daniel Arp, a graduate student who participated in the research at Technische Universität Braunschweig's Institute of System Security, "These techniques may seem like science fiction, but they are very real."

Secret Agents

One thing that makes snooping increasingly difficult to detect and prevent is that it often takes place using legitimate features on devices, including microphones, cameras, accelerometers, and GPS. There's no need to insert a special chip or add any dedicated electronics to a phone or computer; the perpetrator typically exploits an existing feature by tweaking or adding software. Alternatively, a device may ask for permission to use a microphone or camera, but not fully disclose how it will be used.

Consider: Between December 2015 and February 2017, Arp and fellow researchers discovered that 234 Android apps used ultrasonic eavesdropping--and few of these apps had requested permission or notified users. By emitting inaudible tones from devices in billboards and retailers, Web pages, TVs, and other locations, and using the smartphone microphone to detect them, they discovered that companies could track a person's location and even know what Websites they have viewed or what activity they are engaged in at a particular moment.

"It's possible to create a highly detailed consumer profile," Arp says. The research team, which received funding from the German Federal Ministry of Education and Research, also found that the technology was being used both legitimately and illegitimately. Their paper, Privacy Threats through Ultrasonic Side Channels on Mobile Devices, noted that several companies, including McDonald's, Krispy Kreme, and a mobile rewards app called Shopkick, had begun to explore ways to track user habits and activities with the ultrasonic beacons, which operate in the 18–20 kHz frequency range.

McDonald's and Krispy Kreme had inserted code from SilverPush, a San Francisco company that sells cross-device tracking software, into apps in the Philippines; however, they said, the eavesdropping feature had been disabled. Shopkick, which used the ultrasonic beacons to track shoppers and provide rewards to them, later pulled the plug on the technology and replaced it with conventional beacons. Meanwhile, Google made the technology a moot point--at least for now--by banning apps using the SilverPush SDK in May 2017.

Dive into Data

Daniel Weitzner, founding director of the MIT Internet Policy Research Initiative, believes electronic snooping is increasingly out of bounds. "There's an extraordinary amount of surveillance, data gathering, and analysis going on--and much of it does not occur knowingly. There's probably never been a time when there's been more intrusion into people's private behavior. We're past the point where a reasonably intelligent user of the Internet can express surprise that they're being monitored, and yet companies continue to do it."

In fact, the use of ultrasonic beacons to eavesdrop is no aberration. Over the years, reports have documented spying through webcams, baby cameras, and smart TVs. In April 2017, headphone manufacturer Bose found itself the target of a lawsuit that alleged the firm had used an app to track the listening habits of users and sell their profile information to third parties. The complaint noted that a person's choices--things like listening to a Muslim prayer service or a podcast about living with HIV/AIDS--could have severe consequences if that private information became public knowledge.

Speech recognition services such as Siri, Alexa, and Cortana push the envelope further. Last December, Amazon admitted its Echo device is always listening. "The Internet of Things and connected sensors and devices introduce more opportunities for surveillance," Swire says.

Meanwhile, government entities are continuing to push the electronic envelope on eavesdropping. In late August, The Nation reported the U.S. Department of Homeland Security is experimenting with a surveillance system that uses tones to grab social media data from smartphones.

Concludes Weitzner: "Today's technology, including passive mechanisms like one-by-one pixels and ultrasonic beacons, represent a level of privacy risk that has never before existed. Increasingly, eavesdropping techniques are designed to evade the user's attention, and it's becoming more difficult to exercise control over them."

Samuel Greengard is an author and journalist based in West Linn, OR.


No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account