Facebook and Instagram can target ads so accurately that some people find it creepy. As Gayle King put it when she interviewed Instagram head Adam Mosseri last October:

    “I can be having a private conversation with someone about something I'm interested in seeing or buying... and an advertisement for that will pop up on my Instagram feed. I haven't searched for it, I haven't talked to anybody about it. I swear I think you guys are listening.”

    Many of us may have heard similar stories or had a similar experience, which raises a few questions: Could Facebook, and other tech companies, listen to our conversations through our cell phones and smart devices? Are they? Should they?

    The short answers are: Yes. Probably not. And NO!

    Could our devices listen? Yes.

    When you carry a cell phone, you are also carrying a suite of sophisticated sensors controlled by buggy software - you should expect that a sufficiently motivated and capable hacker could access the sensors. How hard could it be for a reasonably capable tech company to listen in on your conversations? 

    Two German researchers recently looked into that question and concluded that “we cannot rule out the possibility of sophisticated large-scale eavesdropping attacks succeeding without detection.” It may be possible to record speech using applications installed on the cell phone, third-party libraries included in those apps, or by controlling or compromising the phone’s operating system.

    Obviously, the easiest way to eavesdrop is to use the microphone. Apps do have to request user permission to access the microphone, but users are generally willing to agree. Research suggests that about 40% of apps may request microphone access and only 19% or users will refuse to install an app over a permission request. In other words, any company with a useful app, stands a good chance of getting microphone access if they ask. 

    Even if microphone access permission becomes harder to get, an unscrupulous developer might be able to gain access to the microphone without user permission. Google was notified last year that Android apps with storage permission, which is one of the most commonly requested permissions, were able to take control of the camera app to take photos and record video even if the screen were locked or turned off. Google and Samsung have issued patches for this particular vulnerability, but when it comes to software, it’s safest to assume that other vulnerabilities are still out there, just waiting to be found. 

    Apps may also be able to capture audio information using motion sensors. The gyroscopes and accelerometers in smartphones are sensitive enough to pick up sound vibrations. It’s not as simple as using the microphone, but through a combination of signal processing and machine learning, researchers have been able to “identify speaker information and even parse speech.”  Neither iOS nor Android currently require an app to get user permission before accessing these sensor signals.   

    Additionally, the German researchers pointed out that most apps commonly use third-party code libraries for analytics and advertising capabilities. These libraries share the same user permissions granted to the apps. It is entirely possible that a library could contain malicious code able to exploit sensor or microphone access, without the knowledge of either the user or the app developer using the library.  And of course, Apple or Google could almost certainly use their own mobile operating systems to access audio data without alerting the phone’s owner. 

    The bottom line is that it is technically possible for tech companies to eavesdrop on your conversations through your smartphone. 

    Are devices listening? Probably not.

    Suppose you heard a version of Gayle King’s story, that went like this:: 

    When I took my son to a playdate at a friend’s house, she told me about a company she really liked. Minutes later, an ad for that company showed up in my Facebook news feed. Facebook had to be listening to our conversation. 

    It sounds like she could be right, especially given Facebook’s reputation for lax privacy controls. It’s no coincidence these stories started to catch on after Facebook rolled out an audio discovery feature that could, with user permission, use a smartphone’s  microphone to identify the music, television show, or movie the user was listening to. The feature was introduced in May 2014, and dropped in 2016, perhaps because Facebook got tired of having to deny accusations of eavesdropping. But the damage was done and the suspicion remains.

    Mark Zuckerberg has repeatedly said that Facebook does not listen to private conversations, and that he does not know of any other tech companies that eavesdrop either. He says these events are coincidences. People often talk about things they’ve seen on the Internet or interacted with on Facebook. Their online behavior is used to show them ads based on what they’ve seen, and they’re more likely to notice ads for a product when they were just talking about it. 

    It’s a reasonable explanation. In our playdate story, for example, the moms have children about the same age and are probably Facebook friends. A clever ad targeting algorithm, with access to Facebook data, might know that they were spending time together in the same place and choose to show each mom products that her friend interacts with on Facebook. One mom might coincidentally check her news feed and see an ad for a product right after her friend has told her about it.

    Selective recall clearly plays a role as well. Most people are very adept at ignoring on-line advertising. They might be exposed to hundreds of ads a day, but they’re hard pressed to remember even one. They are much more likely, though, to notice and remember an ad for something they were just thinking about. And, if that ad is connected, in any way, with a company they already distrust, they are probably even more likely to remember the incident. 

    It is (hopefully) unlikely that a reputable tech company would choose to eavesdrop on private conversations just for the sake of targeting ads. People are generally willing to give the tech companies all the information they need to target ads accurately, but would be certain to object to allowing any company to listen in on every conversation. 

    Facebook, Google, Apple, and Amazon are probably not listening to every word you say near your smartphone, or any device controlled by Siri or Alexa. But they could be. 

    Should our devices listen? No!

    In the first place, it may be illegal. In the United States, for example, federal law makes recording a conversation illegal unless at least one party to the conversation consents, and some state laws require all parties to the conversation to consent. It’s unlikely that granting Facebook access to your microphone would be considered blanket consent to record and analyze any conversation your smartphone can overhear. Secondly, even if it were legal, most users would probably object. Any public relations experts, reading these stories and hearing the questions asked by Congress, would probably agree it’s a bad idea to eavesdrop on private conversations, particularly for something like ad targeting, which can be done quite effectively without eavesdropping.

    Handle your devices (and your data) with care

    Most of us would be unwilling to let the government force us to carry around a sophisticated sensor package that would allow them to listen to our conversations, track our movements, and monitor who we spend time with and what we read and write. For the moment, we are willing to trust smartphone and app developers with that capability, but if it is abused badly enough or often enough, that could change. 

    The vast quantities of data that tech companies can collect from their websites or mobile apps gives them great power to profile their users. But as both Spiderman and Winston Churchill knew, with great power comes great responsibility. Even the data you use with your customers’ consent can do tremendous harm if it is used for the wrong purpose. Trust—and being trustworthy—is everything

    Tech companies are responsible for protecting the personal data they collect and process from their customers and users. That responsibility extends to making sure that any third parties with access to the data are also protecting and using it for a purpose that the users have agreed to.  Consider the Cambridge Analytica scandal: Facebook’s lax privacy controls were certainly part of the problem, but the app developer’s choice to violate Facebook’s policies by sharing users’ data with a third-party, Cambridge Analytica, also caused significant damage to Facebook’s reputation.  

    If people believe a company is actually eavesdropping on them, that company will likely face serious legal, financial, and social consequences, and those consequences will almost certainly spill over onto any other companies associated with them. 

    Whether they think organizations are eavesdropping or simply letting customer data slip into the hands of the wrong third-party tool, consumers are more skeptical than ever. The good news is, a company who does earn—and deserve—consumer trust will quickly stand out from the competition. 

    Photo by Math on Unsplash.

    Karen Martin

    Written by Karen Martin