FTC Warns Android App Developers About Use of Audio-Tracking Code

Reader Trailrunner7 writes: The Federal Trade Commission is warning dozens of developers about some code they've included in their apps that can surreptitiously listen to unique audio signals from TVs in the background and build detailed profiles of what consumers are watching. The technology, produced by a company called SilverPush, is used to track users across devices and the FTC warned the developers that if they don't disclose the use of the code to consumers, they could be violating the FTC Act. The commission sent the letter to 12 app developers whose apps are in the Google Play Store, and warned them that not disclosing the use of SilverPush's Unique Audio Beacon could be a problem. "For example, the code is configured to access the device's microphone to collect audio information even when the application is not in use. Moreover, your application requires permission to access the mobile device's microphone prior to install, despite no evident functionality in the application that would require such access," the letter says.

Reasons why I don't like the Internet of Things.

[Anonymous Coward]

Here's a list of reasons why I don't like the Internet of Things:

1) Internet of Things devices could listen to me while I sleep.

2) Internet of Things devices could listen to me while I pee.

3) Internet of Things devices could listen to me while I make kaka.

4) Internet of Things devices could listen to me while I pleasure myself.

5) Internet of Things devices could listen to me while I wash my body in the shower.

6) Internet of Things devices could listen to me while I relax in the tub.

7) Internet of Things dev

Re:

[Rob MacDonald]

You forgot #61. Lists with more than 3 items. Jesus

Re:

[geekprime]

Says the guy posting as Anonymous Coward, on a site that dosen't verify any identity you care to assume.

You have been unintentionally hilarious. And done a good deal towards MAKING his point.

Re:

[GrumpySteen]

That lengthy list captures that idea perfectly.

... and ensures that almost nobody will actually read it, defeating the suggested purpose of posting it.

What you're doing is just as pointless as any other meme that gets spammed on /. and scrolled past by the users.

Re:

[KGIII]

It's not even a remotely original comment. You, or someone, posts the same damned list at least a half-dozen times every month. Sadly, some people have short memories so you might just as well as keep reposting it but don't, please, pretend it's original. It's probably not even your original post. I first saw it ages and ages ago.

Re: Reasons why I don't like the Internet of Thing

[jsh1972]

62. ??? 63. Profit!

Re: Nice to see FTC actually protecting consumers

[Anonymous Coward]

Why are they not charged and jailed? If I hide a wireless microphome in someones appartment, is a polite mail from FTC what I should expect?

This technology could be used to catch

[mmiscool]

This technology could be used to catch the unscrupulous people doing unlicensed performances of songs in public places and help protect us all from terrorists.

FYI app list

[maestroX]

A list of apps using Silverpush is available at: https://public.addonsdetector.... [addonsdetector.com]
I'm in no way affiliated with this site.

Re:

[mlw4428]

Most OSes do this. On smartphones, services are used by apps to do things like notifications (Facebook/Instagram/Twitter/etc), keep critical things running (Alarm clocks, timers, etc), and other functions (yes even spying on you). This is done by design, because there's not really a better way of doing it. iOS does it (to some degree) as does Windows Mobile and Blackberry OS. What Google could have done is reviewed such apps and recognized the security risk and demanded disclosure, but the act of having a "

Re:

[NatasRevol]

AC said 'allowing apps' not 'allowing services'. ie Google *should* be reviewing apps before they're allowed into Google App Store.

Re:

[mlw4428]

AC said "allowing apps to have always running services." I was replying to that...there isn't an alternative to "always running services" that makes sense, given what these apps do and that even iOS allows apps to have services (at least to some degree).

Re:

[bkr1_2k]

Or they could just require apps to allow users to turn off unwanted/unnecessary capabilities like this. Why does my GPS app need access to my mail or my songs or my photos? (These are just random examples not specific things from specific apps.) Shit like this should be required to be user configurable.

Re:

[Harlequin80]

Latest android does this

Re:

[Darinbob]

There are some apps that let us turn off notifications which is the only thing they need services for.

Re:

[Darinbob]

I wouldn't mind turning all of these off. I don't need notifications for anything except my calendar. If I want to know if there is new email then I will open up the email app. The only other things that send me notifications are built in undeleteable and unwanted apps that keep reminding me to please use them and I'd love to infect whatever developers thought that was a good idea with my head cold.

Re:

[KGIII]

Why, in the name of fuck, would you want an OS that does *not* allow services to run in the background?

Tell me you're not seriously hoping for a blackbox with less control? You know what? Accept some responsibility for yourselves and learn to use your devices and keep them secure. Don't install stupid shit. It really is, for the most part, that fucking easy.

Read the options menu during install. Read it carefully. If you do not understand it, do not say "fuck it" and install it anyways. Don't install a bunch

Re:

[arth1]

The interesting find on that list is the McDonald's Phillipines delivery app.
I wonder what McD has to say about this?

Re:

[KGIII]

I wonder what McD has to say about this?

The Hamburgler did it!

*fat purple thing runs away*

robble robble robble

Re:

[Darinbob]

The apps do this for the same reason that web sites sign up for third party app services - it's free money for zero work on their behalf, and they don't give a shit if it pisses off their users. We're just monetization units to them.

Re:

[subk]

A list of apps using Silverpush is available at: https://public.addonsdetector.... [addonsdetector.com] I'm in no way affiliated with this site.

Slashdotted! It's been a while since I've seen that!

Which apps?

[Anonymous Coward]

Why doesn't anyone list the apps? (or I missed it in reading)

No surreptitious eavesdropping....

[cogeek]

...the government hates competition.

Re:

[Coisiche]

I would have felt like that trojan lady who knew her city was about to fall, and all the women in the city raped, all the men killed, all the houses burned, but nobody believed her because it was a curse from the gods.

Known as Cassandra and I would have thought the name was fairly common knowledge given that is was used to name the Cassandra Complex.

Re:

[KGIII]

You don't have to pull it out. That's the whole point of a Trojan.

Re:

[Darinbob]

Oh they probably believed Cassandra but they weren't about to let something like that stop them from using all their favorite phone apps!

Re:

[UnderCoverPenguin]

Actually, this is businesses ignoring regulations.

Re:

[Anonymous Coward]

Hence the FTC telling them that it isn't legal.

Re:

[Anonymous Coward]

Or have Google prevent background processes from accessing the microphone... DUH!

FTC is dissembling

[mveloso]

"this could constitute a violation of the Federal Trade Commission Act"

What exactly would constitute a violation of the FTC act? Their footnote states

"Specifically, Section 5 of the Federal Trade Commission Act prohibits unfair or deceptive acts or practices in or affecting commerce"

What about using SilverPush would be unfair or deceptive?

The FTC is attempting to assert jurisdiction, but there's nothing here to regulate. Why is the FTC attempting to regulate apps? Why don't they do something useful and regu

Re:

[Anonymous Coward]

It's deceptive that they place you under audio surveillance without making it clear in their privacy policy.

Re:

[ole_timer]

Yep. The basis of most settlements with the FTC. Consumer, by the way, includes employees.

Re:

[Darinbob]

How is it not deceptive? It's listening to what television you watch and then reporting that to some backoffice all without telling you.

cut the hard line, neo

[Anonymous Coward]

I guess now we need a switch that physically disconnects the microphone.

Re:

[Anonymous Coward]

That switch should also physically disconnect the camera.

Re:

[UnderCoverPenguin]

Definitely. Also should have better sandboxing of apps, like finer grain permissions, proxy handling and the ability to substitute alternate resources. For example, a few apps might really make sense to let them see you on-call status, but they don't strictly need more than that. Other apps only need audio mute or attenuation. That could be handled in the audio services rather than by the apps. Then sometimes, one might have a good reason to use an app that request more permissions than one is willing to gr

Re:

[arth1]

That switch should also physically disconnect the camera.

I'm not so worried about someone getting a real close-up of my nipple, but anything using the camera or mic or accelerometer or GPS or IP connectivity when not in the foreground should require an explicit authorization from the user, every time. Google really needs to give users a way to block this. A barndoor wide acceptance without specifics at install time is not good enough.

Looks like a preemptive warning

[Andy Dodd]

It appears based on maestroX's post above (which lists Silverpush-using apps) that nearly all of the offending apps on the market are clearly targeted at foreign users - primarily it seems Southeast Asian markets.

Which is consistent with the FTC's letter saying that no USA programming features the broadcast component of this technology.

Seems like this is a preemptive "US advertisers had better not use this" warning.

Also - most of the developers will likely just ignore the FTC due to lack of jurisdiction, as

Illegal Anyway?

[Luthair]

Seems like it would always be illegal in 2-party states (as people around you aren't consenting) or if the user isn't told about it.

Re:

[BradleyUffner]

Seems like it would always be illegal in 2-party states (as people around you aren't consenting) or if the user isn't told about it.

It might also be considered copyright infringement against the tv shows, especially if the audio is stored for any length of time.

Re:

[cogeek]

I'm sure it's in the TOU you agree to when you click Install

Re:

[PPH]

I suspect that these apps don't actually record audio. They detect the unique embedded signatures (audio watermarks, etc.) and just forward that data to their servers. This may or may not be legal. But it has yet to be court tested.

Re:

[subk]

They detect the unique embedded signatures (audio watermarks, etc.)

Which is all poppycock. Neilsen's "psychoacoustic" chirp tones do not work reliably. I am a broadcast engineer. I am blacklisted from being a Neilsen Home. But my mate a few blocks away is not. He signed up, and we played with the device. I won't go into specifics, but you can tell when it hears a tone because it goes about phoning home the telemetry. If it does not catch them, it is basically reporting that you aren't watching the tube. We observed the unit and found it was only catching our statio

Is the issue limited to Android?

[u19925]

I am using Android for more than 2 years so I am not anti-Android. However, things like this scare me on Android. Google has very little control on apps, not even to prevent someone violating laws. Up until Android 6, it was not even possible to revoke app permissions. You had to grant all permissions that app requested in order to install it. Many apps used to create fake reasons why they need some permissions. Why do radio app need to dial international number? In iOS, you can configure. On my iOS, I didn

Re:

[Locke2005]

I bought an S7 to replace my S5. My observations: 1) Finger print scanner is much, much better 2) S7 has no Infrared blaster 3) S7 case is really slippery, meaning adding a plastic case for protection/grip is a necessity 4) iPhone 6S still isn't waterproof and still doesn't have wireless charging; if you want an iPhone, perhaps the iPhone 7 will fix these flaws. Also, currently the S7 has a much faster processor than the A9 in the iPhone 6; we are still waiting to see if the A10 will leapfrog the Snapdragon

Re:

[subk]

The answer there, AC, is calm down. And buy a used phone. It's all good, bro. See, you and I are a lot alike. We have the same (basic) needs. But don't cut off your nose to spite your face... Let the Fat, Lazy, Drooling Sacks of Shit who can afford to drop $1000 iPhones in their champagne do so!! It makes the cheaper phones better. You can't tell me there aren't $250 new AND used options that don't fit your basic needs.

I won't claim it's a direct analogy, but take halo cars for example. Just becau

Re:

[Anonymous Coward]

Android from 6.0 has a permission system, so you can just remove anything you don't want the app to access, so your "take it or leave it" no longer applies. Never (at least since a long time) applied to CyanogenMod for example.
Sure, might make the app crash if it really needs it for example, but if you are on this site I expect you'll be able to handle that and figuring out which permissions are reasonable to give to an app.
Plus, you can stick to OpenSource apps (possibly even via F-Droid) for a lot of thin

Re:

[Alumoi]

It's doable in Android. Root, install a firewall and DisableService (handy little program which disables services in apps).

Modern collective nouns

[Threni]

The Federal Trade Commission is warning ***a dozen of developers*** about some code they've included in their apps