Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Music Privacy Bug Communications Desktops (Apple) Security Software Technology

Shazam Keeps Your Mac's Microphone Always On, Even When You Turn It Off (vice.com) 126

An anonymous reader quotes a report from Motherboard: What's that song? On your cellphone, the popular app Shazam is able to answer that question by listening for just a few seconds, as if it were magic. On Apple's computers, Shazam never turns the microphone off, even if you tell it to. When a user of Shazam's Mac app turns the app "OFF," the app actually keeps the microphone on in the background. For the security researcher who discovered that the mic is always on, it's a bug that users should know about. For Shazam, it's just a feature that makes the app work better. Patrick Wardle, a former NSA hacker who now develops free Mac security tools, discovered this issue thanks to his latest software OverSight, which is designed to alert users when apps use their webcam and microphone. After he released OverSight, Wardle received an email from a user who noticed that the security app alerted him that Shazam was still listening even after he had switched the toggle to "off." Curious about this discovery, and worried his own software might be issuing a false alarm, Wardle reverse engineered the Shazam app to figure out what was happening. After a few hours analyzing the code, Wardle found out that, in fact, Shazam never stops listening, as he explained in a blog post published on Monday. James Pearson, VP of global communications for Shazam, said in a statement to Motherboard: "There is no privacy issue since the audio is not processed unless the user actively turns the app 'ON.' If the mic wasn't left on, it would take the app longer to both initialize the mic and then start buffering audio, and this is more likely to result in a poor user experience where users 'miss out' on a song they were trying to identify."
This discussion has been archived. No new comments can be posted.

Shazam Keeps Your Mac's Microphone Always On, Even When You Turn It Off

Comments Filter:
  • by SeaFox ( 739806 ) on Monday November 14, 2016 @08:06PM (#53286085)

    For the security researcher who discovered that the mic is always on, it's a bug that users should know about.

    I see what you did there.

  • by Anonymous Coward

    It does sound like a legitimate reason rather than something nefarious. When someone uses a program like Shazam, they probably want it to start analyzing the song as soon as possible in case they only catch it at the end. If the initialization process takes too long, there might not be enough song information available before the track finishes. I've had the same issue with a slower phone which took to long to load Shazam before the song ran out. For this reason, keeping the mic buffer available is probably

    • Re:Sounds legit (Score:5, Insightful)

      by Sowelu ( 713889 ) on Monday November 14, 2016 @08:13PM (#53286123)

      It's a great legitimate reason, but that doesn't mean it's not a big problem, too. Just because they're not actually bugging it, doesn't mean that it's okay behavior...it makes malicious behavior harder to spot. Engineering would be so much easier if we never had to worry about unintended consequences or inconvenient best practices.

      • Re:Sounds legit (Score:4, Insightful)

        by Sowelu ( 713889 ) on Monday November 14, 2016 @08:18PM (#53286157)

        (Also, it eats up battery life.)

        • by dgatwood ( 11270 )

          This. There's a reason you're supposed to shut down the audio processing chain completely and tear down the hardware when not in use. Any time you have the audio hardware active, you're using a nontrivial amount of power.

          That's not to say that it should necessarily tear it down instantly. If powering up the hardware incurs a significant delay, then it probably makes sense to keep it hot if the app thinks that it is likely to need to capture audio again within a few seconds. But after a reasonable timeo

      • Re:Sounds legit (Score:4, Insightful)

        by MadKeithV ( 102058 ) on Tuesday November 15, 2016 @04:00AM (#53287793)
        It's potentially a good legitimate reason made very very suspect by having an "off" option that doesn't actually work.
    • I cannot believe anybody would defend this, but these are mad times!

    • Re:Sounds legit (Score:4, Insightful)

      by Anonymous Coward on Monday November 14, 2016 @09:36PM (#53286549)

      Had they labeled the setting "Ignore Mic" then it would be a legitimate reason. But because they lied about what the setting does you should assume the worst as they've already shown themselves to be untrustworthy.

    • by Anonymous Coward

      The past three times I've launched Shazam, it puts up this bullshit message about doing housekeeping and there's a wait of at least a few seconds. If it's going to make use wait for that crap, I don't see the problem waiting half a second for the mike to turn on.

    • It does not sound reasonable at all. Why would a user specifically shut off an app just prior to wanting to use it? If a user shuts down a program, then the program should not continue to operate just in case the user did not mean to shut it down.

      I cannot think of any reason why a user should expect a program to operate while it is turned off. But I can think of many reasons why that user SHOULD complain when the app continues to operate after it was told to stop.

  • by wbr1 ( 2538558 ) on Monday November 14, 2016 @08:12PM (#53286119)
    Google has its own 'what's this song' feature, but for a while I sued sound hound. Initially it was the only one, and it had better features like lyrics search. Then I found that unless I force closed the app (app switching or closing did not work), the mic was unavailable for ok google searches. Forcing the app closed released the mic. Bug or intentional, I don't know. The last time I used the app was a year or more so it could have changed, but this behavior no longer surprises me.
  • by XeXeN ( 48797 ) on Monday November 14, 2016 @08:21PM (#53286179)

    The reason is understandable, but there should an opt-in or some kind of disclosure. Something like "This app keeps your microphone initialized for a better user experience. This "feature" can be disabled in the programs settings."

    • by jbn-o ( 555068 ) <mail@digitalcitizen.info> on Monday November 14, 2016 @09:00PM (#53286361) Homepage

      Disclosure is no substitute for software freedom. It's so easy to disclose something, give the user a bogus UI for "controlling" the program, and then do whatever the proprietor really wants done (which could include covertly recording audio from unsuspecting users who believe they control their computer's mic). There's no substitute for being free to run, share, inspect, and modify the program at any time for any reason. Software freedom is the only thing that will keep proprietors from taking advantage of computer users because when the proprietors don't know who is inspecting the code, improving the code, or distributing improved versions they know they can be caught.

      • by Kjella ( 173770 )

        Disclosure is no substitute for software freedom.

        Software freedom is no substitute for jail time and massive fines for covert surveillance, which is exactly what should happen when you intentionally pretend the microphone is off. Not to mention this should get you yanked from any serious app store as malware. Don't get me wrong I like open source, but when an application goes from user-unfriendly to plain out deceptive that should be outright illegal.

        • by Anonymous Coward

          jail time and massive fines for covert surveillance

          Couldn't agree more. As long as they don't get punished with nothing more than a slap on the wrist, they will only keep getting bolder.

          There was another example a few days ago, with WOT [slashdot.org]. After they were caught selling personally identifiable users' data without consent, they simply got kicked out of the major browsers' add-on stores. No criminal investigation, no nothing.

        • by jbn-o ( 555068 )

          I too wouldn't mind seeing deceptive practices properly punished, but punishments won't inherently bring software freedom. Jailing amazon.com's leaders for taking away (of all books) "1984" from some legal purchasers of that eBook on the amazon DRM-riddled eBook device won't grant those readers what they need—DRM-free copies of the books they purchase and fully free software eBook reader source code. I think big organizations will eventually come to realize (if they don't already) that letting some hi

    • by MobyDisk ( 75490 )

      I'm not sure I buy it. How long does it take to "turn on" the microphone? What's the difference between a microphone that is "on" and one that is "off?" There's no shutter to open. No capacitor to charge. This seems like an operation that should take...microseconds? Would it even be milliseconds?

      • I think you nailed it. Someone should test this to see how long we are talking about. Somehow, seems unlikely to be very long at all- nice thing about their reason is we could test it.
        • by Sowelu ( 713889 )

          On my Android it's about a quarter of a second, which isn't insignificant from a user interface perspective.

          • When you are talking about listening to a piece of music to identify it a quarter of a second is completely insignificant.
            • by dgatwood ( 11270 )

              But with a Bluetooth headset, that balloons to potentially a couple of entire seconds, during which the app probably thinks that it is receiving audio, but is actually getting silence. Plus the whole Bluetooth device rediscovery/handshake likely incurs a nonzero power penalty.

          • by MobyDisk ( 75490 )

            Why would it take so long? I can imagine 10-20ms before the app actually gets the data, due to audio latency. But latency doesn't matter here since it doesn't matter when the data arrives, it matters when the audio starts recording.

    • The reason is understandable, but there should an opt-in or some kind of disclosure. Something like "This app keeps your microphone initialized for a better user experience. This "feature" can be disabled in the programs settings."

      You use the word "opt-in" as if anyone actually reads the EULA when installing apps, or questions why an application serving one particular need also needs access to your camera, microphone, contact list, notes, pictures, and grandmas secret cookie recipe.

      Disclosure is pointless when the EULA takes a week and a legal degree to dissect.

      Disclosure also assumes people actually give a shit about privacy anymore.

  • by Dunbal ( 464142 ) * on Monday November 14, 2016 @08:23PM (#53286201)

    it's a bug that users should know about.

    That's what it is. A bug. But not a coding error.

    • by sconeu ( 64226 )

      Requirements defect. Carried forward into design, etc...

    • it's a bug that users should know about.

      That's what it is. A bug. But not a coding error.

      Allow me to quote TFS:

      "There is no privacy issue since the audio is not processed unless the user actively turns the app 'ON.'..."

      It's neither a bug or a coding error according to the VP of the company making it. It's a design feature.

      And there won't be enough Shazam users who give a shit about privacy for them to bother changing it.

      • by Vastad ( 1299101 )

        Not disagreeing with your point. It's more about why isn't this declared up front? If you need to keep the mic on so you always have a buffer for the last 10, 20 30 seconds of audio, then just say so. I imagine the same users you've categorised would still not give a shit.

        For me though it would be an instant uninstall. As for Google listening to me all the time....not much I can do about that, I have chosen that os ecosystem.

  • If the mic wasn't left on, it would take the app longer to both initialize the mic and then start buffering audio, and this is more likely to result in a poor user experience where users 'miss out' on a song they were trying to identify."

    Well of course the company owning the app would like everything to be fast for their one particular purpose, devil may care what other malicious or incompetent shit it does, or who other than their target users might object to it.

    Malware / spam trying to sell you could similarly argue that they're making the user experience great for their customers to buy their Viagra / porn, who cares whether the side effect is your computer being hijacked or flooded with spam.

  • by Snotnose ( 212196 ) on Monday November 14, 2016 @08:49PM (#53286307)
    I was the Sun sysadmin for maybe 17 workstations in a Windows shop. Sun came out with workstations that had a mic. I told my boss I needed to open every box up and cut a wire. He didn't believe me. Told him to call his secretary and talk to her for a minute or two. When he hung up I went into his office and replayed the audio I'd recorded off his workstation.

    Spent maybe an hour cutting a wire in every workstation we'd bought. Ahhh, the days of usenet, otherwise I'd have never thought of it.

    / why yes, the camera on my laptop has tape over it
    // why do you ask?
    /// did you think I was just bored one day, or something?
    • I take it that the microphone wasn't recording all the time, but that you ssh'd in and cat'd /dev/audio or something?

    • And what is the equivalent for Windows 10 and the always-on wi-fi card LED? I think thy are using 10Gz band, but tell no one about it.
  • You are a spy (Score:5, Insightful)

    by PPH ( 736903 ) on Monday November 14, 2016 @09:04PM (#53286379)

    ... for the RIAA. The ability to sample and identify music has existed for years. It is used by the RIAA to sample radio broadcasts and enforce fee collection. But until now, it has been difficult to conduct this same level of surveillance on businesses like bars, restaurants and shops that play background music. And owe fees for doing so. But now, install the phone Shazam app and collect location data and the money will roll in.

    It's just a shame they don't pay the phone users a cut of the take.

  • by slincolne ( 1111555 ) on Monday November 14, 2016 @09:06PM (#53286391)
    If they need the microphone to be on at all times, why do they provide a 'sham' feature that gives their users the impression that the microphone can be turned off ?

    If the requirement to be listening permanently is reasonable, then surely their users would understand and accept this as part of using their application?

  • and we know how lame the new OSX are
  • by swb ( 14022 ) on Monday November 14, 2016 @09:50PM (#53286627)

    It wouldn't surprise me if they just decided that since people are willingly putting permanent audio listeners in their house, nobody would care if they kept the computer mic on too.

    I'm a conspiracist, but I'm also something a fatalist and in many cases I kind of shrug my shoulders at the latest privacy dustup. But I really can't grasp why someone would buy an audio device capable of listening in their house all the time and sending it back to who knows where.

    • by hughbar ( 579555 ) on Tuesday November 15, 2016 @06:18AM (#53288101) Homepage
      I'm not actually really or deeply a conspiracist, but I like something that Susan George: https://www.amazon.co.uk/Fate-... [amazon.co.uk] wrote a while ago. Simply put, if a set of agendas converge, there may not be a conspiracy but the outcome may be roughly the same. In this case, a general undifferentiated thirst for 'data' and 'big data' as the new oil and competitive advantage. To hell with privacy, discretion etc., until there's a data breach, of course.

      The second part of this is that I hate apps, they mean fragmented and conflicting architectures and 'no-choice' relationships with your local or global data thief in exchange for some eye candy and special offers or a stupid game. Even if they aren't actively nefarious, they are badly written with some of all (this is an example/sample) turned on: READ_CALENDAR, WRITE_CALENDAR, CAMERA, READ_CONTACTS, WRITE_CONTACTS, GET_ACCOUNTS, ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, RECORD_AUDIO, READ_PHONE_STATE, CALL_PHONE, READ_CALL_LOG, WRITE_CALL_LOG, BODY_SENSORS. That's apart from all the documented problems with Android, I'm not sure about the others.

      Bottom line for me, this is the same as 'loyalty cards', it's not a very good bargain and one in which I choose not to participate.
  • by C3ntaur ( 642283 ) <panystrom@gmai l . c om> on Monday November 14, 2016 @10:49PM (#53286899) Journal
    Every device with a microphone should have a physical, hardwired switch with an indicator that tells when it's enabled or disabled.
    • by gweihir ( 88907 )

      Indeed. Some laptops have these switches, but you are never sure whether it is something controlled in firmware or actually "hard wired", i.e. sabotage is not possible by way of software. I think I will start to physically disconnect these microphones in the future.

  • by gweihir ( 88907 ) on Monday November 14, 2016 @11:26PM (#53287029)

    Cameras are easy: A bit of quality black electrical tape, easily removed later, and they are blind. Microphones are far more difficult. You basically have to blind them with excessive noise or disconnect them. Since the internal microphones of laptops are never very good, I will start doing that for mine, no loss. And the microphone on my main computer is only plugged in when I use it.

    Smartphones, on the other hand, are a problem here. I still have one with a removable battery (only way to be really sure it is off), and I will keep it that way as long as possible.

  • This news doesn't surprise me at all. On Android, I uninstalled Shazam soon after installing it, because it wanted way too many permissions on my phone, most of which made no sense. Why on earth, for example, did it want access to my address book? NO!

    It reminds me of RealAudio, which was once king of computer audio, but then became such an advertising nuisance that it became unbearable.

    Besides, any Android device has music identification built in. Just say "OK Google...What song is this?" It responds by lis

  • Your {device} loads a data stream that when decoded and sent through whatever audio hardware/software combination, thence to the speaker/s, makes noise - spoken word, music, whatever.

    Then the device's microphone "listens" to this audio, re-converts it to a digital stream that then gets sent off to a company who presumably run it past a big database of recorded music, to match it up, and report back to you that the audio is named "Purple Rain" recorded by the artist formerly blah blah blah.

    Doesn't anyone loo

    • The audio waveform being analysed does not have to come necessarily from the device itself.
      • by dwywit ( 1109409 )

        That's my point. Why go through the whole stream>audio>speakers>microphone>stream process when you could feed the stream straight to the server doing the comparison?

        • Because, for example, you hear the song on the radio. Or it's playing during a commercial on TV. Or in any of various other situations where the audio is originating from a place that the device isn't connected to.

    • by Knuckles ( 8964 )

      Shazam can identify music that's not being played by your device, hence must be recorded by the mic.

    • Doesn't anyone look at tags anymore? You know, the metadata? Or didn't anyone think to um, bypass the whole conversion to actual sound waves and back to digital stream.

      When it was taped off-air by your father in 1972 and you're trying to figure out what it is, the tags aren't exactly going to be helpful. That said, it would be nice to just play the MP3 or WAV off local storage instead of having to stick a tablet it next to the speaker.

      When this sort of thing works, it can be really, really useful. For example, Michael Garrison's "In the regions of sunreturn", which I'd been trying to identify for nearly 20 years. Probably taped off a record borrowed in the early 1980s.

    • You don't know what Shazam is used for, do you...
  • by rnturn ( 11092 ) on Tuesday November 15, 2016 @12:58AM (#53287333)

    ... the security implications?

    ``If the mic wasn't left on, it would take the app longer to both initialize the mic and then start buffering audio, and this is more likely to result in a poor user experience where users 'miss out' on a song they were trying to identify.''

    What if they'd actually turned off the microphone instead of fooling the end-user into thinking it was off. And, then, if user's complained about missing the first 0.25s (or whatever) of the tune, Shazam responded to the users that there was a slight delay but that it was necessary to protect them from potentially being eavesdropped on? How many users would have found that reasonable and been fine with that? Well, we'll never know because Shazam didn't, apparently, care too much about the end user's privacy. But making sure they could identify an effin' song? Well, that's of paramount importance!

    • But making sure they could identify an effin' song? Well, that's of paramount importance!

      To Shazam it is... that's their entire product. If they fail at the one thing they actually do they might as well pack up and go home!

    • Well, that's of paramount importance!

      It kind of is, actually - since that's the entirety of what their application does.

    • Better would have been to offer three settings. On. Microphone ready. Off. Then there would be no confusion. I can't think of any non-creepy reason to do it this way.
  • Said a million users as they deleted the app from their phones and computers.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...