Shazam Keeps Your Mac's Microphone Always On, Even When You Turn It Off (vice.com) 126
An anonymous reader quotes a report from Motherboard: What's that song? On your cellphone, the popular app Shazam is able to answer that question by listening for just a few seconds, as if it were magic. On Apple's computers, Shazam never turns the microphone off, even if you tell it to. When a user of Shazam's Mac app turns the app "OFF," the app actually keeps the microphone on in the background. For the security researcher who discovered that the mic is always on, it's a bug that users should know about. For Shazam, it's just a feature that makes the app work better. Patrick Wardle, a former NSA hacker who now develops free Mac security tools, discovered this issue thanks to his latest software OverSight, which is designed to alert users when apps use their webcam and microphone. After he released OverSight, Wardle received an email from a user who noticed that the security app alerted him that Shazam was still listening even after he had switched the toggle to "off." Curious about this discovery, and worried his own software might be issuing a false alarm, Wardle reverse engineered the Shazam app to figure out what was happening. After a few hours analyzing the code, Wardle found out that, in fact, Shazam never stops listening, as he explained in a blog post published on Monday. James Pearson, VP of global communications for Shazam, said in a statement to Motherboard: "There is no privacy issue since the audio is not processed unless the user actively turns the app 'ON.' If the mic wasn't left on, it would take the app longer to both initialize the mic and then start buffering audio, and this is more likely to result in a poor user experience where users 'miss out' on a song they were trying to identify."
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
It takes how long to start the mic working? A few 10ths of a second maybe. Yeah, that would be HORRIBLE to miss that audio. End of the world bad.
Always on puns. (Score:5, Funny)
For the security researcher who discovered that the mic is always on, it's a bug that users should know about.
I see what you did there.
Re:Always on puns. (Score:5, Interesting)
Probably the same kind of programming logic that causes a computer with a quadcore 3GHz+ i7 running Windows to grind to a complete halt for several seconds whenever something triggers UAC...
Or the logic that causes my three LCD monitors to take longer to finish waking up (one... by... one...) after the screensaver puts them to sleep than it used to take me to COLD-BOOT GODDAMN WINDOWS 7 from my first SSD ~5 years ago.
Re: (Score:3)
There is nothing in the list of examples that you mentioned, which were physical constraints, and intentionally single-threaded modal menus, that have anything to do with turning on a pre-amplifier and DAC (
You may be entirely correct, but your post does nothing to achieve that.
Re: (Score:2)
Pre-amp and DAC will take less than 50 milliseconds to warm up.
Re: (Score:2)
Re: (Score:2)
If UAC causes your machine to grind, there are two possibilities:
1. Your graphics driver isn't hardware accelerating the screen dimming, so the CPU has to do it.
2. You are low on memory and Windows is paging like crazy.
Re: (Score:3)
Sounds legit (Score:1)
It does sound like a legitimate reason rather than something nefarious. When someone uses a program like Shazam, they probably want it to start analyzing the song as soon as possible in case they only catch it at the end. If the initialization process takes too long, there might not be enough song information available before the track finishes. I've had the same issue with a slower phone which took too long to load Shazam before the song ran out. For this reason, keeping the mic buffer available is probably
Re:Sounds legit (Score:5, Insightful)
It's a great legitimate reason, but that doesn't mean it's not a big problem, too. Just because they're not actually bugging it, doesn't mean that it's okay behavior...it makes malicious behavior harder to spot. Engineering would be so much easier if we never had to worry about unintended consequences or inconvenient best practices.
Re:Sounds legit (Score:4, Insightful)
(Also, it eats up battery life.)
Re: (Score:3)
This. There's a reason you're supposed to shut down the audio processing chain completely and tear down the hardware when not in use. Any time you have the audio hardware active, you're using a nontrivial amount of power.
That's not to say that it should necessarily tear it down instantly. If powering up the hardware incurs a significant delay, then it probably makes sense to keep it hot if the app thinks that it is likely to need to capture audio again within a few seconds. But after a reasonable timeo
Re: Sounds legit (Score:1)
Thanks for the wrong-headed rant. People are complaining about information, some deeply personal, being transmitted back to base without consent, transparency, security or an ability to opt out. In this case there's an Off switch which leaves the microphone on. Who would want that?
Re: (Score:3, Insightful)
If this was as completely innocuous as Shazam claims, why have they hidden this continuing monitoring condition, even when explicitly switched off, until confronted?
It should be right there in the EULA or something: "In order to provide seamless interaction, Shazam continuously monitors the microphone for background sounds and analyzes them. Shazam does not compile information on its users or shares that inform... he... hehe... Haha...HAHAHAHAHAHAHAHAHA...."
http://www.investopedia.com/articles/personal-fina
Re: (Score:2)
Apparently giving the user a choice, and letting users decide where they want the privacy/functionality bar to set is not something your mentality can deal with.
Why shouldn't I decide whether I want telemetry or not? Why shouldn't I decide whether I want to send a bug report or not?
Fuck you and your high horse.
Re:Sounds legit (Score:4, Insightful)
Re: (Score:1)
I cannot believe anybody would defend this, but these are mad times!
Re: (Score:1)
You don't have a clue what you are talking about. IRQ and DMA were set up via jumpers, thus they were always hardwired to the same settings.
I used to do a lot of recording in DOS on everything from a Sound Blaster 1.0 through to a GUS and AWE32. There was never a noticeable delay to begin recording anything and environment variables almost never mattered except for a few of the earliest late-80s programs that used audio. And no, you couldn't crash DOS by having unset variables either. Don't talk about things
Re:Sounds legit (Score:4, Insightful)
Had they labeled the setting "Ignore Mic" then it would be a legitimate reason. But because they lied about what the setting does you should assume the worst as they've already shown themselves to be untrustworthy.
Re: Sounds legit (Score:1)
The past three times I've launched Shazam, it puts up this bullshit message about doing housekeeping and there's a wait of at least a few seconds. If it's going to make us wait for that crap, I don't see the problem waiting half a second for the mike to turn on.
Re: (Score:1)
It does not sound reasonable at all. Why would a user specifically shut off an app just prior to wanting to use it? If a user shuts down a program, then the program should not continue to operate just in case the user did not mean to shut it down.
I cannot think of any reason why a user should expect a program to operate while it is turned off. But I can think of many reasons why that user SHOULD complain when the app continues to operate after it was told to stop.
Same with SoundHound on android (Score:5, Interesting)
Re: Same with SoundHound on android (Score:2)
Re: (Score:2)
Re: Same with SoundHound on android (Score:1)
How about Shazam on Android - does that listen all the time? Is there anything to prevent any Android app from listening all the time once you give it permission?
Disclosure would have been nice. (Score:5, Insightful)
The reason is understandable, but there should be an opt-in or some kind of disclosure. Something like "This app keeps your microphone initialized for a better user experience. This "feature" can be disabled in the program's settings."
Proprietary software never discloses the truth. (Score:5, Informative)
Disclosure is no substitute for software freedom. It's so easy to disclose something, give the user a bogus UI for "controlling" the program, and then do whatever the proprietor really wants done (which could include covertly recording audio from unsuspecting users who believe they control their computer's mic). There's no substitute for being free to run, share, inspect, and modify the program at any time for any reason. Software freedom is the only thing that will keep proprietors from taking advantage of computer users because when the proprietors don't know who is inspecting the code, improving the code, or distributing improved versions they know they can be caught.
Re: (Score:3)
Disclosure is no substitute for software freedom.
Software freedom is no substitute for jail time and massive fines for covert surveillance, which is exactly what should happen when you intentionally pretend the microphone is off. Not to mention this should get you yanked from any serious app store as malware. Don't get me wrong I like open source, but when an application goes from user-unfriendly to plain out deceptive that should be outright illegal.
Re: (Score:1)
jail time and massive fines for covert surveillance
Couldn't agree more. As long as they don't get punished with nothing more than a slap on the wrist, they will only keep getting bolder.
There was another example a few days ago, with WOT [slashdot.org]. After they were caught selling personally identifiable users' data without consent, they simply got kicked out of the major browsers' add-on stores. No criminal investigation, no nothing.
Re: (Score:2)
I too wouldn't mind seeing deceptive practices properly punished, but punishments won't inherently bring software freedom. Jailing amazon.com's leaders for taking away (of all books) "1984" from some legal purchasers of that eBook on the amazon DRM-riddled eBook device won't grant those readers what they need—DRM-free copies of the books they purchase and fully free software eBook reader source code. I think big organizations will eventually come to realize (if they don't already) that letting some hi
Re: (Score:1)
Pretty much.
Free software advocates (or zealots if you will) criticize proprietary software to no end, but when it comes to actual FOSS alternatives they are often either lacking in features or, in the case of real-time music fingerprinting and analysis software, totally non existent. People eventually tire of the tirades of hate towards proprietary s
Re: (Score:2)
I'm not sure I buy it. How long does it take to "turn on" the microphone? What's the difference between a microphone that is "on" and one that is "off?" There's no shutter to open. No capacitor to charge. This seems like an operation that should take...microseconds? Would it even be milliseconds?
Re: (Score:1)
Re: (Score:2)
On my Android it's about a quarter of a second, which isn't insignificant from a user interface perspective.
Re: (Score:1)
Re: (Score:2)
But with a Bluetooth headset, that balloons to potentially a couple of entire seconds, during which the app probably thinks that it is receiving audio, but is actually getting silence. Plus the whole Bluetooth device rediscovery/handshake likely incurs a nonzero power penalty.
Re: (Score:2)
Why would it take so long? I can imagine 10-20ms before the app actually gets the data, due to audio latency. But latency doesn't matter here since it doesn't matter when the data arrives, it matters when the audio starts recording.
Re: (Score:2)
The reason is understandable, but there should be an opt-in or some kind of disclosure. Something like "This app keeps your microphone initialized for a better user experience. This "feature" can be disabled in the program's settings."
You use the word "opt-in" as if anyone actually reads the EULA when installing apps, or questions why an application serving one particular need also needs access to your camera, microphone, contact list, notes, pictures, and grandma's secret cookie recipe.
Disclosure is pointless when the EULA takes a week and a legal degree to dissect.
Disclosure also assumes people actually give a shit about privacy anymore.
Re: (Score:1)
It's bitztream, the autism-hating, custom EpiPen-hating Slashdot troll!
Teehee. Yeah. Right. (Score:3)
it's a bug that users should know about.
That's what it is. A bug. But not a coding error.
Re: (Score:2)
Requirements defect. Carried forward into design, etc...
Re: (Score:2)
it's a bug that users should know about.
That's what it is. A bug. But not a coding error.
Allow me to quote TFS:
"There is no privacy issue since the audio is not processed unless the user actively turns the app 'ON.'..."
It's neither a bug nor a coding error according to the VP of the company making it. It's a design feature.
And there won't be enough Shazam users who give a shit about privacy for them to bother changing it.
Re: (Score:1)
Not disagreeing with your point. It's more about why isn't this declared up front? If you need to keep the mic on so you always have a buffer for the last 10, 20, 30 seconds of audio, then just say so. I imagine the same users you've categorised would still not give a shit.
For me though it would be an instant uninstall. As for Google listening to me all the time....not much I can do about that, I have chosen that OS ecosystem.
lame excuse (Score:2)
If the mic wasn't left on, it would take the app longer to both initialize the mic and then start buffering audio, and this is more likely to result in a poor user experience where users 'miss out' on a song they were trying to identify."
Well of course the company owning the app would like everything to be fast for their one particular purpose, devil may care what other malicious or incompetent shit it does, or who other than their target users might object to it.
Malware / spam trying to sell you could similarly argue that they're making the user experience great for their customers to buy their Viagra / porn, who cares whether the side effect is your computer being hijacked or flooded with spam.
Re: (Score:2)
Some songs don't have lyrics. Can you tell me the music they're using in the Lexus commercials that came out last week? I *think* the artist is Justice (Cadillac used them a few years ago) but I don't know. I'm not about to install Shazam to find out, either, but it can't be looked up by the lyrics.
Re: (Score:2)
Can you tell me the music they're using in the Lexus commercials that came out last week?
I'm sure google can.
Circa 90/91 (Score:3)
Spent maybe an hour cutting a wire in every workstation we'd bought. Ahhh, the days of usenet, otherwise I'd have never thought of it.
/ why yes, the camera on my laptop has tape over it
Re: (Score:2)
Some months ago, the fan of my laptop died and to fix it, I had to disconnect many things and I forgot to reconnect the sound card. When I realized my error, it was too late and I was too lazy to open the case again, so I left it that way and now I connect my bluetooth speaker/headset instead of using the built-in audio. Call it a workaround if you are paranoid enough.
Re: (Score:1)
I take it that the microphone wasn't recording all the time, but that you ssh'd in and cat'd /dev/audio or something?
Re: (Score:1)
You are a spy (Score:5, Insightful)
It's just a shame they don't pay the phone users a cut of the take.
Questionable behaviour by Shazam (Score:4, Interesting)
If the requirement to be listening permanently is reasonable, then surely their users would understand and accept this as part of using their application?
10.10+ only (Score:1)
Alexa/OK Google devices (Score:5, Insightful)
It wouldn't surprise me if they just decided that since people are willingly putting permanent audio listeners in their house, nobody would care if they kept the computer mic on too.
I'm a conspiracist, but I'm also something of a fatalist and in many cases I kind of shrug my shoulders at the latest privacy dustup. But I really can't grasp why someone would buy an audio device capable of listening in their house all the time and sending it back to who knows where.
Re:Alexa/OK Google devices (Score:4, Informative)
The second part of this is that I hate apps, they mean fragmented and conflicting architectures and 'no-choice' relationships with your local or global data thief in exchange for some eye candy and special offers or a stupid game. Even if they aren't actively nefarious, they are badly written with some of all (this is an example/sample) turned on: READ_CALENDAR, WRITE_CALENDAR, CAMERA, READ_CONTACTS, WRITE_CONTACTS, GET_ACCOUNTS, ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, RECORD_AUDIO, READ_PHONE_STATE, CALL_PHONE, READ_CALL_LOG, WRITE_CALL_LOG, BODY_SENSORS. That's apart from all the documented problems with Android, I'm not sure about the others.
Bottom line for me, this is the same as 'loyalty cards', it's not a very good bargain and one in which I choose not to participate.
Every device with a microphone (Score:5, Informative)
Re: (Score:2)
Indeed. Some laptops have these switches, but you are never sure whether it is something controlled in firmware or actually "hard wired", i.e. sabotage is not possible by way of software. I think I will start to physically disconnect these microphones in the future.
Time to remove those... (Score:4, Informative)
Cameras are easy: A bit of quality black electrical tape, easily removed later, and they are blind. Microphones are far more difficult. You basically have to blind them with excessive noise or disconnect them. Since the internal microphones of laptops are never very good, I will start doing that for mine, no loss. And the microphone on my main computer is only plugged in when I use it.
Smartphones, on the other hand, are a problem here. I still have one with a removable battery (only way to be really sure it is off), and I will keep it that way as long as possible.
Too many permissions required (Score:2)
This news doesn't surprise me at all. On Android, I uninstalled Shazam soon after installing it, because it wanted way too many permissions on my phone, most of which made no sense. Why on earth, for example, did it want access to my address book? NO!
It reminds me of RealAudio, which was once king of computer audio, but then became such an advertising nuisance that it became unbearable.
Besides, any Android device has music identification built in. Just say "OK Google...What song is this?" It responds by lis
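An added example, not part of the thread or of any app discussed in it: one way to check an Android app's decoded AndroidManifest.xml for the permissions listed in the "Alexa/OK Google devices" reply and questioned in the comment above. The sample manifest, the package name `com.example.songid`, and the `EXPECTED_FOR_MUSIC_ID` allowlist are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace Android uses for manifest attributes such as android:name.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Short names of the permissions the commenter listed.
LISTED = {
    "READ_CALENDAR", "WRITE_CALENDAR", "CAMERA", "READ_CONTACTS",
    "WRITE_CONTACTS", "GET_ACCOUNTS", "ACCESS_FINE_LOCATION",
    "ACCESS_COARSE_LOCATION", "RECORD_AUDIO", "READ_PHONE_STATE",
    "CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG", "BODY_SENSORS",
}

# Assumption for this example: a song-identification app only has an
# obvious need for the microphone out of the listed permissions.
EXPECTED_FOR_MUSIC_ID = {"RECORD_AUDIO"}

# Constructed sample manifest (decoded text form, not binary AXML).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.songid">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="SongID"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the full permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    # Both element types grant permissions; the -sdk-23 form applies
    # only on Android 6.0 and later.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(NAME_ATTR, "").strip()
            if name:
                perms.add(name)
    return perms


def audit(manifest_xml, expected=EXPECTED_FOR_MUSIC_ID):
    """Split the listed permissions an app requests into those its stated
    purpose explains and those it does not."""
    short = {p.rsplit(".", 1)[-1] for p in requested_permissions(manifest_xml)}
    sensitive = short & LISTED
    return {
        "explained": sorted(sensitive & expected),
        "unexplained": sorted(sensitive - expected),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print("explained by purpose:", ", ".join(report["explained"]))
    print("needs justification: ", ", ".join(report["unexplained"]))
```
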
So let me get this straight.... (Score:2)
Your {device} loads a data stream that when decoded and sent through whatever audio hardware/software combination, thence to the speaker/s, makes noise - spoken word, music, whatever.
Then the device's microphone "listens" to this audio, re-converts it to a digital stream that then gets sent off to a company who presumably run it past a big database of recorded music, to match it up, and report back to you that the audio is named "Purple Rain" recorded by the artist formerly blah blah blah.
Doesn't anyone loo
Re: (Score:2)
Re: (Score:2)
That's my point. Why go through the whole stream>audio>speakers>microphone>stream process when you could feed the stream straight to the server doing the comparison?
Re: (Score:2)
Because, for example, you hear the song on the radio. Or it's playing during a commercial on TV. Or in any of various other situations where the audio is originating from a place that the device isn't connected to.
Re: (Score:1)
Shazam can identify music that's not being played by your device, hence must be recorded by the mic.
Re: (Score:3)
Doesn't anyone look at tags anymore? You know, the metadata? Or didn't anyone think to um, bypass the whole conversion to actual sound waves and back to digital stream.
When it was taped off-air by your father in 1972 and you're trying to figure out what it is, the tags aren't exactly going to be helpful. That said, it would be nice to just play the MP3 or WAV off local storage instead of having to stick a tablet next to the speaker.
When this sort of thing works, it can be really, really useful. For example, Michael Garrison's "In the regions of sunreturn", which I'd been trying to identify for nearly 20 years. Probably taped off a record borrowed in the early 1980s.
Re: (Score:1)
Did Shazam ever stop to consider... (Score:4, Insightful)
... the security implications?
What if they'd actually turned off the microphone instead of fooling the end-user into thinking it was off. And, then, if users complained about missing the first 0.25s (or whatever) of the tune, Shazam responded to the users that there was a slight delay but that it was necessary to protect them from potentially being eavesdropped on? How many users would have found that reasonable and been fine with that? Well, we'll never know because Shazam didn't, apparently, care too much about the end user's privacy. But making sure they could identify an effin' song? Well, that's of paramount importance!
Re: (Score:2)
But making sure they could identify an effin' song? Well, that's of paramount importance!
To Shazam it is... that's their entire product. If they fail at the one thing they actually do they might as well pack up and go home!
Re: (Score:2)
Well, that's of paramount importance!
It kind of is, actually - since that's the entirety of what their application does.
Re: (Score:2)
Well that was easy (Score:1)