Slashdot Mirror


Shazam Keeps Your Mac's Microphone Always On, Even When You Turn It Off (vice.com)

An anonymous reader quotes a report from Motherboard: What's that song? On your cellphone, the popular app Shazam is able to answer that question by listening for just a few seconds, as if it were magic. On Apple's computers, Shazam never turns the microphone off, even if you tell it to. When a user of Shazam's Mac app turns the app "OFF," the app actually keeps the microphone on in the background. For the security researcher who discovered that the mic is always on, it's a bug that users should know about. For Shazam, it's just a feature that makes the app work better. Patrick Wardle, a former NSA hacker who now develops free Mac security tools, discovered this issue thanks to his latest software OverSight, which is designed to alert users when apps use their webcam and microphone. After he released OverSight, Wardle received an email from a user who noticed that the security app alerted him that Shazam was still listening even after he had switched the toggle to "off." Curious about this discovery, and worried his own software might be issuing a false alarm, Wardle reverse engineered the Shazam app to figure out what was happening. After a few hours analyzing the code, Wardle found out that, in fact, Shazam never stops listening, as he explained in a blog post published on Monday. James Pearson, VP of global communications for Shazam, said in a statement to Motherboard: "There is no privacy issue since the audio is not processed unless the user actively turns the app 'ON.' If the mic wasn't left on, it would take the app longer to both initialize the mic and then start buffering audio, and this is more likely to result in a poor user experience where users 'miss out' on a song they were trying to identify."

24 of 126 comments

  1. Always on puns. by SeaFox · · Score: 5, Funny

    For the security researcher who discovered that the mic is always on, it's a bug that users should know about.

    I see what you did there.

    1. Re:Always on puns. by Miamicanes · · Score: 4, Interesting

      Probably the same kind of programming logic that causes a computer with a quadcore 3GHz+ i7 running Windows to grind to a complete halt for several seconds whenever something triggers UAC...

      Or the logic that causes my three LCD monitors to take longer to finish waking up (one... by... one...) after the screensaver puts them to sleep than it used to take me to COLD-BOOT GODDAMN WINDOWS 7 from my first SSD ~5 years ago.

    2. Re:Always on puns. by ckatko · · Score: 2

      Your logic doesn't actually refute the previous post.

      There is nothing in the list of examples that you mentioned, which were physical constraints, and intentionally single-threaded modal menus, that have anything to do with turning on a pre-amplifier and DAC (
      You may be entirely correct, but your post does nothing to achieve that.

    3. Re:Always on puns. by TheRaven64 · · Score: 2

      It probably doesn't, but it does take time if you're doing speech recognition to get enough data in the buffer that you can begin recognising. If you can use the previous second or two of audio (for calibrating levels, if nothing else) then it's likely that you can respond faster.

      --
      I am TheRaven on Soylent News
  2. Same with SoundHound on android by wbr1 · · Score: 5, Interesting

    Google has its own 'what's this song' feature, but for a while I used SoundHound. Initially it was the only one, and it had better features like lyrics search. Then I found that unless I force closed the app (app switching or closing did not work), the mic was unavailable for ok google searches. Forcing the app closed released the mic. Bug or intentional, I don't know. The last time I used the app was a year or more ago so it could have changed, but this behavior no longer surprises me.

    --
    Silence is a state of mime.
  3. Re:Sounds legit by Sowelu · · Score: 4, Insightful

    It's a great legitimate reason, but that doesn't mean it's not a big problem, too. Just because they're not actually bugging it, doesn't mean that it's okay behavior...it makes malicious behavior harder to spot. Engineering would be so much easier if we never had to worry about unintended consequences or inconvenient best practices.

  4. Re:Sounds legit by Sowelu · · Score: 3, Insightful

    (Also, it eats up battery life.)

  5. Disclosure would have been nice. by XeXeN · · Score: 5, Insightful

    The reason is understandable, but there should be an opt-in or some kind of disclosure. Something like "This app keeps your microphone initialized for a better user experience. This "feature" can be disabled in the program's settings."

  6. Teehee. Yeah. Right. by Dunbal · · Score: 2

    it's a bug that users should know about.

    That's what it is. A bug. But not a coding error.

    --
    Seven puppies were harmed during the making of this post.
  7. Circa 90/91 by Snotnose · · Score: 2

    I was the Sun sysadmin for maybe 17 workstations in a Windows shop. Sun came out with workstations that had a mic. I told my boss I needed to open every box up and cut a wire. He didn't believe me. Told him to call his secretary and talk to her for a minute or two. When he hung up I went into his office and replayed the audio I'd recorded off his workstation.

    Spent maybe an hour cutting a wire in every workstation we'd bought. Ahhh, the days of usenet, otherwise I'd have never thought of it.

    / why yes, the camera on my laptop has tape over it
    // why do you ask?
    /// did you think I was just bored one day, or something?

  8. Proprietary software never discloses the truth. by jbn-o · · Score: 5, Informative

    Disclosure is no substitute for software freedom. It's so easy to disclose something, give the user a bogus UI for "controlling" the program, and then do whatever the proprietor really wants done (which could include covertly recording audio from unsuspecting users who believe they control their computer's mic). There's no substitute for being free to run, share, inspect, and modify the program at any time for any reason. Software freedom is the only thing that will keep proprietors from taking advantage of computer users because when the proprietors don't know who is inspecting the code, improving the code, or distributing improved versions they know they can be caught.

    1. Re:Proprietary software never discloses the truth. by Kjella · · Score: 2

      Disclosure is no substitute for software freedom.

      Software freedom is no substitute for jail time and massive fines for covert surveillance, which is exactly what should happen when you intentionally pretend the microphone is off. Not to mention this should get you yanked from any serious app store as malware. Don't get me wrong I like open source, but when an application goes from user-unfriendly to plain out deceptive that should be outright illegal.

      --
      Live today, because you never know what tomorrow brings
  9. You are a spy by PPH · · Score: 4, Insightful

    ... for the RIAA. The ability to sample and identify music has existed for years. It is used by the RIAA to sample radio broadcasts and enforce fee collection. But until now, it has been difficult to conduct this same level of surveillance on businesses like bars, restaurants and shops that play background music. And owe fees for doing so. But now, install the phone Shazam app and collect location data and the money will roll in.

    It's just a shame they don't pay the phone users a cut of the take.

    --
    Have gnu, will travel.
  10. Questionable behaviour by Shazam by slincolne · · Score: 3, Interesting

    If they need the microphone to be on at all times, why do they provide a 'sham' feature that gives their users the impression that the microphone can be turned off?

    If the requirement to be listening permanently is reasonable, then surely their users would understand and accept this as part of using their application?

  11. Re:Sounds legit by Anonymous Coward · · Score: 4, Insightful

    Had they labeled the setting "Ignore Mic" then it would be a legitimate reason. But because they lied about what the setting does you should assume the worst as they've already shown themselves to be untrustworthy.

  12. Alexa/OK Google devices by swb · · Score: 4, Insightful

    It wouldn't surprise me if they just decided that since people are willingly putting permanent audio listeners in their house, nobody would care if they kept the computer mic on too.

    I'm a conspiracist, but I'm also something of a fatalist and in many cases I kind of shrug my shoulders at the latest privacy dustup. But I really can't grasp why someone would buy an audio device capable of listening in their house all the time and sending it back to who knows where.

    1. Re:Alexa/OK Google devices by hughbar · · Score: 3, Informative

      I'm not actually really or deeply a conspiracist, but I like something that Susan George: https://www.amazon.co.uk/Fate-... wrote a while ago. Simply put, if a set of agendas converge, there may not be a conspiracy but the outcome may be roughly the same. In this case, a general undifferentiated thirst for 'data' and 'big data' as the new oil and competitive advantage. To hell with privacy, discretion etc., until there's a data breach, of course.

      The second part of this is that I hate apps, they mean fragmented and conflicting architectures and 'no-choice' relationships with your local or global data thief in exchange for some eye candy and special offers or a stupid game. Even if they aren't actively nefarious, they are badly written with some of all (this is an example/sample) turned on: READ_CALENDAR, WRITE_CALENDAR, CAMERA, READ_CONTACTS, WRITE_CONTACTS, GET_ACCOUNTS, ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, RECORD_AUDIO, READ_PHONE_STATE, CALL_PHONE, READ_CALL_LOG, WRITE_CALL_LOG, BODY_SENSORS. That's apart from all the documented problems with Android, I'm not sure about the others.

      Bottom line for me, this is the same as 'loyalty cards', it's not a very good bargain and one in which I choose not to participate.

      --
      On y va, qui mal y pense!
  13. Every device with a microphone by C3ntaur · · Score: 4, Informative

    Every device with a microphone should have a physical, hardwired switch with an indicator that tells when it's enabled or disabled.

    --
    Loading...
  14. Time to remove those... by gweihir · · Score: 3, Informative

    Cameras are easy: A bit of quality black electrical tape, easily removed later, and they are blind. Microphones are far more difficult. You basically have to blind them with excessive noise or disconnect them. Since the internal microphones of laptops are never very good, I will start doing that for mine, no loss. And the microphone on my main computer is only plugged in when I use it.

    Smartphones, on the other hand, are a problem here. I still have one with a removable battery (only way to be really sure it is off), and I will keep it that way as long as possible.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  15. Did Shazam ever stop to consider... by rnturn · · Score: 3, Insightful

    ... the security implications?

    ``If the mic wasn't left on, it would take the app longer to both initialize the mic and then start buffering audio, and this is more likely to result in a poor user experience where users 'miss out' on a song they were trying to identify.''

    What if they'd actually turned off the microphone instead of fooling the end-user into thinking it was off. And, then, if users complained about missing the first 0.25s (or whatever) of the tune, Shazam responded to the users that there was a slight delay but that it was necessary to protect them from potentially being eavesdropped on? How many users would have found that reasonable and been fine with that? Well, we'll never know because Shazam didn't, apparently, care too much about the end user's privacy. But making sure they could identify an effin' song? Well, that's of paramount importance!

    --
    CUR ALLOC 20195.....5804M
  16. Re:Sounds legit by dgatwood · · Score: 2

    This. There's a reason you're supposed to shut down the audio processing chain completely and tear down the hardware when not in use. Any time you have the audio hardware active, you're using a nontrivial amount of power.

    That's not to say that it should necessarily tear it down instantly. If powering up the hardware incurs a significant delay, then it probably makes sense to keep it hot if the app thinks that it is likely to need to capture audio again within a few seconds. But after a reasonable timeout (no more than 30 seconds), it really should be shutting the hardware down. Anything else is battery abuse (not to mention a serious privacy concern).

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.
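
An added example, not part of the thread and not Shazam's code: a sketch of the policy the comment above describes, where the capture device stays warm for a bounded grace period after the user switches listening off and is then torn down, and the status shown to the user is derived from the hardware state rather than from the toggle. `FakeMic`, `MicSession` and the injected clock are hypothetical names made up for this illustration; the 30-second default is the upper bound suggested in the comment.

```python
import time

class FakeMic:
    """Stand-in for a capture device (constructed for this example)."""
    def __init__(self):
        self.is_open, self.opens = False, 0
    def open(self):
        self.is_open, self.opens = True, self.opens + 1
    def close(self):
        self.is_open = False

class MicSession:
    """Hypothetical policy object: keep the device warm for at most `grace`
    seconds after the user switches listening off, then tear it down."""
    def __init__(self, mic, grace=30.0, clock=time.monotonic):
        self.mic, self.grace, self.clock = mic, grace, clock
        self.listening, self.off_since = False, None

    def tick(self):
        """Run from a timer: release the hardware once the grace period ends."""
        if self.off_since is not None and self.clock() - self.off_since >= self.grace:
            self.mic.close()
            self.off_since = None

    def set_listening(self, on):
        self.tick()                    # apply any expired timeout first
        if on:
            if not self.mic.is_open:
                self.mic.open()
            self.off_since = None
        elif self.listening:           # a repeated "off" must not extend the grace
            self.off_since = self.clock()
        self.listening = on

    def indicator(self):
        """UI state derived from the hardware, not from the toggle."""
        self.tick()
        if self.listening:
            return "listening"
        return "mic warm" if self.mic.is_open else "mic off"

def demo():
    t, mic, seen = [0.0], FakeMic(), []   # constructed clock (seconds) and device
    s = MicSession(mic, grace=30.0, clock=lambda: t[0])
    s.set_listening(True);  seen.append(s.indicator())
    s.set_listening(False); seen.append(s.indicator())
    t[0] = 10.0; s.set_listening(True); seen.append(s.indicator())
    s.set_listening(False); t[0] = 45.0; seen.append(s.indicator())
    return seen, mic.opens
```

In `demo()` the second "on" at 10 seconds reuses the still-open device, so the quick re-listen pays no start-up delay, while the device is released once it has been off for the full grace period.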

  17. Re: Sounds legit by Anonymous Coward · · Score: 3, Insightful

    If this was as completely innocuous as Shazam claims, why have they hidden this continuing monitoring condition, even when explicitly switched off, until confronted?
    It should be right there in the EULA or something: "In order to provide seamless interaction, Shazam continuously monitors the microphone for background sounds and analyzes them. Shazam does not compile information on its users or shares that inform... he... hehe... Haha...HAHAHAHAHAHAHAHAHA...."

    http://www.investopedia.com/articles/personal-finance/010815/how-shazam-makes-money.asp
    A rundown on how Shazam plans on making money.
    It isn't by selling Apps.

  18. Re:Sounds legit by MadKeithV · · Score: 4, Insightful

    It's potentially a good legitimate reason made very very suspect by having an "off" option that doesn't actually work.

  19. Re:So let me get this straight.... by Tapewolf · · Score: 2

    Doesn't anyone look at tags anymore? You know, the metadata? Or didn't anyone think to um, bypass the whole conversion to actual sound waves and back to digital stream.

    When it was taped off-air by your father in 1972 and you're trying to figure out what it is, the tags aren't exactly going to be helpful. That said, it would be nice to just play the MP3 or WAV off local storage instead of having to stick a tablet next to the speaker.

    When this sort of thing works, it can be really, really useful. For example, Michael Garrison's "In the regions of sunreturn", which I'd been trying to identify for nearly 20 years. Probably taped off a record borrowed in the early 1980s. The cassette wasn't labelled properly, and the album was completely instrumental. It took an awful lot of attempts with SoundHound to identify, and was made worse by the fact that the synthesizers used became fashionable in techno and I think some hip-hop stuff later, giving many false positives. But I can't think of any other way to find out what it was, short of sticking a clip on youtube and hoping I get a takedown.