Is My Phone Listening To Me? We Asked Cybersecurity Experts
— Updated on 21 October 2022

Is My Phone Listening To Me? We Asked Cybersecurity Experts

— Updated on 21 October 2022
John McMahon
John McMahon

When I woke up last Monday, I felt like a glass of orange juice.

I didn’t voice this out loud, I didn’t add it to my shopping list on my phone, I just thought to myself: Hey, it’s Monday morning, and after drinking 2,000 beers over the weekend, it might be nice to treat my body to a glass of the sweet, sweet nectar that is freshly squeezed OJ.

A short while later as I strolled the aisles of the local Woolies, I said to my girlfriend (out loud), “Oh yeah, how about some orange juice?”

And then, not even 15 minutes after I’d already bought said juice, I was scrolling Instagram stories when I was dealt with an advertisement for Nudie orange juice just three swipes in. You’ve got to be fucking kidding me, I thought to myself. That’s the second time I’d consciously noticed a targeted ad in 24 hours, and the third in a week.

Smartphone in hand

I’m not talking about targeted advertisements sourced from browser cookies or my search habits; that marketing tsunami is a different beast. I’m talking about instances where I’d said something in a private conversation – at a volume that only the two parties present could have heard (or so I naively still think) – to find it only a few taps away the next time I unlock my iPhone.

The day prior to this, I was discussing Daniel Ricciardo’s move to McLaren with a colleague. Half an hour later, a Sky Sports article on the same topic popped up at the top of my ”suggested for you” Facebook feed. Earlier that week during dinner with my housemates, I was talking about a PayPal scam that happened to a friend of mine years ago. Next thing I know, there’s a PayPal ad waiting for me as I enjoyed a quick scroll before bed.

Is my phone listening to me? I’m certain of it. To what extent though, I’ll never know. Some people suspect it, sure, some tech companies have even admitted to it (though not many, and usually after they’ve been caught in the act), but we live in a grey area where not everyone fully realises what’s happening to them. If you aren’t aware of it, then you can’t control it – and that’s where the problem currently lies.

At the risk of sounding like a disgruntled Boomer with a tendency to attack every element of technological progression that I struggle to accept, I can’t help but admit I’m frustrated with the explicit overextension of targeted advertising. And in many ways, the more pissed off I get, the less receptive I am to the brands that are being forced down my throat. Funny that, isn’t it? Somewhat ironic, too, for a guy who works in digital media.

But the worst part is that unless you dust off your OG Motorola flip phone or whip out your Grandad’s typewriter, there’s almost nothing you can do to stop it. I’ve begun to seriously wonder to what extent this is happening, what precautions or tools we have to mitigate it, and, on which side of the law this subject finds itself.

Let’s start with the latter. The short answer is yes, it’s legal because I give permission for it to happen. Not to mention that the legal system is inherently flawed at regulating these rapidly changing capabilities. The problem is also cross-jurisdictional, but that’s another issue entirely.

Despite Facebook consistently denying allegations that it’s always listening to us, chances are you’ve already tapped ‘allow’ when prompted with the request for access to your microphone on all of the company’s popular apps, including WhatsApp and Instagram.

For smart assistant services such as Siri, Google and Alexa to function properly, they explicitly rely on what are known as ‘audio triggers’ to capture specific pieces of data from your conversations. You’re probably familiar with “Hey Siri” and “Okay Google”, but you likely don’t know that there are hundreds – possibly thousands – of triggers, and when it comes to Facebook, nobody actually knows what they are.

The information sourced from these known triggers somehow finds its way back to other networks (like Facebook’s, for example), but anything beyond that is not fully understood. This data is encrypted and only kept deep within the apps themselves, but you can bet on the fact that it’s archived and added to an evolving profile of who you are, what you’re interested in, and what you might be keen to consume.

So the technology is there. If it’s 110% possible that a trigger captured by Google will lead to an acutely targeted advertisement on YouTube (also owned by Google), then it’s not at all impossible that this information ends up elsewhere in the data nexus.

“Seeing as Google are open about it, I would personally assume the other companies are doing the same,” said Dr. Peter Hannay in an interview with Vice in 2018. Apple even issued a public apology a few years back when its employees were caught snooping on private Siri conversations.

“Really, there’s no reason they wouldn’t be. It makes good sense from a marketing standpoint, and their end-use agreements and the law both allow it, so I would assume they’re doing it, but there’s no way to be sure.”

To expand on Hannay’s claims, I turned to Mimecast’s cybersecurity expert Garrett O’Hara, asking him point-blank if he thinks it’s silly to directly link targeted advertisements with our phones listening to us.

“I don’t think it’s silly at all. Every time you think something’s silly these days, it turns out to be true.”

“But I personally don’t think that’s what’s happening here. You could talk about a holiday in Bali dozens of times and nothing happens, so you’re not aware of it, but then one of those times an advertisement might appear just after you’ve spoken about it, and that could actually be the reason you’re linking two and two together.”

“It’s called the ‘Baader-Meinhof’ phenomenon, and I think that’s what could be at play here for the most part. The human mind is just built that way, it plays funny tricks on us all the time.”

“That’s not to say there isn’t a scary thing happening at the moment with smartphones and digital footprints generally. When you triangulate all of your different data sources out there on the internet it’s crazy how accurate they can become. They can predict what you’re going to do next. It’s a bit of a cliché, but they know you better than you know yourself.”

To draw the most likely conclusion from this, I ask Garrett why he thinks we’re quick to pin it on eavesdropping smartphones.

“For most people, comprehending the complexity of digital footprints is so confounding that it’s much easier to just assume that smartphones are listening to us.”

This would also conveniently shift the blame from you or I to corporate goliaths like Facebook; when in reality, the responsibility for our privacy falls squarely on us.

The Social Network & Phones Listening
Sony Pictures

Garrett also cleared up some consumer confusion between ‘always on’ phone listening and isolated instances such as the aforementioned Apple scandal.

‘There are huge technical barriers to ‘always on’ listening. Do you know how many billion smartphones there are? The processing power for any company to always be listening to us just isn’t possible. There’s no realistic way that they, in real-time, are processing your conversations all the time.”

“There is some evidence from what they call ‘network snooping’ to suggest that segments of audio are being sent to Facebook via the cloud – much like the audio triggers you spoke of – and these triggers don’t require as much processing. But that research couldn’t figure out what the triggers were – which is why I don’t think it’s silly – because no one really knows for sure.”

If Facebook’s track record is anything to go by, these hypotheticals probably don’t fall too far from reality.

“Facebook already has a huge question mark over its integrity. Every time they’ve said they’re not doing something, they actually are – it’s a rinse and repeat scenario. Each time they push the boundaries it becomes the new normal.”

In a world that is more digitally opaque by the day, it’s more important than ever to know how these companies collect this information and what we’re willing to just ‘accept’ with blissful ignorance.

Things you can do to get back in control

Think hard about what apps you download onto your devices and connect to your social accounts. Even when they’re deleted, they still have your data and can repurpose it whenever they want for the highest bidder. The more you log-in to websites or services using a Google or Facebook account, the easier it is for them to connect the dots – and you’ve given them further permission to do so.

“I’m not on Facebook, I use an Android phone and I rarely install apps. I personally don’t trust these companies at all,” says Garrett, with a light-hearted aside that he doesn’t want to be seen as the guy with a tinfoil hat.

But if anyone would have the insight to justify wearing one, it’d be him.

“Be very conscious of the permissions you’re granting apps when you download them and make sure they’re appropriate to the app in question. WhatsApp might need your camera and microphone, but does the ‘Face Swap’ app really need access to your microphone? There’s some consumer fatigue here when it comes to managing privacy.”

It’s cases like these that should encourage the average joe to check their microphone settings and location services regularly. Unfortunately, if you want to use any of the common communication apps, you don’t have much of a choice in your microphone being switched on. Regardless, you should make sure that it’s set to ‘only while using the app’ rather than ‘always’, as is the case of iOS.

And while we’ll never really know if that actually achieves anything, comments from Edward Snowden lean even further towards the extreme end of the scale. Take what he said about eavesdropping smartphones in a 2016 episode of Digits, for example.

“TV is a medium that you watch. The Internet is a medium that watches you as you watch it. Everywhere you go, even when you’re not actively using your phone, it’s still listening.”

I bet you didn’t know that your iPhone stores your location data in the depths of its settings, either? It uses it to predict things like weather suggestions, daily alarms, traffic routes home and literally dozens of other targeted pressure points. Amazingly, my phone can tell me how I got home (walked or drove), how long it took for me to get there, and how long I stayed at home for – every day since I inspected my apartment last year on November 21st – which was three weeks before I’d even moved in.

Go to ‘Privacy’ > ‘ Location Services’ > ‘System Services’ > ‘Significant Locations’
I went for a walk to Freshwater last Saturday. Turns out my walk and the 16 minutes I spent at the coffee shop were both logged in the depths of my phone. The Apple Pay transaction I did probably connected the dots, too, understanding that I tend to enjoy an almond croissant and a flat white here on Saturday mornings.

Even just by using cash every now and then (but not during COVID-19 for obvious reasons), rather than card, you can win back a small bit of your privacy. It’s that easy.

And what if I’m wrong?

Before continuing down a very deep and dark rabbit hole that I might not be able to crawl out of in the space of this article, I asked myself – okay, say my phone isn’t listening to me, what other explanation might there be for this increased targeting?

I quickly realised that I’d already answered my own question, with the screenshots above sealing the deal.

Unfortunately, the entire online ecosystem currently revolves around advertisers, not individual users. Data is now a currency, soon to be worth more than oil, gold, and cold hard cash, if not already. We willingly surrender some elements of our privacy and the personal information that’s attached to it to enjoy a more convenient and connected world. I’ve been doing so ever since I joined Facebook in 2009, and likely even before that with the likes of MySpace, MSN, eBay, and just about everything else I’ve ever signed up to. Hell, even my Nintendo 64 probably betrayed me.

It’s an element of life that we’ve had to accept as a society. Our movements, browsing history, spending habits, private messages, interactions, interests, political views, relationships, employment history – literally every single thing that we’ve ever knowingly or unknowingly surrendered to an electronic device is clearly being tracked, stored and sold. We’ve even given companies enough angles of our faces to unlock phones with just a sideways glance. Let’s not forget that we live in an era where elections and referendums can hang in the balance of this information.

So in theory, 11 years worth of data, a pile which I’ve added to via hundreds of touchpoints a day for over 4000 days of my life, could have become so finely tuned to my habits that it predicted on the morning of May 18th, 2020, I’d be slightly hungover and probably in the mood for a glass of orange juice. Just as Garrett had suspected.

It really is possible, that’s the scariest thing about it all.

Could Facebook have really known that, or was it a complete coincidence? Maybe it was just 15 minutes late to the party, another trial and error in a catalogue of targeted trials used to focus its algorithm even further. Only Zuck can give me the answer, but, if true, this question makes the idea of my phone listening to me seem like the least of my worries.

Phone listening with Apple Pay

How concerned do I need to be?

It’s the value of this data that should soften any concerns we have about our phones listening to us. For the big players, at least, the buck stops with the data collectors. After all, Facebook, Google and Apple aren’t going to sell your hard data to third parties when it’s their biggest asset, the lubricant for their unmatchable money-making machines. Rather than flogging it off to the highest bidders, corporate tech companies prefer the model of acting as the intermediaries for advertisers that are keen to get in front of a specific audience – and they’re using our data as the leverage.

But who’s to say that won’t ever change? Each month there’s another report of a big fish getting eaten by an even bigger fish, i.e., a smaller tech giant being acquired by a larger tech giant, fueling the fire even more and monopolising the data game even further.

What happens, then, when the data collection snowball continues to gather so much momentum that it’s more precise, more powerful and more relentless than the consumer can possibly handle? Surely it’ll suffocate the user to a point of no return, a point which I became astutely aware of in aisle 5 of Woolworths the other morning.

But hey, whether your phone is listening to you or not, if, like myself, you’re only just fighting back now, then you’re probably already fucked.

RELATED: Bill Gates Made 15 Predictions Back In 1999 – Here’s How Many Came True

Subscribe to B.H. Magazine

John McMahon
John McMahon is a founding member of the Boss Hunting team who honed his craft by managing content across website and social. Now, he's the publication's General Manager and specialises in bringing brands to life on the platform.


Share the article