Given all the coverage of iPhone, Android, Blackberry and Windows Mobile apps lately, I’m surprised I’ve seen relatively little discussion of the new privacy issues some apps present — particularly when they leverage phone resources such as the microphone. Microphone spying may have been a small issue when many desktops didn’t have microphones or microphones were stuck wherever the computer sat, but the ubiquity and proximity of smartphone microphones opens a new “roving bug” risk that extends beyond the phone owner to anyone nearby.
Let’s start with the definition of a “covert listening device” in Wikipedia:
A covert listening device, more commonly known as a bug or a wire, is usually a combination of a miniature radio transmitter with a microphone. The use of bugs, called bugging, is a common technique in surveillance, espionage and in police investigations.
A bug does not have to be a device specifically designed for the purpose of eavesdropping. For instance, with the right equipment, it is possible to remotely activate the microphone of cellular phones, even when a call is not being made, to listen to conversations in the vicinity of the phone.
As you can see, cellular phone bugging is a natural extension of “bugs” or “wires”, but the references for that article were all before the mobile app explosion. In 2006, Declan McCollagh covered the FBI’s use of cell phone “roving bugs” for legal wiretapping, as did computer security expert Bruce Schneier. The Judge in that case suggested that failed alternatives made a difference in the legality of roving bugs:
The FBI’s “applications made a sufficient case for electronic surveillance,” Kaplan wrote. “They indicated that alternative methods of investigation either had failed or were unlikely to produce results, in part because the subjects deliberately avoided government surveillance.”
Most references I saw to this topic harkened back to similar police usage. However, there are also implications unrelated to police usage — specifically wiretapping and eavesdropping laws for citizens. The Reporters Committee for Freedom of the Press provides a nice guide on recording conversations. Some highlights from that guide include:
Thirty-eight states and the District of Columbia permit individuals to record conversations to which they are a party without informing the other parties that they are doing so. These laws are referred to as “one-party consent” statutes, and as long as you are a party to the conversation, it is legal for you to record it….
Twelve states require, under most circumstances, the consent of all parties to a conversation. Those jurisdictions are California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania and Washington. Be aware that you will sometimes hear these referred to inaccurately as “two-party consent” laws. If there are more than two people involved in the conversation, all must consent to the taping….
Regardless of the state, it is almost always illegal to record a conversation to which you are not a party, do not have consent to tape, and could not naturally overhear….
Let’s now apply these standards to some of the apps starting to appear like FlexiSpy and ShopKick — if you know other apps listening via smartphone microphones, please share in the comments. FlexiSpy is pretty transparent about the spying of their app, admitting that it “secretly records events that happen on the phone and delivers this information to a web account, where you can view these reports 24×7 from any Internet enabled computer or mobile phone. FlexiSPY PRO-X also allows you to listen to the surroundings of the target mobile , listen to the phone conversation and to know the location of the device.” In fact, they provide this helpful video:
Note, I don’t see anything suggesting these apps work like song-naming app Shazam, that only listens when a user specifically asks it to identify songs it hears. Roving spyware like FlexiSpy, ShopKick and others appear to record via microphone without that phone’s owner tapping a button to record. If we assume that these applications record sounds nearby, then they inevitably hear the phone’s owner, nearby friends and anyone close enough for the smartphone’s microphone to receive. It seems like such wholesale listening would at least conflict with laws that make it “illegal to record a conversation to which you are not a party”, and likely one-party consent statutes as well.
Beyond legality, what do these apps mean for the ongoing balance of privacy and functionality? Do we need to trade off always-on microphone privacy to get what we want from mobile apps. With multiple signal processors in these smartphones, such as wifi, cellular and bluetooth, are there other ways to accomplish the same functional goals without roving microphones? If not, I’ve got plenty of ideas on how to leverage those recordings…
[Disclosure: I have investments in multiple companies with mobile apps, including Grooveshark and IZEA, but I don't believe any of them leverage microphone eavesdropping.]