FlexiSpy, ShopKick, Roving Bugs and a New Breed of Spyware?

Posted by on January 5, 2011 at 4:14 pm.

(credit:Spyware Blockers Pro)

Given all the coverage of iPhone, Android, Blackberry and Windows Mobile apps lately,  I’m surprised I’ve seen relatively little discussion of the new privacy issues some apps present — particularly when they leverage phone resources such as the microphone.  Microphone spying may have been a small issue when many desktops didn’t have microphones or microphones were stuck wherever the computer sat, but the ubiquity and proximity of smartphone microphones opens a new “roving bug” risk that extends beyond the phone owner to anyone nearby.

Let’s start with the definition of a “covert listening device” in Wikipedia:

covert listening device, more commonly known as a bug or a wire, is usually a combination of a miniature radio transmitter with a microphone. The use of bugs, called bugging, is a common technique in surveillanceespionage and in police investigations.

A bug does not have to be a device specifically designed for the purpose of eavesdropping. For instance, with the right equipment, it is possible to remotely activate the microphone of cellular phones, even when a call is not being made, to listen to conversations in the vicinity of the phone.

As you can see, cellular phone bugging is a natural extension of “bugs” or “wires”, but the references for that article were all before the mobile app explosion.  In 2006, Declan McCollagh covered the FBI’s use of cell phone “roving bugs” for legal wiretapping, as did computer security expert Bruce Schneier.  The Judge in that case suggested that failed alternatives made a difference in the legality of roving bugs:

The FBI’s “applications made a sufficient case for electronic surveillance,” Kaplan wrote. “They indicated that alternative methods of investigation either had failed or were unlikely to produce results, in part because the subjects deliberately avoided government surveillance.”

Most references I saw to this topic harkened back to similar police usage.  However, there are also implications unrelated to police usage — specifically wiretapping and eavesdropping laws for citizens.  The Reporters Committee for Freedom of the Press provides a nice guide on recording conversations.  Some highlights from that guide include:

Thirty-eight states and the District of Columbia permit individuals to record conversations to which they are a party without informing the other parties that they are doing so. These laws are referred to as “one-party consent” statutes, and as long as you are a party to the conversation, it is legal for you to record it….

Twelve states require, under most circumstances, the consent of all parties to a conversation. Those jurisdictions are California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania and Washington. Be aware that you will sometimes hear these referred to inaccurately as “two-party consent” laws. If there are more than two people involved in the conversation, all must consent to the taping….

Regardless of the state, it is almost always illegal to record a conversation to which you are not a party, do not have consent to tape, and could not naturally overhear….


Let’s now apply these standards to some of the apps starting to appear like FlexiSpy and ShopKick — if you know other apps listening via smartphone microphones, please share in the comments.  FlexiSpy is pretty transparent about the spying of their app, admitting that it “secretly records events that happen on the phone and delivers this information to a web account, where you can view these reports 24×7 from any Internet enabled computer or mobile phone. FlexiSPY PRO-X also allows you to listen to the surroundings of the target mobile , listen to the phone conversation and to know the location of the device.”  In fact, they provide this helpful video:

ShopKick, on the other hand, is pretty quiet about the microphone activation they do, when they do it, how long they eavesdrop and exactly what they promise to do with anything their software hears.  Do they listen during calls, in confidential meetings, in the bedroom?  The most concrete reference I found was under Android Settings -> Applications -> Manage Applications -> shopkick -> Permissions -> Hardware controls: record audio, take pictures.  I couldn’t find any reference to their handling of recordings in their Terms of Service or Privacy Policy.

Note, I don’t see anything suggesting these apps work like song-naming app Shazam, that only listens when a user specifically asks it to identify songs it hears.  Roving spyware like FlexiSpy, ShopKick and others appear to record via microphone without that phone’s owner tapping a button to record.  If we assume that these applications record sounds nearby, then they inevitably hear the phone’s owner, nearby friends and anyone close enough for the smartphone’s microphone to receive.  It seems like such wholesale listening would at least conflict with laws that make it “illegal to record a conversation to which you are not a party”, and likely one-party consent statutes as well.


Beyond legality, what do these apps mean for the ongoing balance of privacy and functionality?  Do we need to trade off always-on microphone privacy to get what we want from mobile apps.  With multiple signal processors in these smartphones, such as wifi, cellular and bluetooth, are there other ways to accomplish the same functional goals without roving microphones?  If not, I’ve got plenty of ideas on how to leverage those recordings…

[Disclosure: I have investments in multiple companies with mobile apps, including Grooveshark and IZEA, but I don’t believe any of them leverage microphone eavesdropping.]


  • I see two ways to go with this: Bring down the heat on the makers of unscrupulous apps or outsmart them with detection apps and blacklist the apps. Just don’t bring the government into it.

  • cde says:

    Uh, Shopkick has this little thing called walkin’s, which give you points. They work by your phone listening for a special audio frequency played by shopkick devices installed at certain stores. For the shopkick app to listen, it needs the record audio permission (there is no simple “”listen but don’t record audio”” permission. Makes no sense from a programming standpoint, and any app that needs to hear audio requires that permission). It’s a core feature of the app, on both android and ios. Have you even used the app?

  • dan says:

    @stephanie: I agree, no need for government, just transparent developers on exactly what/when they record, how those recordings are used, and what is done with them after use — resulting in more informed consumers.

    @cde: I understand that recording audio around someone’s smartphone is, in your words, a “core feature of the app”. That’s exactly why it was included in this article. However, they say nothing in their TOS, Privacy Policy or marketing materials about the details of those recordings. For example, do those recordings meet the requirements of state and federal eavesdropping laws? If so, how? If not, how far does the legal risk extend; just the app developer, to the merchant getting walkins, to the user who’s phone is recording conversations? I’m not sure the laws include a “there is no simple ‘listen but don’t record audio’ permission” exception.

  • richardp says:

    Interesting article. You may also want to look into the new Nielsen Media sync app for the iPad which listens to and syncs with a TV programme (technology licensed from Digimarc) – currently working with Grey’s Anatomy on ABC.
    Links here:

    Also Gracenote previewed a new video information system at CES using a similar approach:

    Do any of these apps ask the user for explicit permission? Not that I have seen!

    Oh and it would seem really easy to ‘game’ the Shopkick system with various sites which have posted recordings and scans from participating stores! So any user could fake ‘walk-ins’.

    Still, I am curious how the legal aspect you have covered will impact this type of app.

  • Nick says:

    Interesting ideas, but why take such a cynical view? In my experience with the Shopkick app, there is almost no chance that it can be uploading audio clips to a server somewhere. A bandwidth monitoring app can show you the miniscule amount of data that SK is uploading when it is running, and that once the ShopKick app is no longer running, it is not transferring any data.

Trackbacks / Pingbacks

Leave a Reply

popup close button
Advertisment ad adsense adlogger