Ready for another privacy scare? Sure you are! Let’s jump right into it: it’s been discovered — via Ars Technica — that the Golden State Warriors’ (an NBA team) Android app is using a phone’s microphone to listen to audio in the background. It does so by implementing a technology called “beacons” from a company called Signal360, and it’s doing it without most people’s knowledge.
Before we jump into the most important issue here, it’s worth learning why these apps “need” and use your audio. For basketball teams like the Golden State Warriors, it allows them to listen for inaudible “beacon” signals to trigger some sort of alert in the user’s app, such as a notification for a giveaway or some stadium information. The technique isn’t new and isn’t exclusive to basketball, as retailers and even TV advertisers have experimented with this unique style of alerts before.
The problem with the implementation in almost all these cases is that there’s almost no obvious way to know that your device’s microphone is in use, nor does the app make it clear when, exactly, it starts listening. The scariest part is that this is by design.
The issue was spotted by a woman who had enough clout to lawyer up and slap the developers of the Golden State Warriors app — YinzCam — with a lawsuit. A 15-page document goes into detail about their findings and how the sports app has major privacy issues, though the biggest theme here is that YinzCam never alerts the user to their activity within the app.
And they’re right. I’m a user of one of the three official NBA team apps that use Signal360’s technology, the Milwaukee Bucks app (the third being the Atlanta Hawks app), and it is never mentioned anywhere why that “microphone” access is needed in the permissions list when you first download the app, aside from the obvious fact that it records audio.
There’s no pop-up asking you to opt into this potentially obstructive behavior. I’ve looked in the privacy policy, terms of service, every page of the app, the app’s description on Google Play. Nothing. YinzCam’s website makes one passing mention of beacons, but it doesn’t explain how it works and how it uses your phone’s technology to deliver those experiences.
YinzCam isn’t shy about their use of beacons, but how do they work?
To back up on my own experiences for a moment here, I first noticed this issue over 1 year ago when an app had been interfering with my ability to use Google Now. I couldn’t use the “OK Google” command from any screen, nor could I initiate a search by pressing the microphone icon, only getting an error message that another app had taken control of my microphone. This happened so frequently and for such an extended period of time on each occurrence that I decided I had enough.
What I did to find the culprit was to open the list of every app currently running on my phone. This list was pretty big considering lots of apps pop into memory every now and then to do their thing in the background. From there, I decided to jump into each third-party app’s permissions to see which ones requested use of the microphone. Almost every app in that list had sensible reasons for using it, except one: that Milwaukee Bucks app which has no visible prompt to launch a microphone action.
Guess what I did? I uninstalled it (I was on Lollipop at the time, so disabling the app’s microphone access wasn’t an option), and voila: my Google Now voice actions were no longer being interfered with. After the witch hunt, I decided to do some research to see if anyone else had similar issues, and that’s when I stumbled across Signal360. Their efforts have never been secret on their side, but I had to go to lengths far too great to figure out what, exactly, this app was doing without my knowledge.
There’s a great deal of responsibility for this issue that can be shared by multiple parties. On YinzCam’s part, they’re perhaps legally obligated to be far more transparent about their apps’ behavior than they currently are. A popup, or even an opt-in section under settings, will do. Put a section into your privacy policy about the app’s usage of your microphone, the type of data it collects, where it’s sent, and how it’s used. (Signal360’s technology doesn’t actually upload any audio data; it only triggers an action when the app detects the inaudible signature.)
But perhaps Google has more work to do on the permissions front than we thought. The company has done great work to improve this as of Android 6.0 Marshmallow, with apps targeting that platform (and higher) able to ask the user for specific permissions when needed. The issue is that legacy apps which have yet to be updated for modern times are still given carte blanche.
We can turn those permissions off if we want, but every single permission the app asks for is turned on by default and most users likely won’t know how to deal with that. I had enough knowledge on app permissions and the desire to research my issue to understand what was going on (admittedly I didn’t check the permissions beforehand — I wanted my Bucks news, dammit), but for 1 person like me, there are 10 people who simply downloaded an app.
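The manual check described above can be run across every installed app at once. The Python below is an added example, not part of the original article: it parses text in the style of `adb shell dumpsys package` output and lists the apps that request the microphone, flagging those that target an API level below 23 (Android 6.0) and so are never asked at runtime. The sample dump and the `com.example.*` package names are constructed, and the real output layout varies between Android versions.

```python
import re

# Constructed sample, trimmed to the fields used here. It imitates the layout
# of `adb shell dumpsys package` output; package names are hypothetical.
SAMPLE_DUMP = """\
Package [com.example.teamapp] (1a2b3c):
    versionCode=41 minSdk=16 targetSdk=22
    requested permissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
    User 0: installed=true
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true
Package [com.example.messenger] (4d5e6f):
    versionCode=300 minSdk=21 targetSdk=23
    requested permissions:
      android.permission.RECORD_AUDIO
    User 0: installed=true
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=false
Package [com.example.notes] (778899):
    versionCode=7 minSdk=19 targetSdk=23
    requested permissions:
      android.permission.INTERNET
"""

MIC = "android.permission.RECORD_AUDIO"
RUNTIME_PERMISSIONS_SDK = 23  # Android 6.0 Marshmallow


def audit_microphone(dump):
    """Return one dict per package that requests the microphone permission."""
    findings = []
    # Split the dump into per-package chunks at each "Package [name]" header.
    for chunk in re.split(r"^Package \[", dump, flags=re.M)[1:]:
        name = chunk.split("]", 1)[0]
        # A requested permission sits alone on its line; a grant line has a suffix.
        if not re.search(r"^\s*" + re.escape(MIC) + r"\s*$", chunk, re.M):
            continue
        target = re.search(r"targetSdk=(\d+)", chunk)
        sdk = int(target.group(1)) if target else None
        findings.append({
            "package": name,
            "target_sdk": sdk,
            "granted": re.search(re.escape(MIC) + r": granted=true", chunk) is not None,
            # Targets below 23 get the permission at install, with no runtime prompt.
            "legacy_no_prompt": sdk is not None and sdk < RUNTIME_PERMISSIONS_SDK,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_microphone(SAMPLE_DUMP):
        print(finding)
```

To audit a real device, pass the captured output of `adb shell dumpsys package` to `audit_microphone` in place of `SAMPLE_DUMP`.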
WhatsApp asks for your permission to use the microphone before it does anything with it, and so should every other app.
One nice solution (even if rudimentary) is to force developers to explain why their app needs a certain permission when uploading that app to Google Play. The permissions list attempts to automate much of this — such as the microphone permission predictably telling users that it’s needed to record audio — but many apps could do with a bit more specificity in this regard.
Google could also require full disclosure of background app behavior somewhere in the app. Most developers already gladly offer this information up in their terms of service or privacy policy documents, but for folks like YinzCam whose documents could fit onto a napkin, it would go a long way toward earning users’ trust.
Going deeper, perhaps Android could automatically alert a user when their microphone is being accessed in the background by an app with a simple notification. iOS actually does a pretty good job of this by making the status bar turn red whenever the microphone is in use, background or otherwise (this is consistent with the behavior of Signal360 inside the iOS version of the Milwaukee Bucks app).
No matter what, though, this is a great example of why we could stand to use a lot more transparency when it comes to app permissions, because sometimes control simply doesn’t cut it for most folks. In this case, the need for such a technique is not malicious — it’s actually a pretty cool enhancement when used correctly — but it’s a stark reminder that less-than-savory apps could very well be doing much more with your data than they let on.