Silverpush Stops Using Sneaky, Inaudible TV Audio Tracking Beacons After FTC Warning

from the tread-carefully dept

Wed, Apr 13th 2016 2:08pm — Karl Bode

ISPs and cable companies already track and sell your online behavior, your location data, and effectively everything you do on the Internet (to the second). Now broadcasters and app developers are cooking up a new technology that uses so-called "smart audio beacons" emitted during television programs to help track user viewing habits. These tones, inaudible to the human ear, are picked up by applications which use your smartphone or tablet microphone to listen and record them. That data can then be used to build a profile that potentially matches your existing online data with your viewing habits.

While the technology appears to currently only be in use overseas right now, the FTC felt the need to issue a press release recently warning companies using the technology that they too are being watched. The warning accompanied a letter the FTC sent to 12 app developers (pdf) that informs devs that if they use the technology and don't inform consumers, they're potentially violating Section 5 of the FTC Act. The FTC's attention was grabbed after they realized that the apps in question failed completely to inform users they were being tracked, or that they were even using the device microphone:

"...The code is configured to access the device’s microphone to collect audio information even when the application is not in use. Moreover, your application requires permission to access the mobile device’s microphone prior to install, despite no evident functionality in the application that would require such access. Upon downloading and installing your mobile application that embeds Silverpush, we received no disclosures about the included audio beacon functionality — either contextually as part of the setup flow, in a dedicated standalone privacy policy, or anywhere else."

Two days later, the company pioneering this new snooping tech, Silverpush, announced that it had "exited from all UAB (Unique Audio Beacon) based business and shifted to a newer product line" and that it would "appreciate if SilverPush is not associated with UAB based business going forward." The company also seems to be claiming in conversations with the media that this sudden departure had absolutely nothing to do with the FTC's warning:

"When asked by Motherboard why it pivoted away from audio beacons, a SilverPush spokesperson would only say its decision was “a natural process to move to a more evolved product as a part of our business plan” that began almost a year ago, and again insisted that it wasn't responding to privacy concerns. The company spokesperson also said that SilverPush has never partnered with US app developers in the past, and claimed that any apps that integrate its audio beacon tracking code explicitly ask for permission before accessing a device's microphone through a pop-up message within the app itself.

Motherboard was not able to verify these claims, because SilverPush will not identify which apps and companies are using its code. As of April 2015, the company claimed that 67 apps were using its code, allowing it to monitor around 18 million devices."

Much like the boiling frog metaphor, online privacy is eroded one degree at a time, without most people noticing the temperature shift. For example while it would have been controversial fifteen years ago, most people are currently ok with letting companies track absolutely everything we view (ISP deep packet inspection) and everywhere we go (location data tracking and sales). Still, the marketing industry occasionally pushes into territory that just creeps everybody out (like cable boxes that watch you). But what creeps everybody out today can and usually does become the new normal of tomorrow.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: apps, audio becaons, ftc, isps, tracking beacons, tv
Companies: silverpush

27 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 13 Apr 2016 @ 2:15pm

No worries...
we will just pay the fine and still make more money that we would obeying that regulations.
[ link to this | view in chronology ]
Anonymous Coward, 13 Apr 2016 @ 2:17pm

privacy
and again insisted that it wasn't responding to privacy concerns.

That makes it even worse, not better.
[ link to this | view in chronology ]
Anonymous Coward, 13 Apr 2016 @ 2:20pm

Well, that's it for me. I'm moving to Gilligan's island and getting all my entertainment from the Professor's coconut radio.
[ link to this | view in chronology ]
NSA, 13 Apr 2016 @ 2:21pm

Pfft. Amateurs.
[ link to this | view in chronology ]
PRMan, 13 Apr 2016 @ 2:22pm

Record shows
Couldn't someone just record TV and search for the beacons?

That's pretty much going to tell you who is using it.
[ link to this | view in chronology ]
- Lurker Keith, 13 Apr 2016 @ 7:10pm
  
  Re: Record shows
  Nielson uses either supersonic or subsonic signals embedded in all TV shows to monitor Ratings. It's most likely their embedded signals being hijacked by others.
  [ link to this | view in chronology ]
- Anonymous Coward, 14 Apr 2016 @ 6:25am
  
  Re: Record shows
  That's what I was thinking. It's easier to listen for a sharply-defined signal they insert themselves, but almost every TV show has its theme music, which is loud and always the same. Same for station IDs and commercials.
  
  Of course, anyone with cable or satellite TV is already monitored through their provider's set-top box...
  
  The thing about all this monitoring is, just because a TV is on, doesn't mean anyone is watching it. As a TV-phobe myself, I've noticed that most people will flip a TV on automatically when they walk into a room, assuming it's not on already. Then it usually seems to exist in some sort of visual blind spot as they ignore it. In my area it's difficult to find a restaurant or business office without at least one TV either gesticulating in silence or trying to blare over attempts at conversation.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 14 Apr 2016 @ 8:00am
    
    Re: Re: Record shows
    "In my area it's difficult to find a restaurant or business office without at least one TV either gesticulating in silence or trying to blare over attempts at conversation."
    
    Wow.
    
    Thank you for reminding me that I live in a truly wonderful part of the country. Where I'm at, the only businesses what do this are bars (and not even all of them).
    
    I also rarely see people leave TVs on if they aren't actually watching them. But they might turn them off when company comes over in order to avoid embarrassment.
    [ link to this | view in chronology ]
Anonymous Coward, 13 Apr 2016 @ 2:32pm

Norms can go the other way. Very few people are okay with deep packet inspection. Most people don't know what it is.

Don't confuse ignorance for acceptance.
[ link to this | view in chronology ]
- Anonymous Coward, 13 Apr 2016 @ 2:54pm
  
  Re:
  And even if they know what it is they might not know that it's being done to them.
  [ link to this | view in chronology ]
Anonymous Coward, 13 Apr 2016 @ 2:37pm

If these apps are breaking through Google store's security and taking control of the mic without identifying as such, Google should go after the people involved, drag them through the courts for DECADES until they all give up and die homeless and alone or throw themselves off a bridge.
[ link to this | view in chronology ]
- Adrian Cochrane (profile), 13 Apr 2016 @ 7:10pm
  
  Re:
  Why would Google do such a thing? I'm sure some of the tracking revenue comes back to them.
  
  Also given habits on the Google Play Store, I'm not sure these apps are exactly breaking anything. Instead they, like many others, could simply be asking for a range of irrelevent permissions.
  [ link to this | view in chronology ]
- Anonymous Coward, 14 Apr 2016 @ 4:15am
  
  Re:
  You misunderstand. The current version of the Android operating system requires a user to explicitly allow an app to use certain aspects of the device; these permissions are listed at installation and during updates, and must be explicitly allowed by the user.
  The FTC's problem with the software in question is: "your application requires permission to access the mobile device’s microphone prior to install, despite no evident functionality in the application that would require such access" i.e. permission has been granted by the user (leaving Google off the hook, and breaking no functionality of the OS/permissions) but the app isn't offering a function to the user, it's just spying on the user, because the user allowed the app to use the microphone.
  [ link to this | view in chronology ]
- nasch (profile), 14 Apr 2016 @ 8:18am
  
  Re:
  If these apps are breaking through Google store's security and taking control of the mic without identifying as such
  
  That's not a feature of the store, it's a feature of the OS. An app will crash if it tries to use a protected feature it hasn't asked permission for. It sounds to me like the issue is that this app generically asked for permission to use the microphone, but they didn't inform the user that it would be used when the app was not active.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 14 Apr 2016 @ 2:09pm
    
    Re: Re:
    "An app will crash if it tries to use a protected feature it hasn't asked permission for."
    
    Only if the app is badly engineered. What actually happens is that if an app tries to use a system service it hasn't the proper permissions for, then that system service won't work for it. The only way this will cause an app to crash is if it assumed that the service always succeeds.
    
    But this problem does hit on the main problem with Android app security: the granularity of the permissions is far, far too coarse. Apps that want to use a very specific facility often have to ask for permissions that grant them far more access than what they want.
    
    This means that users can't really tell what an app is intending to do or to prevent it from doing nasty things while allowing it to do only what it claims it wants to do.
    [ link to this | view in chronology ]
    - nasch (profile), 14 Apr 2016 @ 2:47pm
      
      Re: Re: Re:
      But this problem does hit on the main problem with Android app security: the granularity of the permissions is far, far too coarse. Apps that want to use a very specific facility often have to ask for permissions that grant them far more access than what they want.
      
      Not an easy problem to solve in a useful way though. I doubt many people pay attention to the permissions an app requests already, and if you make the permission a lot more specific, there will be a much longer list that's harder to understand to the casual user. They'll be even less likely to read or understand it. The new permission model could help with that though.
      [ link to this | view in chronology ]
      - John Fenderson (profile), 14 Apr 2016 @ 4:30pm
        
        Re: Re: Re: Re:
        True, this problem runs smack into the fact that security and convenience are natural enemies.
        
        But for those of us who are very conscious of these things, the existing model is of minimal use. If it were improved -- even along the lines of what CyanogenMod used to do in allowing you to revoke individual fine-grained permissions of already installed apps -- that can only help.
        [ link to this | view in chronology ]
Anonymous Coward, 13 Apr 2016 @ 2:56pm

Could be more than just a warning stopping the practice, fewer people watching "television programs" would greatly reduce the amount of data being collected or would be expected to be collected.
[ link to this | view in chronology ]
John Fenderson (profile), 13 Apr 2016 @ 3:49pm

Ominous
a SilverPush spokesperson would only say its decision was “a natural process to move to a more evolved product as a part of our business plan”

This sounds like they came up with an improved method of doing the same (or even worse) tracking. Probably one that's harder to notice.
[ link to this | view in chronology ]
- Roger Strong (profile), 13 Apr 2016 @ 11:00pm
  
  Re: Ominous
  Or they spun off the technology to a separate company to protect themselves from any legal fallout when its use is detected.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 14 Apr 2016 @ 8:01am
    
    Re: Re: Ominous
    That seems even more likely, yes.
    [ link to this | view in chronology ]
Anonymous Coward, 13 Apr 2016 @ 5:06pm

Is that legal in a two party state?
[ link to this | view in chronology ]
Ninja (profile), 14 Apr 2016 @ 6:36am

Question to the more enlightened: Can't we build a device to identify such wavelengths and possibly nullify them? I believe it would be quite trivial.
[ link to this | view in chronology ]
- nasch (profile), 14 Apr 2016 @ 8:20am
  
  Re:
  Can't we build a device to identify such wavelengths and possibly nullify them?
  
  Seems like something that just emits noise at those frequencies would defeat it.
  [ link to this | view in chronology ]
Monday (profile), 14 Apr 2016 @ 9:11am

ISPs and cable companies already track and sell your online behavior, your location data, and effectively everything you do on the Internet (to the second).

I am curious. Has anyone ever attempted a suit against one of these entities for selling their information. Is there any kind of inherent trademark or patent to a person's private behaviour or actions online?
It is, after all, your shit that you're doing, and by doing it, it should be naturally guarded / protected under their law.

I'm just wondering. I'm trying not to troll here, but software companies have to get you to "agree" to their terms, and I've never seen something like that from my cable / ISP company sooooo........

:)

Yeah, I know, "Dumb question Monday."
[ link to this | view in chronology ]
Anonymous Coward, 14 Apr 2016 @ 9:18am

a new product - range limiting speakers

btw - is still stealing one line of video and determining what you are watching?
[ link to this | view in chronology ]
limbodog (profile), 14 Apr 2016 @ 11:04am

I think it's time we start regulating privacy for real
I don't mean just telling these companies that they have to be "opt in", because people usually need access to what they have, and everyone will be doing it. So unless you become Amish, you're going to have to opt in.

No, I think it's time we pass some laws that say "No, you can't just record everything someone does 24/7 unless you provide regular details to that person on what was recorded, and with whom you shared that info."
[ link to this | view in chronology ]