Are our iPhones eavesdropping on us? How else would Siri hear us say “Hey, Siri” other than if she were constantly listening?
That’s what Congress wondered, and it wanted Apple to explain. It also wanted to know about how much location data iPhones are storing and handing over about us.
So the US House of Representatives Energy and Commerce Committee sent a letter to Apple CEO Tim Cook on the matter of Apple having recently cracked down on developers whose apps share location data in violation of its policies.
The letter posed a slew of questions about how Apple has represented all this third-party access to consumer data, about its collection and use of audio recording data, and about location data that comes from iPhones.
On Tuesday, Apple responded.
Much of the response letter translates into “We Are Not Google! We Are Not Facebook!” As in, Apple’s business model is different from those of other data-hoovering Silicon Valley companies that rely on selling consumer information to advertisers:
“The customer is not our product, and our business model does not depend on collecting vast amounts of personally identifiable information to enrich targeted profiles marketed to advertising.”
Timothy Powderly, Apple’s director of federal government affairs, emphasized in the letter that Apple minimizes collection of data and anonymizes what it does collect:
“We believe privacy is a fundamental human right and purposely design our products and services to minimize our collection of customer data. When we do collect data, we’re transparent about it and work to disassociate it from the user.”
And no, Siri is not eavesdropping. The letter went into specifics about how iPhones can respond to voice commands without actually eavesdropping. It has to do with locally stored, short buffers that only wake up Siri if there’s a high probability that what it hears is the “Hey, Siri” cue.
A buffer is a chunk of audio that’s continually recorded over and thus, by definition, isn’t archived. In short, “always listening” is pretty restricted: an iPhone has only a short amount of recorded audio at any time. That audio is only used to identify the trigger phrase “Hey Siri,” and it’s only stored locally.
Once actual recording takes place after the “Hey, Siri” phrase is uttered, the recording that’s sent to Apple is attached to an anonymous identification number that isn’t tied to an individual’s Apple ID. Users can reset that identification number at any time.
Similar services store voice recordings in ways that are associated with an individual user, Apple said. In other words, in ways that can be linked to an individual who can then be target-marketed.
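The buffering and identifier behaviour described above, as a simplified model added here (it is not Apple's code and does not come from the letter). The class name, buffer size, score threshold, the choice to drop pre-trigger audio, and the sample stream are all assumptions.

```python
import secrets
from collections import deque


class WakeWordGate:
    """Toy model of an on-device trigger gate (assumed design, not Apple's code)."""

    def __init__(self, buffer_frames=3, threshold=0.9):
        # deque(maxlen=N) drops the oldest frame on overflow, so no more than
        # N frames of pre-trigger audio exist at any moment.
        self.buffer = deque(maxlen=buffer_frames)
        self.threshold = threshold               # assumed "high probability" cut-off
        self.request_id = secrets.token_hex(16)  # random, not derived from an account
        self.recording = False
        self.uploads = []                        # stands in for data leaving the device

    def reset_identifier(self):
        """User-initiated reset: new requests carry an unrelated identifier."""
        self.request_id = secrets.token_hex(16)

    def feed(self, frame, trigger_score):
        """Handle one audio frame and the local detector's score for it."""
        if self.recording:
            self.uploads.append({"id": self.request_id, "audio": frame})
            return
        self.buffer.append(frame)
        if trigger_score >= self.threshold:
            self.buffer.clear()                  # assumption: pre-trigger audio is dropped
            self.recording = True

    def end_request(self):
        self.recording = False


def run_demo():
    """Replay a constructed stream; return (peak buffered frames, uploads, ids)."""
    gate = WakeWordGate()
    # Constructed sample input: (frame label, detector score).
    stream = [("chatter-1", 0.05), ("chatter-2", 0.10), ("chatter-3", 0.02),
              ("chatter-4", 0.20), ("hey-siri", 0.97), ("what-time", 0.0)]
    peak = 0
    for frame, score in stream:
        gate.feed(frame, score)
        peak = max(peak, len(gate.buffer))
    first_id = gate.request_id
    gate.end_request()
    gate.reset_identifier()
    gate.feed("hey-siri", 0.95)
    gate.feed("weather", 0.0)
    return peak, gate.uploads, (first_id, gate.request_id)
```

In this model, the two properties to check are that nothing captured before the trigger appears in `uploads`, and that requests made before and after a reset share no identifier.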
Third-party apps
When Siri’s listening, an iOS device gives the user a visual indicator. Apple’s Developer Guidelines require that developers display that visual indicator when their apps are recording audio information. Third-party apps are required to obtain explicit user consent when collecting microphone data, as well.
iOS conditions state that third-party apps have to get user permission before accessing the microphone, camera, or location data. They also have to tell users what they’re going to do with that access or information. iOS apps also have to show the visual cue that they’re listening, just as they’re required to do with Siri.
Users can change the settings at any time, Apple said.
“Consistent with Apple’s view that privacy is a fundamental human right, we impose significant privacy-related restrictions on apps. Notwithstanding the developer’s responsibilities and direct relationship with customers, Apple requires developers to adhere to privacy principles.”
The upshot: if an app is compliant with Apple’s terms, it has to give a visual cue that it’s got access to the microphone, even after a user has granted permission to do so.
But the fact of the matter is that Apple doesn’t constantly monitor apps to make sure they’re always compliant. All apps go through the App Review Process for privacy compliance before getting approved, but that doesn’t equate to Apple keeping an eagle eye on them to make sure they don’t misbehave down the line. At a certain point, what happens to user data comes down to whatever a user has signed off on when agreeing to an app’s terms. From the letter:
“Apple does not and cannot monitor what developers do with the customer data they have collected, or prevent the onward transfer of that data, nor do we have the ability to ensure a developer’s compliance with their own privacy policies or local law.”
“When we have credible information that developer is not acting in accordance with the PLA or App Store Review Guidelines or otherwise violates privacy laws, we will investigate to the extent possible.”
In other words, Apple does its damnedest to make sure iPhones aren’t eavesdropping on us, including through privacy policies, short buffer windows, local storage, and app review.
Does any of this ease your worries about eavesdropping iPhones, if you had any such worries to begin with? Please do let us know if you’re still looking at Siri with a hairy eyeball, and if so, why?
reid
I’d like to read a comparative article against “Hey Google” technology. Since Google is in the business of selling personal information.
Matt Boddy
A very good point @brunes, check out my NakedSecurity post just published.
https://nakedsecurity.sophos.com/2018/08/15/are-your-android-apps-listening-to-you/
and video https://www.youtube.com/watch?v=O96F04C2eEk
Matt Boddy
Hey Reid, I’ve just posted a video on me monitoring the “OK Google” function of Android. This shows you when it’s monitoring audio, you can find it here: https://www.youtube.com/watch?v=O96F04C2eEk
If you want to learn how you can do this yourself, please check out my article https://nakedsecurity.sophos.com/2018/08/15/are-your-android-apps-listening-to-you/
brunes (@brunes)
Every single one of the technical mechanisms you described in this article is 100% identical to what Google does with the Google Assistant, Android, and Google Play.
Tom
Not at all, one such example:
>Once actual recording takes place after the “Hey, Siri” phrase is uttered, the recording that’s sent to Apple is attached to an anonymous identification number that isn’t tied to an individual’s Apple ID.
Google stores your voice recordings (for who knows how long) and ties them directly to a personal identifier (your Google account).
Tom
Although I’ve always lent myself to the Android OS in terms of customization and features, I’ve made the switch to iPhone just this year. It was all because I had a lack of trust in Google and Apple has consistently demonstrated a dedication to user privacy. I wonder, in the future, how much marketing will be dedicated to proving a product respects your privacy over a competitor’s product. Pretty wild that we’re entering a time where being ethical with your data is a selling point, not a given!
gregoryhagler
Do we assume this also applies to the Apple HomePod?
Lisa Vaas
That’s an excellent question, thank you. My first reaction is Yes, Apple says this applies to all products. But while poking around, I came across reporting—by Nilay Patel at The Verge—regarding another privacy issue with HomePod besides always-listening. As Nilay reported in February, Siri on the HomePod doesn’t recognize different voices. That means that anyone’s voice can trigger it to read, say, your text messages, to anyone who’s on the same Wi-Fi network.
From that article: “Seriously, it’ll just read your texts to anyone if your phone is anywhere on the same Wi-Fi network, which usually reaches far beyond the same room as the HomePod. If your HomePod is in the kitchen and you’re in the basement, anyone can just roll up on the HomePod and have it read your texts. If you have kids, they can just text anyone at will while you’re in the bathroom and you can’t stop it. I tried it with the HomePod behind a closed door and it picked up my voice and it happily read my texts aloud, a nightmare for anyone who lives in a dorm. This is also baffling: iPhones don’t answer to just anyone saying “Hey Siri” once you’ve trained them to your voice, and the HomePod runs a variant of iOS on an A8 chip, which allows for “Hey Siri” on the iPhone 6 when it’s plugged into the wall. I asked Apple about this, and there wasn’t a clear answer apart from noting that the personal requests feature that enables texting can be turned off. I agree: until Apple adds personalized voice recognition to this thing, you should definitely turn personal requests off.”
I’m going to ask Apple whether it’s addressed this yet. I’ll let you know what I hear.
Lisa Vaas
As Duck noticed, also, HomePod runs a kind of lightweight Siri. So I’m also asking Apple whether that entails any security features having been turned off, translating into any lessened security, or whether the less-stuff approach means fewer ways to screw up privacy.
Lisa Vaas
While I wait for Apple’s response, I see that the answer is likely to be that HomePod is in line with its approach to privacy on other devices. Here’s some recent reporting from NY Mag, which also noted that obey-any-Joe-Schmoe’s-voice thing: “But the biggest privacy difference between the HomePod and its competitors isn’t what it can or can’t do — it’s how the HomePod interacts with Apple’s servers. Like the other speakers, when a HomePod hears a request, it sends it off to Apple to parse and fulfill it. But instead of associating the request with the user’s account, like Google and Amazon do, HomePod requests are anonymous, tied only to a random, rotating ID. Just like a request you might make of Siri on an iPhone, HomePod requests will live on Apple’s servers for six months, associated with that ID, and then another year and a half, unlinked to any ID at all. By contrast, Google and Amazon only delete requests from their servers when asked by the user.”
Paul Ducklin
Of course, how reliable (or specific) the voice recognition actually is doesn’t tell you what happens to the recognised (or not recognised) data afterwards…
gregoryhagler
Thanks, so much, Ducklin and Lisa! I look forward to Apple’s reply and your insight. Thank you, both, for doing such a great job!
Lisa Vaas
Yes, those are two separate questions. I just thought I’d note the voice recognition issue as another thing to keep in mind when thinking of Siri privacy. Apple doesn’t seem to be in the mood to get back to me, by the way.
Anon
Don’t use it, don’t trust it, and never will. Way too many security concerns and not enough benefit. That goes for Siri, Alexa, Cortana, and especially Google.
Marie
Exactly, I agree and also do not use these “services”
realrecords
The article says, in part that a recording is given: “…an anonymous identification number that isn’t tied to an individual’s Apple ID. Users can reset that identification number at any time.” First, there is no explanation why the ID is assigned to each recording or what that information is used for; secondly, since it isn’t tied to an Apple ID, why does the user have the ability to reset the number, why would he/she do so, and how many users are even aware of, or understand the reason for this ID assignment process? Very little useful info in the article about something that seems to jump off the page…almost as if Apple is saying, “We do ID everything, but don’t worry about it as it’s worthless for ID’ing anything.”
Epic_Null
It is possible that Apple’s anonymous ID is more of a “return address”. If you were to ask Siri, say, what color the sky is, Apple then needs to process that question, look up the color of the sky, and then get back to you. The ID might just be used for that and then forgotten and/or reused.
DudeSweet
As a Windows/Android user I believe Apple’s privacy claims and would trust them with my personal data over MS and Google every single time. Unfortunately I’m not a fan of their actual products so I live without Google Assistant and Cortana (Alexa…what else…Bixby?).
Wayne
Not spying. Just observing and recording your every move….
don't be stupid
if you trust them you are a fool
Nemesis
A little exercise to reveal the Machiavellian way Apple CONSTANTLY spies on you.
In this case, macOS 10.13.6:
– Disable Siri (if you were foolish enough to enable it in the first place)
– Go to System Preferences > Sound > Input
– Turn the Input Volume all the way down.
You’d think that would be enough, wouldn’t you? Think again, and continue:
– System Preferences > Keyboard > Dictation
– Switch Dictation off.
Notice the microphone icon to the left? Notice how it captures your every breath? No, it’s not a recursive GIF, it’s a level meter. I use them all the time in recording studios. Try whispering and then increasing your voice, or tap on the keyboard lightly and then incrementally harder. See how it reflects every nuance of the sound you make? That’s because your microphone is ‘live’, recording your every waking hour (yes, even when your computer is ‘sleeping’).
No, you can’t turn it off. Why? Because too many people were turning it off, and Apple weren’t getting the data they were phishing for.
Nah, just kidding. Of course Apple aren’t spying on you. And of course the Moon is made of cheese.
I’d move your laptop into a different room when you go to bed at night. ;-)
john
Humans lie and/or misdirect; if Siri doesn’t, that doesn’t mean something else isn’t.