Hundreds of Apps Can Listen for Marketing ‘Beacons’ You Can’t Hear
There are plenty of privacy-invading marketing ploys to worry about in life. Some examples are in your face, some are more subtle. And a relatively new kind manages to be outright invisible.
In the most inconspicuous hustle of all, apps have increasingly incorporated ultrasonic tones to track consumers. They ask permission to access your smartphone microphone, then listen for inaudible “beacons” that emanate from retail stores, advertisements, and even websites. If you’re not paying attention to the permissions you grant, you could be feeding marketers information about your online browsing, what stores you go to, and what products you like and dislike without ever realizing it.
There are certainly legitimate uses of “ultrasonic cross-device tracking” technology. Some apps are part of rewards programs that automatically offer customers promotions when they visit particular stores. Others facilitate ticketing at events like sports games.
But plenty of apps deploy it without so clear a use case, at least as far as direct benefits for the person who downloads them. In fact, research presented last week at the IEEE European Symposium on Security and Privacy found 234 current Android applications that incorporate a particular type of ultrasonic listening technology. That doesn’t quite constitute widespread distribution, but the infrastructure to support it has landed in more and more apps every year. And there are many mainstream examples, like the Philippines versions of the McDonald’s and Krispy Kreme apps. That doesn’t mean these apps have the function turned on, necessarily, but they are ready to support it at any time.
Beacon technology is also showing up in more physical locations. While the researchers didn’t find any ultrasonic tones being broadcast out on a sampling of television programming from seven countries, they did find that four of the 35 retail stores they visited around Germany did have beacons installed. “It was really interesting to find beacons at the entrance of some stores in two German cities,” says Erwin Quiring, a privacy and Android security researcher who worked on the study. “It affects all of us if there’s some kind of privacy invasive technique we don’t know about and which runs silently on phones.”
Sound of Silence
It’s also easy to accidentally submit to ultrasonic beacon tracking. All it takes is granting microphone permissions absentmindedly. And because device microphones can “hear” beacons even without a mobile data or Wi-Fi connection, the tracking can work even when you’ve disconnected your phone from the internet.
Not only that, but because these apps could be listening for beacons all the time, there’s also a risk of incidental data collection. Most companies that develop and/or use this “ultrasonic cross-device tracking” technology say that they don’t store any records of audible sound, they’re only listening for particular high-frequency pitches. But as with any “always on” sensing technology, the door is open for misuse.
Fortunately it’s easy to monitor what’s accessing your phone, and stay in control if you’re wary of all this dog whistlin’.
Since you can’t stop beacons from emitting these frequencies around you, the best option is to reduce the chance that your smartphone can listen for them and feed data to a third party. The researchers suggest simply assessing the privileges you’ve granted your apps to make sure they make sense. Skype wants microphone access? Sure! An app for some clothing store? Probably not. Common sense works best here.
On Android 7, navigate to Settings, then to Apps. Tap the gear icon in the upper right, then tap App Permissions to see and edit the privileges you’ve granted each app. And on iOS 10 go to Settings, then Privacy, then Microphone to see which apps have requested access, and which ones you’ve granted it to.
Separately, researchers have also developed a beacon-blocking Chrome extension and sample Android patch in an attempt to give consumers defense tools, and raise awareness of how operating system/browser developers could build protective features. But even without these measures, it’s important that beacon tracking not just be out of earshot, out of mind. By paying attention to what apps ask you for, you can figure out a lot about what’s happening behind the scenes.