The Internet of Things that Talk About You Behind Your Back


SilverPush is an Indian startup that’s trying to figure out all the different computing devices you own. It embeds inaudible sounds into the webpages you read and the television commercials you watch. Software secretly embedded in your computers, tablets, and smartphones picks up the signals, and then uses cookies to transmit that information back to SilverPush. The result is that the company can track you across your different devices. It can correlate the television commercials you watch with the web searches you make. It can link the things you do on your tablet with the things you do on your work computer.

Your computerized things are talking about you behind your back, and for the most part you can’t stop them—or even learn what they’re saying.

This isn’t new, but it’s getting worse.

Surveillance is the business model of the Internet, and the more these companies know about the intimate details of your life, the more they can profit from it. Already there are dozens of companies that secretly spy on you as you browse the Internet, connecting your behavior on different sites and using that information to target advertisements. You know it when you search for something like a Hawaiian vacation, and ads for similar vacations follow you around the Internet for weeks. Companies like Google and Facebook make an enormous profit connecting the things you write about and are interested in with companies trying to sell you things.

Cross-device tracking is the latest obsession for Internet marketers. You probably use multiple Internet devices: your computer, your smartphone, your tablet, maybe your Internet-enabled television—and, increasingly, “Internet of Things” devices like smart thermostats and appliances. All of these devices are spying on you, but the different spies are largely unaware of each other. Start-up companies like SilverPush, 4Info, Drawbridge, Flurry, and Cross Screen Consultants, as well as the big players like Google, Facebook, and Yahoo, are all experimenting with different technologies to “fix” this problem.

Retailers want this information very much. They want to know whether their television advertising causes people to search for their products on the Internet. They want to correlate people’s web searching on their smartphones with their buying behavior on their computers. They want to track people’s locations using the surveillance capabilities of their smartphones, and use that information to send geographically targeted ads to their computers. They want the surveillance data from smart appliances correlated with everything else.

This is where the Internet of Things makes the problem worse. As computers get embedded into more of the objects we live with and use, and permeate more aspects of our lives, more companies want to use them to spy on us without our knowledge or consent.

Technically, of course, we did consent. The license agreement we didn’t read but legally agreed to when we unthinkingly clicked “I agree” on a screen, or opened a package we purchased, gives all of those companies the legal right to conduct all of this surveillance. And the way US privacy law is currently written, they own all of that data and don’t need to allow us to see it.

We accept all of this Internet surveillance because we don’t really think about it. If there were a dozen people from Internet marketing companies with pens and clipboards peering over our shoulders as we sent our Gmails and browsed the Internet, most of us would object immediately. If the companies that made our smartphone apps actually followed us around all day, or if the companies that collected our license plate data could be seen as we drove, we would demand they stop. And if our televisions, computer, and mobile devices talked about us and coordinated their behavior in a way we could hear, we would be creeped out.

The Federal Trade Commission is looking at cross-device tracking technologies, with an eye to regulating them. But if recent history is a guide, any regulations will be minor and largely ineffective at addressing the larger problem.

We need to do better. We need to have a conversation about the privacy implications of cross-device tracking, but—more importantly—we need to think about the ethics of our surveillance economy. Do we want companies knowing the intimate details of our lives, and being able to store that data forever? Do we truly believe that we have no rights to see the data that’s collected about us, to correct data that’s wrong, or to have data deleted that’s personal or embarrassing? At a minimum, we need limits on the behavioral data that can legally be collected about us and how long it can be stored, a right to download data collected about us, and a ban on third-party ad tracking. The last one is vital: it’s the companies that spy on us from website to website, or from device to device, that are doing the most damage to our privacy.

The Internet surveillance economy is less than 20 years old, and emerged because there was no regulation limiting any of this behavior. It’s now a powerful industry, and it’s expanding past computers and smartphones into every aspect of our lives. It’s long past time we set limits on what these computers, and the companies that control them, can say about us and do to us behind our backs.

This essay previously appeared on Vice Motherboard.

Posted on January 13, 2016 at 5:35 AM

87 Comments


Nicholas Bohm January 13, 2016 7:13 AM

What we need, as well perhaps as regulation, are effective methods of self-defence.

I hope that security practitioners will feel motivated to put efforts into providing us all with the help we need.

Mike Gerwitz January 13, 2016 7:48 AM

What we need is more Free Software.

It is not possible to have true security or privacy with proprietary software—it will spy on you, and you cannot do much about it. Users should reject it, and should also reject SaaSS, which does your computing on your behalf.

This is a problem that has long been predicted; Free Software users and those who avoid having servers do their computing for them and store their data do not suffer from many of these problems. People sacrifice privacy for convenience, and would rather have the newest shiny software than freedom.

CallMeLateForSupper January 13, 2016 8:05 AM

Grateful for your resurfacing this can o’ worms; it had slipped my mind. I’d resolved to look into the technology with an eye toward countermeasures. I typically squirrel away such projects for winter, against the day (or week) we get snowed in.

That said, I don’t fancy SilverPush’s chances of nailing my hide to a board: my devices don’t have ears. Also, TV audio is piped to headphones via wire (because my street is noisy beyond all reason).

DoNotTrack January 13, 2016 8:43 AM

I wonder if this represents an opportunity for security researchers to invent better, consumer-grade tech that defeats this type of tracking? Sort of an all-in-one privacy package that just works with the flip of a switch. Something that combines email encryption, VPN, proxy, ad-blockers, firewalls, cookie blockers, script killers, etc., and a support model for updates/upgrades. Currently, all of those things take a bit more fiddling to make work than the average consumer is capable of.

Craig January 13, 2016 9:04 AM

I want to travel back to 1990 and tell all those dumbasses like John Gilmore and John Perry Barlow that the Internet will not make us free and does not “interpret censorship as damage and route around it.” Rather, it is the ultimate platform for surveillance and privacy invasion. It wasn’t intended that way, but that’s what it is, and it’s inherent in the design of the system.

Martin Potter January 13, 2016 9:28 AM

“… embeds inaudible sounds into websites …”
Ha! I hardly ever even turn on the speakers on my computer, or use headphones. They won’t hear much from my browsing except occasional keystrokes.

Clive Robinson January 13, 2016 9:55 AM

@ Bruce,

We accept all of this Internet surveillance because we don’t really think about it.

Actually we might be waking up to it. Accentura recently did a poll and found that when you looked at the top three concerns people have about the IoT, 47% of respondents had such concerns.

Further, it appears that @Hagai Bar-El, who appears to be ARM’s VP of Security for their IoT Business Unit, reads and posts to this blog, and has his own blog on security.

Perhaps he would care to give some insight into IoT Security.

Will January 13, 2016 9:58 AM

@Martin Potter

They won’t hear much from my browsing except occasional keystrokes.

Acoustic Keyboard Eavesdropping is when an audio recording of your typing is used to recover what you have typed. is full of links to stuff like that.

Avi Rubin’s TED talk is full of other ways to be hacked, including using the accelerometer of a smartphone to reconstruct text typed on a keyboard in the vicinity.

So put aside your apathy, it doesn’t fit with the gist of this blog 😉

r January 13, 2016 9:59 AM

@ Mike Gerwitz,

That’s really not a fair statement; it is possible to have both security and privacy with closed source/proprietary software – it is just easier to trust someone that comes to you open handed.

Maybe that statement wounds me? Some of you may have noticed my previous statements about open source and it may seem that in reality pretty much every closed source software company IS out to get you. But that’s almost certainly not the case. I really doubt that various shareware companies are tracking you with their software; granted, the anti-cracking and DRM employed may have the capability, but those technologies by themselves wouldn’t scale enough to effectively directly violate your privacy… your choice in using something that dials home is you violating your own sense of ‘privacy’ there. To make a real world point here, don’t expect the power company to not know when you fire up your MIG welder, they can tell: they can prolly tell when your gaming rig is running full-bore too. But as stated above – the EULAgy you sign covers these simple software leaks.

The problem is metrics and advertising, not closed-source proprietary software. The problem is when you download someone’s program and agree to the EULA you are also agreeing to the EULA of every company their binary links against.

But my point is, I don’t think ALL of the smaller software companies would be in it to violate your privacy and security with their software. The problem is the EULA covers their websites and also that the violation of privacy itself has been incentivized.

p.s. you mean free as in open, the gnu definition of /free/ is a little contrived/strict don’t you think? Sure it’s a great ideal, but how well has their IP argument helped them this far – there’s thousands of examples of misuse and repurposing of their stuff with very little reprisal against those who have violated the gpl.

GNU violates your privacy by pushing the GPL label so visibly, nobody needs to know that you don’t support American business models and companies. 🙂

k15 January 13, 2016 10:06 AM

This all sucks when government has the information, and when corporations do. What happens when organized crime gets hold of it?

r January 13, 2016 10:14 AM

@Mike Gerwitz,

to wit: lots of open source software companies/sites use metrics and advertising and violate your privacy. so the gnu doesn’t do it, so what? we need more responsible sensible organizations like the gnu.

k15 January 13, 2016 10:23 AM

Bruce, is individual action the way to address this, or would it be better to have an organization? Would that organization be in government, or an NGO? Would it be focused on advocacy, or be more of a Marshall Institute for raising and documenting problems as journalism, or be like Consumer Reports?

paul January 13, 2016 10:34 AM

1) I can just imagine the countermeasures as people find out what signals are being correlated and learn how to spoof them for disinformation purposes.

2) This is a perfect example of the shortsightedness behind Lenin’s remark about capitalists and rope. Companies are building huge soft-target databases that could destroy people’s lives either metaphorically or in fact, and that pose liability nightmares when (not if) the data gets hacked and exposed, all for an increment of profit that is down in the noise of the global economy.

CallMeLateForSupper January 13, 2016 10:39 AM

“They want to correlate people’s web searching on their smartphones with their buying behavior on their computers.”

So the thing to do is to web search on the computer and buy on the fart phone. That’ll flummox those miscreants. ERK-ERK! Does not compute. SYSABEND.

Mike Gerwitz January 13, 2016 11:12 AM

That’s really not a fair statement; it is possible to have both security and privacy with closed source/proprietary software – it is just easier to trust someone that comes to you open handed.

@r: Proprietary software might mean well (privacy/security-wise), but we have no way to inspect that to verify it, so it cannot be trusted. Many privacy and security issues are also not intentional—they may be bugs or naive implementations, for example.

to wit: lots of open source software companies/sites use metrics and advertising and violate your privacy.

There is free software that does violate your privacy, yes. But it can be modified to remove those antifeatures, and the community should use that version instead. If the patch will be accepted by the project authors, then all the better.

SaaSS is a separate issue from software freedom; it can track you no matter what.

The problem is metrics and advertising, not closed-source proprietary software.

They’re separate issues. Software does need to report back to someone in order for tracking to be possible. If it’s not essential for the core functionality of the program, then that’s an anti-feature, and can be removed in free software. If it is essential, then its implementation can be studied and perhaps modified so that privacy or security are better preserved.

GNU violates your privacy by pushing the GPL label so visibly, nobody needs to know that you don’t support American business models and companies. 🙂

That statement isn’t constructive, and has nothing to do with privacy. It’s also incorrect.

Winter January 13, 2016 11:24 AM

I am still puzzled about how this should work.

Which device is listening and what devices make sound?

I assume the phone is listening as browsers are supposed to ask before listening. Or could flash listen in unannounced. Or maybe that is the real purpose of the speech search interfaces?

And must I install particular apps before my phone will start listening? I suppose so, but do not know.

And with respect to generating sounds. Does flashblock stop that in browsers?

Anonymous (or so I'd like to be) January 13, 2016 11:38 AM

Just like everything else in American politics, it’ll take a “crisis” before anything is done. The only form of crisis I can think of that would actually spur some kind of action is if Anonymous, or a similar group decided to dox members of congress with the data from one of these aggregators. Let’s see how much privacy becomes important when the world can read all about the intimacies and perversions of their lives. Of course, the response won’t be to limit data collection, but increase the surveillance state to try and catch the dox-ers.

David Leppik January 13, 2016 11:49 AM

@ Mike Gerwitz

If I buy a watch, a thermostat, a remote control, or a Wi-Fi enabled T-Shirt (they sell them on ThinkGeek), how am I going to inspect the source code? There’s no keyboard or monitor. There’s no hard disk to remove; everything’s on one chip or soldered to the motherboard. Even if the company tells me it’s open source, how can I verify that? And even if it starts open source, how can I ensure that a software update (or attack posing as an update) doesn’t change that?

SoWhatDidYouExpect January 13, 2016 11:58 AM

Listening to these “inaudible” sounds means having a microphone somewhere that can pick up the sound vibrations, record them, and forward them somewhere.

Thus far, none of my computers have microphones (yes, the laptop does but it gets turned on very little). No smart phones (old flip style devices using only POTS and off most of the time), no smart TV (and if I did get one, it would not have Wi-Fi or internet access). No IoT devices. No Netflix or similar exposure. No in car technology to speak of (that is probably the one microphone we have the least control over unless you disconnect the device antenna or cut some wires.)

Yet, I do access the Internet via DSL so that type of data collection and tracking does happen. But audio…nah!

What all of this engenders (the full picture of data collection across all disciplines using various technologies) is the ‘front’ that this is done to improve your viewing pleasure or satisfaction with the technology. Yet, those that do so almost completely ignore the fact that people DO NOT spend 24 hours a day with those technologies! But, they expect one to do so!

Users of smart phones and in car technologies have the greatest exposure. Yet, data that indicates the car is not occupied or spends 89-95% of its time standing still, seems of limited value (especially when one considers this technology is still not being used to shut down vehicles being pursued by police).

And, if a smart phone user is spending all their time (1/2 of each day or longer) using the smart phone to produce what was once considered “worthless chatter” via texting, even that seems like a great waste of energy. You know, we can ultimately over burden the planet with all of this data collection, if that hasn’t already happened.

It is time to assess the big picture and ultimately view how ludicrous this all is.

r January 13, 2016 12:08 PM

@Mike Gerwitz,

SaaSS as coined by the GNU in your link is right to a point, but there are extreme circumstances where it would not be true. (Tor relay via amazon cloud and a prepaid debit card.)

These specifically are implementation and deployment issues; all of which are based on education, awareness and choice.

@David Leppik,

Your wifi enabled t-shirt may require PROUD a GPL Label or a link to its source code that is highly visible. Does someone accessing your t-shirt qualify as a ‘user’ and do YOU have to provide source code for said user in a readily available consumable fashion?

If I walk into court with said wifi+enabled t-shirt the GPL/Wifi logos may be violating my privacy to the choice of t-shirts that I choose to wear. Furthermore: if I am out shopping is my GPL+WIFI t-shirt going to intermittently randomize the MAC and SSID it’s broadcasting?

Ray Dillinger January 13, 2016 12:55 PM

Remember kids, IoT doesn’t stand for “Internet of Things.”

It stands for “Internet of Targets.”

Anon January 13, 2016 1:05 PM

The whole “OSS is more secure” is nonsense! Time and again it has been shown to be a totally false statement.

Open source or not, I don’t want ANY software spying on me.

Winter’s questions are a good start – what is listening, what is transmitting, and which software is affected?

Who? January 13, 2016 1:17 PM

The IoT devices should be seen as computers as powerful as a small Sun/DEC/HP/IBM/NeXT workstation was in the 1990s. They run an Internet-connected operating system, but an unmanaged one and, in most cases, unpatched too.

It is not a matter of open source vs closed source, it is not a matter of dishonest manufacturers spying on their users through IoT devices, it is not a matter of reading devices documentation before turning them on, it is not a matter of following sane security practices either.

The whole concept of IoT is broken by design.

Anura January 13, 2016 1:29 PM


Say you use an app on your phone that includes advertising, or maybe just uses a library out of convenience that, unbeknownst to the developer (or possibly beknownst to the developer, but not beconcerning), tracks the user and has access to the microphone.

Now, you have a webpage with an HTML5 audio player that is configured to autoplay audio (I’m not certain Firefox can reliably block this without an add-on like noscript). This plays a tone that you can’t hear, but your phone can. Your computer plays the audio, your phone listens to it and replies back to the server. These devices are then “linked” together for tracking.
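Anura’s two-device scenario turned into a defender’s check, as an added example (not SilverPush’s code, nor anything from the blog or its commenters): a small analyser that flags near-ultrasonic energy in an audio frame of the kind a phone microphone would capture from a page or ad. It assumes 44.1 kHz mono PCM as floats, a 4096-sample frame, a 17.5 to 20 kHz “inaudible” band and a -60 dB floor; the test signals are constructed inline and use only the standard library.

```python
"""Flag near-ultrasonic beacon energy in an audio frame (added example; the
sample rate, frame size, band edges and floor are assumptions)."""
import cmath
import math

SAMPLE_RATE = 44100                    # assumed sample rate of captured audio
FRAME = 4096                           # analysis window; power of two for fft()
ULTRASONIC_BAND = (17500.0, 20000.0)   # assumed beacon carrier band, Hz
ULTRASONIC_FLOOR_DB = -60.0            # assumed: band power above this is not silence


def fft(x):
    """Recursive radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def power_spectrum(frame):
    """Hann-windowed one-sided power spectrum, normalised so that a full-scale
    tone lands near -10 dB whatever the frame length. Returns (freqs, powers)."""
    n = len(frame)
    windowed = [s * 0.5 * (1 - math.cos(2 * math.pi * i / n))
                for i, s in enumerate(frame)]
    spectrum = fft(windowed)
    half = n // 2
    freqs = [k * SAMPLE_RATE / n for k in range(half)]
    powers = [abs(spectrum[k]) ** 2 / (n * n) for k in range(half)]
    return freqs, powers


def band_power(freqs, powers, lo, hi):
    """Total normalised power in the half-open band [lo, hi) Hz."""
    return sum(p for f, p in zip(freqs, powers) if lo <= f < hi)


def analyse_frame(frame):
    """Describe one frame: ultrasonic and audible band levels, the strongest
    frequency inside the ultrasonic band, and whether the frame is flagged."""
    freqs, powers = power_spectrum(frame)
    lo, hi = ULTRASONIC_BAND
    ultra = band_power(freqs, powers, lo, hi)
    audible = band_power(freqs, powers, 100.0, 8000.0)
    ultra_db = 10 * math.log10(ultra + 1e-30)
    # A fixed carrier shows up as a single sharp peak; broadband hiss does not.
    band_bins = [k for k, f in enumerate(freqs) if lo <= f < hi]
    peak_k = max(band_bins, key=lambda k: powers[k])
    return {
        "ultrasonic_db": ultra_db,
        "audible_db": 10 * math.log10(audible + 1e-30),
        "peak_hz": freqs[peak_k],
        "flag": ultra_db > ULTRASONIC_FLOOR_DB,
    }


def synth(tones, n=FRAME, rate=SAMPLE_RATE):
    """Constructed test signal: a sum of (frequency_hz, amplitude) sine tones."""
    return [sum(a * math.sin(2 * math.pi * f * i / rate) for f, a in tones)
            for i in range(n)]


# Constructed inputs: ordinary programme audio, and the same audio with a weak
# 18.5 kHz carrier mixed in, the way the page or ad in Anura's scenario would.
CLEAN = synth([(440, 0.3), (1000, 0.3), (3000, 0.3)])
BEACONED = synth([(440, 0.3), (1000, 0.3), (3000, 0.3), (18500, 0.05)])

if __name__ == "__main__":
    for name, frame in (("clean", CLEAN), ("beaconed", BEACONED)):
        print(name, analyse_frame(frame))
```

On a real capture, run `analyse_frame` over consecutive frames and treat a peak that stays at one frequency across many frames as the signature worth investigating; a single flagged frame can be a keyboard click or glass clink.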

Clive Robinson January 13, 2016 2:20 PM

@ K15,

What happens when organized crime gets hold of it?

You might have better security if they are getting it from your IoT devices…

That is because in the past the more sensible crooks on getting into your system “put in their RAT” and patched many of the known vulnerabilities to keep out other crooks…

Fascist Nation January 13, 2016 2:57 PM

Clever. And sneaky. But I don’t mind this much. A company is just going to use the info to direct ads at me towards products I am more likely to want than a random ad. Can bad things arise? Certainly. But for the most part efficiencies result.

BUT the government wants to use all forms of surveillance to control me…because you are either in control or out of control. Can good things arise? I don’t think so.

r January 13, 2016 3:23 PM


How about the alternative scenario…

Your car radio uses GPS/audio based ‘smart’ ad-injection for local businesses.
Think regional/local television advertising spaces, got any passengers?
We could age-correlate them for a louder-than-average mcdonalds commercial 1/2 mile out.

mishehu January 13, 2016 3:59 PM

The thing that saddens me is that anytime I voice similar concerns as Bruce expresses in the essay, I might as well be speaking in Klingon and performing Weird Al’s “Foil” video. The commoner considers me nothing more than the crazy bum on the corner who wears a foil hat and constantly mumbles something about the black helicopters.

BoppingAround January 13, 2016 4:19 PM


This all sucks when government has the information, and when corporations do. What happens when organized crime gets hold of it?

The government and corporations make another grab of your info in order to ‘protect’ you from organised crime grabbing that information.

Fascist Nation,
Do remember that companies trade the data they have gathered with other companies. Including various governments.

Sancho_P January 13, 2016 5:38 PM

Call me skeptical here.

The original of the CDT letter mentions 6-7 [that is 6 to 7] apps using SilverPush software, in arstechnica they already “quote” 67 apps.

To back the number of 18 million tracked smartphones the CDT paper links to an “Opinion” at which claims SilverPush would claim to monitor 18 million smartphones (by six-seven apps).

This “Opinion” just talks about TV ads, but the CDT reports about “web ad”, “cookie” and computer (the CDT reference link is broken btw.).
There is a very basic pdf in the Net regarding acoustic coupling of laptops using 18/18.5 kHz but many people would hear that frequency.

Where I live people have their TV on day in day out, even when nobody is watching, the only conclusion one could draw is “the phone listened to the ad”. Is it worth the effort?

Before tinkering with audio in my laptops, monitors or iMacs I’d love to see a link to a website / ad that tries to talk to my cat.

The fact that we have a lot of open (?) microphones around us is frightening, though.

donerkebab January 13, 2016 5:39 PM

“smartphones pick up the signals, and then use cookies to transmit that information back to SilverPush”

Fix this to something more plausible. Even non-technical privacy-oriented readers will know that cookies don’t transmit, and it seems overly specific vs just “the smartphone uses the internet to transmit that information” like this is meant to distract from some other technical error.

GeorgeW January 13, 2016 5:52 PM

Can this technique of embedding inaudible sounds be used to compromise anonymity on TOR?
Or are there bigger things to worry about on TOR?

CallMeLateForSupper January 13, 2016 6:05 PM


I feel your… er… discomfort.

Last spring I became aware that a sister uses an iPhone (spotted the “Sent from my iPhone” splash that the things shamelessly tack onto each email). I recommended that she not say, text or email things that she would not want strangers to know, because cell comms are relatively easy to get into. All signs point to her not understanding and, thereby blind, simply getting on with her iRoulette.

Several days ago I saw, for the first time, the “Sent from..” on a different sibling’s email. And the very next day, on email from yet another sibling. I have a sneaking suspicion that they’re ganging up on their unstable, alarmist brother. One sibling yet to hear from. I am not optimistic.

From time to time I add to an email “Sent from my iYouHeSheIt” or “Sent from my Asus”. That latter one got a response from the sister mentioned above: “Oh! You finally got a cell!” (face-plant)

George H.H. Mitchell January 13, 2016 6:31 PM

It’s time to admit that the Europeans got the law on privacy right and we screwed it up totally. That I don’t own all of the data about me is crazy. It will not be easy to fix, but I think it’s still possible.

ianf January 13, 2016 7:28 PM

@ CallMeLateForSupper

Don’t get mad, get even. Surreptitiously borrow the sister’s iPhone, click the Settings icon, select Mail, Contacts, Calendars menu item, then substitute the content of Signature field with own “Sent from my probation office’s antechamber” or worse.

Repeat with other well-thought mottos for other members of the family.

Alternatively, fake a “Lonely XXXX grrrl looking for action, sis phone#” on a wall, photograph it, then have someone else send it to you “as seen on a bathroom stall at Club Queen B downtown.” Wipe clean the wall.

@ George H.H. Mitchell

The 600M+ Europeans reside in 40-odd countries, some of which have yet to take the leap to modern times; and others, where there are no jurisprudential safeguards of the Anglo Saxon type whatsoever (ask Amanda Knox, 4 years in jail due to the prosecutor’s and judges’ superstition and moral indignation). But, yes, compared to the US, we have had a “taste” of fascism, hence the legislators (if not the public) are generally more wary of the roads already taken and leading into an abyss. Whereas the Yanks seemingly can’t wait to get there.

Sent from Charlene, my iPhone. There are other iPhones like it, but this one is mine.

Buck January 13, 2016 8:04 PM


Is it worth the effort?

I think we can safely ignore that question in this particular context for now… First, consider the financial inertia currently present in the advertising and data-aggregation industries. Then, think about how increased expenses due to additional ads can easily be passed along in the cost to consumers. After that, ask yourself if investors are just waiting for the right algorithms to capitalize on this abundance of seemingly useless data, or if it has already begun..?


Charlene… LOL! You’d better take good care of her! I wonder how fast you can disassemble and reassemble yours. 😉

Matt January 13, 2016 8:21 PM

Adblock. Install it. Commercial TV. Unsubscribe from it.

You can get most of the shows you want via streaming services (or other methods). Get as much advertising out of your life as possible; it’s killing you and you don’t even know it.

maaami January 13, 2016 8:23 PM

Correct me if I’m wrong, but it sounds like the protection against cross-device tracking is the same as against cross-site tracking on the same device. That is, as far as browsers are concerned:
– Use an Ad/Tracker blocking plugin, for example AdBlock
– Use a JavaScript blocking plugin for unneeded third-party scripts, for example NoScript.

(The latter is also installed in the Tor Browser, although “allowing all” by default. So, go ahead and use it. The wider it’s used, the greater the anonymity of each user.)

Because, even if the tracking scope is wider (cross-device, additionally to cross-site), it uses the same principle: third-party scripts listening for tracking input, being that cookies (cross-site) or sounds (cross-device).

Buck January 13, 2016 8:33 PM


I’m genuinely interested in that… Are there any available streaming services (or other methods) not involved in any form of advertising?

Mike Gerwitz January 13, 2016 8:41 PM


The whole “OSS is more secure” is nonsense! Time and again it has been shown to be a totally false statement.

It may or may not be true; that misses the point.

The problem is that you are unable to inspect it, or have someone else do it for you, so any element of trust is fundamentally misplaced—the author(s) of the software have used their position to empower themselves and leave you in the dark, to control you. That in itself suggests reason to mistrust.

You are also unable to make changes to the software (or have someone else do it on your behalf) if you find that it does something that you distrust.

Just passin thru January 13, 2016 9:09 PM

If I understand this correctly, IOT or Web devices in my home record events inside my house that cannot be discerned from outside.

At least within my home state California, we have a constitutional right to privacy.

I smell a lawsuit. I have given no permission for any device/service/person/WebsiteIHappenToVisit/IOTthingee to record/transmit any information from inside my house, nor permission for <> to emit any such information for retransmission.

Wiretap laws within California are also strong. IANAL, but this is probably beyond just a civil tort, but possibly also a penal one.

And for many viewers of this blog, it should not be hard to gather the evidence if this is going on.

Katniss January 13, 2016 9:20 PM

It’s time for a new app. I’d suggest that it be called Mockingjay, but I’m guessing we’ll have to settle for Mockingbird. It’ll repeat the inaudible sounds it hears. But more importantly, it’ll share with other Mockingbird apps, letting the “songs” spread and travel.

Wael January 13, 2016 9:41 PM


That reminds me! I duck-taped all the cameras on my devices! Another weapon in the Arsenal!

Buck January 13, 2016 11:00 PM

@Just passin thru

Generally, when you unwrap one of these devices, you immediately throw away the fine print that reads something along the lines of

By using this service, the consumer agrees to the following terms and conditions, including but not limited to:

  • Our awesome company will use all of your personal information to give you the greatest user experience anyone could ever conceive of
  • We will give away or sell your personal usage statistics only to the very best companies, or those who are otherwise willing to pay us enough money
  • In no way can we be held responsible for any losses incurred by the devil coming to collect his dues

(We reserve the right to change this agreement at any time, with or without prior notification)

Not impossible, but good luck getting a civil tort lawyer to take that case on pro-bono! 😉

Alien Jerky January 13, 2016 11:32 PM

Well it seems the IoT spying devices interfere with the NSA bugs and cameras they use to spy on me.

camilo January 14, 2016 1:10 AM

I bumped into this little piece ( other day. And although the conclusion is rather exaggerated (“So the trade negotiators have spoken. No point in any more debate. The FBI and NSA are out in the cold, but the chairman of the Securities and Exchange Commission can require companies to cough up their encryption keys.”), in the sense that the current crypto war is over due to the specifics of the TPP, the other part of the conclusion, appears – to me at least – more alarming than a win.

Any comments?


Does anyone have any more information about PrivaTegrity, currently being developed by David Chaum?


Ian January 14, 2016 2:42 AM

Ah the joy of headphones. Like to see them get around that! (I use noise cancelling headphones because of hypersensitivity to background sounds. But that should mean that they can’t use that approach on me.)

So in essence.

Private businesses (and government agencies) think they have the right to:

Invade my home with unauthorized sound-based information (albeit inaudible to me),
Invade my technology with unwanted software,
Steal my information (on preferences) without even offering freebies in return?

In my own home!!!

I’m sure they include it somewhere in 100 pages of small print in some licence [sic, yes, I’m a Brit] agreement?

Anyone have a cave with plentiful supply of fish, game, fresh water and wood available…?

Coyne Tibbets January 14, 2016 2:49 AM

@Schneier: “We accept all of this Internet surveillance because we don’t really think about it.”

Ignorance is bliss.

@k15: “This all sucks when government has the information, and when corporations do. What happens when organized crime gets hold of it?”

The most effective organized crime is that which masquerades as ordinary corporations doing ordinary things. As in: they already have it any time they want it. The difficulty is: how can we steal money by knowing when someone turns up the thermostat?

@SoWhatDidYouExpect: “Thus far, none of my computers have microphones (yes, the laptop does but it gets turned on very little).”

What makes you think the laptop microphone isn’t on all the time? This goes back to the article on SaaSS given by @Mike Gerwitz: you have no way to know what the software on the laptop is actually doing. It could be listening all the time.

Remember that listening doesn’t mean “transmitting all the time.” With respect to the sounds-compromise-TOR concept discussed on this page: the laptop could be listening specifically for the sounds that identify a TOR connection and transmit nothing in the absence of those.

@Just passin thru: “I smell a lawsuit. I have given no permission for any device/service/person/WebsiteIHappenToVisit/IOTthingee to record/transmit any information from inside my house, nor permission for > to emit any such information for retransmission.”

Your problem is: proving that it is. Assuming it is, that fact is a proprietary trade secret. You can’t get a court order to force disclosure without evidence (you’d have trouble getting one even if you did have evidence).

The real issue with IoT surveillance is that it isn’t possible to know it’s going on. The only thing you can really do is unplug the IoT device.

Clive Robinson January 14, 2016 5:32 AM

@ BrotherChew,

Any radio with quality speakers

No, not required, same as the microphone, any crappy old set of speakers and microphone will do.

I’ve explained why on this blog before.

Jason Khanlar January 14, 2016 5:53 AM

Technically, there is something that can be done about it.

All frequencies of sound that we cannot audibly hear could be constantly streamed such that any additional specific frequencies produced will be plausibly disrupted or drowned out.

It may affect dogs and other animals however.

Thoth January 14, 2016 6:32 AM

This ability to use audio side channels to spy and exfiltrate/infiltrate into systems (even a small start up could pull it off) is the common feature of the future trojans, malware and backdoors (despite them already existing in Government context deployment).

Brace yourselves for more side channel attacks becoming a reality and something a script kiddy could easily conjure without breaking much sweat.

Higher assurance devices, techniques and algorithms are still classified as controlled “munitions” (especially with recent revisions of the Wassenaar Agreement) for the sake of making the population and other Governments easier to penetrate (and also to spread misinformation on actual security assurance techniques and know-how) and manipulate.

A proper higher assurance setup using physical switches in between circuits of physical peripherals (e.g. microphone, audio jack, webcams …etc…) and a security microkernel that allows you to explicitly assign/deny access to device drivers and logical daemons hosted in microkernel compartments would have quite easily negated the above threat and many others that follow.

What failed is the current state of community driven security efforts to push out higher security assurance devices, techniques and algorithms in a practical format despite these higher security assurance techniques and methodologies having existed in the wild for quite some time (from published papers and running projects). Part of the blame could be leveraged at Governments for their efforts to stamp out higher security assurance for the masses in exchange for easier surveillance and population control (a.k.a. Echelon National Security).

Silver punch to the nuts January 14, 2016 7:05 AM

SilverPush is an Indian startup that’s trying to figure out all the different computing devices you own.

Don’t own any except for a computer. Good luck Silverpush.

It embeds inaudible sounds into the webpages you read and the television commercials you watch.

Why watch the idiot box – it is simply mind-numbing, bread and circuses propaganda anyhow.

Software secretly embedded in your computers, tablets, and smartphones picks up the signals, and then uses cookies to transmit that information back to SilverPush.

Don’t own a tablet or spy-phone either. Better luck next time.

The result is that the company can track you across your different devices. It can correlate the television commercials you watch with the web searches you make.

It has nothing to correlate with (random exit IP) TOR use. Try again Stasi f**kers.

It can link the things you do on your tablet with the things you do on your work computer.

Wrong. You win if you don’t play with the i-gadgets, period.

As other commentators note, open source is the key – software / hardware and everything else.

We want experts to inspect everything and VERIFY. No more models of trust can be allowed for companies that will continue to abuse your personal data at whim. These Indian gits are just the latest example.

Re: the computer spying on your ass – time to invest in a Libre 13/15 laptop and run it in combination with Qubes.

This project is getting somewhere, with Purism only using free/libre and open source software in the kernel, OS, and all software. If you care about this important project, then support it with your hard-earned $. Plus, it looks polished, unlike the Novena which is simply UGLY.

Purism offers the first high-end privacy and freedom-respecting laptops by manufacturing the motherboard and sourcing daughter cards, where all chips are designed to run free software. Purism laptops are completely free from the bootloader through the kernel (with no mystery code, binary blobs, or firmware blobs), including the operating system and all software. We have yet to free the Intel FSP binary and ME binary from within the coreboot BIOS to move us toward FSF RYF endorsement. We are working diligently to free the BIOS, but our goal is to go further than that: Purism also intends to free the firmware within HDDs and SSDs.

Check out the Purism roadmap below. Note they have almost completely freed the BIOS.

r January 14, 2016 10:40 AM



ScitzoDuck huh?


I prefer the latter, although I’m starting to wonder about search engines like startpage that outsource and scrub their queries because of their backend…

TLS is padded right?

r January 14, 2016 10:55 AM

@ GeorgeW,

Yes, of course this could be applied over tor.

We (personally) have to use Tor to access ebay, amazon, etc…
We also have to use Tor to access youtube and facebook – these would be where you would have to be especially careful if you’re so inclined. I’m fairly certain these signals could readily be overlaid into existing audio/video streams rather than deployment as independent ads.

If you do use hidden services, I wouldn’t think you’re as vulnerable to this type of modulation but i wouldn’t put it past the fbi to embed something like this next time they take down something like torservers.

David A January 14, 2016 11:00 AM

Surely the bigger issue is the increasing user acceptance of software that is recording all sound (and, perhaps, video) nearby. Irrespective of whether it successfully links two user profiles together, it’s a privacy-invading spy in your pocket. Advertising software could avoid the whole complex mess of trying to tie your TV-watching habits to your smartphone Internet searches, simply by listening to your conversations down the pub about all the things you like and dislike.

I presume that I’m not the only person to occasionally surf the web while using the bathroom. Who’s watching / listening then?

What we need is for all devices to incorporate a physical (or at least, OS-level) “off” switch for the mic and the camera. Didn’t Silicon Graphics workstations, in the mid-nineties, have the decency to provide a small plastic flap that could slide in front of the camera for privacy?

As a side note, there are several commenters advocating that we solve this problem by all ditching our smartphones and televisions. I’m curious as to whether they genuinely think that this is a viable or likely option for the vast majority of people, or whether they are simply being smug? As noted above, the list of devices that might be eavesdropping is already extensive and only growing.

Sancho_P January 14, 2016 5:48 PM

Again, I’m skeptical regarding ultrasonic inaudible sound info.
For the (TV) ad it would be easier to recognize e.g. the typical “Call now and we’ll send you two of our famous bags of s**t for the price of one!” in the ad.

Ditto here. Now we have to add a “Double Zipper” and submerge unused mobiles in caramel pudding (or vanilla if you prefer).

r January 14, 2016 9:47 PM

@Mike Gerwitz,

I see what you did there…
I forgot about bicycle, hadn’t considered it but as a general practice we don’t actually login to shopping sites over Tor respectively. 🙂

But I do see your point, well played.

Clive Robinson January 14, 2016 11:42 PM

@ Sancho_P,

Again, I’m skeptical regarding ultrasonic inaudible sound info.

And so you should be, because it’s totally unnecessary, as I’ve explained in the past.

Most people will tell you that “ads are loud” and they turn the volume down etc. The truth is they are nowhere near as loud as people think they are, as a sound pressure meter will quickly show.

The main reason “ads are loud” is they are compressed and “general programming content” is not. This trick fools the ear and the brain, but not an audio analyser or heavily regulated transmitter bandwidth (FM) or envelope (AM).

If you look at an audio analyser “waterfall display” of a commercial broadcast it’s usually very easy at a glance to separate out ads from general program content due to the change in the pattern (the flip side is that certain types of music are heavily compressed so you get false positives for ads).

By using various compression techniques, it is quite easy to generate a “recognizable envelope signal” which like Morse Code is very easy to pull out of quite a lot of background noise.

Although there may be “false positives” in simple systems, it does not really matter. The backend company knows sufficient other information to filter those out with relative ease.

AndyF January 15, 2016 12:20 AM

The EU data protection laws are quite clear on this sort of product/system and deployment of them would clearly break the regulations. This is because in the EU data protection is based on broad principles which can be applied to individual cases.

It doesn’t prevent a company outside the EU deploying IoT spying tools but any organisation within the EU which tried to use the results would very quickly find themselves in hot water.

John Nash January 15, 2016 4:36 AM

I don’t think you can ever stop your data leaking out. Even without this sort of thing Google/MS/Apple already are present across devices so already know this. For other security info one slip up is all it takes. We are human. Mistakes are a given.

If we’re interested in hiding our browsing, what we need to do is hide it within a stream of automated random browsing designed to look like a human.

If all day long an app on my devices jumps around the net looking at various things, neither my OS provider, my ISP nor the various cookie companies should be able to figure out when the app is looking and when I am.

If they want to figure out something about me they’ll have a hard time. Now it’s them that only has to slip up once to be caught out. Just one time mistake my security app’s browsing for me and you’ve got a mistake in your profile. Pretty soon it’ll start to fill with contradictory data.

TRX January 15, 2016 9:11 AM

Even if a system doesn’t have a speaker… you could still get low-speed and short-range data transfer by seeking the hard drive or playing with fan speed.

SoWhatDidYouExpect January 15, 2016 11:28 AM

@Coyne Tibbets

Your observation would be correct if the laptop were connected to its QuickDoc adapter (which is plugged in and powered on) or if its own power adapter were plugged into a wall outlet and connected to the laptop. Maybe?

In general, the laptop can only respond if its power light is on (that is, turned on even when the lid is down), or in hibernate state. That is almost never the case in my situation. Checking the router shows it is not active. This is probably due to the fact that the laptop is in its case, AFTER being turned off and being placed there for travel or storage purposes. A powered on laptop in the carrying case is not a wise thing…eventually the battery is drained or could be a possible heating/fire hazard (how much could that microphone pick up anyway?)

But, your cautionary point is well taken.

albert January 15, 2016 2:41 PM

@Just passin thru, @Buck,

Since EULAs, etc. are considered legal contracts, they are only invalid if they promote illegal activities. ‘Signing’ away your privacy rights is not illegal. Read those things; they are boilerplate, and court-tested. We can thank Micro$oft for the “we’re not responsible for anything” EULA. I don’t recall who started the “we can do anything with your data” TOS.

Game, set, and match.

@Clive Robinson, etc.

The brain and ears are not fooled. Loudness is a perceived quantity. Just as pitch is our perception of frequency, loudness is our perception of sound intensity. Your example of intensity vs frequency does show compression at work at any instant in time. Loudness may be viewed as the area under the curve in that Intensity vs. Frequency display. More telling is I/F over time. Continuous wide-band ‘program’ material is much more annoying than the occasional short term case. Compression allows constant, maximum sound intensity over time. This is true of pop music, and it’s been used since compression was invented. Looking at TV ads, one notices the ubiquitous presence of ‘background’ ‘music’ (quoted because it’s neither background nor music :) While it may serve, in rare cases, some purpose in reference to the product, its primary function is to fill in gaps in the dialog (ad copy). Fast tempos increase the urgency of the message, slow tempos are great for sleep aids. Spoken word covers ~300 to 3000 Hz for minimum understandability (sibilants can go higher), where music can cover 20 to 20 kHz easily. That’s how you fill up the frequency gaps, and that’s how you keep the annoyability factor at 1.0. Nothing is left to chance in a well-crafted commercial.
I have my doubts about high frequency encoding in TV. You have things that may be useful, and things that sound like they may be useful. Even snake-oil salesmen can make money.
. .. . .. — ….

r January 16, 2016 12:56 AM


fan and hdd are interesting additions to any suspicion here, i don’t think i’ve mentioned my curiosity about monitor/”gpu coil whine” in any of the related previous threads…

I know specifically one of my LCDs would emit a tone when a window was primarily white and maximized, you think things like that can be modulated?

Figureitout January 16, 2016 7:23 AM

–On some older Dell desktops (at my school) I could clearly hear buzzing electrical noise that would correlate w/ moving windows around/re-sizing on screen. It could also be the graphics card/chip or more likely it’s power supply electronics. I tried to hear w/ typing characters but couldn’t. As well as hearing what I can only describe as “computational noises”, electrical “mumbo-jumbo”, when I plug in a USB stick (as it’s “authenticating” (lol) what it is, and reading the flash).

I tested this too many times to be something else, and I could hear thru my headphones. I tried for a little bit trying to get a sample of the noise w/ audacity on the PC, and I wanted to use my little RTLSDR dongle but it can’t capture audio w/o some “downconverter”. So frustrating I couldn’t capture this noise and track down exactly what it is.

There’s this acoustic research too, and in the pictures you see the ventilated side pointed at the microphone (these vents all go straight to the CPU), but I vaguely recall there was some noise issues when the fans turned on (so a silly countermeasure would be a bunch of separately powered fans in your box, and that’s just for acoustics).

Figureitout January 16, 2016 7:29 AM

–On the capturing audio bit, there’d probably have to be some microphone anyway, so doubtful it’d work w/ RTLSDR.

albert January 16, 2016 11:08 AM


If anyone has access to schematic diagrams, they might check the mic input circuits. Input signals may be present all the time in the input preamps (and perhaps even further downstream), regardless of the ‘on/off’ state of the mic. I doubt the mic circuitry is controlled by an electronic switch. Is it controlled by software? Ditto for speakers.

To access the mic one would expect to have to have installed malware first. How can this be done through the mic? If it can’t be done on a clean machine, then the malware must already be there before you buy it.

. .. . .. — ….

albert January 17, 2016 3:32 PM

@Figureitout, r, Mike, etc.

I read the ‘Acoustic Cryptanalysis’ paper ( and found it fascinating. We used to ‘listen’ to the motherboards ‘singing’ in older Dell desktops. According to the paper, the acoustic signals are being generated by the voltage regulating circuit components, specifically, capacitors. I suppose using overrated caps, potted in epoxy might work, but you still have the chassis-potential and power input analysis attacks to deal with. The authors suggest some mitigating techniques that don’t require hardware.

I guess this business will continue for a long time….

. .. . .. — ….

Clive Robinson January 18, 2016 2:02 AM

@ ronys,

On reading your post, two things got triggered in the back of my mind.

The first was the “There’s always time for lubricant” scene in the film Evolution (of which you will find plenty of clips up on lub-tube 😉

And an Internet viral from years and years ago which was taken from the “consumer advice sheet” in the box of a Johnson & Johnson “rectal thermometer” where the marketing team had gone a little overboard and said that each one had “been personally tested” by the staff on the production line. The viral asked two questions. The first: would you want a job doing the testing on that production line? The second: would you want to use the rectal thermometer after it had, as the product sheet indicated, been up a tester’s bottom?

However on reading the link you gave, it appears that the same marketing copy writers are working for this company…

I’ll be honest, on my list of things to know, the GPS location, name and rectal temperature of somebody I don’t know –or even know for that matter–, does not make the bottom of my things to know list by a very very long way… And the thought of a bunch of “helicopter mums, of the chattering classes” grouping their children’s readings on the Internet looking for “hot spots” of potential sickness just leaves me floundering in cognitive dissonance, muttering comments about sanity or the lack thereof.

Figureitout January 18, 2016 8:01 AM

–Yeah it was a great paper (and its derivatives, like the “PITA” one, some small loop antenna and SDR captured noise at 1.7MHz). Thinking back again, I did capture some of the noise w/ audacity (think it was on mic port, I think), resizing the screen (the whiter the screen, the more noise; logically the whiter your screen the more power it needs), but figured it could be easily faked still so not very good evidence. And I was unsure how to take it to the next step (I just wanted to know exactly where it was coming from, which means in-depth circuit analysis, which I’m not good at). That I could hear w/ my headphones must mean some kind of freaky “audio rectification” type phenomenon is happening (all guesswork still) or maybe noise is close to soundcard, and that would mean noise is likely being generated in scattered RF bands (much worse than just audio noise).

So yeah closing all those holes (I could hear different noise plugging in USB stick, what if each peripheral has its own unique noise? I need to replace like 10 large caps around the CPU on an older box, there’s caps everywhere.) seems like a losing battle from a small consumer standpoint. You simply need a sound-proof shielded enclosure w/ strongly filtered power and disciplined OPSEC if these are legit threats (distance and bandwidth limit these).

swade January 18, 2016 12:41 PM

@Mike Gerwitz

Clearly there’s no argument about the value of open source when it comes to security/encryption/etc. In actual practice (see OpenSSL heartbleed), it is easier said than done. Still, if OpenSSL wasn’t open, these exploits might still exist.

However, IMHO, free software has had more to do with the creation and acceptance of the internet surveillance infrastructure than any other factor. Software doesn’t develop for free. Programmers must be paid. When the world expects software to be free, how does a software company keep their lights on? Right now, the solution is to mine data and sell ads. Perhaps this was the long term plan of the evil geniuses at Google right from the start (we’ll give our services away in exchange for personal information which will kill the “paid” service market which will allow deeper surveillance, etc.) or, more likely, it just developed organically, and they got very good at it.

This isn’t all bad. Many “free” services (Yelp, Google Maps comes to mind) are more useful when there are more users. If one had to pay for Yelp, then how many would actually join and, with far fewer reviews, how useful would it be?

No easy answers other than to be aware… which, according to this post, is just going to get more difficult.

swade January 18, 2016 12:51 PM

One sort of follow-up: I realize the “free” software that you mention (open source) is not the same as the “free” software that I’m talking about (closed source, free apps), but I think both contributed to the current expectation that the internet age = free (i.e. no cost) software.

Clive Robinson January 21, 2016 5:00 PM

@ Lawrence,

Can the speakers on my TV or PC or phone produce sounds over 20KHz?

This has been discussed before on this blog back when BadBIOS was first talked about.

Put simply there are two types of speaker you will find in a PC. The first is the old moving coil / paper cone type, the second is based around a piezo crystal.

Both, if driven by a 20KHz signal, will produce some output. In the case of the moving coil, unless it’s designed as a “tweeter” the output will be very small. Piezo crystal speakers however can be rather more efficient as transducers at 20KHz than they are down below 8KHz.

But… the TV/PC you are using probably has analog “roll off filters” with a cut off frequency somewhere between 15-18KHz due to trying to keep the audio level equalised across the band as well as removing digital artifacts from the D-A converter (in laptops however the filter may be absent or above 20KHz due to component issues).

But most humans by the time they are mid twenties can not hear above 17-18KHz and many not above 13KHz in their mid to late thirties.

But you don’t have to use high frequencies to send data in adverts. Usually the audio is compressed to make sound louder, thus jingles etc can be arranged so that the data envelope modulates two audio band segments in antiphase. Thus you could have 8-10KHz as one band and 12-13KHz as the second band; you make the level rise in one band but at the same time decrease the second band level proportionately, which leaves the broad band sound level approximately the same. A simple audio analyser can be adjusted to work with this signal and extract any data superimposed this way.
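As an added illustration of the two-band antiphase envelope scheme described in the comment above, and of the audio-analyser view from the same commenter earlier in the thread: the code below is not from the post or any commenter. It synthesizes a constructed “jingle” with a hidden bit pattern, then a pure-Python band-power analyser recovers the bits while showing that the broadband level stays flat (which is why a volume meter sees nothing). Carrier frequencies, symbol length and level values are assumed for the demonstration.

```python
import math
import random

# Assumed parameters (not from the thread): CD-style sample rate, one carrier
# inside each of the two bands named in the comment, and 10 ms symbols so that
# both carriers complete a whole number of cycles per symbol (90 and 125).
SAMPLE_RATE = 44100
BAND_A = 9000.0          # Hz, inside the 8-10 kHz band
BAND_B = 12500.0         # Hz, inside the 12-13 kHz band
SYMBOL_SAMPLES = 441     # 10 ms per bit
HIGH, LOW, MID = 0.9, 0.3, 0.6   # antiphase levels; MID = unmodulated


def synthesize(bits, seed=1):
    """Constructed 'jingle': a 440 Hz tone plus a little noise, with the two
    high bands level-modulated in antiphase by the payload bits. A 1 raises
    band A and lowers band B, a 0 does the reverse, None leaves both at MID
    (no signalling). Returns a list of float samples."""
    rng = random.Random(seed)
    samples = []
    for bit in bits:
        if bit is None:
            a_amp, b_amp = MID, MID
        else:
            a_amp, b_amp = (HIGH, LOW) if bit else (LOW, HIGH)
        for _ in range(SYMBOL_SAMPLES):
            t = len(samples) / SAMPLE_RATE      # continuous phase across bits
            x = 0.5 * math.sin(2 * math.pi * 440.0 * t)
            x += a_amp * math.sin(2 * math.pi * BAND_A * t)
            x += b_amp * math.sin(2 * math.pi * BAND_B * t)
            x += rng.uniform(-0.05, 0.05)
            samples.append(x)
    return samples


def goertzel_power(frame, freq):
    """Power of a single frequency bin over one frame (Goertzel algorithm),
    i.e. one cell of an analyser's waterfall display."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def rms(frame):
    """Broadband level of one frame: what a simple volume meter would show."""
    return math.sqrt(sum(x * x for x in frame) / len(frame))


def analyse(samples):
    """Per-symbol band powers, their normalised difference ('balance', in
    [-1, 1]) and the broadband RMS level."""
    rows = []
    for i in range(0, len(samples) - SYMBOL_SAMPLES + 1, SYMBOL_SAMPLES):
        frame = samples[i:i + SYMBOL_SAMPLES]
        p_a = goertzel_power(frame, BAND_A)
        p_b = goertzel_power(frame, BAND_B)
        rows.append({"p_a": p_a, "p_b": p_b,
                     "balance": (p_a - p_b) / (p_a + p_b),
                     "rms": rms(frame)})
    return rows


def decode(samples, threshold=0.3):
    """Recover bits from the sign of the band balance. Frames whose two bands
    sit within the threshold of each other yield None: that is what ordinary
    programme content looks like, so None is the 'nothing hidden' verdict."""
    bits = []
    for row in analyse(samples):
        if row["balance"] > threshold:
            bits.append(1)
        elif row["balance"] < -threshold:
            bits.append(0)
        else:
            bits.append(None)
    return bits


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 0]
    audio = synthesize(payload)
    for row in analyse(audio):
        print(f"balance={row['balance']:+.2f}  rms={row['rms']:.3f}")
    print("decoded:", decode(audio))
```

Running it prints a balance swinging between roughly +0.8 and -0.8 while the RMS column barely moves; feeding an unmodulated clip (all `None`) decodes to all `None`.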

Steve January 30, 2016 7:39 PM

My olfactory system may be deceiving me, of course, but why am I smelling the redolent odor of snake oil here?

I find it difficult to believe that most computer or mobile devices can either send or sense anything in the ultrasound range (more than 20 kHz). Have you listened to the audio produced by your cell phone? It’s pure crap. And I doubt that more than a few audiophiles have computer speakers capable of reproducing anything close to 20 kHz with any faithfulness whatever.

While Clive Robinson’s phase modulation scheme sounds plausible I’d like to see a proof that something like this is actually operating “in the wild.”

It sounds (pun intended) to me that SilverPush, et al, have simply found the 21st Century’s “subliminal advertising” (and that didn’t work, either).

ianf February 5, 2016 4:52 AM

Timely advice from @ Matt: “Adblock. Install it. Commercial TV. Unsubscribe from it. You can get most of the shows you want via streaming services (or other methods).”

Right-o, all we children of Affluenza with unlimited media budgets.

@ albert

[…] “Self-driving cars will eliminate the need for folks to learn how to drive.”

And what would be wrong with that… it’s not like that learned ability is essential to human survival. There are plenty of other skills that some people possess of which others of us wouldn’t know which end is which. And yet we thrive.

[…] “what happens when sensors fail? When the air-speed sensors failed on Air France Flight 447, it crashed into the Atlantic (… the pilot didn’t know what was happening… corrective action was possible, but not taken).” […] “Anyone who thinks that the makers of automated systems are seriously designing for safety and security is living in a dream world. They can’t design safe multi-billion dollar nuclear plants, so what chance do we have with autos, or refrigerators?”

That’s a bit headstrong a statement… of course they design ALSO for safety and security (otherwise they’d be killing off their initial customer base), but then they have all those other “holy market gods” to kowtow to… budgets, schedules, etc. All the while the overall complexity of systems grows exponentially. Over and above certain technological level, no systems are ever (long-term-)tested for security and safety, not at the level their designers would prefer to, because then they’d become technically obsolete vs. ever newer entries from the competitors. The final testing is always undertaken by, sometimes v. unlucky indeed, end-users. That’s how it works.

    That said, I think it unfair to compare malfunctions of truly life-critical complex systems as that of AF447 with such stemming from simplex works-or-not of household hardware. Because, if my “IoT” coffee maker communicates behind my back with my fridge and then orders top-up of a fresh can of cream a week too soon, the worst that can happen is I end up with a spare can, not a Chernobyl in my kitchen.
