Shhh! Shazam is always listening – even when it's been switched 'off'

A security researcher has discovered that when the Mac version of Shazam is switched off, it simply stops processing recorded data. The recording itself continues. The music identification service admits the behaviour but says it only keeps recording purely for technical reasons. Patrick Wardle, a former NSA staffer who heads …

  1. xeroks

    Pause for thought

    Sounds like Shazam should think about calling their current "off" function "pause" instead, then add a new "off" which actually switches it off.

    I would expect most users will eventually just pause, but they should be given the choice.

    1. BillG
      Devil

      Takes Privacy

      "Shazam takes user privacy very seriously"

      Whenever I read this classic Google boilerplate statement, I read it as:

      "Shazam TAKES user privacy! Very seriously!"

      1. tomDREAD

        Re: Takes Privacy

        Shazam takes user privacy. Seriously! FTFY

    2. Gotno iShit Wantno iShit

      Re: Pause for thought

      What gets me about this article is Wardle complains of incorrect use of terminology, off is not (fully) off. Yet Wardle is equally guilty of incorrect use of terminology, El Reg too. Wardle found that the sound is not committed to any storage media, processed nor transmitted to the mothership yet the word 'recorded' is repeatedly used.

      Recorded: to set down in writing or the like, as for the purpose of preserving evidence.

      Sure the mic is on but the data is just going to /dev/null.

      I agree with xeroks, Shazam should call this state paused, give a proper off option too and explain the difference.

      1. oneguycoding

        Re: Pause for thought

        Ha! But pause usually implies a stop in processing of input data no? Maybe flow-through would be better (or flo-thru for our American speaking friends).

      2. HieronymusBloggs

        Re: Pause for thought

        "Sure the mic is on but the data is just going to /dev/null."

        No doubt it's stored in at least one buffer (which could be considered a form of recording) before it gets there.

  2. Dan 55 Silver badge

    What does 'off' mean?

    So we're talking about leaving Shazam running but not listening to music?

    Presumably if you exit the app it stops, unless it leaves some always-on background helper process running.

    1. Anonymous Coward
      Anonymous Coward

      Re: What does 'off' mean?

      "off" means "off" ..

      sorry, weird day

  3. Anonymous Coward
    Anonymous Coward

    How else are the US corporations and spooks supposed to harvest all your most personal info...

    ...if they are not collecting all of your data and personal conversations all of the time?

    No need for Big Brother to bug your house when you buy and install this shit for them!

    1. Orwell

      Re: How else are the US corporations and spooks supposed to harvest all your most personal info...

      Not only MacOS. If you have an Android device, Google is always listening and the microphone cannot be switched off. See the comments here:

      http://www.ghacks.net/2014/03/07/mute-microphone-android-device/

      Other devices too.

      http://www.usatoday.com/story/tech/columnist/komando/2015/10/02/3-gadgets-always-listening-and-how-stop-them/73191644/

      Who would have thought that the population would not only invite mass surveillance devices into their homes but pay for them too!

      1. Anonymous Coward
        Anonymous Coward

        Re: How else are the US corporations and spooks supposed to harvest all your most personal info...

        Google always listening is why most of their captured audio from me is likely to be forceful farts and the phrase that follows, "That's for you Google".

        Downside is they can probably identify me at any rest room on the planet.

    2. Voland's right hand Silver badge

      Re: How else are the US corporations and spooks supposed to harvest all your most personal info...

      In this particular case I suspect what the developer is saying is true.

      By the time you ask an app "WTF is this on the radio" the horse has bolted. It is quite likely not to have enough data for an answer. So having two levels of "OFF" - processing and listening is a natural technical decision.

      Now, why did the developers communicate it so poorly is a different story. I suspect it is a case of Hanlon's razor.

      1. allthecoolshortnamesweretaken

        Re: How else are the US corporations and spooks supposed to harvest all your most personal info...

        "Now, why did the developers communicate it so poorly is a different story. I suspect it is a case of Hanlon's razor."

        Well, people who write stuff like "the user's decision not to leverage our app's functionality is fully respected" obviously have poor communication skills.

        1. Deltics

          Re: How else are the US corporations and spooks supposed to harvest all your most personal info...

          I'd say the exact opposite. They are very highly skilled and very highly trained.

          It's the difference between being skilled in communication and understanding the people you are communicating with and their needs/expectations.

    3. bombastic bob Silver badge
      Devil

      Re: How else are the US corporations and spooks supposed to harvest all your most personal info...

      "No need for Big Brother to bug your house when you buy and install this shit for them!"

      Someone would STILL have to code a 'back door' zero-day, or pay them (Shazam devs) under the table for it.

  4. Andy Non Silver badge
    Coat

    On the positive side...

    The developers are listening to what their users say.

    1. TeeCee Gold badge
      Coat

      Re: On the positive side...

      That should be easy to prove. A quick check to see if they really do have their products shoved up their arses should do it.

    2. bombastic bob Silver badge
      Thumb Up

      Re: On the positive side...

      "The developers are listening to what their users say."

      BRILLIANT! on MULTIPLE! LEVELS!!! (thanks, I needed a dose of snark)

  5. Dan Wilkie

    I mean I get their point - and I can see the technical reasoning behind it. But then I did leave my tinfoil hat behind this morning next to my phone so it might be the mind control...

  6. Anonymous Coward
    Anonymous Coward

    Language

    "so the user's decision not to leverage our app's functionality is fully respected"

    Use of our language such as this makes me want to leverage the functionality of my toilet to throw up.

    1. Anonymous Coward
      Anonymous Coward

      Re: Language

      Verbificationalist Ameribarstardationisms of English?

      Shirley not.

      1. Oliver Mayes

        Re: Language

        I'm anaspeptic, frasmotic, even compunctuous to have caused such pericombobulation.

        1. Anonymous Coward
          Anonymous Coward

          Re: Language

          You clever sausage.

  7. Anonymous Coward
    Anonymous Coward

    Perhaps I overreacted..

    Saw the headline and immediately went to the uninstall option!

    1. Robin

      Re: Perhaps I overreacted..

      You call that overreacting? I put my foot through the screen and sent the Shazam developers the bill.

    2. Anonymous Coward
      Anonymous Coward

      Re: Perhaps I overreacted..

      Which bit was an overreaction?

    3. allthecoolshortnamesweretaken

      Re: Perhaps I overreacted..

      No.

  8. Vimes

    'Shazam takes user privacy very seriously'

    Funny how this term is abused so frequently.

    Phorm, BT, 3UK, Vodafone, even the UK government when it was begging the EU commission not to sue them over 'implied consent'...

    1. Captain DaFt

      'Shazam takes user privacy very seriously'

      "Funny how this term is abused so frequently."

      Seems plain enough to me; They take your privacy away and are very serious about it.

    2. Anonymous Coward
      Anonymous Coward

      'Shazam takes user privacy very seriously'

      Funny how this term is abused so frequently.

      No it isn't. You can't ignore something properly unless you know exactly what you're ignoring, and that takes serious effort.

      Sadly, I'm not even joking.

  9. Your alien overlord - fear me

    So if Shitzam is listening, does that bugger up any other app that wants to use the mic, like Skype etc? It certainly caused issues in Windows 10 recently so is MacOS the same?

  10. Anonymous Coward
    Anonymous Coward

    At the very least it's draining power, think I'll stick with Cortana. And what's with the picture, Dog, that's a speaker not a mic!

    1. Anonymous Coward
      Anonymous Coward

      Pedantically...

      A speaker is a mic. Just as a mic is a speaker.

      Switch off your mic and they can still listen in using your speakers.

      1. the spectacularly refined chap

        Re: Pedantically...

        A speaker is a mic. Just as a mic is a speaker.

        That is one of those things that strike me as having been seen on Doctor Who, MacGyver or whatever with no real idea of the practicalities. Seriously, you are not going to get any useable signal out of a moving coil speaker used as a mic even if the surrounding circuitry could theoretically read it. And as for getting any sound at all from a condenser mic, forget it completely.

      2. bish

        Re: Pedantically...

        Ha! Correct, but they'll first have to wire your speakers to an input, and it'll sound pretty awful. For all that effort, they might as well just bug your entire house, which of course they have.

      3. bombastic bob Silver badge
        Facepalm

        Re: Pedantically...

        "Switch off your mic and they can still listen in using your speakers."

        I think you need a refund on your engineering degree

        1. The First Dave

          Re: Pedantically...

          Not at all - a speaker and a microphone are essentially the same device, though optimised in two different directions - making a standard speaker vibrate will cause the driver coil to excite, and exciting a mic will make it vibrate.

          1. mad physicist Fiona

            Re: Pedantically...

            Not at all - a speaker and a microphone are essentially the same device, though optimised in two different directions - making a standard speaker vibrate will cause the driver coil to excite, and exciting a mic will make it vibrate.

            Try explaining how that works with a CONDENSER mike.

            Yes, a moving coil speaker and a DYNAMIC microphone are theoretically interchangeable, but there are practical limits. Using a mike as an earpiece can be practical in a pinch (if generally very tinny) but a speaker as a mike is generally a non-starter. Optimised mics generate signals in the 100mV or less region. A speaker in the same role may be lucky to generate 1µV - that's well into the realm of ultra sensitive amplifiers, yes, it can be done, but even then the audio is generally swamped by the effects of imperceptible air currents and temperature changes. In circuit it isn't connected to such a sensitive pre-amp: it goes to a power amp OUTPUT instead.

            It's one of those things that asserting blindly is nothing more than intellectual knob waving. In practice it will not work just as the refined chap stated. Claiming otherwise simply shows ignorance.

  11. Anonymous Coward
    Big Brother

    We are listening for your safety and security.

  12. Khaptain Silver badge

    Person of Interest

    As much as the series is full of hyperbole, the authors were clearly up to date about what was possible even several years ago..

    Big Brother is not just watching he is Geo-positioning, Recording, Tracking, Establishing, Analyzing ( Anal being the operative word here) everything and anything wherever possible... Even though the majority of this information is just being used for eventual advertising(spam) it really doesn't require the need for owning a tin-foil hat in order to be paranoid...

    1. Your alien overlord - fear me
      Trollface

      Re: Person of Interest

      You don't need a tin-foil hat to be paranoid. Especially if you own my (patent pending) tin-foil onesie (with hood). Also useful if you're recreating 50s/60s sci-fi films in your underground basement !!

      1. Anonymous Coward
        Anonymous Coward

        Re: Person of Interest

        Your alien overlord - fear me,

        Sorry but my Pedantic streak has kicked in !!! :)

        Is there a basement that is NOT underground ???!!!

  13. Anonymous Coward
    Anonymous Coward

    Red light

    What you need is a red light that comes on whenever the microphone circuit is connected, like professional audio/video gear. Then you'll turn it off when you don't need it.

    Unless you think you can get away with saying "grab her by the p*ssy".... ba-dum-ttssssss

    1. MD Rackham

      Re: Red light

      On laptops that have an LED indicator to show that the camera is on, clever people (pronounced "bastərds") have managed to reprogram the microcontroller to disable the indicator function. So an indicator isn't as useful as one might assume.

      1. Anonymous Coward
        Anonymous Coward

        Re: Red light

        True. It has to be a foolproof circuit, where the LED voltage also switches on the mic's signal path. And the switch (transistor, relay, whatever) needs a bit more voltage than the LED.

        Like everything else down to the logic gates, you can't truly begin to trust it until the day we have fully auditable open-spec hardware.

  14. Bob Rocket

    Why is anyone surprised ?

    I assumed that they were all at it, when you turn it off it just stops uploading it and saves it to a buffer, when you reconnect it uploads it all. Seems Shazam haven't found a buyer for your data so they don't bother ( all your data is slurped by others first).

  15. Anonymous Coward
    Anonymous Coward

    Overreaction?

    I know privacy is serious business but I don't think the devs have done anything wrong here.

    To say "the recording continues" is not true, as the sound is not being recorded (it never is) nor is it being processed. Yes sound waves are entering the microphone, yes those sound waves are compressing/bending something and yes there's a change in resistance in the mic. But is the computer 'listening'?

    If I put a current across the mic to produce voltage changes is it now listening? What if an IC is converting those analog voltage changes into a digital representation somewhere? Now is it listening?

    This seems a bit like a philosophical question, but as long as the sound is not being actively saved or transmitted somewhere it's a bit like the proverbial falling tree in the forest.

    If you want to be cross with the devs then attack them for wasted CPU cycles but please, not privacy....

    and yes (i would imagine) there's a current across it so some changes in voltage occur

    1. Anonymous Coward
      Anonymous Coward

      Re: Overreaction?

      To say "the recording continues" is not true, as the sound is not being recorded (it never is) nor is it being processed. Yes sound waves are entering the microphone, yes those sound waves are compressing/bending something and yes there's a change in resistance in the mic. But is the computer 'listening'?

      The author takes care to point out that it's up for debate if keeping the mic online is a bad thing, but from my perspective I don't want an application grabbing data it has no business accessing until explicitly permitted, I don't like those "foot in the door" strategies.

      What worries me more is that the macOS and iOS versions share the same SDK, so presumably the same "convenient" behaviour. I think I'll uninstall Shazam from my phone - just to be sure. I use it at best once every month so it won't be missed much (never installed the desktop version - one copy was enough).

      1. Charles 9

        Re: Overreaction?

        "The author takes care to point out that it's up for debate if keeping the mic online is a bad thing, but from my perspective I don't want an application grabbing data it has no business accessing until explicitly permitted, I don't like those "foot in the door" strategies."

        But what happens when the sound you want to search happened five seconds ago? Or in this case, it takes several seconds to go from completely off to listening and recording, by which time the song's ending and there's not enough left to ID it. I for one have had any number of those, "Damn, just missed!" moments to think sometimes it would be nice for it to anticipate when I want a song identified before I realize I wanted it identified but am too late to do it now.

        This is sounding a whole lot like a case of, "You can't please everyone." If you try to appease privacy concerns, people complain because the mic triggers too late. What can you do?

        1. Jeffrey Nonken

          Re: Overreaction?

          Maybe you can't please everyone, but giving the user the option to choose whether to leave the mic on would go a long way, as would being transparent about it.

          1. Charles 9

            Re: Overreaction?

            "Maybe you can't please everyone, but giving the user the option to choose whether to leave the mic on would go a long way, as would being transparent about it."

            But there are people out there who don't like choice, or even the appearance of choice: Information Overload. Like I said, there's just no pleasing some people.

        2. Francis Vaughan

          Re: Overreaction?

          "What can you do?"

          Hinted at in above comments. Simply tell the user exactly what is happening, and provide choice.

          A. Actively listening and identifying what is happening.

          B. Passively buffering the last five seconds of sound so that it can avoid missing the music.

          C. Off. Not doing anything.

          Easy. They could even add a config option "remember x seconds of sound" for B. And add the usual disclaimers "app does not retain any sound longer than the xxx seconds. Doing so may reduce battery life." Nobody would care and indeed many people would probably turn the buffer up to whatever the maximum is.

        3. bombastic bob Silver badge
          Unhappy

          Re: Overreaction?

          "But what happens when the sound you want to search happened five seconds ago?"

          someone else already suggested they add an option for that "feature". You know, on, pause, off; or perhaps, on, off, "no, seriously off". whatever.

          And the audio may not be tracked by *THEM* but a back door trojan horse application *COULD* perhaps 'hook' it and leverage the user's cluelessness with respect to having the microphone on whenever that application is left running...

          [maybe we can blame the "TSR"-ness of phone applications, too? Must they REALLY 'stay running' all of the time?]

        4. Queasy Rider

          Re: any number of those, "Damn, just missed!"

          If that is happening that often, then just leave the damn app running, after all, as has already been pointed out today, all your personals have already been slurped by multiple entities, led by Google.

          1. Anonymous Coward
            Anonymous Coward

            Re: any number of those, "Damn, just missed!"

            Drains the battery when you do that. I need it to be able to start recording immediately after I press "Listen," not take three seconds fiddling like crazy by which time the song's ended.

  16. Greg D

    Can see why, but they should be up front about it

    To be fair, the reasons they gave are acceptable from a technical standpoint - it really would make song recognition less good at its job when people want to identify a song - I know what the scramble is like when the song's about to finish :)

    However, they should be clear about the behaviour as some people won't want that - the power draw on mobile devices is the first issue that comes to mind, followed closely by privacy concerns by would-be attackers using it as a potential attack vector.

  17. cd

    Click Uninstall...Shazam, it's removed.

  18. bish

    Meh

    Honestly, if you have serious privacy concerns and you're using a service like Shazam, you're a fool. However much they process (a handful of FFTs, I assume, with some proprietary nonsense seasoning) and encrypt the audio, you're still taking your personal audio and sending it over the Internet. The idea that such a service could be made 'safe' just creates a false sense of security. If you're worried about someone listening in, don't install software designed to listen in. Shazam probably ought to have been more upfront about how its software works, but come on - surely if you're really concerned about privacy, that takes precedence over your desire to find out what's playing on the radio?

    1. pSy

      Re: Meh

      I generally couldn't give a fuck about what's playing on the radio. My privacy, as and when I choose it to be my privacy, is a tad more important than some hit parade melody. Regardless of context.

    2. bombastic bob Silver badge
      Meh

      Re: Meh

      "surely if you're really concerned about privacy, that takes precedence over your desire to find out what's playing on the radio?"

      well, might be easier to:

      a) look on the 'what is playing' section of the station's web page [a lot of them do this]

      b) if it's internet streaming radio, you'll see the ID text displayed [probably]

      c) who really cares, since RIAA only excretes CRAP these days, with rare exceptions

      and anyway, Shazam probably wouldn't recognize anything _I_ listen to, from JPop to old jazz. Except, maybe, for decent 'more modern' stuff like Muse or Metallica.

      1. Charles 9

        Re: Meh

        "a) look on the 'what is playing' section of the station's web page [a lot of them do this]"

        Not that handy to do when you're on the go, especially if you don't know WHAT station is playing, or even if it is a radio (it could be a dedicated stream personalized for the shop, so no playlist), and then by the time you open up the website and look it up, it could already be on the next song and they keep no history.

        "b) if it's internet streaming radio, you'll see the ID text displayed [probably]"

        Unless it's a PRIVATE stream. See (a).

        "c) who really cares, since RIAA only excretes CRAP these days, with rare exceptions"

        What about stations playing older music, say from the 50's through the 80's? If you're going to say this music is crap, either you have a tin ear or you just don't like music, period.

        PS. Shazam and the like are actually QUITE good with older music since it tends to be pretty popular. Foreign music may be another matter unless the music provider keeps an international database.

  19. NanoMeter

    Removed Shazam

    from my Android phone. Just in case...

  20. Sam Therapy
    Thumb Down

    Weasel words

    Taking privacy seriously is *not* the same as respecting it and ensuring it.

    The problem with language, particularly English, is that it's so malleable it's possible to imply many different things by saying nothing of the kind.

  21. anonymous boring coward Silver badge

    " the user's decision not to leverage our app's functionality"

    Is that the same as "the user's decision not to use our app"?

    Or does "leverage" have some magic meaning I don't know about? Makes you a manager if you utter it enough times, perhaps?
