There’s more evidence debunking the conspiracy theory that your iPhone is secretly listening to you.
On Tuesday, Apple responded to the House Energy and Commerce Committee’s requests for information on the data Apple products collect on customers. The letter mostly focused on location sharing as well as the inflammatory question of whether iPhones are listening in on users without their knowledge.
Apple unequivocally stated in its response letter (via CNET) that Apple products do not actively listen to users and collect data about what people are saying in the background. It provided more detail on how “Hey, Siri” functions without listening for or collecting other data in the meantime. And it said third-party apps that run on iPhones must indicate to users with clear visual signals if and when they are listening.
“iPhone doesn’t listen to consumers except to recognize the clear, unambiguous audio trigger ‘Hey Siri,'” the letter reads. “Apple provides a visual alert when Siri is listening to a user’s request, and Apple’s Developer Guidelines require its developers to display a visual indicator when their app is collecting audio information from the microphone.”
Apple’s terms and review process may protect these standards. But Apple did say that some developers had specifically violated its privacy terms, and had been removed from the App Store as a result. It did not identify the companies, nor state when these breaches occurred.
“Developers do violate the PLA and App Store Review Guidelines, although most violations are unintentional, unrelated to privacy issues, and easily corrected,” the letter reads. “And, we have removed apps for privacy violations.”
The clear takeaway from the letter is that Apple has built in layers of privacy protections that distinguish it as a company that doesn’t suck up as much data as possible, in contrast to some (*cough Google*) of its competitors. But it also shows that Apple’s policies don’t necessarily mean some companies that run on iPhones aren’t misbehaving.
Hey Siri, u up?
Apple users have the ability to enable “Hey, Siri” functionality, which uses a voice cue to activate Apple’s much-criticized digital assistant.
If iPhone users can turn on Siri through simply speaking a phrase, it’s fair to wonder how Apple can possibly provide this service to customers without actively listening all the time.
The answer, as stated in the letter, is a short buffer that stores data only locally on the device. A buffer is a chunk of audio that is continually recorded over — by definition, buffers aren’t archived. So as far as “always listening”is concerned, your iPhone has only a short amount of recorded audio at any time, is only used to identify the phrase “Hey Siri,” and is stored locally.
In addition, once actual recording takes place upon hearing the “Hey, Siri” phrase, the recording that’s sent to Apple is attached to an anonymous identification number that isn’t tied with your Apple ID. The user can also reset that number at any time.
“We utilize on-device processing to minimize data collection by Apple,” the letter reads. “The customer is not our product, and our business model does not depend on collecting vast amounts of personally identifiable information to enrich targeted profiles marketed to advertisers.”
So, browsers are certainly keeping track of you when you use Siri to search. But according to Apple, Siri herself isn’t eavesdropping at all times.
The conditions of iOS state that third-party apps have to get user permission before accessing the microphone, camera, or location data. They also have to communicate to users what they’ll use those components or information for. As with Siri, apps have to display a visual cue when they’re listening through the microphone. And users can change the settings at any time.
“Consistent with Apple’s view that privacy is a fundamental human right, we impose significant privacy-related restrictions on apps,” the letter reads. “Notwithstanding the developer’s responsibilities and direct relationship with customers, Apple requires developers to adhere to privacy principles.”
This clears up the question of what granting an app like Facebook access to the microphone means. If apps are compliant with Apple’s terms, even after a user has given consent to use the mic, the app has to provide a visual cue that it is doing so.
However, things can still fall through the cracks. The letter states that all apps go through the App Review Process for privacy compliance before getting approved, including updates. And that this process itself is constantly being improved. But that doesn’t mean that Apple monitors apps to make sure they are complying at all times. And that that has led to some breaches.
“Apple does not and cannot monitor what developers do with the customer data they have collected, or prevent the onward transfer of that data, nor do we have the ability to ensure a developer’s compliance with their own privacy policies or local law,” says the letter. “When we have credible information that developer is not acting in accordance with the PLA or App Store Review Guidelines or otherwise violates privacy laws, we will investigate to the extent possible.”
Through its privacy policies, short buffer windows, local storage, and app review process, Apple has put many layers in place to make sure its iPhones aren’t being used to spy on its customers through the microphone. But even Apple acknowledges that there’s no foolproof way to make sure data-greedy companies won’t use our all-seeing and all-hearing robots to suck us dry for personal information — which is likely why arguments that companies like Facebook are listening persist.