
Damn those lone rogue engineers
It was never corporate policy to acquire lots of data to train an as yet unreleased system. Oh no not at all.
Your Google Home speaker may have been quietly recording sounds around your house without your permission or authorization, it was revealed this week. The Chocolate Factory admitted it had accidentally turned on a feature that allowed its voice-controlled AI-based assistant to activate by itself and record its surroundings. …
I wonder if engineer Doe has been keeping his head down for the last 10 years or whether his activities in the intervening period have still to come to light.
Update on this story: The lone, rogue engineer announced that his dog was at fault. Reports are that the dog has in turn implicated the family cat.
The cat has not yet issued a statement, as it is sleeping in the sunshine on a window sill. However, it did briefly stir, give the press a look of haughty indifference, then went back to sleep.
"Somebody asked me why I physically disabled the microphone on my Amazon Fire HD Tablet."
So you buy a device that pretty much has the sole purpose of collecting data for its master in every way you can conceive of (and then some), then disable the least significant part of it.
If you think that makes you safe, I have a bridge to sell you.
"The bit that listens to you 24-7 is clearly the most significant from a privacy perspective."
Your naiveté is heartwarming. To Jeff Bezos.
"Amazon being notified when I use their tablet is not more significant than Amazon being notified when I interact with the real world."
Fire tablets track, monitor and report back EVERYTHING you do on your tablet, and use this data to build a profile of you which is then monetised. You can turn some of this off - which is great if you like a pretty mirror.
Come on though, clearly "everything you do on your tablet" is much less than "everything you do in the same room as your tablet". Well, perhaps not for some people, but I'm going to guess that Jimbo and sabroni are both over 30 and inhabit a world outside of touchscreen devices at least some of the time.
True, but the difference is that in a system working as intended (and yes I know they fscked it up here), the data collected by the microphone is not mined but used to improve feature quality and then thrown away, rather than being monetised directly. So in my view it's still less insidious than the intrusive, unapologetic, industrial-scale data farming that's going on behind every other interaction you have with that device.
Of course if it were ever to come to light that the recorded data was not only being used to train the system (which the user generally consents to), but was being stored, datamined, scanned for keywords, turned into metadata and sold to the highest bidder, it would immediately tank the credibility (and share price) of the company concerned. I don't believe this is the case - yet.
> Fire tablets track, monitor and report back EVERYTHING you do on your tablet, and use this data to build a profile of you which is then monetised. You can turn some of this off - which is great if you like a pretty mirror.
I actually only really use it for watching Amazon Prime Video, I have a no root firewall for limiting what the tablet can send back to Amazon. I also sideloaded Google play apps and haven't opened or used the Amazon app store.
If you've disabled the Google Play store and sideload your apps, that puts you in a sub-1% group of users who would bother to go that far. Even if you're only using it for Amazon Prime Video, that's still data served by Amazon; they don't need to get through your firewall to track it. Some things they can do passively and remotely to build an advertising profile:
- Extrapolate your gender, age group and persona (including the fact that you have a firewall, and are tech-savvy and interested enough to disable the Play Store).
- Build a profile of your interests, socioeconomic and demographic data by collating what you watch, when you watch it, where you are when you watch it (from WiFi if nothing else) and also what you DON'T watch (including skipping over, pausing or rewatching movie scenes).
- Track finger swipes, pauses, zooms and scrolls to further enrich your profile.
- Link your data to other people's data around you; for example if somebody else logs into or uses your tablet, or you regularly log in at the same time as somebody else, inferences can be drawn from this about your living circumstances (married, kids, how under the thumb you are and so on) - and then cross-link their data with yours.
All of this was possible (and was being actively used) in 2015 when I was involved in this kind of software (one of my clients was Sterling, who used data such as this to drive their Configure/Price/Quote dynamic pricing algorithms). I'm absolutely certain much more has become possible since then.
I have downvoted, but not out of malice I can assure you. arXiv is indeed full of some utter dross, but as it's a pre-publication site there are a lot of papers in there that will have been published. For someone like me who has no access to the relevant journals (or just plain too stingy to pay for them) it's an invaluable source. Okay they might be a bit rough around the edges before actual publication, but still.
I wonder if there's anything in their data set that flags whether the arXiv paper has actually gone on to be published in a reputable journal. Now that would be very useful.
"*may have been quietly recording* sounds around your house without your permission or authorization": Doesn’t sound like Google - Surely you meant to write "*has been quietly recording*..."?
Well, their spooky listening device's uptime SLA is 99.999%, so they can't be definitive.
The Chocolate Factory admitted it had accidentally turned on a feature that allowed its voice-controlled AI-based assistant to activate by itself and record its surroundings.
There, FTFY
As Malcolm Nance is wont to say: "Coincidence takes a lot of planning."
"Google said the feature had been accidentally turned on during a recent software update, and it has now been switched off"
Yea, right. Until next update where it will be hidden better. Anyone believing it's not recording everything, has no connection to reality of Google.
Google could easily prove it doesn't: Just provide the encryption keys for *your* device to you so you can monitor & record whatever it sends.
Chances of that actually happening? Less than zero.
a decent percentage of their global turnover would do nicely.
Say 25% rising to 50% if they appeal.
They (and others) need to be taught a lesson. Being fast and free when it comes to our privacy is just not on.
I guess our recycling centres will see a lot of Google Home and Alexa devices appearing very shortly.
> I guess our recycling centres will see a lot of Google Home and Alexa devices appearing very shortly.
I really wish this were true, however I am getting the impression that most people in fact don't seem to care.
Before you could claim they were not aware, or they naively believed Google/FB/amazon/etc.. when they pinky promised that they are not recording and will respect privacy. However multiple times now we have seen evidence that it's a pile of lies, and they are recording everything, yet people still use them.
Each time it happens, the company claims it was a mistake of some kind, usually due to a "developer" forgetting to disable some debug code, or something similar.
That is patently absurd for anyone who has actually worked in IT. No code makes it to a production FW image without passing through at least one other person. Even if a lone dev made a mistake, there are other devs, teams of integrators, QA people, security people, all of which would have had to sign off on the FW update.
And they are telling me none of them noticed? Not even a massive increase in traffic as audio started getting shifted en-masse to their datacentres post FW update? Either said company is lying, or the amount of incompetence shown should bar them from ever working on anything more complex than a 90s era LCD watch.
Yet, they are successful. These systems are getting more prevalent. You can notice (and avoid) the little boxes in rooms that spy on you, or just chuck them in the bin where they rightfully belong, but now phones have the same technology, as do more and more modern cars, complete with cameras and microphones monitoring you. You can't just remove the spying component, it is all integrated.
Honestly, moving to a shack in the middle of nowhere and just detaching from modern society seems more and more appealing as time goes on.
> I really wish this were true, however I am getting the impression that most people in fact don't seem to care.
I wouldn't be above reporting the individual that failed to disclose and receive consent for the online listening / recording device they installed in their house / office / whatever to the ICO. That should cause them to care right quick.
As an added bonus, it might just cure them of the "I don't ever do anything wrong, so I like 24/7 surveillance" fallacy!
GDPR has a 4% global turnover as a limit. Last year GOOG had $160 billion revenue. GDPR can be used against Google only if they eavesdropped in EU/EEA areas. Where did the
In the US, eavesdropping requires consent and may result in monetary penalties and imprisonment. While I'd very much like to see the managers who authorized the recording, going to prison, they'll go scot-free. Google will blame the rogue coders because apparently at Google everybody down to janitor and his dog has full, un-monitored access to the source code.
So... how many here have bought these bugging devices?
> ...Google will blame the rogue coders because apparently at Google everybody down to janitor and his dog has full, un-monitored access to the source code.
So it's like your standard Federation starship... I guess that's what Google et al are using as their security model?
I am thinking that it is really time for a complete wipe of any servers + backups + copies that contained any of this data, otherwise what proof is there that the data has not been retained?
Fines clearly do not work against corporations that include them as being part of running their business
Perhaps having to manually rebuild all their servers to avoid having to wipe them again if any of the data reappears would be more effective given their business model than a token fine that they can pay from selling said data at some point in the future.
Given GDPR then one wonders exactly when Android will allow the user to opt out of any data being passed to Google and friends, same for all the other corporate spies. We still have to buy the hardware so we should be in control and not be forced in any manner to give up control of our data.
Unlikely as they will do everything possible to evade, appeal, make excuses and then not pay. GDPR looked as though it might just be able to take on the likes of Google and Facebook however the reality is that it is still proving almost impossible to get them to comply & pay the fines.
The most important thing appears to be "Oh, sorry, we made a mistake, it won't happen again" and then continue with business as usual.
They appear to be utterly untouchable and it will only be when they stuff up something so badly in the US that whatever administration is in power might just take notice.
But that is not the best way to do that. There is a figure defined as 4% of turnover but that would be for each jurisdiction so if there is a fine from France and one from Germany and one from Italy and one from Belgium etc etc...27 members of the EU = 108% of turnover...result
No idea why people bother about GDPR and EU fines. Consumers in Europe have no rights at all, no rights to initiate class-action law-suits, no rights to sue companies without risking financial ruin.
Recent cases like the VW diesel scandal, Porsche IMS bearing issues and several privacy violations by US big tech prove the point. The EU citizens who were the actual victims of these corporate mistakes got nothing, Americans were compensated for their damages due to value loss of their motor vehicles, blown engines or invasions of their privacy.
The EU fines they manage to extort from google & Co. are just used to add a few extra cherries to the 250,000 euro salaries of the divine EU polit bureau members, so the poor guys can fill up their V8 cars with expensive tax free gas in Brussels for 60 euro cents per liter.
"It may be that this feature is or was intended to be used for home security at some point."
Or, more likely, it has something to do with this patent filed by Google. Look carefully at the pictures with the patent. While it has some security features in the patent, it also has some features for listening all the time to learn your habits and routines. Just for instance, if Google does not hear a female's voice for 14 hours for two straight days, it can use an algorithm to know that she is a nurse and start showing advertisements for nurse's scrubs. If it hears a dog barking, it can be trained to distinguish between barks and learn how many dogs you have. Then, learning your habits, it can guess when you need more dog food and start showing you ads for it in advance.
The always-listening might have been accidentally activated. Accidentally activated before they were ready, that is. In the future it will not be accidentally activated, it will be purposefully activated so you can be purposefully shown more "relevant" ads.
Don't be absurd. Google is not going to order a power auger for you.
It's going to auction off the opportunity to advertise power augers, hand digging tools, quicklime, etc to the highest bidder, along with a metric of how price-insensitive you have suddenly become.
Wifey has gone to visit her Mother giving you time to fix up the patio while she is away.
If Google report anyone to the Police for the above then I hope they (google) get sued into oblivion.
Almost every day, we see more and more evidence of Google acting like Big Brother. Oh wait...
They are Big Brother.
Time for them to be shown the door and told "Do not come back into our lives".
This is why, in the Hobson's choice between Google, MS, and Alexa, I would prefer Alexa. All Amazon wants to do is sell me things. Google wants to think for me and sell me to the highest bidder, and I'm not sure what Microsoft wants, but I know it's going to be nefarious and probably involve a bunch of three-letter agencies.
Really? Amazon offers advertisements too. They want to sell things, but they don't care whose things they're selling as long as they don't make one of the items concerned. In order to get you to buy all those things, they need to advertise items to you, meaning data collection, and in order to maximize their profit, their advertising arm will be happy to sell that opportunity to the most motivated merchant. Your description of Google's usage of the data applies to Amazon in every particular. You may have underestimated their appetite for data or how they will be using it.
"but they don't care whose things they're selling as long as they don't make one of the items concerned"
Not entirely true. I work for Amazon. They have opened the floodgates to third party sellers over the years, and now realise it's all third party brands being sold which is eating their profits. They've now started copying these brands and creating their own clones (UMI and Find being two, as well as AmazonBasics) to muscle out third parties and make more profit.
@ "All Amazon wants to do is sell me things" you wish, MS started out with software, google with web search, apple with computers and associated software. If there is money to be made do you really believe that they will think "no we are not in the business of doing that let someone else make billions off it." no this is not how it works and you know it.
IMHO when ads stopped being broadcast and became aimed at individuals directly then a line was crossed that no one seems willing to restore. Until the owner gets back control of what is theirs then this is all just cash grabs and sound bites that doesn't stop anything.
Now the people living off targeted advertising believe that it is their right to spy on everyone else in exchange for some token service.
There needs to be world wide acceptance that personal data belongs to the individual it relates to and if it is going to be used then the owner should have complete control and no opt in by default.
I have had the uncanny experience of having discussed something with a coworker and finding a Google ad displaying exactly what we were talking about pop up. And once was somewhat disconcerted to have been thinking of something pretty obscure and when deciding to search for it, Google filled in the rest of my search when I typed the first character..
Excuse me, I need to find my titanium spork to remove the tracking chip from my brain..
The tracking chips are usually baked into crunchy snack foods like corn chips, where you simply won't notice the occasional one that crunches between your teeth. The yellow chemical powder on the chips is electrolyte to power them.
Vaccines are just a red herring, although the patent holder for Vaccertising(tm) is totally pissed they've queered his pitch.
Frequently bought together
I would like to apologise to our customers who may have recently become aware that all our software included a key-logger which was sending everything typed back to ourselves. That data was permanently stored, and forwarded to all our partners, but only in accordance with our policies.
While we indiscriminately logged everything typed I would like to assure everyone that this has affected only a small number of customers and I again confirm that customer safety, security and privacy is our number one priority.
I can reassure customers that their data was only ever shared with third parties we agreed to share it with. We are confident there is no evidence data has been misused and will ask our partners to confirm that.
The key-logging software was part of our diagnostic suite intended to improve customer experience which was inadvertently left enabled for the past decade due to an oversight. We did not realise this as we stored your data and passed it on. The logger's ability to hide from anti-virus checkers and malware detectors was due to accidentally using code from a different product. This was entirely unintentional.
We would like to assure our customers that no harm was intended and can confirm they can continue using our installed software. We have not misused customer data and never would. We must however ask Mr Peabody-Smythe to refrain from describing us as "lying wanker bastards" whenever he refers to us in his emails to friends.
Typical Google.
Just cannot be surprised by this anymore.
Yes, one could argue that privacy laws keep them from doing such things so blatantly, but trying to prove it in today's 'everything is a sodding conspiracy' world where the signal to noise ratio has deteriorated to such a degree, is quite another thing - especially when high-priced lawyers exist and the will to prosecute beyond a fine doesn't, for some bizarre reason.
As I write this long-winded (but ultimately, impotent) expression of outrage, I can already see a possible reasoning, one pointing to incompetence, rather than malice - due to their investment in ADT, these devices start listening and learning when put in 'Guard Mode' - this is not new behaviour.
Alarm systems listen for the sound of glass breaking anyway. And that's what Amazon Echo units do if you turn on 'Guard Mode'. This is an extension of that technological aspect which makes sense - however, the linking of data collection A to B to C and so on, the way an advertising company does - that is concerning.
I still do not see how Google could describe them remotely recording everything that happens in your house, as a feature.
I recall that in the UK, it was reported that a friendly neighbour installed a video camera in a single mum's flat after he volunteered to complete some decorating work, was using wired based cameras, and he subsequently went to prison.
For some reason, a conglomerate listening to many people's home voices and sounds 24/7, is a feature.
I know everyone is focused on the Google privacy invasion, but I went and read that AI blog post, and it was at least as coherent and sensible as a lot of stuff written by, say, Mark Manson or Darius Theroux, to say nothing of the shit that people post to Facebook or Twitter. The machines are winning, guys.
only one person noticed that although the sentences made grammatical sense, the writing lacked any substance
Sadly, the quality of that article is waaaaay better than many publications masquerading as Local Newspapers. If the 'papers owners see this I imagine they'd sack the staff and we readers could get some quality reporting.
Some of the fucking program manuals are written as aide de memoire, making them absolutely fucking useless, unless you already know what you're doing, and why you're doing it and just need a bit of assistance with the syntax. The people who author, review, and approve these should all be hanged.
Why am I not in the least surprised by this? Still not got one of those spy devices in the house. I bought a dumb TV (which is getting surprisingly hard to do now if you want a large screen size), although the cable box probably manages some of that on its own. The voice remote sits unused and unpowered on the shelf in favour of the old button-press one that came with the old cable box and works just as well with the new box.
Not yet paranoid enough to remove the microphone from the smartphone, although I did tick some option to tell it not to allow Google Play to access the microphone (about which it complains regularly, threatening loss of functionality even though I've not noticed anything I want failing to work).
Being non-technical, I managed to prevent Google accessing the mic on my android phone (a friend's preteen kid was training it to accept her voice every time she came near me as I couldn't be bothered using it) with the help of a web page which claimed that to do so was a "nuclear option." Drama queen.
Thankfully, I read the articles and comments on The Reg and sort of understand some things, so I knew that was a bunch of BS. Thanks, all!
Yeah but they followed you around with your phone... that has a microphone...
Considering my phone is on a charger in the other room when I'm at home, and mobile data isn't working on my phone for when I'm out and about (couldn't make it work even on the couple of occasions where I could have made use of it), not much opportunity for voice collecting.
Because they will believe the salesmen that their lives are not complete without one of these devices.
Voice activation does have use cases, for those who are disabled it can be invaluable, however for most people it is a gimmick that doesn’t achieve much gain for a lot of privacy issues.
For a start how many people have reported the problem that a Tv program or advert contains the start words for these devices, surely the first stage of security is to change the activation word to something unique so that the device only triggers when YOU want it to.
But I still wouldn’t use it myself as I can’t see the advantages.
@"But I still wouldn’t use it myself as I can’t see the advantages." that's nice but how long before it becomes compulsory, say for COVID19 monitoring or to prevent rape, murder and paedophilia.
What about when the gambling companies like insurance, if they insist upon it for cover, can you give up your health, car, house, work insurance and still be a part of society? How about if you cannot get into a hospital or see a doctor if they do not have access to all your personal data. The list is endless simply because there were many who read 1984 and found it full of business opportunities rather than terrifying.
> How about if you cannot get into a hospital or see a doctor if they do not have access to all your personal data.
Oh... you must mean when the NHS is sold off to a US Healthcare Company and we start getting mega sized bills for even the smallest treatment. £1000 per Blood Test seems about right.
I think that's unlikely to happen in our lifetime, considering I've gone seventeen years without either a TV license or smart electricity meter and to date neither of the authorities responsible have taken any steps beyond the occasional auto-generated communication.
Hell, a government possessing the wherewithal to achieve something like that would be amazing right now.
> I think that's unlikely to happen in our lifetime, considering I've gone seventeen years without ... a TV license...
This is one of the reasons why vested interests are wanting the legal status of the TV license changed. Once it becomes a simple subscription, collection becomes a commercial opportunity for Capita et al and they do enforce...
So suggest you plan for things to change...
> @"But I still wouldn’t use it myself as I can’t see the advantages." that's nice but how long before it becomes compulsory, say for COVID19 monitoring or to prevent rape, murder and paedophilia.
Well, on BBC Radio 4 a week or so back there was an interview where it was being suggested making always on dashcams mandatory, so it can't be long before they also decide voice recorders should also be fitted - the insurance company accepts no liability as you had a screaming child as a passenger...
These devices are the epitome of marketing newspeak. Their primary function is listening and relaying data to some cloud service. The voice input isn't even processed on the device, so there is absolutely nothing smart about them. Though one might argue that, in comparison to someone who puts a microphone on their dinner table and is surprised to find that their dinner conversation got recorded..
Regarding the naming issue though, if it has to be a buzzwordy kind of name, it should really be smart microphone.
As a side note, I am also a little disappointed that El Reg, almost 6 years after the first release of Amazon Alexa, still hasn't come up with a regism for these devices. May I suggest fartcast/moancast? I also like privacy-opt-out, as an umbrella term for Alexa, Ring, etc.