Most are familiar with the old question, “If a tree falls in the forest, but no one is there to hear it, does it make a sound?”  Here is the new one that lawyers are facing: “If a microphone is turned on, but no one is there to hear it, is it still eavesdropping?”

Fear of eavesdropping is helping to spawn lawsuits as so many devices in daily use now come with some sort of microphone built in. An Indianapolis Colts fan has brought a lawsuit against the Colts, their app developer, YinzCam, and LISNR, which created the technology used.

The Colts smartphone app uses fairly new technology to help deliver news, information, and ads to their fans. It supposedly can activate the smartphone microphone and detect ultra-high-frequency sounds, far above the normal range of the human voice, that can provide data to the app.

This high frequency detection works with technology developed by LISNR.  Their technology is able to transmit data via ultrasonic audio. This type of audio data could be distributed via an existing speaker system in multiple locations around a stadium, for example, and when app users are in the vicinity their smartphones can respond with information or advertisements. The app is then effectively listening through the microphone, but it only reacts to the ultrasonic data signals.

The question for the lawyers, then, becomes: if a microphone is powered on, can it be considered “listening” if no software or person is able to listen to human voice through that microphone?

The LISNR software is only detecting ultrasonic sounds, and more than that, it only responds when it hears its own coded data signals. The coded signal effectively acts as a key, or password, and is required to let any sort of intelligence through. But is that enough to say it is not eavesdropping?

Similar concerns have been expressed regarding the Amazon Echo and Google Home (and we can’t forget Siri, Cortana, OK Google, or others).

The Echo listens for the key word, “Alexa” or “Amazon”, and only upon hearing that word does it actually begin recording your voice in an effort to understand your request. Paranoia advocates thus claim that it is eavesdropping all the time, since it is “listening” for the key word, even though nothing is being recorded or transmitted. A second tier concern would be that Amazon (or the NSA) has a secret ability to turn the mic on to transmit everything it hears back to the Amazon/NSA underground lair. Third tier would be that the NSA or some other nation’s group already has modified the Echo and is collecting data 24/7. These suspicions may seem a bit too conspiratorial in nature. A more realistic concern, though, would arise if you received your Echo as a gift from a competitor, weird friend, or your ex-spouse. In such a case it could have been physically tampered with so that other eavesdropping electronics could have been installed within.

Our own limited testing of the Echo in our lab showed that it did not transmit any data at all, unless it first heard the key word. The Echo transmits its data via wifi, which is easily monitored, but as long as the unit was idle and did not hear the key word, then no data transmission occurred. I would still not allow one in a conference room or any area where confidential communications take place. Depending on the level of threat you face, the presence of any such devices may merit a thorough TSCM inspection.

Internet-connected coffee makers and other smart devices are now found throughout homes and offices.

New devices brought into any office should be checked and inspected. The potential clearly exists for many IoT (Internet of Things) devices to be compromised, modified or adapted to be used for eavesdropping or espionage purposes. The sheer multitude of internet connected cameras, lighting controls, thermostats, coffee makers, and actual spy devices coming from foreign sources into our homes and offices warrants frequent inspections.

Recent experiments, and some not so recent, have demonstrated that audio and data can be transmitted via many unsuspected means. High speed video focused on the edge of a potato chip bag can demodulate audio from the room where the bag is located. Tiny motors that exist in your smartphone to create the silent vibration can also detect voice from vibrations and turn it into electric signals. An old-school eavesdropping threat was that the ringers in the old “2500” style telephone sets would similarly pick up audio vibrations, turn them into electric signals, and send them down the phone wire to the eavesdropper’s listening post. Air ducts, pipe vibrations, and the cup against the wall are still viable methods for extracting audio from a target.

High speed video captures audio through glass. In older tech, phone ringers could pick up room audio and send it down the wire.

Reading recent news headlines is enough to make anyone paranoid. To understand how much you should be concerned, though, an important element is to identify where the real threats may be coming from. Consider your adversaries, what level of determination they may have, and what expense they may go to in order to get hold of your information. Don’t forget, as well, that many threats come from insiders. In our experience, corporate TSCM inspections most often point to the perpetrator being an employee, executive, or contractor who had already been granted access to the sensitive area.