Ultrasonic Beacons: Privacy-Threatening Sound of Silence
You can’t see them, you can’t hear them, but they’re there – stealthy trackers, inaudible to human ear that capture your whereabouts without you having any idea about it. Say ‘hello’ to ultrasonic beacons!
Marketers come up with more and more subtle ways to collect consumer data, even if it means covertly invading their privacy. Use of ultrasonic beacons is one of such ways, as a study conducted by researchers from Technische Universitat Braunschweig in Germany shows. According to research report, 234 Android apps were found to contain the privacy-threatening audio tracking scheme.
Ultrasonic beacons. What’s that?
Ultrasonic beacons are sounds with frequencies from 18 kHz to 20 kHz. Humans can’t hear it, but most mobile devices’ microphones can easily detect the ultrasonic beacons. When emitting from retail stores or embedded to advertisements and even websites, these inaudible sounds are picked up by microphones of mobile devices. This doesn’t happen by default, though. A user has to grant permission for an app to access the microphone in the first place. But we’ll get back to this later on.
These ultrasonic beacons are the core of the ultrasonic cross-device tracking technology, letting marketers track consumers and build detailed profiles based on data collected. The websites you browse, advertisements you see, stores you visit and products you prefer – all this information can be gathered without your notice.
Where do they come from?
The ultrasonic beacons technology is the core of a software developed by the Indian company Silverpush. The software was designed to track TV watching habits of mobile owners. However, the product was killed after privacy concerns regarding such creepy tracking of users spread out widely.
According to the founder of Silverpush, the ad-tracking business was abandoned in late 2015. But it seems that the tech world didn’t forget about the ultrasonic beacons. Going back to the results of the German research, showing that more than 200 Android apps were built using the publicly available developer kit of Silverpush, signals about the growth of the high-tech beacons adoption.
The most important point here is that all the apps cited in the research are available for easy download from the Google Play store, but the tracking capabilities are not mentioned in their privacy policies. And it’s not only some little-known apps that made it to the blacklist – you can find apps of such fast food market giants as Krispy Kreme and McDonald’s, whose Philippines app versions also got listed.
Where’s the danger?
Since many apps deploy the ultrasonic beacons listening technology without a clearly stated purpose, you have to be extremely aware of the permissions you grant for apps downloaded even from such trustworthy source as the Google Play store. A single inconsiderate ‘yes’ to a request asking for access to the microphone might mean that your smartphone will start covertly listening from that moment. And it’s not just when you go online – the ultrasonic beacon technology doesn’t rely on Internet connection, so the microphone is able to catch the ultrasonic sounds either way.
As the microphone of your mobile device goes into ‘always on’ mode, the risk for incidental data collection arises. Yes, an app containing the ultrasonic beacon technology should be picking the high-frequency sounds only, but who can guarantee that there will be no misuse?
Moreover, the beacon listening technology empowers cross-device tracking, letting marketers to build highly detailed consumer profiles combining the data from multiple devices used by a consumer. On top of that, researchers have brought up the issue of deanonymization of Tor network users if ultrasonic beacons are embedded in Tor sites – and this would shake up the privacy and anonymity world.
Is there a bright side?
In case you’re already freaking out about being secretly tracked by your smartphone hearing sounds you can’t hear, calm down and don’t throw it out the window yet. Not everything is as bad as it may seem. There are completely legitimate uses of ultrasonic beacons as well; for example, retail apps that offer you a specific deal when you enter the store, or ticketing apps that let you get to the event venues easier. The critical thing here is knowing and allowing an app to do so.
Shopkick and Lisnr were the two services identified by German researchers for operating in the right way, that is, prominently disclosing the ultrasonic tracking. The good thing is, there are ways to protect your privacy from this intrusive sound of silence.
How to block the ultrasonic beacons
Ultrasonic beacons shouldn’t invade your privacy without you letting them to. There are a few things you can do to avoid the threats caused by ultrasonic signals.
- Review apps installed. Do you actively use all of them? Delete those once downloaded and forgotten. By minimizing the number of apps you will also reduce the risk of some of them potentially having the ultrasonic beacon tracking scheme employed.
- Check app permissions. For those apps you are keeping, double-check the permissions you have granted for the microphone access.
On Android 7.0 Nougat, go to Settings > Apps > Tap the Gear icon > App permissions
On iOS, navigate to Settings > Privacy > Microphone
You will see the list of apps and their statuses regarding the microphone access. Now evaluate – do they all really need it?
- Use common sense. It’s normal when apps such as Viber, Skype or Messenger need to access the microphone. But what about a clothing store app or, let’s say, a weather app? Most likely, there is no clear benefit for you, so for privacy reasons, letting such apps activate the microphone should be a ‘no-no’.
As the countermeasures against unwanted ultrasonic beacon tracking are limited at the moment, the key thing to do is to handle your app permissions with caution. It’s also worth keeping in mind that there are other ways how third-parties can invade your privacy. Use a VPN service, like NordVPN, which will encrypt your Internet data and protect your sensitive information from ISPs monitoring, hackers and identity thieves.