
Siri, Are You Spying On Me?

BSides Lancashire · 30:42 · 12 views · Published 2025-11

Transcript [en]

I actually have a slide that's perfect for you in a second. So, the topic of the presentation: Siri, are you listening to me? Of course, I personally don't like Apple phones, so Gemini, and maybe Alexa, and if anybody uses Grok, that includes that. So, TL;DR: no. Well, maybe. That's it, end of my talk. You can go now if you want. That would be a bit boring. The reason why I'm doing this talk is I've had this as a rant for many years, where people come across and say, "I've had this advert, and it's about this thing I was doing, and my phone is listening to me." I literally wrote this when I was in a course for something totally unrelated, and somebody brought this up, and they said how they were going on a holiday and then suddenly got all these adverts for these holiday locations come up, and this is hence why I wrote the rant. Originally I was going to do this with somebody who actually knows a bit about psychology. Unfortunately they had to drop out and I had to do this myself, and I know nothing about psychology, so some people may pick holes in this.

Anyway, the old joke. This is the earliest version of the joke I could find. Basically, it's like: my wife asked me why I spoke so softly in the house. I said I was afraid Mark Zuckerberg was listening. She laughed. I laughed. Alexa laughed. Siri laughed. It's a sort of post-modernist nightmare that everything is listening to you. There will be AI-generated photos. I just love, in fact I don't know whether you can see this one, there's a solitary finger on here. AI still cannot do fingers. It's getting better, but we're still getting there. Oh, my notes. I've already said what's in my notes.

So, do people have assistants in the house? Yep, I can see some nods. I have assistants. In the house I have all my children in the attic room. I don't want to stand at the bottom of the stairs and shout "Children!" because it knackers my voice. So I have a couple of Google Mini speakers in each of their rooms. And as I discovered today while preparing this, they also use it to communicate with each other, and normally swear at each other. So when I get home tomorrow, my kids are in trouble, and they ask some very dodgy questions. So anyway, yeah, we use that for that. We also have one of those Google speaker systems in there. We use that for music in the kitchen because it acts as a decent radio and it's a lot easier than actually having a radio ourselves.

The way most of these work is they constantly listen for a key phrase. "Hey Google." Actually, an experiment I want to try: "Siri, play." No. "What is one plus one?" Nope. Nobody's got Siri working. Well, mine works, but I just have "Hey Siri" disabled. I mean, my phone, it allegedly copies my voice. I don't know whether it works or not. I try not to do it. It's like my Google Wallet: I have to unlock my phone to use it because I don't trust the world. But I use it in my car more regularly because I use Android Auto as I drive. It allows me to choose my location through voice. And again, going back through my history today, I kept seeing all the places I go to. It's just because it's quicker than trying to type it in on my car.

So, here's an example. This is the history. My son has smart lights in his room, and he likes to sit in his bed and turn them off by saying, you know, "Hey Google, turn off my lights," and this is him messing about with the colours. So, disco mode. I don't know what disco mode is. And this is where I discovered exactly what they're being sent. Sorry, my phone keeps buzzing now. I shouldn't be looking at my watch. And he keeps sending off different conversations with them and interesting questions. So, dodgy statements. If you dig further into these, you can actually see the recordings that it makes. So, this is one of those recordings, and we can break that into two bits. We have the key phrase, "Hey Google," which it records for you, and we have the actual action command, and I can't remember what it was. I think this was "show disco lights." So we can see what Google allows me to see that it does. We don't know how much it tracks beforehand. Normally it will listen for the key phrase, and then it will take the rest of the audio and offload it onto the cloud.

So obviously this question, "Is my phone listening to me for ads?", is a very common question. I did that search a couple of days ago. There's loads of them, and you can see 2004; you go back, they go all the way back to 2017, 2016, when people were first asking. I wrote about this in 2014, the not very good article; I have learned better how to write since. Because I kept seeing adverts for places that I was about to go to, because I do a lot of on-site work. I kept seeing hotel adverts. So I did a dive into how this is working, and back in 2016 I wrote an application that would do this. It would constantly listen in the background, send all the audio it heard off to Google servers and translate it into real words. It got on BBC Click at one point. It was even mentioned in Mitnick's The Art of Invisibility in a little footnote. So that's my claim to fame. I've been in the Mitnick book. And Ken, who is sort of my boss at work, always takes all the things I do. So, I'm going to go into a minor... sorry, I apologise, I only wrote this like a couple of hours ago. So, anyway, technically it is possible to do this. Is it feasible, though? Can we legally do this? Can we logistically do it? Are there any social constructs that get in the way? Why, if it can't do this, why do I get ads about stuff I talk about? Why do I see an advert for something mentioned?

So, I'm going to go on a bit of a segue here and go on about my first ever solo talk that I did 10 years ago at RVAsec back in 2015. This is a security con set up in Richmond, Virginia by a couple of people I knew. I entered the CFP. I flew from Infosec Europe, where I set up a demo. I was knackered on my flight; I got a red-eye flight. I landed there. I went to do my talk. I had a certain evil device, which I'll show in a second, which is meant to be listening to noise. And it failed, and that buggered up my talk, and I went through my whole talk in 15 minutes because it upset me, because I plugged the audio jack from my laptop into the speakers. So, the whole device, this evil device, is one of those. I was going to bring one with me, but I forgot to put it in my bag. Furbies. Now, this is a 2016 variant. When they first came out in 1998... Everybody takes a picture of a Furby. I nicked that from the internet. Okay, you can Google it.

Back in 1998 when the Furby came out, there was a rumour that it would listen to everything you say and it would start to record what you stated and play it back to you, because there was a sequence in the Furby logic where it would get better and it would learn more of its language, Furbish, and it would get better with generations. Oh yeah, there we have Furby ears. Now, that's one bit I did do: I added the ears. So, sorry, it is an electronic toy, and eventually the rumours got down to one: it was banned by the NSA, and it was banned in a shipyard in Richmond, Virginia. This is a story that I nicked from FAA.gov which explains about the naval shipyard in Portsmouth, Virginia. Tiger Electronics, who are the manufacturers, said it cannot listen. Question is, can a Furby do it? The question about this one is, what do we mean by speech recognition? So, speech recognition has been around since the 1950s. This is a box made in 1961 by IBM which could do basic speech recognition of the numbers from 1 to 10 and allow you to do things like "What is 2 + 2?" So it is not new technology. So can we sort of do this?

Here's what a speech wave looks like. I've not done a full spectrogram; this is just the pitch. So over here is time, and up here is the actual amplitude. So this is me saying the numbers one through four. I'm not going to play it because it's me going "1 2 3 4." I could write a very easy bit of program, I could even get AI to write a bit of program, to match all those for me. It'll match for me. It won't match for you. It won't match for anybody else. It won't match me if I say it in falsetto. It won't match me if I change, because the timbre is different. So, it generally uses something called Markov hidden... I always get this wrong: hidden Markov models. I stole that from Wikipedia. I don't even pretend to understand it. I have a degree in physics; I do not understand the maths behind it. So this is what it does: it breaks it down and so on. So in the processing of it, if we think about whether a Furby can sort this data, how much memory do you think we'll need for doing this, and how much memory does a Furby have? Any guess how much memory a Furby has? 16. Optimistic, I like it. For a certain sample you wouldn't get much in 16 kilobytes. I have written a program that would speak out on an 8-bit computer, and it took most of the 64 kilobytes of memory it had just for my sample. What you have in a Furby is a simpler CPU which is 6502-alike. You have 80 kilobytes of RAM, 80 bytes of RAM, sorry, 80 kilobytes of ROM, 80 bytes of RAM, and an EPROM of 512 bytes. That is your memory. Can a Furby record information? It's not feasible, is it? Not unless they're really, really good at writing. So the last bit of the whole Furby conversation is that somebody found the patent for the Furby, and the patent had the source code attached. So people have gone through this. We know how every single byte of the RAM works. It has a microphone. The microphone's used as a simple yes/no indicator. That's all. It just says there is noise. So, the only solution of what you can do with a Furby: has anybody seen my avatar on everything? That's about the only thing left. I do apologise for the resolution. That photo was taken in 2003. Cameras have improved a lot since then. We were drunk. We had a Furby. What else are you going to do? So, I am not allowed to burn a Furby here, or I would have done.

Anyway, onto other sides. Let's have a look at the legal side. So for this, I am not a lawyer. I know some basics about the Computer Misuse Act and other things because it's part of my job. So I actually spoke to a lawyer, this guy here, Neil Brown, who runs decoded. He's a tech-savvy lawyer who runs everything on Linux, and privacy is one of his things. So I spent half an hour having a conversation with him where we just discussed what the actual legal requirements are. There is pretty much one law that will affect this in the UK, and that's GDPR. So it's no surprise, it's GDPR. And normally I don't like word-heavy slides, but this one is word-heavy because I wanted to get everything in. So the main requirements are transparency, fairness, and a lawful basis. Just stepping out of your way. Do we tell people that we listen to them? Do we have a privacy notice? Who reads privacy notices? Oh, wow. There's more of you who actually do that. I'm crap; I don't have the time. How many people send it to AI and ask them to summarise it? I like you. I like it. Yes, that's the easy, the lazy, way of doing it. Is it fair for an advertising company to listen into your private conversations? Now, an ad company could argue yes, because that's their revenue. I'm not a lawyer. That would be setting precedent in the court. There has been no precedent on this. Lawful basis: we have legitimate interest, which we all see on the cookie notification banners, and there are various arguments about whether they use legitimate interest properly. So legitimate interest is: does the company have a legitimate interest in getting that information from you? Does it balance with your rights as a consumer? There's still a shrug. Nobody's actually tried this in a court of law at the moment. And the final one is, have we got consent? People like Google and Apple and Siri etc. You have to tick a consent button when you actually do this. You don't think you have, but you have done. I went through the process of turning my phone to Gemini, and yes, you have to give Google consent for you to process.

Things have been tried before. This was March 2025, the end of March 2025. O'Carroll versus Meta was decided, where O'Carroll noticed that she was pregnant and Meta started serving ads for pregnancy even before she told people that she was pregnant. She successfully sued Meta, and yeah, whatever how much it was. The ICO made a statement. So if you don't know, the ICO is a government watchdog, the Information Commissioner's watchdog, that actually covers all this. They made a statement, and that statement pretty much says nothing. You can read that yourself; it really doesn't say much. Apple have settled for 95 million, that was 2024, about Siri listening. There was a company called Cox Media Group who did a pitch deck for "active listening," which is exactly what I'm describing here, where they would listen to your conversations and they would serve ads depending on that. As far as we can tell, it's only a pitch deck. They might have done a few proofs of concept; who knows whether it actually went into one. But this has set Apple and Google... they now have this monitoring light to say this microphone is active. So Android we have on the left, iOS, which is a less good one, on the right. Where, you know, in theory you should always be able to see that.

Right. There's going to be quite a bit of segue in this. Let's go into another segue. Has anybody heard of the Red Army Faction? There's always one. And I don't mean that Red Faction. I'm obviously the only person who plays crap computer games from 2008. That's actually Red Faction: Guerrilla. I mentally get the two mixed up. That's the Red Army Faction. The Red Army Faction was a far-left, it's described as a far-left militant group, a terrorist group basically, who were responsible for a number of domestic terrorist acts within Germany including bombings, assassinations, kidnappings and shootouts leading to the deaths of at least 34 people. They were basically wanting communism to be applied to West Germany as well as East Germany during the 1970s and 1980s. You've got to ask now, what has this got to do with my subject? They were also known by two of the founders, which is Andreas Baader and Ulrike Meinhof, and I apologise to anybody who's German here for my pronunciation, which led to the alternative name of the Baader-Meinhof gang, which is a term that you may have heard. So this has led to what we call the Baader-Meinhof phenom... I can't say it... phenomenon, that word up there, which was found when Terry Mullen wrote a letter to the press where he had a conversation about the Baader-Meinhof group and then he kept seeing the term Baader-Meinhof appear, and it wasn't because he wrote the letter. It's just that the human brain is amazing: we are very good at pattern recognition. It's something also known as a frequency illusion. So this is where we see a topic and we just keep picking it out. So, for example, I said, you know, after Cat's keynote today where she was going on about Pop-Tarts, next time you're in the cereal aisle, you're going to see Pop-Tarts, because your brain's triggered that, and you'll see that word keeps popping up. As a reverse engineer, I see this a lot. I can look at a hex dump; I can pull information out. Human pattern matching is brilliant.

But Baader-Meinhof doesn't cover everything. I live in an old Victorian house, and living in an old Victorian house has a problem everybody living there knows: you've got a problem with cool air and water. And one of the ways of dealing with this is to open windows. And there was a term that I randomly found on the internet a couple of... it was shown to me in one of the lists: Stoßlüften, and again, apologies for my German, which is apparently where the Germans open all the windows, let all the air in, blow all the air out, and in theory get rid of all the moisture in the air. So I kept bloody seeing this term for two months, and I kept seeing this term everywhere. The wife saw it as well, and it's like, where the hell has this come from? So I assumed this is part of Baader-Meinhof. So I went and actually looked at Google Trends, and nope. Apparently the whole internet had a little peak around the end of 2004 where this term got into national consciousness, then disappeared again. So, you can't just always say frequency illusion. Sometimes we see other things, and somehow.

So, I'm going to go off on another segue because I like segues. Does anybody know about the TV licence? Are we all in England here? Anybody? Yeah. So, for anybody who doesn't live in the UK, you have to have a TV licence to watch broadcast television. And I'm not going to talk about the TV licence. I'm going to talk about its enforcement. I lived for 10 years without a TV. I got so many letters from TV Licensing about this. And you have a bit of an Orwellian thing where they have a database that lists every home with a TV licence, which is quite freaky. But again, I'm not talking about that. I'm going to talk about TV licensing vans, which was something that was broadcast about in the 60s, that these TV licence vans would drive around and they'd pick up when you're watching TV, and they could pinpoint exactly where your TV is on a row of terraced houses and what you were watching and so on. Do TV licence vans exist? Yeah, there was somebody's request, and they do exist, but we see, well, maybe I wouldn't say exactly how many times they have to prosecute people. Well, they are, well, perhaps they are, just about. Yeah. So, that's exactly what you said there. So, there is a Freedom of Information request. It came back saying Capita said there are TV detector vans; we won't tell you any more information because we claim exemption under the Freedom of Information Act. When you had CRT TVs, it was easy to detect something. Who has a CRT TV anymore? Of course, Glenn has one. There's always one. Actually, I have a load in my garage, but that's irrelevant. Nowadays, you can detect your STRs. Likelihood of that happening, minimal. So, there's a principle called Occam's razor, which says the simplest solution is generally the easiest one. So for TV licence vans, do they exist, or is it the fact that they just have a database of everybody and they just send a bloke round? Actually, sorry, that was sexist. I do apologise. They send somebody round, just to knock on the door and say, "Do you have a TV?" I personally believe that's the way they do it.

So I'm actually ahead of my slides for once, which is very good. So, in conclusion, because you could tell I was getting near the end of writing my slides at this point: technically, devices can and do listen. It's not difficult to do. I wrote a program in what you would call vibe coding in 2016, which is basically Stack Overflow, and you can do it, but there's no indication on the phone. Legally, they shouldn't be able to do it without notification, and there should be a privacy policy to protect you. Is it worth it? Speech processing is expensive. You can't do it on the phone. You have to offload it to the cloud, which means you need a persistent internet connection. Do we notice patterns? So, we've got the frequency illusion. Do we notice when it doesn't happen? As an example, I took my family to Copenhagen for a holiday last year. I typed "Copenhagen" into Google multiple times to find things to do there. I didn't get any ads about Copenhagen. I spoke about it many times in front of multiple listening devices. No ads. And I was looking. So, and finally, Occam's razor: is it likely for this to happen? So, that's why my conclusion is maybe. So, there we are. [Applause] Thank you very much. So, questions. You miserable lot. Oh, good. One. Right. Get the ball rolling. Move it closer to your mouth. Really close. No.

Although that covers us in the EU with GDPR and the UK DPA, what about other countries? Because, you know, there have been instances where North American law enforcement have gone to AWS, or Amazon sorry, for Siri, because there was that case where a person was murdered around a swimming pool or a hot tub and they got the evidence from that about the arguments, although, you know, the words weren't used. It's possible the technology really exists, but we have privacy protections in Europe to stop it being used.

There was a reason why I chose phones rather than assistants. As you can see from the list, there was a keyword and so on. There was a case where Amazon were found, excuse me, on this. I didn't put that on because there are too many slides of just court cases. So yes, it is likely. In terms of what the legal status is, I'm not a lawyer. I'd have to talk to somebody, and I can't afford that. More questions? Yes, coming your way. Hold on a minute. I'm just walking around. Sorry, I need to cough. Talk amongst yourselves. Hello, I'm here. Hello.

So, my question would be, obviously people still see things sometimes, and sometimes, as you mentioned, they cannot be explained away by just frequency illusion. So, what do you think about perhaps it being that those companies just know us so well that they can predict what our plans might be?

I would say that's probably highly likely. So, one of my problems when I tried to experiment with this: I tried to turn all the privacy features off in my life, and I spent too long turning them on. So apparently Google doesn't know much about me, but because I turn privacy features off in my general life, I have different browsers for running different programs, and I'm the one who, when all those cookie consents go up, goes, "No, do not consent, do not consent, do not consent." It takes bloody ages. I started getting adverts for things that my wife was browsing for, because she comes from the same IP address. So it is fully possible, and there's a whole host of data about us, and it goes down to IP address level and so on.

The reason I'm asking is because I remember one case, so the story, it was in the US and it was one of the large chain shops, so it was Walmart or Target. I don't think this is about the pregnancy again. Yes. So for those unfamiliar, the father of a daughter who was 14, 15, which is an extreme age to be pregnant to begin with, started receiving coupons for pregnancy products and for baby products, and he complained about this and they apologised, and then it turned out that she indeed was pregnant and she was browsing pregnancy symptoms. So, that was a case like about five, six, seven years ago, which is probably even longer.

And so a 14-year-old was browsing pregnancy ones because she was pregnant, and they were getting vouchers for it. Now, I've heard of that one before. I've read about that one. I've heard an alternative view of that one. And it's Occam's razor again. What happens if they sent out just loads of packs of pregnancy vouchers to everyone? Do we know that they never did that? That's one I've heard. I don't know what's true or not. Or it's likely they could maybe have thought that she was browsing the pregnancy one. It is fully feasible either way. More questions or not? Yes. Good. You've got one. Good to have three questions. Three questions. Let's see if we can make it four. Finish on time.

So if this was happening, do you think it matters, and do you think in 10 years' time, if this was happening, will it matter, given that 10, 20 years ago if you had come into the room and said you're all going to have a microphone that listens to you all the time in every room in your house, people would probably have said that's crazy, we'll never do that. That's the world we're in now. Kids growing up with this, having it in that world, are we going to care in 10 years?

I don't... I'll be honest. The world my children have grown up into is totally different from the world I grew up into. They're used to having, you know, permanently connected internet access. Maybe it's not an issue for them. I honestly do not know. Come back in 5 years. Ask Google. Yes. And ask Google. I could do it now: "Hey, Google." Which is really probably where I'm going to, because the technology is there. Yeah. The ability is there. Surely if there's an opportunity that we should be using it, should we, feasible? Any philosophers here? I am 100% sure that somewhere, in fact the person with the microphone might answer this better than me, I'm 100% certain in one university somewhere a PhD student is putting that in as a thesis or, you know, a request for funding to do that research project. Right. Okay. Well, thank you once [Applause]