Muting videoconferencing apps may not prevent them from listening

Martin Brinkmann
Apr 17, 2022
Updated • Apr 17, 2022

Videoconferencing solutions have seen a huge boost since 2020. Workers and students started to work or learn from home, and communicated with others using videoconferencing services.

Videoconferencing relies on camera and microphone access, and it appears that the built-in controls to mute the microphone do not always prevent apps from listening and sending data.

Sometimes, users who participate in a video conference may want to mute their microphone. Examples include going to the bathroom, talking to someone nearby, or answering the door. Most users would expect that hitting the mute button mutes all audio and prevents it from being sent, but research suggests that this may not be the case.

The research paper "Are You Really Muted?: A Privacy Analysis of Mute Buttons in Video Conferencing Apps", published by Kassem Fawaz, assistant professor of electrical and computer engineering at the University of Wisconsin-Madison, suggests that videoconferencing applications may still record and send data while mute is activated.

Videoconferencing applications require access to a device's camera and microphone, which users control through operating system functionality and sometimes, in the case of the camera, through hardware options. Permissions can be revoked and managed, but once permissions have been granted, apps and services have access to the hardware devices until the permissions are revoked.

Most applications and services include built-in options to turn off the camera or the microphone. Blocking access to the camera prevents apps from accessing the camera as it "engages an OS-level control", according to the researchers. The mute control in applications, on the other hand, uses a different, app-dependent system, which may lead to the recording and sending of audio data while mute is active. The researchers note that none of the operating systems they looked at supported "OS-mediated software mute" functionality.

Videoconferencing services can be divided into two broad categories: native apps and web apps. The core difference between the two categories when it comes to muting is that native apps "collect data from the microphone with few restrictions" while web apps need to "request access to the microphone through a web server", which "generally has more restrictive policies for data collection and more tools that allow the user to control the app's access to hardware".

The team analyzed the muting behavior of ten different video conferencing and audio chat applications, including Microsoft Teams, Skype, Zoom, Google Meet, Discord and Jitsi Meet. The services were then classified into three "broad policies" based on the analysis:

1. Continuously sampling audio from the microphone: apps stream data from the microphone in the same way as they would if they were not muted. Webex is the only VCA that continuously samples the microphone while the user is muted. In this mode, the microphone status indicator from an operating system remains continuously illuminated.

2. Audio data stream is accessible but not accessed: apps have permissions to sample the microphone and read data; but instead of reading raw bytes they only check the microphone’s status flags: silent, data discontinuity, and timestamp error. We assume that the VCAs, like Zoom, are primarily interested in the silent flag to tell if a user is talking while the software mute is active. In this mode, apps do not read a continuous real-time stream of data in the same way as they would while unmuted. Most Windows and macOS native apps can check if a user is talking even while muted but do not continuously sample audio in the same way as they would while unmuted. In this mode, the microphone status indicator in Windows and macOS remains continuously illuminated, reporting that the app has access to the microphone. We found that applications in this state do not show any evidence of raw audio data being accessed through the API.

3. Software mute: apps instruct the microphone driver to completely cut off microphone data. All of the web-based apps we studied used the browser’s software mute feature. In this mode, the microphone status indicator in the browser goes away when the app is muted, indicating that the app is not accessing the microphone.

Cisco Webex was found to access the microphone continuously while muted. The researchers could not determine how Microsoft "Teams and Skype use microphone data when muted", as they make direct calls to the operating system. The research team concluded that the behavior of applications that fall into categories one and two violates user expectations.
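One way to turn the three policies above into a repeatable check, as an added example that is not from the article or the research paper: it classifies a trace of microphone API activity recorded before and after pressing mute. The trace format, the event names, the sample traces and the 0.5 rate threshold are assumptions made for this illustration.

```python
# Added example. The trace format is an assumption, not the researchers' tooling:
#   "<seconds> <muted|unmuted> <event>"
#   read_audio  - raw sample bytes were copied out of the capture buffer
#   check_flags - only buffer status flags (silent, ...) were inspected
#   stream_stop - the capture stream was released (microphone cut off)
UNMUTED = "0.00 unmuted read_audio\n0.01 unmuted read_audio\n0.02 unmuted read_audio\n"
TRACES = {  # constructed sample traces, one per hypothetical app
    "app_a": UNMUTED + "1.00 muted read_audio\n1.01 muted read_audio\n1.02 muted read_audio\n",
    "app_b": UNMUTED + "1.00 muted check_flags\n1.10 muted check_flags\n",
    "app_c": UNMUTED + "1.00 muted stream_stop\n",
    "app_d": UNMUTED,  # instrumentation saw nothing after mute was pressed
}

def parse(trace):
    for line in trace.strip().splitlines():
        ts, state, event = line.split()
        yield float(ts), state, event

def rate(stamps):
    """Events per second across a list of timestamps (0.0 if too few)."""
    if len(stamps) < 2 or stamps[-1] <= stamps[0]:
        return 0.0
    return (len(stamps) - 1) / (stamps[-1] - stamps[0])

def classify(trace, ratio=0.5):
    """Map a trace onto one of the three mute policies, or 'undetermined'."""
    reads = {"muted": [], "unmuted": []}
    flag_checks, stopped = 0, False
    for ts, state, event in parse(trace):
        if event == "read_audio":
            reads[state].append(ts)
        elif state == "muted" and event == "check_flags":
            flag_checks += 1
        elif state == "muted" and event == "stream_stop":
            stopped = True
    baseline = rate(reads["unmuted"])
    muted = reads["muted"]
    # Policy 1: raw audio is read at a rate comparable to the unmuted baseline.
    if baseline and rate(muted) >= ratio * baseline:
        return "continuous sampling"
    # Policy 2: the stream stays open but only status flags are inspected.
    if not muted and flag_checks:
        return "accessible, not accessed"
    # Policy 3: the stream was released and no raw reads were seen while muted.
    if not muted and stopped:
        return "software mute"
    # No visible activity, or only sporadic reads: the trace cannot decide.
    return "undetermined"
```

The `undetermined` result covers the situation the researchers describe for Teams and Skype, where the instrumentation does not see how microphone data is used.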

Conclusion

Computer users have better control over muting behavior when they use web services, as these need to go through the browser for their activity. When it comes to muting in videoconferencing applications, it is advisable to use the operating system's mute functionality, as it ensures that access to the microphone is blocked for as long as it is muted.

The full research paper is available here as a PDF document.

Now You: do you use videoconferencing tools?

Publisher: Ghacks Technology News


Comments

  1. beemeup5 said on April 18, 2022 at 4:22 am

    I have a cheap USB headset controller (one end is a TRRS port while the other is a conveniently long USB cable which plugs into the PC and whatever is connected shows up as a USB headphone / mic in the OS) that has separate buttons for enabling / disabling the headphones or microphone.
    If I want to mute myself I press the mic button, the light turns off on the switch, I know I’m muted.

    My webcam comes with a physical privacy cover too. Don’t trust software, be sure with hardware.

  2. owl said on April 18, 2022 at 1:37 am

    These features are designed to “prioritize usability for corporate use, which is the primary market that profitable as a service business”, rather than privacy measures for home use.
    https://www.ghacks.net/2022/04/06/microsoft-teams-in-firefox/#comment-4518944
    In short, the results tend to be in conflict with what is desired for corporate use and what is not desired for home use.
    Home users should be aware of their use and merits and demerits.

  3. Tony said on April 17, 2022 at 8:21 pm

    I have a USB extension cord that I keep on routed to my desk for easy access to disconnect my camera from the USB when I’m not using it.

    I also uninstall WebEx at work, after using it for necessary meetings.

    It is sad that Teams is built-in to Windows 11 now. (I think you can remove it though.) Teams recently seems to have integrated LinkedIn, so now there is a social media aspect attached to Teams spying.

  4. MrE said on April 17, 2022 at 7:49 pm

    I have been using MicSwitch on Windows. Check it out @ https://github.com/iXab3r/MicSwitch

    It works great for Windows users.

  5. Mr X said on April 17, 2022 at 3:40 pm

    And this is why we need physical switch buttons to turn off sound and video. Completely. Ideal would be, on a laptop, a webcam/mic on top of the lid that pops out when you need it. When it pops out it gets electrical contact and is on. When you push it back in it has no electrical contact and is off, the peace of mind you get is also a massive bonus, because the webcam cannot see anything, not even if there are tiny little chinese and russian spies inside your laptop hotwiring the electrical connections without you knowing it. When these tiny little spies are pushing the camera up from its concealed case, you will know. And then you can boil your computer before placing it in an oilbarrel and pouring concrete over it and dumping it in an active volcano.

  6. Anonymous said on April 17, 2022 at 2:37 pm

    I only use web-based apps, which seem fine according to the article. But I don’t trust them anyway: when I want to mute, I mute my headset.

  7. Paul(us) said on April 17, 2022 at 11:34 am

    I am using Microsoft Teams and Google Meet because that’s what most of the people I video conference with use. Also, I have still not found the time (or am I too lazy?) to research whether I can use Telegram, Signal, Discord, and Jitsi Meet with people who use Microsoft Teams and Google Meet, and/or whether they are safer to use.

  8. Yash said on April 17, 2022 at 10:52 am

    Supposedly Android and iOS are much more secure coz sandbox, uniformity and more nonsense. The companies who have bad privacy practices will always violate user privacy. Android and iOS are among the worst for privacy so no surprises Apps find new ways every now and then to get around supposedly secure OS.

    1. owl said on April 18, 2022 at 1:42 am

      Equating Google and Apple is too extreme.
      Google is certainly injustice and sly (the end-user is like a “lamb of God”), but Apple products have a high degree of freedom (Beneficial arbitrariness) by the end user.

      While perfection is ideal, it is often unsuitable for actual use cases.
      Especially in corporate use, performance (usability and efficiency) is paramount.

      1. Yash said on April 18, 2022 at 5:21 pm

        Well that is a good point about Apple. But I listed them too because this behaviour was first noticed on iOS.

        I won’t agree with high degree of freedom about Apple products. Most of the time there are few options. The only thing driving Apple is the premium they charge. Thanks to the premium, Apple products escape scrutiny because premium. Though some can say performance of Apple OS can demand premium because it is quite good especially in tablets, sector solely ruled by Apple. Part of very few examples where monopoly is good because it is driving the sector alone.

      2. owl said on April 19, 2022 at 2:39 am

        @Yash,
        > I won’t agree with high degree of freedom about Apple products.

        You were equating Google with Apple, so I just expressed the difference between Google and Apple.

        By the way, are you an Apple product user?
        Unless you are an actual user, you have no way of knowing what is really going on.
        I have been an Apple product user since the “Macintosh” era and have used various Apple products both at home and at work.

        You, @Iron Heart, and others are reviewed from a “perfect” oriented point of view, but it is not correct to judge things on a “good or bad” binary.
        “Perfection never exists” in all times and places.
        In other words, we should make value judgments based on “better” options and use cases.

        In the following, What makes “Apple” better than “Google”
        Apple is committed to protecting user privacy by including anti-tracking features in its Safari web browser and specifying the use of data in its App Store. Even Apple’s own products are limited in some functions due to Apple’s privacy protection guidelines.
        Apple’s Privacy Rules Leave Its Engineers in the Dark — The Information
        https://www.theinformation.com/articles/apples-privacy-rules-leave-its-engineers-in-the-dark

        iPhone and iPad users have probably experienced the following “choose whether to track” screen when installing an app. This display is one of Apple’s privacy protection mechanisms to “let users decide for themselves how their information is handled,” and a number of such mechanisms are in place in its products.
        https://www.apple.com/privacy/

        In addition, Apple’s privacy protection guidelines apply not only to apps developed by third-party vendors, but also to apps and operating systems developed by Apple itself, as a screen similar to the above “screen for selecting whether to track” is displayed when installing Apple’s genuine apps.

        For example, the “Speak to Siri to Shop” feature, which was developed in 2015, was discontinued because “no workaround could be found for Siri to link the voice information it collects to the Apple ID.”

      3. Yash said on April 19, 2022 at 1:27 pm

        Just out of curiosity – are you an Apple salesman?

        And please don’t compare me with IH. His world involves binary code.

        Freedom of choice in Apple – do you know Safari is part of PRISM? Stating Safari’s privacy protections is hypocrisy at best. You know why? Coz in Apple’s view, if they track user history – all fine. But if someone else tries – panic! burglar!

        Recent Apple privacy policy changes where they wanted to scan user photos for tracking sorry I mean security. Introducing new tech where you can’t even replace battery from 3rd party service. There are hell lot more ugly cases than these. So much for freedom of choice.

        Praising Apple and saying Google is bad is same like fan protests at various clubs where they diss their owners for lack of spending for success and then doing it again because surprise now there is no financial stability!

        BTW I own iPad currently but that’s farthest I’ll go in Apple devices. Used others and have no intention of buying anything again from Apple.

        Plus read this article again, this muting behaviour was noticed in iOS first.
