Muting videoconferencing apps may not prevent them from listening
Videoconferencing solutions have seen a huge boost since 2020. Workers and students started to work or learn from home, and communicated with others using videoconferencing services.
Videoconferencing relies on camera and microphone access, and it appears that the built-in controls to mute the microphone are not always preventing apps from listening and sending data.
Sometimes, users who participate in a video conference may want to mute their audio output. Examples may include going to the bathroom, talking to someone nearby, or answering the door. Most users would expect that hitting the mute button does mute all audio and prevents the sending, but research suggests that this may not be the case.
The research paper "Are You Really Muted?: A Privacy Analysis of Mute Buttons in Video Conferencing Apps", published by assistant professor Kassem Fawaz of electrical and computer engineering at the University of Wisconsin-Madison, suggests that videoconferencing applications may still record and send data while mute is activated.
Videoconferencing applications require access to a device's camera and microphone, which the users control through operating system functionality, and sometimes, in the case of the camera, through hardware options. Permissions can be revoked and managed, but once permissions have been granted, apps and services have access to the hardware devices until the permissions do get revoked.
Most applications and services include built-in options to turn off the camera or the microphone. Blocking access to the camera prevents apps from accessing the camera as it "engages an OS-level control" according to the researchers. The mute control in applications on the other hand uses a different app-dependent system, which may lead to the recording and sending of audio data while mute is active. The researchers note that none of the operating systems they looked at supported "OS-mediated software mute" functionality.
Videoconferencing services can be divided into the two broad categories native apps and web apps. The core difference between the two categories when it comes to muting is that native apps "collect data from the microphone with few restrictions" while web apps need to "request access to the microphone through a web server", which "generally has more restrictive policies for data collection and more tools that allow the user to control the app's access to hardware".
The team analyzed the muting behavior of ten different video conferencing and audio chat applications, including Microsoft Teams, Skype, Zoom, Google Meet, Discord and Jitsi Meet. The services were then classified into three "broad policies" based on the analysis:
Continuously sampling audio from the microphone: apps stream data from the microphone in the same way as they would if they were not muted. Webex is the only VCA that continuously samples the microphone while the user is muted. In this mode, the microphone status indicator from an operating system remains continuously illuminated.
Audio data stream is accessible but not accessed: apps have permissions to sample the microphone and read data; but instead of reading raw bytes they only check the microphone’s status flags: silent, data discontinuity, and timestamp error. We assume that the VCAs, like Zoom, are primarily interested in the silent flag to tell if a user is talking while the software mute is active. In this mode, apps do not read a continuous real-time stream of data in the same way as they would while unmuted. Most Windows and macOS native apps can check if a users is talking even while muted but do not continuously sample audio in the same way as they would while unmuted. In this mode, the microphone status indicator in Windows and macOS remains continuously illuminated, reporting that the app has access to the microphone. We found that applications in this state do not show any evidence of raw audio data being accessed through the API.
Software mute: apps instruct the microphone driver to completely cut off microphone data. All of the web-based apps we studied used the browser’s software mute feature. In this mode, the microphone status indicator in the browser goes away when the app is muted, indicating that the app is not accessing the microphone.
Cisco Webex was found to access the microphone continuously while muted. The researchers could not determine how Microsoft "Teams and Skype use microphone data when muted", as they make direct calls to the operating system. The research team concluded that the behavior of applications that fall into categories one and two violate user expectation.
Computer users have better control over the muting behavior when they use web services, as these need to go through the browser for their activity. When it comes to muting and videoconferencing applications, it is advised to use the operating system's mute functionality, as it ensures that access to the microphone is prevented for the time it is being muted.
The full research paper is available here as a PDF document.
Now You: do you use videoconferencing tools?Advertisement