Spotify is listening to me on GrapheneOS

TranceSeven

zzz I'm beginning to think that there's an aggregate service that handles this cookie consent, which is used by a huge number of partners. I was on the NFL website back in January and it used exactly the same cookie consent banner as another site that I had just visited that was otherwise completely unrelated. Same banner, same number of partners (last I looked, it was over 900).

de0u

DeletedUser410 I used Spotify in the past (years ago, before using grapheneOS)
I got the feeling that it used to keylog my in-browser searches, based on the very much specific ads that I was receiving

The human mind is very good at seeing patterns, even when the underlying data are random. A cloud may look like a horse, but that's happening inside the brain, not because somebody is shaping nearby clouds into horses.

With systems designed to collect and react to behavioral data, like Spotify, the app is reacting to the same person as the web browser. If you searched for hiking pants, meanwhile you may well have been listening to the same kind of music as people who buy hiking pants listen to.

Without actual details of what was searched for and of the ad (which, understandably, you may not wish to provide), it's hard to evaluate how surprising a given example might be. But it's important to keep in mind that most of us exhibit the same behavior across multiple systems, and these systems are designed to classify behavior. Knowing your identity is great for them because it allows them to transfer their existing behavior observations, but even without identity your behavior is still your behavior.

DeletedUser410

de0u

I understand and agree with your point
I can also understand that since I have not provided contextualized evidence (even if anecdotal and empirical) other users might (and should) be skeptical of my claims
I also want to apologize for this, since I understand that claims , even if truthful and in good faith must be at least sustained with precise description of facts.
Spreading misinformation is far from my intentions, especially here, where I am talking with like minded people that support a great project that I strongly believe in and support.
I agree that I have not (and will not) provide precise information and context of my claims, since they are very much of private nature, so much that I personally consider the app unsafe
Based on my personal opinion I would not advise anyone to use the afromentioned app in an enviroment where there are sensitive information / important apps etc..
It is of course possible (as other users have pointed out) that I migth be wrong and the event might be casual, but since it presented itself multiple times until I deleted the app I doubt it.
I shared my point of view only to be of help to the person who started the tread
It was not my intention to spread misinformation / fear / make sensational claims or sound paranoid
I hope this clarifies my position.

hooram95

de0u The human mind is very good at seeing patterns, even when the underlying data are random. A cloud may look like a horse, but that's happening inside the brain, not because somebody is shaping nearby clouds into horses.

With systems designed to collect and react to behavioral data, like Spotify, the app is reacting to the same person as the web browser. If you searched for hiking pants, meanwhile you may well have been listening to the same kind of music as people who buy hiking pants listen to.

Without actual details of what was searched for and of the ad (which, understandably, you may not wish to provide), it's hard to evaluate how surprising a given example might be. But it's important to keep in mind that most of us exhibit the same behavior across multiple systems, and these systems are designed to classify behavior. Knowing your identity is great for them because it allows them to transfer their existing behavior observations, but even without identity your behavior is still your behavior.

Yeah, I totally agree with you @de0u it’s not really spying, just clever pattern-spotting. Our habits show up across platforms more than we realize, and it’s kind of wild (and a bit unsettling) how easily systems can connect the dots.

zzz

ryrona

There is a popular myth that a certain major social media platform has been spying on their users using the phone microphone, to show targeted ads, [...] No such spying using the microphone actually happened, and would in fact be very illegal in pretty much all countries.

It is illegal - kind of.
Enforcement is pathetic and they know it. Surveillance corps bug the mic and everything else they can, then years later they take the weak wrist slap offered by regulators, then simply continue doing their disgusting business.

One of many examples:
https://apnews.com/article/apple-iphone-siri-settlement-what-to-know-3a543c8f31256b03897cdeaca4cd9b3f

ryrona

dawt Regular apps can definitely communicate across profiles by listening on localhost.

Yeah, that is what I said, the shared loopback device is the only known way apps can communicate between profiles. And it is true they only need network permissions for that. They don't need and cannot obtain the INTERACT_ACROSS_PROFILES permissions.

Blastoidea Just because something is illegal, doesn’t mean it isn’t done.

That was not my point. Such spying did not occur in the mentioned case. I just mentioned it is also illegal to spy in that way, as many falsely believed it was legal and broadly done.

zzz It is illegal - kind of.
Enforcement is pathetic and they know it. Surveillance corps bug the mic and everything else they can, then years later they take the weak wrist slap offered by regulators, then simply continue doing their disgusting business.

One of many examples:
https://apnews.com/article/apple-iphone-siri-settlement-what-to-know-3a543c8f31256b03897cdeaca4cd9b3f

Yeah, but that was brought to court. Unlike pretty much all data collection and user profiling that the big corporations openly do, and openly admit in their privacy policy that they do, listening through the microphone is not one of them, since it would be illegal for them to do at all, and illegal for them to omit in their privacy policy.

Still, it happens, through neglect or ignorance or malice. So don't grant microphone permissions to possibly untrusted or invasive apps.

DeletedUser433 You mean they don't need [IPC]? Isn't that kinda risky, what if other apps have been using it all this time?

This is not theoretical, the Facebook app, Instagram app, and Yandex apps have all been caught spying across profiles using the loopback device, including spying on web browser activity done in other user profiles if visited web pages embedded their analytics javascripts, calling home through the loopback device to the app installed in another user profile.

Open bug ticket:
https://github.com/GrapheneOS/os-issue-tracker/issues/4772

The issue is partially mitigated by patching Vanadium to block loopback connections from websites, but other apps can still communicate across profiles, including that Instagram installed in one profile can communicate with Instagram installed in another user profile.

DeletedUser433

dawt You mean they don't need IRC? Isn't that kinda risky, what if other apps have been using it all this time?

de0u

DeletedUser410 I shared my point of view only to be of help to the person who started the [thread].
It was not my intention to spread misinformation / fear / make sensational claims or sound paranoid.
I hope this clarifies my position.

If the forum fills up with threads in which people make allegations about specific apps doing specific shocking and illegal things, but don't provide corroborating details, that could be problematic.

There is a difference between publicly describing one's experiences, even if shocking, and publicly stating shocking and negative conclusions about particular third parties who might view those conclusions as defamatory.

I am not an attorney, and defamation law varies widely by country, but I would be hesitant to post things like "Something happened to me that I won't provide details of, so I concluded that Spotify in particular was in particular logging keystrokes I typed at other apps".

DeletedUser433

ryrona So I must encrypt everything before sending it through the Inter Profile App? These companies are so insidious

ryrona

DeletedUser433 So I must encrypt everything before sending it through the Inter Profile App? These companies are so insidious

No, they cannot spy on the data sent on the loopback device. They can send data there themselves, if they have an app on both user profiles they control. That is what I meant.

dawt

DeletedUser433
Inter Profile Sharing has a password feature specifically for this reason.

ryrona
No, both are true. There's nothing preventing some rogue app from impersonating the Inter Profile Sharing app (ie. listening on the same port and implementing the same protocol) and stealing data that you send through the Inter Profile Sharing app.

DeletedUser410

de0u

I expressed my opinion, and I tried to clarify that this was not a given fact, and, as other users pointed out I might be wrong
Since many people with more experience than me on this topic pointed out that most likely what happened to me was a casuality, I retract what I said.
It is far from my intention do make wrong statements that might put this forum in a bad spot.
I apologize and hope that should an admin read this post would delete my previous ones should they be considered harmful to the community
Or maybe someone can just flag them and have them deleted since I am unable to do it.
I do not know what else to say and I sincerely hope this settles it

FlipSid

nonyabidness
I use Google Messages for the exact same reason. I don't have any issues, as described in this thread, with it.

de0u

DeletedUser410 I sincerely hope this settles it

I think so / hope so. At this point, if somebody comes on this thread it doesn't contain only the rumors. May your GrapheneOS work flawlessly (and may your device's flash storage last past the EOL date).

raccoondad

DeletedUser410 There is malaware that keylogs users and I do not see how a big app might noto do it since there is big money in it.

No, they are not. There are millions of other explanations, this is just pure misinformation.

This is not how android, GOS, or Spotify functions. You most likely were still hit with google analytics if not a coincidence between the ad and a search you made. You not being logged in or not using Google search doesnt mean analytics isnt being used.

You are making completely unfounded statements on a subject you don't understand. This stuff just spreads paranoia and actively makes people fall for bad security practices.

DeletedUser410

raccoondad

In my previous post I acknowledged my mistake and apologized for it.
I have also explicitly retracted my statement recognising my conclusions were wrong and misguided.
I obviously jumped to conclusions without doing enough research on the topic
I tried to delete my previous post in order to prevent further misinformation on the topic
Since it is not possible for me, I also asked if other users can flag the posts so that moderators / admin can delete them and avoid this to go on any longer or from other users to read and be misguided by my wrong assumptions
Misguiding other people is far from being my intention
If you can flag my previous posts so that admin can read these last posts and delete the previous ones I believe it would be for the better
I hope that by now it is clear that I was wrong and my intentions were not malicious.
I apologize again
Thanks in advance

LGgos

One thing you want to do with Google Messages is turn off spam protection. If you read the policy linked from the toggle, that sends your messages to Google and is also used to train their AI. You have no granular privacy settings here - either you use the spam filter and hand over everything for them to do what they like with, or you switch it off.

This is like a lot of newer Google stuff unfortunately. Google Assistant Vs Gemini is another example, GA was made while Google was at least pretending to care so keeping your recordings can be disabled - Gemini is just "hand over all your data and all your conversations forever including training or you can't use it".

« Previous Page