Hardcore Spying for Profit: The SilverPush Framework

The FTC has sent out letters to 12 companies telling them to stop using SilverPush in their products. Have you ever downloaded an app that wanted access to your microphone, even though it has no apparent use for it? Those torch and calculator apps are the sort that would likely be using the SilverPush framework.

“These apps were capable of listening in the background and collecting information about consumers without notifying them. Companies should tell people what information is collected, how it is collected, and who it’s shared with.” – Jessica Rich, Director of the FTC’s Bureau of Consumer Protection.

SilverPush uses “Unique Audio Beacons” to collect data about what you are watching and reading. Adverts that use SilverPush will emit an ultrasonic sound that is picked up by devices that contain the framework- although malware is a more accurate description.

Although SilverPush claim to have ceased using UABs they still haven’t removed it from their website. The product page describes how it can help clients to “understand customer behaviour across screens”. In other words, cross-platform surveillance to sell stuff! Adding another layer of disturbingness to the situation- the malware… err framework runs in the background.

Yup, that’s right full intrusion into your home. This malware makes devices whisper things you do in private away in real-time. Because that is the speed the internet (and the market) moves at these days.

We do not know which received apps the warnings. They have kept pretty tight lipped. The only thing we know is you can find them on the Google Play store. SilverPush claim that the product is not used domestically- i.e. within the United States- but it does boast of previous customers including Google, Facebook and Angry Birds.

The Center for Democracy and Technology has been on SilverPush’s case since last year. In comments filed with the FTC they said:

“Cross-device tracking can also be performed through the use of ultrasonic inaudible sound beacons. Compared to probabilistic tracking through browser fingerprinting, the use of audio beacons is a more accurate way to track users across devices. The industry leader of cross-device tracking using audio beacons is SilverPush. When a user encounters a SilverPush advertiser on the web, the advertiser drops a cookie on the computer while also playing an ultrasonic audio through the use of the speakers on the computer or device. The inaudible code is recognized and received on the other smart device by the software development kit installed on it. SilverPush also embeds audio beacon signals into TV commercials which are “picked up silently by an app installed on a [device] (unknown to the user).” The audio beacon enables companies like SilverPush to know which ads the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, along with other information that adds to the profile of each user that is linked across devices.

The user is unaware of the audio beacon, but if a smart device has an app on it that uses the SilverPush software development kit, the software on the app will be listening for the audio beacon and once the beacon is detected, devices are immediately recognized as being used by the same individual. SilverPush states that the company is not listening in the background to all of the noises occurring in proximity to the device. The only factor that hinders the receipt of an audio beacon by a device is distance and there is no way for the user to opt-out of this form of cross-device tracking. SilverPush’s company policy is to not “divulge the names of the apps the technology is embedded,” meaning that users have no knowledge of which apps are using this technology and no way to opt-out of this practice. As of April of 2015, SilverPush’s software is used by 67 apps and the company monitors 18 million smartphones.”

The founders of SilverPush were pretty pleased with themselves a few years ago. In an interview with Business Standard Mudit Seth boasted that they identify users through 50 different parameters. Given that advertising is a multi-billion dollar industry the question is, how many other companies are doing the same thing as SilverPush under the radar?