Disabling video conferencing apps may not prevent them from listening
Video conferencing solutions have seen a huge boom since 2020. Workers and students have started working or learning from home and communicating with others using video conferencing services.
Video conferencing relies on access to the camera and microphone, and it seems that built-in commands to mute the microphone don’t always prevent apps from listening and sending data.
Sometimes users who are in a video meeting may want to mute their audio output. Examples might include going to the bathroom, talking to someone nearby, or answering the door. Most users would expect pressing the mute button to mute all audio and prevent sending, but research suggests that may not be the case.
The research paper “Are You Really Muted?: A Privacy Analysis of Mute Buttons in Video Conferencing Apps”, published by Assistant Professor Kassem Fawaz in Electrical and Computer Engineering at the University of Wisconsin-Madison, suggests that video conferencing apps can still save and send data while muted.
Video conferencing applications require access to a device’s camera and microphone, which users control through operating system features and sometimes, in the case of the camera, through hardware options. Permissions can be revoked and managed, but once permissions are granted, apps and services have access to hardware devices until permissions are revoked.
Most apps and services include built-in options to turn off the camera or microphone. Blocking access to the camera prevents apps from accessing the camera because it “engages control at the operating system level” according to the researchers. Mute control in apps, on the other hand, uses a different system depending on the app, which can result in audio being recorded and sent when muted. The researchers note that none of the operating systems they reviewed support the “OS-mediated software mute” feature.
Video conferencing services can be divided into two broad categories of native apps and web apps. The main difference between the two categories when it comes to muting is that native apps “collect microphone data with few restrictions” while web apps must “request microphone access through a web server”, which “generally has more restrictive policies”. for data collection and more tools that allow the user to control the application’s access to hardware”.
The team analyzed the mute behavior of ten different video conferencing and audio chat apps, including Microsoft Teams, Skype, Zoom, Google Meet, Discord and Jitsi Meet. The services were then categorized into three “big policies” based on the analysis:
Continuous sampling of audio from the microphone: Apps stream data from the microphone in the same way as if they were not muted. Webex is the only VCA that continuously samples the microphone when the user is muted. In this mode, an operating system’s microphone status indicator stays on all the time.
The audio data stream is accessible but not accessible: applications have permissions to sample the microphone and read the data; but instead of reading the raw bytes, they only check the microphone status indicators: mute, data discontinuity, and timestamp error. We assume that VCAs, like Zoom, are primarily interested in the mute flag to indicate if a user is talking while the mute software is active. In this mode, apps don’t read a continuous stream of real-time data the way they would if sound wasn’t enabled. Most native Windows and macOS apps can check if a user is talking even when muted, but doesn’t continuously sample audio the same way it would when unmuted . In this mode, the microphone status indicator on Windows and macOS stays on continuously, indicating that the application has access to the microphone. We have found that applications in this state show no evidence of accessing raw audio data through the API.
Software Mute: Applications instruct the microphone driver to completely mute microphone data. All of the web apps we studied used the browser software’s mute feature. In this mode, the microphone status indicator in the browser disappears when the app is muted, indicating that the app is not accessing the microphone.
Cisco Webex was found to continuously access the microphone while muted. Researchers couldn’t determine how Microsoft “Teams and Skype use microphone data when muted” because they make direct calls to the operating system. The research team concluded that the behavior of apps that fall into categories one and two violates user expectations.
Computer users have greater control over opt-out behavior when using web services, as these must pass through the browser for their activity. For mute and video conferencing applications, it is advisable to use the mute feature of the operating system, as it ensures that access to the microphone is prohibited during the mute time. .
The full research paper is available here as a PDF document.
Now you: do you use videoconferencing tools?