Music-recognizing app Shazam retains access to the Mac's microphone, keeping it in a constant on state, even when Shazam has been turned off. The potentially worrisome feature was discovered by security researcher Patrick Wardle, who developed an app called "OverSight" to warn users when other apps are using their webcam and microphone. After its launch, one OverSight user contacted Wardle and told him Shazam kept listening even after it was toggled off in settings.
Wardle, who's also an ex-NSA hacker, reverse-engineered Shazam's Mac app and posted his findings in a personal blog. What he discovered was that the app essentially keeps the Mac's microphone on to create a snappier user experience when song detection is required, but Wardle doesn't believe there's "any malice" to the company's desktop and laptop app.
In a statement sent to Motherboard, Shazam's vice president of global communications, James Pearson, confirmed that the app keeps the microphone on but "the audio is not processed unless the user actively turns the app 'ON.'" In essence, Shazam for the Mac is constantly accessing the computer's microphone, but only gaining access to audio and processing user data when turned on.
“There is no privacy issue since the audio is not processed unless the user actively turns the app ‘ON.’” James Pearson, the VP of global communications for Shazam, said in an emailed statement. “If the mic wasn’t left on, it would take the app longer to both initialize the mic and then start buffering audio, and this is more likely to result in a poor user experience where users ‘miss out’ on a song they were trying to identify.”
As Wardle summed it up on his blog:
In other words what 'OFF' appears to mean, is simply, "stop processing the recorded data" ...not cease recording.
Pearson refuted the idea that the always-on microphone was a bug, reiterating that the lack of audio processing in Shazam's off state was always the company's intended purpose for that mode, saying that "the user's decision not to leverage our app's functionality is fully respected" because of it. Since the report has become more widespread, Shazam's Chief Product Officer Fabio Santini confirmed to CNET that the company will be updating the Mac app within the next few days to change how the app works, in order "to show that we care, and we pay attention, and we want them to feel good about using Shazam on their Mac."
Despite Wardle's confirmation that Shazam appears to be largely truthful, with no recorded audio being sent, saved, or processed by the company when the app is turned off, he remained wary of Shazam's failure to disclose exactly how much access it has to the Mac's microphone before his discovery. This is mostly due to the fact that, although Shazam's intentions appear wholesome, another party could design malware that resides within the app and steals its toggled-off recordings, without the user ever being warned.
Again, though it appears that Shazam is always recording even when the user has toggled it 'OFF' I saw no indication that this recorded data is ever processed (nor saved, exfiltrated, etc). However, I still don't like an app that appears to be constantly pulling audio off my computer's internal mic. As such, I'm uninstalling Shazam as quickly as possible!
On iOS, users have a bit more insight into Shazam's background functionality thanks to Apple's hard-to-miss red banner that sticks to the top of the screen when an iPhone's microphone is on in another app. Wardle's main problem appears to be a lack of a similar warning for users on the Mac side of things, saying that "users should know" what has access to their computer's input devices and when.
Check out his full breakdown of the Shazam Mac app here.
Update: Shazam's Vice President for global communications James Pearson contacted MacRumors to emphasize that Shazam has not actually recorded audio from the Mac's microphone through this behavior.
Contrary to recent rumors, Shazam doesn’t record anything. Shazam accesses the microphone on devices for the exclusive purpose of obtaining a small fingerprint of a subset of the soundwaves, which are then used exclusively to find a match in Shazam’s database and then deleted.