The persistent belief that smartphones record conversations for advertising purposes is largely unfounded. Academic studies and technical analyses have found no evidence of persistent voice surveillance by major platforms. What is happening is both more subtle and more pervasive: ultrasonic beacon technology that uses frequencies beyond human hearing to track your physical location, television viewing habits, and cross-device behavior through microphone access granted to hundreds of apps. By 2017, at least 234 applications had embedded software development kits capable of ultrasonic tracking, monitoring millions of users across retail environments, television programming, and public spaces without explicit consent.
The experience is nearly universal among smartphone users: you discuss a product with a friend, mention a brand you have never searched for online, and within hours advertisements for that exact item appear in your social media feeds. The coincidence feels too precise to be accidental. Surveys consistently show that substantial majorities of users—between 40% and 60% depending on the study—believe their phones are secretly recording their conversations for advertising purposes.
The technical evidence suggests otherwise. Multiple academic studies, including comprehensive research by Northeastern University published in 2018, have monitored network traffic from thousands of popular applications and found no evidence of apps secretly recording audio and transmitting it to advertisers. The researchers tested over 17,000 Android apps, playing audio in the background while monitoring all network communications, and detected no instances of unauthorized audio capture for advertising.
What the research did reveal was more subtle and, in some ways, more invasive: apps were capturing screenshots and screen recordings of user activity and transmitting this visual data to third parties, often without clear disclosure. The actual surveillance was not acoustic but visual, not conversational but behavioral.
But the persistent belief in audio surveillance is not entirely unfounded. While continuous conversation recording appears not to be occurring, a related technology has been deployed that uses smartphone microphones for tracking in ways most users do not understand and have not meaningfully consented to: ultrasonic beacons.
Ultrasonic tracking operates at frequencies between 18,000 and 20,000 hertz—above the typical range of adult human hearing, which generally extends to about 17,000 Hz, but well within the capability of smartphone microphones and speakers. The technology embeds unique identifying tones at these frequencies into television commercials, in-store audio systems, and other media. Apps with microphone access can detect these inaudible markers and report back which beacons were encountered, enabling tracking of television viewing, physical location, and cross-device behavior.
The technical approach was pioneered by several companies in the mid-2010s, most prominently SilverPush, an Indian advertising technology firm founded in 2013. SilverPush's system worked by inserting ultrasonic audio markers into television advertisements. When a smartphone with an app containing SilverPush's software development kit was in the same room as a television playing the ad, the phone's microphone would detect the ultrasonic tone and record which advertisement had been broadcast. This created a direct measurement of advertising exposure independent of what the user was doing on their phone.
The implications extended beyond simple ad measurement. By correlating which devices detected the same ultrasonic beacons from the same television at the same time, the system could link smartphones, tablets, and other devices to the same household or individual with high confidence—a practice known as cross-device tracking. This allowed advertisers to build unified profiles across all of a user's devices without requiring login data or cookies.
"Ultrasonic tracking represents a fundamentally different approach to cross-device identification. Rather than probabilistic inference based on IP addresses and browsing patterns, it provides physical-world proof that devices were in the same location simultaneously."
Arp, Daniel, et al. — IEEE European Symposium on Security and Privacy, 2017By 2016, SilverPush reported deployments across 18 countries. The company maintained that its technology was privacy-protective because it did not record actual conversations—only detected the presence of specific ultrasonic markers. Users had technically granted permission by allowing apps to access the microphone. But the specific use case of detecting inaudible tracking beacons was rarely, if ever, explicitly disclosed.
The true scope of ultrasonic tracking became clearer through academic research and regulatory investigation. In March 2016, the Center for Democracy & Technology, a digital rights organization, filed a complaint with the Federal Trade Commission alleging that SilverPush and the app developers using its SDK failed to adequately inform users that their microphones were being used for cross-device tracking.
The FTC responded by sending letters to 12 app developers in April 2016, requesting information about their data collection practices and disclosures. The investigation highlighted a fundamental gap in mobile platform permission systems: Android's microphone permission was binary—an app either had access or it did not. The permission system did not distinguish between using the microphone for voice calls, voice commands, audio recording for content creation, or ambient ultrasonic tracking.
Academic researchers at Braunschweig Technical University in Germany conducted the most comprehensive empirical analysis of ultrasonic tracking deployment in 2017. The team analyzed 1.3 million Android applications from the Google Play Store, searching for code signatures associated with ultrasonic tracking SDKs. They identified 234 applications that contained such code—not a large percentage, but representing potential exposure for millions of users given the install base of popular apps.
The researchers went further, conducting physical surveys of retail environments across four European cities. Using custom detection equipment capable of identifying ultrasonic frequencies, they monitored 35 stores for the presence of tracking beacons. Four stores—more than 11%—were actively broadcasting ultrasonic signals for tracking purposes. The beacons could be detected at distances up to 8 meters in typical retail environments, covering entire store sections.
While SilverPush focused on television-to-mobile tracking, other companies developed ultrasonic technology for different tracking applications. Lisnr, founded in 2012 and based in Cincinnati, positioned its ultrasonic platform primarily for proximity marketing and mobile payments. By 2018, Lisnr claimed deployment in over 150 million devices globally.
Lisnr's technology operated at slightly different frequencies—18.75 to 19.2 kHz—and could transmit data at rates up to 100 bits per second through audio alone. The company partnered with retailers, stadiums, and transportation systems to enable location-based services. A user entering a retail store might automatically receive a coupon on their phone. A concert attendee could have their ticket authenticated through ultrasonic transmission without needing NFC or Bluetooth.
Signal360, another retail analytics company, used fixed ultrasonic beacons throughout stores to track customer movement patterns. The system created heat maps showing which aisles customers visited, how long they lingered near specific products, and what path they took through the store. The data was sold to retailers as superior to WiFi-based tracking because it required no action from shoppers and worked regardless of whether they had enabled WiFi on their devices.
Shopkick represented a somewhat more transparent implementation. The rewards app, which had over 15 million users by 2017, used ultrasonic beacons to verify that users were physically present in stores before awarding points. Users had to actively open the app to trigger the verification process, making the listening more apparent than passive background tracking. However, once microphone permission was granted for this feature, the technical capability for continuous ambient monitoring existed, relying on company policy rather than technical limitation to prevent abuse.
The central legal and ethical question around ultrasonic tracking is whether standard platform permission systems constitute meaningful informed consent for this specific use case. Android's permission model notifies users that an app can access the microphone, but provides no detail about what the microphone will be used for or when it will be active.
Privacy policies typically mentioned data collection in broad terms, but users would need to separately locate and read these policies—often thousands of words long—rather than receiving specific disclosure at the point of granting permission. A user allowing a messaging app to access the microphone for voice messages might reasonably assume that is the extent of microphone use, not that the app would continuously listen for inaudible tracking beacons from retail environments and television advertisements.
The FTC's position, articulated in its 2016 letters to developers and 2017 public warning, was that even when technically covered by privacy policies and permission systems, failing to clearly disclose unconventional uses of device sensors could constitute deceptive practice under Section 5 of the FTC Act. However, the agency stopped short of prohibiting the practice entirely, focusing instead on disclosure requirements.
In November 2017, the FTC issued a statement noting that "as of the end of 2017, the Commission is not aware of any apps that are currently using ultrasonic cross-device tracking." This suggested that regulatory attention had successfully deterred deployment in the US market, at least temporarily. However, the statement also acknowledged that the technology remained viable and that future implementation would require clear disclosure.
European regulators took a more aggressive stance. The General Data Protection Regulation, which took full effect in May 2018, imposed stricter requirements for consent than US law. GDPR Article 6 requires that consent be "freely given, specific, informed and unambiguous"—a standard that generic microphone permissions arguably do not meet for ultrasonic tracking.
GDPR's purpose limitation principle, outlined in Article 5, requires that personal data be "collected for specified, explicit and legitimate purposes." A single microphone permission covering both voice calling and ambient ultrasonic tracking would likely violate this principle, as the purposes are distinct and one is not obvious from the other. Article 25's requirement for data protection by design and by default would require that tracking be opt-in rather than automatically enabled when microphone access is granted.
No major GDPR enforcement actions have specifically targeted ultrasonic tracking, likely because deployment decreased following earlier regulatory attention from the FTC and European national authorities. However, the regulation's framework makes aggressive ultrasonic tracking legally risky in European markets, particularly when combined with national privacy laws in countries like Germany and France that provide additional protections.
While not involving ultrasonic tracking directly, the FTC's 2017 settlement with television manufacturer Vizio established important precedents for disclosure requirements around ambient monitoring technologies. Vizio had installed Automatic Content Recognition software on 11 million smart TVs that tracked viewing behavior second-by-second, capturing not just broadcast programming but also content from connected devices like cable boxes and streaming devices connected via HDMI.
This viewing data was aggregated with demographic information purchased from data brokers and sold to advertisers—a business model similar in structure to ultrasonic cross-device tracking. The FTC found that Vizio's disclosures were inadequate even though the practice was mentioned in privacy policies. The $2.2 million settlement required explicit opt-in consent, deletion of data collected without valid consent, and implementation of a comprehensive privacy program.
"Consumers didn't know that Vizio was monitoring their sensitive viewing habits, let alone that Vizio was selling that information to others. Smart TV manufacturers must prominently disclose and obtain meaningful consent."
Jessica Rich, Director of FTC Bureau of Consumer Protection — February 2017The Vizio settlement established that devices capable of monitoring user behavior in home environments must provide clear, prominent disclosures separate from generic privacy policies, and must obtain affirmative opt-in consent. While the case involved smart TVs rather than smartphones, the principle applies equally to ultrasonic tracking: monitoring user behavior in physical spaces requires disclosure beyond what standard permission systems provide.
Mobile operating systems have evolved to provide greater transparency around sensor access, though ultrasonic tracking capabilities remain intact. Android 10, released in 2019, introduced more granular location permission controls, allowing users to grant location access only while an app is actively in use rather than continuously in the background. Android 12, released in 2021, added a privacy dashboard showing which apps have accessed sensitive permissions and when.
iOS implemented similar transparency features, with iOS 14 adding visual indicators when the microphone or camera is active. iOS 14.5, released in April 2021, introduced App Tracking Transparency, requiring apps to request explicit permission before tracking users across apps and websites owned by other companies. However, these frameworks focus primarily on conventional tracking methods like advertising identifiers and cookies, not ultrasonic beacons.
The technical capability for ultrasonic tracking remains unchanged. Smartphone microphones can detect frequencies up to 22-24 kHz—well above the 18-20 kHz range used by tracking beacons. The permission systems continue to treat microphone access as binary rather than purpose-specific. An app with microphone permission can listen for ultrasonic beacons regardless of whether that specific use was disclosed or whether the user would consent if explicitly asked.
The current evidence suggests that aggressive ultrasonic tracking deployment has declined since regulatory attention intensified in 2016-2017. The FTC's 2017 statement that it was unaware of active ultrasonic tracking, combined with the absence of more recent academic studies detecting widespread deployment, suggests the practice is not currently prevalent in mainstream apps distributed through official app stores.
However, several important caveats apply. First, the absence of detection does not prove absence of capability. The 234 apps identified with ultrasonic tracking SDKs in the 2017 Braunschweig study had the technical capability for tracking even if that capability was not actively being used or was used only in certain geographic markets.
Second, detection studies rely on analyzing network traffic and code signatures, which may miss tracking implementations that use encrypted transmission or obfuscated code. The Northeastern study that found no evidence of audio recording specifically noted this limitation—absence of detected transmission does not definitively prove no transmission occurred.
Third, regulatory and research attention has focused primarily on the US and European markets. Deployment patterns in other regions remain largely unexamined. The technical infrastructure for ultrasonic tracking—both the beacon transmission hardware and the SDK software—continues to exist and could be deployed rapidly if commercial incentives outweigh regulatory deterrence.
Ultrasonic beacons represented one approach within the broader cross-device tracking industry, which was estimated at over $3 billion annually by 2017. The industry pursues three primary methodologies. Deterministic tracking relies on login data—when users sign into platforms like Facebook, Google, or Amazon on multiple devices, those platforms can definitively link the devices. This approach is highly accurate but limited to walled gardens controlled by large platforms.
Probabilistic tracking uses statistical analysis of IP addresses, browsing patterns, location data, and other behavioral signals to infer device relationships without direct login data. Companies like Drawbridge (acquired by LinkedIn in 2019) and Tapad (acquired by Telenor in 2016 for $360 million) built substantial businesses around probabilistic graphs. This approach can operate across platforms but is less accurate than deterministic methods.
Ultrasonic tracking offered a third approach: physical-world proof that devices were in proximity simultaneously. A smartphone and tablet both detecting the same ultrasonic beacon from a television at the same time provided strong evidence of common ownership. This was more reliable than probabilistic inference but required hardware deployment and app integration, limiting scale.
The cross-device tracking landscape has shifted substantially since 2017. Apple's App Tracking Transparency framework, mandatory since iOS 14.5 in April 2021, requires apps to request explicit permission before accessing the Identifier for Advertisers (IDFA) or tracking users across apps and websites. Google announced plans to deprecate third-party cookies in Chrome and implement Privacy Sandbox alternatives, though implementation has been repeatedly delayed. These platform changes have significantly disrupted probabilistic tracking while strengthening the position of deterministic tracking through logged-in platforms.
The persistent belief in audio surveillance, despite limited evidence of its occurrence, reflects several psychological and structural factors. First, the experience of seeing ads for recently discussed topics, while often coincidental, is occasionally accurate because conventional tracking already captures so much behavioral data that advertising systems can predict interests with unsettling accuracy based on browsing history, location data, search queries, and social connections.
Second, the technical possibility exists. Phones do have microphones. Apps do have permission to access those microphones. The architecture for audio surveillance is in place; only policy and law prevent its activation. Users are correct that their devices could listen—they are wrong primarily about whether that capability is currently being used for advertising.
Third, actual surveillance through other means is occurring and has been repeatedly documented. The Northeastern study found undisclosed screen recording. Location tracking is pervasive. Browsing history is collected and sold. Users' intuition that they are being monitored is accurate; they have simply misidentified the technical mechanism.
Finally, companies have provided rational basis for distrust. Vizio did collect viewing data without adequate disclosure. Facebook did allow Cambridge Analytica to harvest data from 87 million users. Google did bypass Safari privacy settings to install cookies. The documented history of privacy violations makes extraordinary claims seem plausible because extraordinary privacy invasions have repeatedly proven true.
As of 2024, ultrasonic tracking appears to be largely dormant in mainstream consumer applications in regulated markets, deterred by regulatory attention, platform transparency improvements, and public awareness. Companies that built businesses around the technology have pivoted toward other services or rebranded to emphasize more accepted use cases like audio-based authentication rather than ambient tracking.
However, the technical capability remains intact. Smartphone microphones can detect ultrasonic frequencies. Permission systems continue to grant binary microphone access without purpose limitation. Beacon transmission hardware exists and could be deployed in retail environments, embedded in media, or broadcast in public spaces. The infrastructure for a rapid resumption of ultrasonic tracking remains in place, held in check primarily by regulatory deterrence and reputational risk rather than technical impossibility.
The more profound issue extends beyond any single tracking methodology. Mobile platforms have created architectures where sensors designed for user-beneficial functions—microphones for calls, cameras for photos, GPS for navigation—can be repurposed for surveillance with only minimal disclosure requirements. Permission systems inform users that access is being granted but rarely specify the full range of uses or provide granular control over different purposes.
Your phone is almost certainly not recording your conversations for advertising purposes. But it has the capability to detect signals you cannot hear, in environments you consider private, for purposes you have not meaningfully consented to. The absence of current widespread deployment should not be mistaken for absence of capability or future intent. The architecture of ambient surveillance is in place. Whether it remains dormant depends on the ongoing balance between commercial incentive, regulatory deterrence, and public awareness.