Video Conferencing Apps May Listen to Users Even When Muted

A team of experts from the University of Wisconsin–Madison and Loyola University Chicago has published a study revealing that popular video conferencing apps, including those used in corporate environments, continue to actively access the microphone even after users press the Mute button. Essentially, the mute buttons within these apps may not fully deactivate the microphone, unlike the controls provided by the operating system.

The researchers plan to present a detailed report on this issue at the Privacy Enhancing Technologies Symposium in July 2022.

How Video Conferencing Apps Handle Microphones

The study warns that some apps constantly monitor microphone input—even when muted—and collect telemetry data, which is then sent to their servers. This data can be used to accurately determine different types of background activity by users.

According to the analysts, the main problem is that video and audio signals are processed inconsistently. For example, in macOS and Windows, turning off the camera in an app is tied to an OS-level control, which completely disables the camera and provides a clear visual indicator that it’s off. However, software mute buttons depend on the specific app and rarely show a visible indicator that the microphone is still recording sound. In essence, mute buttons in apps often don’t work the way most people expect.

“In video conferencing apps, we found fragmented policies for handling microphone data: some constantly monitor microphone input while muted, others do so periodically,” the experts wrote. “One app even sends audio statistics to its telemetry servers when the app is muted.”

Which Apps Were Studied?

The researchers examined popular video conferencing products such as BlueJeans, Cisco Webex, Discord, Google Meet, GoToMeeting, Jitsi Meet, Microsoft Teams/Skype, Slack, WhereBy, and Zoom (Enterprise). To prove that the sense of privacy users feel when their microphone is muted is false, the experts used a proof-of-concept classifier for background activity. This allowed them to accurately recognize six types of background actions based on telemetry packets sent by the apps when the microphone was muted.

Most of the products listed above had some privacy issues, but these were generally limited or only theoretical. All of these apps had the technical ability to capture audio when the microphone was muted, but most never actually used this capability.

The researchers explained that most native Windows and macOS apps “can check if the user is speaking even when muted, but they don’t continuously sample audio as they would if the mic were on.” For web apps, the browser’s software mute function tells the “microphone driver to completely disable microphone data.” However, the researchers couldn’t determine exactly how Microsoft Teams and Skype use microphone data when muted, since “they access the operating system directly” instead of using the standard Windows API.

Cisco Webex: A Notable Exception

One app, however, was found to misuse its capabilities and analyze audio signals even when the microphone was muted. Cisco Webex was discovered to send network packets containing audio telemetry data to its servers every minute, even if the microphone was muted.

“We found that all the apps we studied can actively access the microphone (i.e., capture raw audio) when the user is muted. Interestingly, Cisco Webex requests microphone access regardless of the mute button’s state in both Windows and macOS. Even when muted, the Webex audio buffer contained raw microphone audio.”

The researchers emphasized that Webex was the only product that “continuously records microphone data when the user is muted” and sends telemetry data to its servers every minute. The experts were able to intercept this data in plain text and use it for highly accurate fingerprinting of users’ background activities.

This telemetry does not include actual recorded sound, but rather values derived from the audio, such as the volume level of different background activities. These values were sufficient to identify background activity in the room—like cooking, cleaning, or typing—with up to 82% accuracy.

Cisco’s Response

The researchers notified Cisco about this issue in January 2022 so the company could investigate. Cisco has since told the media that the problem has been resolved:

“In January 2022, researchers found that audio setting data, such as volume and gain (but not actual voices or sounds), was being logged and collected when users muted themselves in Webex during conferences. This data was intended to support user experience (for example, muting notifications, suppressing background noise, optimizing volume) and troubleshooting. In January 2022, Webex stopped collecting audio setting data related to troubleshooting when users muted themselves,” the company stated.

Webex customers are now advised to contact Cisco if they want to completely disable this type of “tracking,” which is necessary “for features that remain active even when the user is muted, such as mute notifications and echo suppression.”