
Shazam

Serious concerns
Apple · 🇺🇸 United States
Evidence types: Policy · App Permissions · Network Traffic · Firmware · Regulatory
Technical details
App: com.shazam.android
Manufacturer: Apple Inc.

The bottom line

You open Shazam and tap the button to identify a song. Done? You toggle it off. The button says off. But the microphone is still on. A security researcher found that Shazam never stops accessing your Mac's microphone while the app is running. "OFF" means Shazam stops processing audio. It doesn't mean Shazam stops receiving audio. Your microphone is still active, still streaming sound to the app. You just can't tell because the button says off. The distinction between "receiving audio" and "processing audio" exists in Shazam's code. It doesn't exist in any user's understanding of what "off" means. When you turn something off, you expect it to stop listening. Shazam stops thinking about what it hears. It doesn't stop hearing.

You opened Shazam. Before you identified a single song -- before you even tapped anything -- the app sent your device identifiers and advertising ID to Facebook. Privacy International caught this in 2018: the moment Shazam launched, it called home to graph.facebook.com. Not after you used it. On launch. Your advertising ID went to Facebook because you opened a music app. Apple bought Shazam that same year. Apple -- "what happens on your iPhone stays on your iPhone" -- acquired an app that was transmitting user data to Facebook before users could do anything about it. Apple has since cleaned up some trackers, but Exodus Privacy still finds tracker signatures in the Android version. The app that identified your songs also identified you to Facebook.

Legal jurisdiction
🇺🇸 United States (headquarters)

CLOUD Act: US govt can demand your data from this company even if stored overseas
FISA §702 / PRISM: NSA collects stored emails, photos, messages without individual warrants
Geofence warrants: Police can demand location data for everyone near a crime scene
Scores
Spying: 3/4 HIGH (Is someone spying on me?)
Data Sharing: 3/4 HIGH (Who gets my data?)
Security: 0/4 N/A (Is it actually secure?)
Honesty: 1/4 LOW (Can I trust what they say?)
CONFIGURE: high-risk areas that can be partially mitigated with settings changes.
6 contradictions (0 critical, 4 high, 2 medium), 5 sources.
Findings by concern
Spying (3/4 HIGH): 4 findings
⚡ HIGH: marketing claims vs third-party research

What they claim: Shazam allows users to toggle music recognition on and off, with an "OFF" state that implies the app stops listening to ambient audio.

What we found: A security researcher discovered that Shazam never stops accessing the microphone on Mac as long as the app is running. Toggling the app "OFF" tells Shazam to stop saving or processing audio data, but the app continues receiving audio input from the microphone. The distinction between "receiving" and "processing" audio is invisible to users -- the toggle appears to turn listening off, but the microphone remains active. The user interface communicates "off" while the hardware remains "on." On mobile devices, Shazam's auto-recognition feature maintains microphone access in the background. The app's core function -- identifying music from ambient audio -- requires constant microphone access when active, creating a persistent audio surveillance channel that users believe they can disable but technically cannot while the app is running.

⚡ HIGH: marketing claims vs app permissions
Every song you Shazam is timestamped. If you gave location access, it's geotagged too. Over years, that library tells a story. The bar where you go on Fridays. The gym on Tuesday mornings. The concert last summer. The song playing in the store when you bought your wedding ring. Shazam knows your mood -- sad songs at 2 AM, workout music at 6 AM. It knows your social life -- identifying songs at a party versus alone in your car. With 225 million monthly users, Apple has a real-time map of what music is playing where, when, and who's listening. A song identification app became a behavioral diary that 225 million people write in voluntarily. Apple says the data supports "related Apple products and services." Your musical life, in Apple's service.

What they claim: Shazam presents itself as a simple utility: hear a song you like, tap a button, find out what it is. "Shazam will identify any song in seconds."

What we found: Shazam's identification history creates a detailed behavioral profile over time. Each identification records: the song, the timestamp, and optionally the location. Combined, this data reveals where users spend their time (restaurants, shops, gyms, bars, concerts), when they are active, their emotional state (song genre correlates with mood), their social context (identifying songs at parties vs. alone), and their cultural and demographic profile. With 225 million monthly users, Shazam's aggregate data reveals real-time cultural trends and commercial intelligence -- which songs are playing in which stores, which neighborhoods, at what times. Apple's privacy page states this data may be used in "de-identified, aggregate" form to "support related Apple products and services." A library of every song you've ever identified, timestamped and geotagged, is not a music tool. It's a behavioral diary.

⚫ MEDIUM: marketing claims vs app permissions
Shazam wants to know where you are. To "show you where you recognized a song." How often do you look at a map of places you've heard songs? The feature exists, but it's not for you. It's for the dataset. Every Shazam with a location tag tells Apple which songs are playing in which stores, which restaurants, which bars, which gyms. Multiply that by 225 million users and you have a real-time map of commercial music: what's playing where, when, and who's listening. That data is worth real money to the music industry, to advertisers, to Apple Music's recommendation engine. You get a pin on a map you'll never look at. Apple gets a global surveillance network of commercial music consumption.

What they claim: Shazam requests location access to "show you where you recognized a song" and to provide local trending charts.

What we found: Shazam requests coarse location access (ACCESS_COARSE_LOCATION on Android). The stated purpose -- showing where you recognized songs and building local charts -- benefits Shazam and Apple's data collection more than the individual user. Most users do not need a map of where they heard songs. The feature creates a location-tagged history of user movements anchored to specific venues: the restaurant where a song was playing, the store, the gym, the bar. Combined with timestamps, this creates a partial mobility trace. Shazam's local trending charts aggregate this location data across millions of users, revealing which songs are playing in which commercial venues -- data of direct value to the music industry, advertisers, and Apple's own services. The "where you recognized a song" feature is presented as a user benefit but primarily serves as a mechanism to justify continuous location data collection from a music app.

⚫ MEDIUM: marketing claims vs third-party research
If Facebook bought Shazam, the internet would have burned down. Apple bought Shazam, and people shrugged. "Apple cares about privacy." But Shazam was sending data to Facebook before Apple bought it. Exodus Privacy still finds tracker signatures in the Android app. Apple's own privacy page says Shazam data "may be used" for "related Apple products and services" -- language designed to be both reassuring and unlimited. "De-identified" data from 225 million users isn't anonymous when it includes timestamped, geotagged behavioral patterns. The trust Apple has earned is real. The assumption that every Apple product deserves that trust is not. Apple's privacy reputation is doing the work that Shazam's actual privacy practices can't.

What they claim: Apple positions itself as the privacy company -- "Privacy. That's iPhone." -- and Shazam benefits from this brand association as an Apple-owned service.

What we found: Shazam's pre-acquisition data practices -- including Facebook SDK integration, advertising ID transmission, and tracker presence -- were not fully disclosed to users when Apple acquired the app. Apple removed some third-party SDKs post-acquisition, but the Exodus Privacy analysis continues to find tracker signatures in the Android APK. Apple's privacy page for Shazam uses careful language: data "may be used" in "de-identified, aggregate" form for "related Apple products and services." The word "may" creates maximum flexibility while the phrase "de-identified" suggests anonymity that research has repeatedly shown is difficult to maintain with behavioral data. Apple's privacy reputation creates a trust halo that reduces the scrutiny applied to Shazam's data practices. Users who would question a Facebook-owned music app accept identical data collection from an Apple-owned one. The brand is the privacy policy most users read.

Data Sharing (3/4 HIGH): 1 finding
⚡ HIGH: policy claims vs network analysis

What they claim: Shazam's privacy summary states it collects data to provide the music recognition service and improve the user experience, with Apple emphasizing its commitment to privacy.

What we found: Privacy International's 2018 investigation found that immediately after opening Shazam -- before any user interaction -- the app sent data to graph.facebook.com. The data included device identifiers, the advertising ID, and app version information. The Shazam configuration exchange also contained references to Facebook and other advertising providers. This data transmission happened automatically, before the user identified any music or made any choices about data sharing. The Facebook SDK was present in the app's code, enabling automatic data collection on launch. Apple acquired Shazam in 2018, the same year this investigation was published. While Apple has since removed some third-party SDKs, the Exodus Privacy report continued to find tracker signatures in the Android APK. A music identification app that phones Facebook before you even tap a button.
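The launch-time transmission described above is the kind of behaviour a reviewer can check for mechanically. The following is an added example, not code from the page, Shazam or Privacy International: it scans a simplified per-app flow log for third-party hosts contacted between app launch and the first user tap. The log format, the event names and the first-party domain `example-music-app.test` are constructed assumptions; only `graph.facebook.com` comes from the finding.

```python
"""Flag hosts an app contacts before the user has interacted with it."""
from datetime import datetime, timedelta

# Constructed sample session (not captured traffic): "<timestamp> <kind> <value>".
# kind is EVENT (app lifecycle / UI) or CONNECT (outbound connection to a host).
SAMPLE_LOG = """\
2018-05-01T10:00:00.120 EVENT app_launch
2018-05-01T10:00:00.480 CONNECT graph.facebook.com
2018-05-01T10:00:00.900 CONNECT config.example-music-app.test
2018-05-01T10:00:14.000 EVENT first_user_tap
2018-05-01T10:00:14.300 CONNECT api.example-music-app.test
"""

# Hypothetical first-party domain for the app under review.
FIRST_PARTY_SUFFIXES = ("example-music-app.test",)


def parse_log(text):
    """Parse log lines into (timestamp, kind, value) tuples, skipping blanks."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, value = line.split(maxsplit=2)
        rows.append((datetime.fromisoformat(ts), kind, value))
    return rows


def is_first_party(host, suffixes):
    """True if host equals or is a subdomain of one of the first-party suffixes."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def pre_interaction_third_party(text, first_party_suffixes):
    """Return [(host, ms_after_launch)] for third-party hosts contacted after
    app_launch and before first_user_tap (or until the log ends if no tap)."""
    launch = None
    hits = []
    for ts, kind, value in parse_log(text):
        if kind == "EVENT" and value == "app_launch":
            launch = ts
        elif kind == "EVENT" and value == "first_user_tap":
            break  # everything after this point had a user action behind it
        elif kind == "CONNECT" and launch is not None:
            if not is_first_party(value, first_party_suffixes):
                hits.append((value, (ts - launch) // timedelta(milliseconds=1)))
    return hits


if __name__ == "__main__":
    for host, ms in pre_interaction_third_party(SAMPLE_LOG, FIRST_PARTY_SUFFIXES):
        print(f"{host} contacted {ms} ms after launch, before any user input")
```

A first-party config host contacted pre-tap is expected and is filtered out; a third-party host at that point is the finding the reviewer is looking for.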

Honesty (1/4 LOW): 1 finding
⚡ HIGH: marketing claims vs regulatory findings
Apple paid $400 million for Shazam -- a company that had never turned a consistent profit. The EU investigated why. Shazam's data reveals which streaming service every user subscribes to: Spotify, Amazon Music, YouTube Music. The Commission was concerned Apple would use this data to identify Spotify users and target them with Apple Music promotions. The deal was cleared, but the investigation acknowledged what Apple actually bought: a window into its competitors' customer bases. Two hundred twenty-five million monthly users' streaming preferences. Apple didn't pay $400 million for a button that identifies songs. Apple paid $400 million for a dataset that tells it exactly who uses Spotify and how to reach them.

What they claim: Apple marketed the Shazam acquisition as enhancing the music experience for Apple users, bringing "a great Shazam experience to even more people."

What we found: The European Commission opened an in-depth antitrust investigation in April 2018, specifically concerned that Apple would use Shazam's data as a competitive weapon. Shazam data reveals which users subscribe to which streaming services -- Spotify, Amazon Music, YouTube Music. The Commission worried Apple could use this data to target competitors' customers and push them toward Apple Music. While the deal was ultimately cleared (September 2018), the Commission's investigation acknowledged data as a weapon in digital markets. The investigation examined data along four metrics: variety, velocity, volume, and value. Apple paid $400 million for Shazam -- a company that had never been consistently profitable. The value wasn't in the technology. The value was in the data: 225 million monthly users' music habits, streaming service preferences, and behavioral patterns. Apple didn't buy a song identification app. Apple bought a funnel to its competitors' customer data.

What happened to real people
Documented incidents involving Apple products and user data.
PRISM participant since 2012. Apple dropped full iCloud E2EE plans (codenamed Plesio/KeyDrop) after FBI objections (Reuters 2020). Advanced Data Protection released 2022 as opt-in with deliberate friction.
Apple handed over iCloud backups in 1,568 cases covering ~6,000 accounts. 90% compliance rate. Surveillance firm: "If you did something bad, I bet I could find it on that backup."
Government requests for push notification metadata rose from 158 (H1 2023) to 277 (H1 2024). Push tokens can identify devices and link to accounts.
What your data is worth to governments
Apple complied with 12,043 government data requests in H1 2024. That's +621% over 10 years. Apple has been a confirmed PRISM participant since 2012. Under this programme, the NSA collects stored communications. The company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702).