Privacy SOS

Is Amazon’s Echo listening and keeping tabs on your conversations even when you haven’t commanded its attention? And does Google collect your health data?

From The Jetsons to Smart House and Star Trek, pop culture tells of our fascination with futuristic technology. So it’s no surprise to see many consumers enamored by Amazon and Google’s electronic home assistants and “smart” appliances. Want to turn off the lights? Just give Alexa a shout. In the mood for pizza? Say “Okay Google” and place your order. The benefits seem obvious: these devices make it easier than ever before to access and make use of the many services the internet offers. But both Amazon and Google make billions of dollars a year selling advertisements, which these companies are able to do in more and more targeted—and profitable—ways because of how much sensitive information they collect about their users. That isn’t news, of course. But the sensitivity and quantity of information that these companies can collect through their home assistants is something different from what we’ve seen over the past ten or so years. And according to a new report from Consumer Watchdog, consumers should be very concerned about what that means for their personal privacy, and that of their families, friends, and guests.

Amazon was the first company to release a digital home assistant, the Echo. Users say “Alexa” to get the device’s attention, and follow it with a command, like asking it to make a call, look something up, or place an order. According to Amazon, the device’s natural status is a “passive listening state” during which it analyzes all the conversations taking place around it but does not record or store them. Once a user addresses it, the Echo switches to a “responsive state” in which it does record speech and sends it back to Amazon’s servers. The company says that it then uses the stored data (aka: your words) to target advertising to the user.

But Consumer Watchdog’s analysis of a 2014 patent application for Amazon’s “Keyword Determinations from Voice Data” technology indicates that the company can sneakily sidestep its promise not to store conversations that take place while the Echo is in its “passive listening” state. According to the application, under this system the Echo would continuously listen for a “trigger word,” which the application describes as “a verb indicating some level of desire or interest in a noun.” This means that the Echo would constantly listen and wait for consumers to use common terms like “love,” “enjoy,” and “dislike.” It would then translate statements including these triggers into keywords and potentially even associate them with specific household members. This grabbing of sensitive information doesn’t, technically speaking, just apply to live conversations. If a user makes a call through Echo, the audio processing algorithm can analyze the conversation and store data for both persons on the call. Even if one of the people on the phone does not have an Echo device, the software can still collect their data. The patented tech allows the collected conversation data to be sent back to a data center and used for advertising purposes. The patent also indicates that during this process, the Echo could additionally send location data along with the keywords.

Google jumped into the digital home assistant market with the introduction of Google Home. Like Amazon, Google says the device does not record or send back voice data until a user addresses it by saying “Ok Google.” Like the Echo, Google Home can perform household tasks, look things up, and make online purchases. Unlike the Echo, however, Google Home can draw on a plethora of a user’s data by analyzing their Chrome browsing history, their Google searches, emails in their Gmail accounts, and their location data from Google Maps. This mass of information allows Google Home to tailor and target its interactions with users. Additionally, because of its line of “smart” home appliances like thermostats and security cameras, Google can record a wide variety of information like “noise signatures, moisture levels, subtle temperature changes, light levels, and other data that indicate what is happening inside the home.”

A patent application reveals that, using all the audio and visual information it collects, Google can determine details like when users are home, when they’re sleeping, when they’re watching TV, and even when they shower. The application explains why this information is relevant to Google’s business: “The answers to these questions may help third-parties benefit consumers by providing them with interesting information, products and services as well as with providing them with targeted advertisements.” Other patent applications reveal that Google seeks to collect consumers’ health data. For example, they describe creating systems to monitor how many times a specific toilet is flushed and to track users’ breathing patterns as they sleep. Another application details the ability to track users’ heart rates and advertise vacation plans to those who seem to be stressed.

Though convenient and seemingly fun, digital home assistants like the Echo and Google Home pose significant risks to consumers’ privacy and security, especially because many states and the federal government do not explicitly address these devices in privacy law. We don’t know how often, or how, law enforcement is demanding Amazon and Google hand over home device data, but there are already indications the police and federal agencies are interested in it. These companies track our movements online by using cookies and location data, and home assistant products allow them to track us when we’re “offline” as well. They can capture our conversations, our preferences, our habits, and who we interact with. In so doing, they further commodify individuals’ information by adding ever grainier details to companies’ dossiers on consumers.

And where there’s data, there’s a glut of commercial and government interest in sucking it up. Home insurance and utilities companies made deals with Google to put smart devices in their customers’ houses. Lenders and health insurance companies may also soon try to form similar deals. Law enforcement agencies have already sought out collected data, and in many states, including Massachusetts, electronic privacy law is stuck in the 1980s. Hackers are likely attracted to the mass of information as well, and it’s unclear whether the data is sufficiently protected. As recently as November, Armis, a security firm, revealed that both the Echo and Google Home were at risk of being hacked through Bluetooth. Digital home assistants compromise privacy for convenience. Consumers should be wary of adopting them, especially in states like Massachusetts, where lawmakers haven’t updated electronic privacy law to require law enforcement to get warrants to obtain our sensitive data from companies like Amazon and Google.

This blog post was written by ACLU of Massachusetts Technology for Liberty intern Iqra Asghar.

© 2018 ACLU of Massachusetts.