Smart speakers — Amazon’s Echo, Google’s Nest, Apple’s HomePod, and the like — are in approximately one-third of American homes, a number that’s sure to increase once all the cyber Monday deals have been shipped and Christmas presents have been unwrapped. But the people receiving (or giving) these digital personal assistants may not realize all the potential privacy pitfalls that come with them — or know what they can do to protect themselves from always-on listening and data collection devices.
Smart speakers and their virtual assistants are nice to have, but they collect a ton of data about their users by design. They listen for your commands, record your requests, and those recordings may be stored and accessed by other human ears. They can be used to build or contribute to a more comprehensive profile of their users, and their manufacturers are constantly coming up with new and unforeseen ways to use the data they collect. That doesn’t mean they don’t make for good and useful gifts, just that you should fully consider your privacy options before you decide to open your (or your Uncle Fred’s) home to one.
Smart speakers are more popular than ever, and users don’t always know what they’re getting into
Market intelligence firm IDC estimates that about 18 million smart speakers will be shipped in America in the fourth quarter of 2020 alone. Roughly 80 percent of those will be made by Amazon or Google, and most of the others made by third parties that incorporate Amazon’s Alexa and Google’s Assistant. (Apple’s HomePod has only a fraction of the market share, but if you count devices with Apple’s Siri voice assistant then you’ve got pretty much every iPhone and iPad out there, too.)
“Smart speakers are likely to be a hot item for the holidays this year,” Adam Wright, senior analyst for IDC, told Recode. “Vendors like Apple, Amazon, and Google have released new devices and ramped up their marketing efforts, and they are heavily discounting these devices for the holidays, making them highly visible and affordable. Moreover, the pandemic is serving as a boost for sales of these devices as consumers shift their spending priorities from other areas and look to these devices for entertainment and to stay connected with friends and family.”
Smart home devices make lives easier for their users in many ways. Depending on the smart home tech you own and what you connect to your speaker, it can play your favorite songs, answer your questions, tell you the weather, turn on your lights, control your thermostat, and announce who’s knocking on your door, among other things — and all cued by verbal commands issued from your couch.
That’s great for everyone, from people who have mobility issues to people who have always dreamed of living in a computer house that is at their beck and call. While smart speakers on their own are affordable for most people, getting all the bell and whistles — a video display, smart bulbs and plugs, security cameras and systems, thermostats, and the like — can bump the price tag up considerably.
There’s another cost, too: privacy. You may not be comfortable putting microphones that connect to some of the largest companies in the world — and the biggest collectors of personal data — in your home. And you might rightfully be concerned about what these devices are listening to and recording.
“If you have received one of these things as a gift, and you’re super paranoid, it’s probably going to be a very nice paperweight,” David Choffnes, an associate professor in computer science at Northeastern University who studies smart speakers, told Recode.
Studies have shown that most smart speaker owners don’t know that their devices are storing their recordings or that they might be reviewed by humans, and are concerned about how much data their devices collect about them (apparently not so concerned that they don’t continue to use them, however). But you do have some privacy options, and you might as well know what they are before you turn on your new digital assistant, or relegate the gift from a well-meaning loved one to very nice paperweight status.
How to know (and control) who’s listening to you and when
First of all: Yes, smart speakers are listening to you. In order to work, they have to. When you say a verbal cue — Hey Google, or Alexa, or Siri — the devices wake up, record your request, and send it to their servers, translate it into computer speak, and send a response back to you, all of which happens almost instantaneously. Developers are constantly refining and improving their voice recognition algorithms, but they aren’t perfect and the speakers make mistakes. They may not understand what you say or they may activate accidentally. So human beings are contracted to listen to a small sample of recordings to see where device algorithms are getting things wrong.
And that means someone out there might hear your request to play “Despacito” — or, if the device was activated accidentally, whatever you happened to say without knowing you were being recorded at all. Now, the chances that you can be identified by the listener and that you’ll say something embarrassing or somehow incriminating are exceedingly small. But there have also been isolated instances where Alexa recordings were turned over to law enforcement for use in investigations, or accidentally sent to random people. You may also want to consider who else in your home your device might overhear — your kids or (assuming the pandemic ever ends) visiting friends, for instance — and if they’re comfortable having Amazon listening in on whatever they say.
Amazon, Google, and Apple all give users the option not to have their recordings reviewed by human ears, and you can delete whatever they’ve recorded. (More details on how to do this can be found here, or you can check the privacy policies of those devices.) Some devices also allow you to disable their microphones and, if applicable, cameras. That will, of course, defeat the purpose of having these devices in the first place, but it’s not a bad idea to do it temporarily if you’re engaged in an activity you don’t want someone else to potentially see or hear.
Along those lines, you may want to avoid placing, say, a camera in sensitive areas and trusting that your device has taken proper security precautions or has your best privacy interests at heart. When Amazon’s Ring cameras were hacked, strangers could see inside children’s bedrooms. (Ring says that in this instance its systems and network were not hacked directly. The company told Recode that bad actors obtained Ring users’ login credentials through hacks of other companies and then used those credentials to gain access to Ring accounts. The company now has mandatory two-factor authentication on its products.) Ring also has partnerships with hundreds of police departments across the country, and its app was found to include multiple trackers that sent user information to Facebook, among other companies.
Your data may be used in other ways, but you can minimize your exposure
Another privacy control you should consider: how the devices collect and use your data in other ways. Google says it “may use” your interactions with Google Assistant to target ads to you, for instance. You’ll have to check your privacy settings and turn off ad personalization to prevent this, and trust that a company built on data collection and targeted ads is respecting your choice. Meanwhile, Amazon hasn’t been shy about its plans to create a virtual assistant that runs many aspects of its users’ lives — so it would have to know and learn a lot about its user to be able to do. You may be giving data to a company to be used for some future purpose you can’t yet imagine, let alone control.
“The thing that actually worries me a little bit more these days is just because they’re not sending [your recordings] to humans to interpret, doesn’t mean that they’re not doing something with your data,” Choffnes said. “The question I have is more what are the secondary purposes they might use that data for?”
One possible example of this is Amazon’s Sidewalk, a somewhat mysterious free feature coming to Echos, Rings, and any other device under its Sidewalk Bridge umbrella. Sidewalk uses Bluetooth and radio frequencies to connect all of your devices to each other and to any other Sidewalk Bridge devices in the vicinity — your neighbor’s Echo, for instance — turning your smart home into a smart neighborhood. It will extend the range of your own devices beyond your home wifi, and keep you connected through your neighbor’s wifi if yours goes down. It also means Amazon is getting an uninterrupted and expanded feed of your data. Amazon says this could allow people to use security cameras that exceed their home wifi range or locate lost pets (assuming they’re outfitted with a Sidewalk-enabled tracking device).
But Amazon hasn’t told us much about the service beyond basic details and a privacy white paper meant to assure concerned users that, while their data might be traveling through their neighbors’ devices, their neighbors can’t see or access any of it.
Another major concern among privacy advocates is that Sidewalk is opt-out, with a notice going out to Echo users — tens of millions of them — to let them know that their devices would be added to the Sidewalk network unless they went into the privacy settings on their Alexa and Ring apps to turn it off. Amazon didn’t respond to Recode’s questions as to why it placed the burden of choice to use Sidewalk on its customers, rather than creating a service so immediately useful to them that the majority would happily opt into it.
“It’s an interesting thing they built,” Choffnes said. “But if you can’t provide a compelling reason for everybody to opt in — and then your solution to that is to make it opt out — that’s a red flag, right?”
So, after you peel off the wrapping paper on your brand new virtual assistant and before you decide to turn it on — or toss it — take a look at how much data you might be giving away and how it may be used, how to prevent some of that exposure, and, finally, if the service it provides is worth what Amazon, Google, and other companies may learn about you.
Updated December 11, 2020, 6:45 pm ET: Added comment from Ring.
Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.