Who are “they” anyway? This perennial question has been asked for decades—and now that we have reached the 21st century, the question has taken on new meaning. With the advent of Artificial Intelligence (A.I.) and mainstream consumer access, the new question is not if someone is listening, but who is listening and what are they planning to do with all the data they find?
In an Engadget article earlier this year, researchers reportedly found a way to control Alexa remotely and task her with recording and transcribing your private conversations. So, perhaps it’s good idea to follow-up on this report with more information. There are very few safeguards in the wild frontier of AI and Machine Learning, which means your home, car, or office Siri (Apple), Alexa (Amazon) Cortana (Microsoft) could easily and subversively be eavesdropping on your every music request, food delivery order, or seemingly private conversation with your family. For many of us, this may not seem all that concerning—after all, what can anyone do with the information that you love Drake and Pad Thai? Fortunately, nothing. But can you really say there is nothing, absolutely nothing, happening in your home that isn’t private? If the answer is no, then there’s a potential problem.
Tap Tap—Is This Thing On?
It may sound creepy, but for AI or “machine learning” to work, your smart device needs to get to “know” you. Essentially, the AI powered service in your car, home, or smart phone optimize themselves over time, fine-tuning the way they listen to your voice. In this way, consumers are unwittingly trading convenience for privacy. Some people are concerned that even when these devices are shut down or “sleeping,” they are still collecting data by listening to our conversations. And while this sounds like something akin to an Orwellian plot, it is not far from reality.
Earlier this year, researchers built a seemingly harmless Alexa Skill that would actively record long after most Skills shut down to preserve people’s privacy. To be clear, a “Skill” is a conversational application for Amazon IoT products that provides capabilities and enables customers to create a more personalized experience. Checkmarx’s Amit Ashbel told CNET that it could just keep recording. He found that as far as we could tell, there was no limit—just as long as no one told the bot to stop. And to be clear again, this is not a theoretical scenario but a real one.
Case in point. In May of this year, Amazon said that one of its Echo devices mistook a woman’s words for a set of commands instructing it to record her conversation with her husband and then sent it to one of his employees. Apparently, it was a benign conversation, but if you own an Echo and are concerned about what it might be recording, an Amazon help page explains that you can review, listen, and delete the audio and other interactions in the settings menu.
In early October, Facebook announced its first branded hardware products, the Portal and Portal Plus— AI-powered smart speakers and video-chat devices that live in your home and let you call your Facebook friends. The launch of the Portal, Facebook’s fancy new video-chat device and its always-on microphones and cameras has the social networking giant battling a backlash after successive scandals. The company claims higher security standards, but this may come at a price. Facebook may use the data it collects about you to target you with ads, despite claims that it would not, as reported in Recode.
Anything Connected Can Be Hacked—So Protect Your Rights.
Stricter scrutiny and regulation on tech players compared to the recent past is right around the corner. Smart speakers and other connected devices will continue to raise the question of privacy and security, especially in the context of the Facebook and Google data breaches in October 2018, and the Cambridge Analytica one earlier in the year.
On September 28, 2018, California Governor Jerry Brown signed into law a bill titled “Security of Connected Devices” (CaSCD) to regulate security of Internet of Things (IoT) devices. Like the California Consumer Privacy Act of 2018 (CaCPA), this law is the first of its kind in the U.S. and will become effective on January 1, 2020. It requires a manufacturer who sells or markets a connected device to California residents to equip that device with “reasonable security features,” appropriate to the nature and function of the device and to protect the information it may collect, contain, or transmit. Citing recent incidents of security vulnerabilities in children’s toys, the California Senate urged that the boom of IoT demands increased security measures to “prevent against attacks on personal privacy by way of internet-connected devices which include everything from cars, to street lights, parking meters, microwave ovens, door locks, power plants, and more.”
Each company’s strategy is to create its own ecosystem, which in and of itself is not a competitive issue. However, in doing so, they limit the choices of their consumers—for instance, by picking which item to highlight for a generic query as opposed to using a list through the web. Europe is already on the forefront of this type of regulation as French regulator Arcep has recently introduced the concept of platform/device neutrality when it comes to smart speakers, highlighting some of the antitrust issues Google has faced.