back to article Amazon and Google: Trust us, our smart-speaker apps are carefully policed. Boffins: Yes, well, about that...

The voice applications people use with their Amazon Alexa and Google Assistant smart speaker devices have privacy policies, but most users don't read them and neither device maker has shown much concern about policy problems or inconsistencies. Computer scientists from America's Clemson University – Song Liao, Christin Wilson …

  1. Winkypop Silver badge
    Big Brother

    Home “speakers” and privacy

    People gave that up when they turned their DIY wall-screens on.

    1. HildyJ Silver badge
      Facepalm

      Re: Home “speakers” and privacy

      It's worse than that. People actively want to give up their privacy to make their life easier.

      Whether it's actually easier is debatable but they've been told it's easier and they believe it.

  2. Charles 9 Silver badge
    WTF?

    Shut Up And Take My Privacy!

    Guaranteed, if someone tried to shut the door on them, at least the half the stuff would flat stop working and there'd be a backlash, privacy be damned.

  3. Mark192 Bronze badge

    Excellent article and research.

    So, essentially, the privacy policies that did exist were often cut and pasted from other, unrelated, products.

    I doubt there is any protection, even with a legit privacy policy, that protects us from bad actors.

    If I can use an analogy, it's like there's no barn door to shut because there's no barn, just an empty plot of land in the Wild West.

    The only good thing is that the Google and Amazon's focus on numbers means many users will not bother installing anything because the useful/entertaining stuff has been drowned out by all the crap.

    1. Neil Barnes Silver badge

      Indeed. A colleague recently plumbed in an Alexa at the office. After regaling me with fart noises, he was very fast indeed to cancel after I asked it to order fifty sex toys...

  4. Lee D Silver badge

    Top tip:

    If your device has a microphone, it's entirely a trust issue about what's happening to that data from that microphone.

    If it does not have a microphone, then it can't record sound.

    If you don't put this stuff in your living room, then it can't do things.

    1. Anonymous Coward
      Anonymous Coward

      My phone has microphones and I carry that around everywhere.

      Can you recommend a good tin foil hat?

      1. Anonymous Coward
        Anonymous Coward

        Naah - just wrap the phone in a few layers of foil. Works just as well, and also reduces the number of idiot callers.

      2. Graham Cobb

        My phone has microphones and I carry that around everywhere.

        Yes. And it is an important issue. But, as with all security, a risk assessment (even informal) is probably more useful than a tin foil hat.

        It is well understood that phone microphones are always compromised at a low level (often in hardware/ROM firmware) and are accessible over the air to network operators and law enforcement. That is why in very high security environments phones are banned and are even stored in Faraday cage bags at site reception.

        However, if your threat concerns do not include nation states or law enforcement, phone microphones by themselves are not much of a problem: any phone company or operator routinely tapping all its customers mics would be noticed quite quickly.

        However, it is clear that all "voice assistants" (whether from device manufacturers, operators, or 3rd party apps) are always listening and retaining data. Many people have noticed that adverts reflect recent conversations held near the phone, even when the assistant has not been asked a question. The only way to avoid that is to uninstall them. In the case of built-in assistants it should be enough to use their setting to disable them -- if they claim to be disabled but in fact are still recording then they are clearly committing an offence.

        But if you leave it enabled (listening for its trigger word), it will be recording and sending information back to its masters.

    2. Psmo Silver badge
      Megaphone

      Assuming they tell you. Remember the Nest thermostat that had a microphone?

      Google claimed it was not active...

  5. low_resolution_foxxes Bronze badge

    What's the situation these days with Smart TVs?

    My TV is not specified in the user manual with a microphone, nor does it appear to have any obvious microphone mechanical structures.

    That said, there is a button on the remote control that I allegedly need to push for it to interact with it using my voice.

    I'm using a Samsung 4K TV, so I am basically starting from the default position, that it will be hackable by anyone who wants it. C**** thing even serves me adverts on the UI menu.

    1. Julz Silver badge

      The microphone is probably in the remote.

    2. Anonymous Coward
      Anonymous Coward

      My LG is the same

  6. low_resolution_foxxes Bronze badge

    I am pleased at Google's response, actually paying attention and providing a bug bounty.

    1. EnviableOne Silver badge
      FAIL

      but they fail as their own apps dont follow their policy:

      "The boffins also observed that of the 243 Assistant actions recorded without a privacy policy, 101 had been developed by Google."

  7. eldakka Silver badge

    "We require developers of skills that collect personal information to provide a privacy policy, which we display on the skill’s detail page, and to collect and use that information in compliance with their privacy policy and applicable law," an Amazon spokesperson said in an emailed statement.

    Nowhere do I see in that statement regarding provacy policies adjective on those policies like:

    • relevant
    • accurate
    • reasonable
    • enforceable
    • understandable
    • binding
    or their synonyms.

    1. EnviableOne Silver badge

      sounds like a good box ticking exercise.

      they will only get better once they get hit with fines under GDPR or CCPA

  8. Pascal Monett Silver badge
    Thumb Down

    "optimized for quantity over quality"

    That seems to be what the epitaph of our civilization should be.

    "We require developers of skills that collect personal information to provide a privacy policy "

    No you don't, you just say you do. There are 47K+ "skills" that prove that a privacy policy is not a requirement.

  9. Screwed

    Very tempting to stop speaking English. That must be one of the biggest security issues.

    Thinking about Welsh. Should help for a while, until I develop a completely private language. And Welsh can actually be useful in other contexts.

    1. General Purpose

      Have you considered learning sign language?

  10. Mike 137 Silver badge

    No surprise there

    I remember a public presentation by a well known data protection consultant, who said "your privacy policy is PR". And so it seems for almost every Europe relevant privacy policy we've examined in the course of a couple of years of research. Less than 0.5% have been even broadly compliant with the GDPR and literally only a couple have essentially been fully compliant.

    1. Anonymous Coward
      Anonymous Coward

      Re: No surprise there

      I remember an internal corporate presentation where the expert said "your privacy policy exists to protect yourself from lawsuits". The advice was to never explicitly state you would never do X, because that is how you paint yourself in a corner and expose yourself to lawsuits. Instead, policies should give example of what you would do, and leave it open-ended.

      Which is actually pretty reasonable, considering people who don't care about privacy don't read anything, and people who care don't trust anything anyway. The actual text of policies is only read by lawyers preparing a lawsuit or defending against one...

  11. oiseau Silver badge
    Facepalm

    None

    Who can you trust these days?

    Certainly not Amazon or Google.

    Or any of the usual suspects for that matter.

    O.

  12. Psmo Silver badge

    "Optimi(z/s)ing for quantity over quality"

    Big G's real corporate motto.

  13. hoola Bronze badge

    The majority do not care.....

    What is troubling about this is that the people who use these devices simply don't give a stuff about privacy. They have not idea how the things work and have no concerns about what is being collected. Those of us that do care are in such a small minority that it is an irrelevance . Companies will continue to spew out ever more Internet connected tat that a gullible public will buy, install and use, further increasing the data collected by these parasites.

    Even if they do get caught out the standard procedure is to say "Sorry, we made a mistake" and pay a derisory fine that is the equivalent of losing 1p.

    The only thing that may be a game changer is if the fines are linked to revenues and are of sufficient magnitude that it actually hurts.

    1. Charles 9 Silver badge

      Re: The majority do not care.....

      At which point they'll just lobby the government itself or campaign for a change, finding that to be cheaper.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020