Amazon and Google: Trust us, our smart-speaker apps are carefully policed. Boffins: Yes, well, about that...

Who can you trust these days?

The voice applications people use with their Amazon Alexa and Google Assistant smart speaker devices have privacy policies, but most users don't read them and neither device maker has shown much concern about policy problems or inconsistencies.

Computer scientists from America's Clemson University – Song Liao, Christin Wilson, Long Cheng, Hongxin Hu, and Huixing Deng – provided The Register with a pre-publication copy of research they conducted into voice assistant apps and their privacy rules.

In a paper titled, "Measuring the Effectiveness of Privacy Policies for Voice Assistant Applications," the boffins analyzed 64,720 Amazon Alexa skills and 2,201 Google Assistant actions – apps that interact with the voice-controlled mic-speaker hardware people use to bug their own homes – and found them largely lacking.

Of these, 46,768 Alexa skills (72 per cent) and 234 Assistant actions (11 per cent) had no privacy policy.

The academics attributed the Google-favoring gap to Amazon's lax skill certification process, the focus of previous research.

"After conducting further experiments on the skill certification, we have understood that even if a skill collects personal information, the developer can choose to not declare it during the certification stage and bypass the privacy policy requirement," the paper states.

"This is achieved by collecting personal information through the conversational interface (e.g., asking users’ names). Even though this data collection is prohibited, the certification system of Amazon Alexa doesn’t reject such skills."

The boffins also observed that of the 243 Assistant actions recorded without a privacy policy, 101 had been developed by Google.

What's more, they found 1,755 Alexa skills and 80 Google actions with broken privacy policy systems, along with various other problems such as duplicate privacy policy URLs shared across different apps and privacy policies that offer descriptions inconsistent with the app's actual function.

Worse still, Amazon and Google both offer voice assistant apps that violate their own rules. Amazon's Weather skill, for example, collects location data but doesn't provide a privacy policy link in its store description.
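An added example, not the Clemson researchers' code: a store-side audit for the problem classes reported above (no policy, data collection without a policy link, a dead policy link, one policy URL shared by several apps, and a policy that never mentions the data collected). The listings, field names, finding labels and the keyword-match heuristic are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed listings (hypothetical ids/URLs/fields); policy_text None = dead link.
LISTINGS = [
    {"id": "weather-now", "collects": ["location"], "policy_url": "", "policy_text": None},
    {"id": "trivia-night", "collects": [], "policy_url": "", "policy_text": None},
    {"id": "sleep-sounds", "collects": ["email"], "policy_text": "We store your email address.",
     "policy_url": "https://Policies.example/privacy/"},
    {"id": "kids-stories", "collects": ["name"], "policy_text": "We store your email address.",
     "policy_url": "https://policies.example/privacy"},
    {"id": "bus-times", "collects": ["location"], "policy_text": None,
     "policy_url": "https://bus.example/pp"},
]


def normalise(url):
    """Fold host case and trailing slash so near-identical URLs compare equal."""
    parts = urlsplit(url.strip())
    return f"{parts.scheme}://{parts.netloc.lower()}{parts.path.rstrip('/')}"


def audit(listings):
    """Return {listing id: sorted findings}; an empty list means nothing was flagged."""
    by_url = defaultdict(list)
    for item in listings:
        if item["policy_url"]:
            by_url[normalise(item["policy_url"])].append(item["id"])
    report = {}
    for item in listings:
        findings = set()
        if not item["policy_url"]:
            findings.add("collects-data-without-policy" if item["collects"] else "no-policy")
        else:
            if len(by_url[normalise(item["policy_url"])]) > 1:
                findings.add("policy-url-shared")
            if item["policy_text"] is None:
                findings.add("broken-policy-link")
            else:
                # Heuristic (assumption): the policy should name each data type collected.
                text = item["policy_text"].lower()
                missing = [d for d in item["collects"] if d not in text]
                if missing:
                    findings.add("policy-omits:" + ",".join(missing))
        report[item["id"]] = sorted(findings)
    return report

if __name__ == "__main__":
    print("\n".join(f"{k:14} {v or ['ok']}" for k, v in audit(LISTINGS).items()))
```

A shared URL is not proof of a bad policy on its own; it is a triage signal that the text is probably generic rather than written for the app.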

The Clemson scientists have published a summary of their findings to GitHub.

Asked why Amazon and Google haven't addressed these issues when the Clemson computer scientists can flag them with a bit of Python code, Long Cheng, assistant professor in the school of computing at Clemson University and a co-author of the research paper, speculated that it may have something to do with how new these platforms are.

"They probably focus more on implementing new features/functionalities at the current stage," he said in an email, noting that Google took the issue seriously and removed the Assistant actions with missing privacy policies. The ad biz also paid a $5,000 reward for reporting the problems.

Amazon makes privacy policies mandatory only for skills that collect personal information, Long said, adding "But we found so many Alexa skills providing meaningless privacy policies."

"The presence of so many problematic privacy policies indicates that Amazon's post-certification audits still need to be improved," he said.

Those developing voice assistant apps are often not professional developers, he said, suggesting that both Amazon and Google have optimized for quantity over quality.

The research paper also describes a survey of 66 Alexa and 25 Google Assistant US-based users, conducted through Amazon Mechanical Turk. The survey found that 52 per cent of respondents were unaware of the privacy policies of their voice assistant apps; 73 per cent rarely read those privacy policies; and 47 per cent don't know what kind of information their skills/actions are capable of collecting.

Also, 75 per cent of respondents said they would enable a skill intended for kids without reading its privacy policy.

The paper's authors say they've reported their findings to Amazon, Google, and the US Federal Trade Commission.

The Register asked Amazon and Google to comment on the research.

"We've been in touch with a researcher from Clemson University and appreciate their commitment to protecting consumers," a Google spokesperson said in an emailed statement. "All Actions on Google are required to follow our developer policies, and we enforce against any Action that violates these policies."

"We require developers of skills that collect personal information to provide a privacy policy, which we display on the skill’s detail page, and to collect and use that information in compliance with their privacy policy and applicable law," an Amazon spokesperson said in an emailed statement.

"We have not yet been given the opportunity to review this research paper. We will closely review it when available, and engage with the authors to understand more about their work. We appreciate the work of independent researchers who help bring potential issues to our attention."

The paper concludes with the recommendation that platform owners implement a function to briefly summarize voice app privacy policies aloud, since many people only interact with voice assistant software via voice. ®
