Privacy and Security Issues with Smart Speakers

Q&A: Privacy and Security Issues with Smart Speakers

Featuring Phyllis Marcus

Partner at Hunton Andrews Kurth LLP + Speaker & Expert on Children's Online Privacy Laws

Phyllis Marcus heads the advertising counseling practice at Hunton Andrews Kurth LLP. She also focuses on privacy issues related to mobile commerce and is a national expert in children’s online privacy law. She is frequently interviewed by media outlets, including Bloomberg Law, Law360, The New York Times, The Washington Post, and NPR Marketplace. In this interview, Phyllis talks about privacy and security issues surrounding our smart speaker devices.

AMY KWAK: I’m not a tech person who has a lot of gadgets, like an Alexa or Ring doorbell. Does that mean I don’t have a smart speaker? What exactly is a smart speaker?

PHYLLIS MARCUS: Smart speakers are hidden in places where you might not expect them. For example, if you have an internet connected TV, you have a smart speaker. Internet connected devices, such as tablets, laptops, and even children’s toys, can have smart speakers enabled in them.

AMY KWAK: Let’s say I buy an in-home assistant, like an Alexa, that I know is a smart speaker. I have to check on the consent boxes to operate the device – the ones that say I agree “someone” can collect my data, and if I don’t check the boxes, I can’t operate the system, right? Or can I get around that part?

PHYLLIS MARCUS: When you are setting up the device, you have to agree on the terms of service for the product, which is a contract between you and the manufacturer. But there are now more granular privacy settings in the settings portion of your device, so you can think through the choices the manufacturer is giving you and set up the device based on your comfort level. For example, you can choose if you want voice recordings to be saved and for how long, or that you want them deleted altogether. Based on your settings though, the manufacturer might say the functionality of the smart speaker might be less than optimal because the manufacturer uses your voice to use artificial intelligence to make voice searches better and smarter. So you need to weigh having a voice-activated system that is as up to date and up to speed as possible, against how comfortable you are with recordings going back in time that are captured, transcribed, and held by the company.

AMY KWAK: If I click on all on the boxes for optimal performance, when my information is collected, is there anything else happening with my information other than that which is necessary to operate my device better for me?

PHYLLIS MARCUS: There are tons of uses for your searches downstream, and they could be shared widely with advertisers. There is a complicated ecosystem where your information could be disseminated all over the place for you to get more personalized advertising directed back to you. But again, with certain products, you might be able to turn off uses for personalized advertising, in which case you won’t see targeted ads that you might be interested in, based on your searches.

AMY KWAK: What if the product is made in a different country, like China, and the consent box relates to a Chinese company. How is this different?

PHYLLIS MARCUS: This puts users in a bit of a bind. There are companies that are household names that we have come to trust and whose practices are transparent enough that you can read about them. In the case of Tic Tok, for example, Tic Tok’s owner is in China, and the [former] administration had sought to ban Tic Tok in the US unless it was sold or spun off to a US-based company because of security concerns about who might have access to our user information while in foreign hands. This is something for users to think about when engaging with a company based outside of the US.

AMY KWAK: How do I know if I have a privacy concern or a security concern, and what is the difference?

PHYLLIS MARCUS: Privacy deals with the bits and pieces of information that a company collects about you and from you. Security deals with how the company keeps that information safe once it’s gathered. While separate, they merge in consumers’ minds because you want to give as little information about yourself in order to make your product function, and then you want to know your information is being stored securely.

Even with companies that are household names, there are both privacy and security questions that regulators and law enforcers look into. The Federal Trade Commission is the primary agency that enforces both privacy and security. For example, the FTC settled with Zoom regarding allegations that Zoom represented it encrypted users’ data in a certain way, when it actually couldn’t secure peoples’ data the way Zoom represented and meet those privacy promises. The FTC also alleged Zoom downloaded a particular installer in the background that was difficult for users to uninstall because users didn’t realize it was there.

AMY KWAK: What kinds of protections do we have under the law? Are we at the mercy of product developers?

PHYLLIS MARCUS: There are industry standards, and there are regulators, investigators, and law enforcers helping to keep industry members honest. So we aren’t entirely at their mercy, but there are more companies out there than there is the ability to oversee them. We might see more actions in the future brought by agencies at the state level due to the need for consumer protection. Again, you can exercise some control by using the settings function to select the privacy settings to your comfort level. Regarding security, we have less control over what a company does to keep our information secure. The basic premise is that companies should do what they say and say what they do, but it’s a problem for all of us if they don’t do this.

AMY KWAK: What is the relationship now between consumers and manufacturers? Do consumers even have privacy concerns anymore because our expectations for privacy have been eroded over time with the rollout of each new device? And if we still care about privacy, do the manufacturers’ care since they seem to have the upper hand?

PHYLLIS MARCUS: This is complicated and it depends on whom you ask. I would say manufacturers are very interested in consumer trust and in building secure products, and that trust can be lost quickly if they are not protecting our interests. So consumer demand and consumer engagement is an important piece of this. But on the flip side, consumer interest in what is quick, easy, engaging, fun, and new, will continue to push the envelope even further.