Who Needs Privacy? Consumers Opt for Convenience in Voice, Home Assistants

Whether it’s Alexa, Amazon Echo, Google Home or some other voice-recognition device, home assistants are growing in popularity. As voice and digital assistant devices continue to burgeon, though, many consumers remain worried about their privacy, particularly in light of recent disclosures such as a vulnerability in Cortana software that allowed an attacker to break into a Windows 10 computer.

Worried as consumers might be, within a week of the news about the Cortana hack, Marriott hotels announced it is welcoming Amazon Alexa to assist in providing services to its customers. While one piece of software is hacked, another is morphed into a virtual butler for hotel guests. It’s not surprising that a study recently published by OpenVPN found that only 3 percent of survey respondents have stopped using their home assistant devices out of fear.

In surveying 500 full-time employees, OpenVPN looked for relevant data on consumers’ feelings toward home and voice assistants and found that employees often are willing to trade security for convenience. They found that of those who said a voice assistant invading their privacy was their top cybersecurity concern of 2018, 64 percent still own voice assistants.

More than one-third of respondents (36 percent) believe their voice assistant is secure and will not be hacked. And while 24 percent of respondents believe their home assistant has the potential to be hacked, they continue to use it for its convenience.

The study revealed the confounding reality that even though people are afraid these devices will be hacked, they still use them. Because most consumers don’t know how the technologies can be hacked, they mistakenly assume that their devices are secure until it is proven otherwise.

What are the Inherent Risks of Home Assistants?

Home assistants are computers. Any computer can be hacked, making all devices vulnerable. “There are personal risks associated with home assistants,” said Terry Ray, CTO of Imperva. “They are internet-connected, which means they will need patches.” Given the reality that an attacker could leverage a known or zero-day vulnerability, home assistants potentially open your home network to threats.

When it comes to malware and zero-day exploits targeting specific models, there aren’t many security risks, said Paul Bischoff, privacy advocate with Comparitech.com. “Some researchers have developed proof-of-concept attacks, but those vulnerabilities were disclosed responsibly and have been patched. All voice queries are encrypted and uploaded to a verified cloud server, so they can’t be deciphered even if a hacker intercepts them.”

The recent FBI warning for everyone to reboot their home routers due to widespread suspected Russian vulnerabilities is a perfect example of the risks to the technology we bring into our homes. Lest you need something a little more exciting, Ray said there are additional, more sensational risks associated with what home assistants see, hear and learn.

Alexa and her cohorts are constantly listening to everything around them, which is why they respond when their name is called. “If you’re like me, they also sometimes ‘think’ they hear their name when in fact it wasn’t spoken,” said Ray. “This goes to the story a couple of months back of a user claiming that his digital assistant recorded a conversation and subsequently sent it out via email unknown to him.”

Whether these tales are urban legend or the reality we now live in, some people—including Ray—have had to disable the voice purchase feature because their young children liked to play with the home assistant.

Factoring Out Privacy for Convenience

Most manufacturers currently claim that they do not share the data collected on the devices, but they do use it in an effort to target your home needs better. Obviously, the risk in collecting and storing data is that it could also be lost or stolen. That’s true of any internet-connected device.

“The data that exists on these systems isn’t very different from the data of Amazon or Google and the likes of what they already know about you. The only difference is what these devices hear and see around them, making the biggest threat from these devices their need to be patched like any other IoT device,” Ray said.

As is the case with most data collected by tech companies, the larger concern is privacy. The manufacturers are the tech giants—Amazon, Google, Apple—and they can store and analyze all interactions with the user. The convenience of voice assistants comes at the cost of privacy. “There’s simply no way around the fact that AI-guided voice assistants improve as you share more information with them,” said Bischoff. “When it comes to Google Home and Amazon Echo, that information serves a dual purpose: to better tailor the AI to the user and to sell advertisements.”

Consumers need to understand that their data is being hoarded by these large corporations, which is in turn used to sell ads and recommend products. But, voice assistants are novel, popular and heavily advertised. “They’re also getting much more affordable, and privacy is an afterthought for most consumers, unfortunately.”

Kacy Zurkus


Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years' experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she has spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.
