Can I Trust Her? Intelligent Personal Assistants and GDPR

Abstract

Voice Command Devices and the Intelligent Personal Assistants they embody have become ubiquitous in homes and offer individuals many convenient and entertaining features. The Amazon Echo and its intelligent personal assistant, “Alexa”, is a leading innovation in this area. This novel research examines aspects of trust and privacy relating to personal use of the Echo. It aims to demonstrate the types of data that may be vocally extracted from a selection of the multitude of applications that may be linked to the Echo. In the era of Voice IoT, Big Data and Artificial Intelligence, trust and privacy concerns are paramount for the individual. Personal data has never been more valuable, both to large reputable corporations and to criminal groups. The European Union's General Data Protection Regulations (GDPR) came into force in May 2018, aiming to protect the privacy of personal data of EU citizens. This has further highlighted the trust issues stemming from this technological medium. This paper demonstrates that a typically configured Echo device can prove to be a vulnerable channel by which personal information may be accessed. Where no safeguards are implemented, a plethora of data including personal identifiable information and personal health information is available from the device. Data exposure by simple vocal request leaves the system vulnerable to inquisition by any unauthorized individual who is within “ear shot” of the device. The research explores the extent to which these risks can be reduced or mitigated, offering a set of recommendations aimed at building trust and preserving user privacy, while still enabling functionality of the device. Trust and privacy are based on a triad of shared responsibility. While the GDPR enforces trust between the voice service providers and the consumers, adherence to these recommendations will empower individuals to trust against privacy breaches from local sources.