She Knows Too Much – Voice Command Devices and Privacy

Voice controlled Internet of Things (IoT) devices have become ubiquitous in homes and offer individuals many convenient and entertaining features. The Amazon Echo and its intelligent personal assistant, "Alexa", is a leading innovation in this area. This novel research examines aspects of privacy relating to personal use of the Echo. It aims to ascertain the types of data that may be vocally extracted from a selection of the multitude of applications that may be linked to the Echo.In the era of IoT, Big Data and Artificial Intelligence, privacy concerns are paramount for the individual. Personal data has never been more valuable, both to large reputable corporations and to criminals groups. The European Union’s General Data Protection Regulations (GDPR) will come into force in May 2018, aiming to protect the personal data of EU citizens. This has further highlighted the emergent risks stemming from this technological medium.This paper demonstrates that a typically configured Echo device can prove to be a vulnerable channel by which personal information may be accessed. Where no safeguards are implemented, a plethora of data including personal identifiable information and personal health information is available from the device. Data exposure by simple vocal request leaves the system vulnerable to inquisition by any unauthorized individual who is within "ear shot" of the device. The research explores the extent to which these risks can be reduced or mitigated, offering a set of recommendations aimed at preserving user privacy, while still enabling functionality of the device. Adherence to these recommendations will empower individuals to guard against privacy breaches from local sources.