I own a Google Home device. It sits in my kitchen.
My children love to ask google “What sound does a _insert your favorite large African mammal here_ make?” Roars and grunts aside, this device is a small step up above novelty level with incredible voice recognition. I currently have it connected to a portion of my interior lighting, my smart thermostat, and a smart outlet.
My mother, on the other hand, has read that this device is “always listening”… and has promised not to step into my home unless the google Home device is safely off, in a duffle bag, in the garage… pretty much anywhere other than in the middle of our family life.
She has the same exact rules for my brother-in-law and his Amazon Alexa ‘girl friend’.
Privacy Statements from both Amazon (Alexa) and Google (Home) shout out high praises for their privacy. That being said, where does the truth reside?
Should we blindly trust in promised privacy like my endearing children, or fear these devices as if they are KGB hardware?
Both devices are always listening.
They are designed to process audio inside the device (locally)… always listening for the wake word.
What are the wake words?
With the Google Home device, you can say “OK, google”, or “Hey google.” These are 4 syllable and 3 syllable wake phrases.
With the Amazon Echo device, the preset wake word is “Alexa”. This can be changed to 3 other options – “Echo”, “Amazon” and “Computer”. These options are 3 or only 2 syllable words.
Owners of these devices are relying on the processing capability of their $100 odd dollar hardware to analyze every sound in their home. 2, 3 or 4 syllable phrases are waited for before recordings get sent upward… to the cloud.
What data is sent to the cloud?
Amazon and Google both only send recordings to their cloud servers for processing and storage if the wake word is deciphered.
Amazon collects a short moment before the wake word is uttered.
The phrase is sent, and the speech to text result is saved by Google and Amazon.
That data may be used to suggest shopping suggestions, affect your future search results or affect your personality/economic/shopping/advertising ‘profile’ in ways yet to be determined. Each device gives the user option to adjust what is saved and delete previous requests.
So, these devices are NOT always listening on the “server” side.
But when they are listening, the corporate entities are going to listen and infer what they can.
Wake Word Security
You may have noticed above that I counted wake word syllables. Relying on local hardware alone, these words are most at risk of being misinterpreted.
To dig deeper into this, I spent a few minutes this morning with the wake word and some handy Sounds Like and Rhymes With Tools over at http://www.yougowords.com.
Alexa – Alexa has floated around the Amazon space for a number of years, starting out as a website rating tool. Surprisingly, this word is fairly unique in the English language. X is not commonly used which makes the phrase fairly hearty. Unless your NAME is Alex, Alexandria or the like, Alexa is a hard word to be misconstrued.
Echo – Probably one of the worst wake words you can use with your Alexa enabled device, E-C-O is an extremely common English prefix used in 1000s of words that often discuss economics and ecology. If you work in finance, biology, life sciences or the environment, stay away from this phrase.
Amazon – The letter Z is not widely used in the English language, making the wake word Amazon fairly innocuous. However, if you use the phrase Zone often, take many photos of the Horizon, often order Calzones from the pizza shop, work for Barbizon modeling or prescribe or use drugs that end with the letters zone (there are many), this may not be a suitable phrase.
Computer – This phrase is great for StarTrek fans, but for those of us that care about privacy, run from this wake word, as it permeates most of American’s lexicons.
OK google and Hey google – All together, these phrases are hard to repeat, however the sound ‘goog’ can be mis-read, or, more importantly, mis-pronounced as the sound ‘good’ or ‘gig’… which can be thrown off by phrases like goodwill, Goodyear, goodbye and giggle. It’s not quite as safe as the wake word Alexa, OK Google is a much better choice than Amazon’s secondary choices by far.
From my basic linguistic knowledge, I vote for the word Alexa as the most secure word.
Trusting in the Firmware
The Google and Amazon devices do offer muting capabilities. A user can press the mute button on either device and stop the device from listening entirely. Positive feedback is provided for such mute button presses with the device lighting indicating the mute status.
Really Trusting the Firmware
The truth is, you have a high performance microphone device in your home and you are relying on the firmware/software code to keep the sounds of your home inside of your home.
Amazon and Google are huge software companies, and their track records in security are among the best. However, in home listening devices are a target.
In the case of a hacked Amazon Echo or Google Home device, your home life could be recorded and live streamed to anyone without your knowledge. Just saying.
In the case of a court order, can Amazon or Google be forced to allow always-on listening to a home? What if national security is involved? Can Amazon or Google be required to rewrite their code to subvert their stated privacy settings?
I am not a legal professional, but I do not believe that a commercial company can be forced to rewrite their code to allow for government access. As long as devices are NOT always recording now with their default hardware and software, it would be legally more difficult to require code to be rewritten to do so. A government can request data that has already been recorded and stored, however, but those are legal battles I am not equipped to answer.
One can point to the 2015-2016 case regarding the FBI’s request to Apple to provide the means to unlock encrypted iPhones. Apple, looking to protect the trust of their customers, fought that legal battle. The battle only ended when the US Government found a way to subvert that encryption on their own. It is hard to say where it would have ended if the US Government was not technically successful in their hacking.
So where does this leave Us in the IoT Brew?
With innocuous searches involving large mammals, or controlling the lighting in my home, I do believe that Amazon and Google devices are a safe bet, and worth the privacy and hacking concerns that are raised.
Will I duffle bag the device when my mom visits? I also think that is a reasonable request.
Do I suggest you mute your devices when you talk about your investments, reviewing the prescriptions form your neurologist, car shopping and/or elective surgery? Probably…also.. a reasonable idea.
Enjoy the future my friends, but be aware.
Wait Wait Wait… I’m a Hardware Developer
Both Google and Amazon offer extensive APIs (software protocols) to connect third party devices (thermostats, lightbulbs, home audio, etc). In fact, at CES 2017 this past month, it felt as if every consumer IoT company, their brother, their sister-in-law twice removed and the presenter across the aisle showed off their home IoT Internet Connected Devices CONTROLLED via an Alexa powered Echo or Echo Dot. Consumer-based IoT – no doubt that control can and will reside on these devices. Designing such connectivity is offered by Hallsten Innovations along with hardware IoT device design. We put in the utmost care in securing our devices to make sure they are not prone to malicious code, and that they can’t communicate improperly with your Echo or Home device.