Eric Pait

OK Google, Have You Been Listening This Whole Time?

The modern digital assistant has been in the works for decades. IBM introduced the Shoebox, a speech recognition machine that had a vocabulary of sixteen words, in 1962.1 Over time, speech recognition machines have evolved from the Shoebox to automated telephone support, and now they take the form of internet-connected devices such as Amazon Alexa, Google Assistant, and Apple’s Siri. Today’s digital assistants provide consumers with many conveniences—controlling their music, house lights, or thermostat with nothing more than their voice—but also raise several privacy concerns.

For digital assistants to function, the hardware is built around microphones that are always listening, waiting to hear the “wake word” that signals the consumer is issuing a command.2 This hardware can be a cell phone, a smart speaker placed in the home, a vehicle, or even a washing machine.3 To make sure the assistant captures the full command, these devices are not only always listening, but always recording.4 However, the pre-recorded audio and the wake-word recognition are processed locally, so only the audio recorded after the wake word is stored and transmitted to the company’s servers for processing.5
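
As a rough illustration of this design, the sketch below models the rolling local buffer and the wake-word gate. Every name in it is an assumption made for illustration: detect_wake_word() stands in for an on-device keyword-spotting model, send_to_server() for a vendor’s cloud-upload call, and short byte strings stand in for real audio frames; no manufacturer’s actual implementation is being described.

```python
from collections import deque
from typing import Iterable


def detect_wake_word(frames: Iterable[bytes]) -> bool:
    """Stand-in for an on-device keyword-spotting model (assumption)."""
    return b"wake" in b"".join(frames)  # toy heuristic for the sketch


def send_to_server(audio: bytes) -> None:
    """Stand-in for the cloud upload; only post-wake-word audio gets here."""
    print(f"uploading {len(audio)} bytes for server-side recognition")


def listen(mic: Iterable[bytes], pre_record_frames: int = 100) -> None:
    """Buffer audio locally; transmit only what follows the wake word."""
    ring: deque[bytes] = deque(maxlen=pre_record_frames)  # old frames fall off
    awake = False
    command: list[bytes] = []
    for frame in mic:
        if not awake:
            ring.append(frame)              # always recording, locally only
            awake = detect_wake_word(ring)  # wake-word detection is local
        else:
            command.append(frame)           # capture the spoken command
            if frame == b"":                # silence marks the command's end
                send_to_server(b"".join(command))
                awake, command = False, []
                ring.clear()                # discard the local pre-record


# Frames heard before the wake word never leave the device.
listen([b"background chatter", b"ok wake word", b"turn on the lights", b""])
```

In a sketch like this, the privacy guarantee rests entirely on the local code behaving as designed, which is precisely what failed in the incident described next.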

The fact that audio recorded before one of these devices hears its wake word never leaves the device may ease some privacy concerns, but these devices are not foolproof. Recently, Google disabled a touch-to-activate feature on its new Google Home Mini because a hardware defect caused some units to register the feature as constantly activated.6 The affected devices were always listening and transmitting audio clips to be stored on Google’s servers.7

Google has taken steps to prevent accidents like this one from recurring, but the incident raises an important concern: digital assistants could be recording and transmitting audio without consumers ever realizing it.8 There are ways to mitigate this concern. For example, Apple’s Siri processes voice recordings entirely on the device; alternatively, a company could require a second command in addition to the wake word before transmitting recordings to a server (similar to the functionality seen in Google’s Clips camera).9 The downside to this approach, however, is that consumers may not be able to improve the assistant’s accuracy as effectively when the only data sent to the servers is de-identified.10 This privacy-versus-AI-development dichotomy may explain why Apple, which has taken a very public stance on promoting user privacy, lags behind its competition in AI development, but these are the types of debates that will continue to develop as these devices become ubiquitous in consumers’ daily lives.11
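
One way to picture the second-command design is as a confirmation gate: even after the wake word, a recording is uploaded only if the user gives an explicit follow-up phrase. The phrase and helper functions in this sketch are invented for illustration and do not reflect any vendor’s actual implementation.

```python
CONFIRM_PHRASE = b"yes, send it"  # hypothetical second command


def send_to_server(audio: bytes) -> None:
    """Stand-in for the cloud upload (assumption)."""
    print(f"uploading {len(audio)} bytes (user explicitly opted in)")


def process_locally(audio: bytes) -> None:
    """Stand-in for on-device handling; nothing is transmitted."""
    print(f"handling {len(audio)} bytes on-device; nothing uploaded")


def handle_command(command_audio: bytes, follow_up: bytes) -> None:
    """Transmit only when the user gives the second, explicit command."""
    if follow_up == CONFIRM_PHRASE:
        send_to_server(command_audio)
    else:
        process_locally(command_audio)


handle_command(b"turn on the lights", b"never mind")    # stays on-device
handle_command(b"turn on the lights", CONFIRM_PHRASE)   # uploaded
```

The tradeoff described above shows up directly in a design like this: the stricter the gate, the less raw audio reaches the servers that could be used to improve the assistant.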

Additionally, as the presence of these always-listening microphones continues to grow, there are concerns over what access law enforcement may have to the data they capture. Amazon found itself at the forefront of this debate when prosecutors in Arkansas sought a court order for data from an Amazon Echo device in the home of a murder suspect.12 Amazon challenged the order, arguing that the recordings were constitutionally protected, but the company eventually released the data to prosecutors after the suspect consented to the disclosure.13 As a result, much like the encryption debate that surrounded Apple’s legal battle with the FBI over access to data on an iPhone owned by a perpetrator of the San Bernardino shooting, the legal questions surrounding law enforcement access to data recorded by these devices remain unanswered by the courts.14

In the absence of judicial guidance, organizations such as the ACLU have argued that, regardless of any constitutional protections the data may receive, Congress needs to provide legislative protections similar to those that have been enacted for wiretaps.15

Although these digital assistants have raised a number of privacy concerns, the rapidly growing market for assistant-enabled products suggests that consumers prioritize the conveniences these devices provide over the potential privacy issues they create. As such, while courts may eventually extend some constitutional protections to consumers using these devices, the onus is on Congress and consumer-protection agencies to proactively create legal protections for the data these devices collect. Until such protections are in place, there are more questions than answers about who can use this data and in what ways, and consumers must rely on the policy choices of companies and law enforcement agencies to ensure the data is not misused.

GLTR Staff Member; Georgetown Law, J.D. expected 2019; University of North Carolina at Chapel Hill, B.A. 2014. ©2018, Eric Pait.