Amazon Alexa, Google Home and other similar voice activated digital assistants are becoming increasingly popular. But understandably they are also raising privacy concerns.

When a user interacts with these devices the information is collected and typically stored in the cloud:
  • With Amazon Alexa users can review and delete this information but Amazon says that deleting the data may degrade the Alexa experience.
  • Similarly Google says that deleting the interaction history will limit the personalised features of its digital assistant.

In short, these types of services, based on artificial intelligence, need data from users to learn and adapt so the more data they have the better.

But this creates a privacy paradox. If users want the best experience they must agree to sacrifice a degree of privacy.

In their favour companies like Amazon and Apple (HomePod digital assistant and Siri) have made headlines by vigorously defending their customers' privacy. However, it’s not clear what Google’s position is. Some journalistic attempts to discover its stance on how it uses customer data gave the impression that Google was obfuscating.

Whatever a service provider’s position on customer privacy there are a number of issues that need clarification.
  • Can third parties or government obtain this data with or without court orders?
  • What if a device is accidentally activated and starts recording conversations?
  • What are users’ rights to restrict the use of their data collected and stored by digital assistants?
  • Are privacy expectations undercut by a service provider's terms of service or privacy policy?

These questions, can in fact, be applied to most smart connected devices that collect user data.

General Data Protection Regulation

In May 2018 the EU’s General Data Protection Regulation (GDPR) is set to come into effect. These regulations will govern UK citizen data even for US companies like Amazon and Google, because they are providing services into the EU.

When the UK leaves the European Union, UK parliament will be able to make changes to the GDPR framework as it sees fit. But the remit of GDPR will largely remain. GDPR is important legislation that seeks to protect consumer privacy.
  • GDPR says that services need to be built on ‘privacy by design’ principles. This means that protection must be built in and this applies to all IoT devices.
  • IoT device manufacturers need to be transparent about what data they are collecting, why they are collecting it and what they will do with it.
  • Consumers have the right for this data to be deleted.

The UK’s Information Commissioner’s Office (ICO) is already looking carefully at data protection around IoT devices. It acknowledges that currently many smart connected devices fall well below required data privacy standards.

As such the ICO is expected to keep a close eye on IoT data transgressions including those that may occur via digital assistants. In short, a robust legal privacy framework will soon be in place, but we can certainly expect to see ‘transgressions’ from device manufacturers until the message gets through.