More than Smart Speakers: Security and Privacy Perceptions of Smart Home Personal Assistants

Smart Home Personal Assistants (SPA) such as Amazon Echo/Alexa and Google Home/Assistant have made our daily routines much more convenient, allowing us to complete tasks quickly and efficiently using natural language. It is believed that around 10% of consumers around the world already own an SPA, and predictions are that ownership will keep rising. It is therefore paramount to make SPA secure and privacy-preserving. Despite the growing research on SPA security and privacy, little is known about users’ security and privacy perceptions concerning the complex SPA ecosystem, which involves several elements and stakeholders. To explore this, we considered the four main use case scenarios with distinctive architectural elements and stakeholders involved: using built-in skills, third-party skills, managing other smart devices, and shopping, through semi-structured interviews with SPA users. Using a grounded theory approach, we found that users have incomplete mental models of SPA, leading to different perceptions of where data is being stored, processed, and shared. Users’ understanding of the SPA ecosystem is often limited to their household and the SPA vendor at most, even when using third-party skills or managing other smart home devices. This leads to incomplete threat models (few threat agents and types of attacks) and non-technical coping strategies they implement to protect themselves. We also found that users are not making the most of the shopping capabilities of SPA due to security and privacy concerns; and while users perceive SPA as intelligent and capable of learning, they would not like SPA learning everything about them. Based on these findings, we discuss design recommendations.

Copyright is held by the author/owner. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee. USENIX Symposium on Usable Privacy and Security (SOUPS) 2019. August 11–13, 2019, Santa Clara, CA, USA.
