Tracking, Profiling, and Ad Targeting in the Alexa Echo Smart Speaker Ecosystem

Smart speakers collect voice commands, which can be used to infer sensitive information about users. Given the potential for privacy harms, there is a need for greater transparency and control over the data collected, used, and shared by smart speaker platforms as well as third party skills supported on them. To bridge this gap, we build a framework to measure data collection, usage, and sharing by the smart speaker platforms. We apply our framework to the Amazon smart speaker ecosystem. Our results show that Amazon and third parties, including advertising and tracking services that are unique to the smart speaker ecosystem, collect smart speaker interaction data. We also find that Amazon processes smart speaker interaction data to infer user interests and uses those inferences to serve targeted ads to users. Smart speaker interaction also leads to ad targeting and as much as 30X higher bids in ad auctions, from third party advertisers. Finally, we find that Amazon's and third party skills' data practices are often not clearly disclosed in their policy documents.

[1]  D. Choffnes,et al.  In the Room Where It Happens: Characterizing Local Communication and Threats in Smart Homes , 2023, IMC.

[2]  D. Choffnes,et al.  BehavIoT: Measuring Smart Home IoT Behavior Using Network-Inferred Behavior Models , 2023, IMC.

[3]  P. Barlet-Ros,et al.  Amazon Alexa traffic traces , 2022, Comput. Networks.

[4]  Konstantinos Psounis,et al.  HARPO: Learning to Subvert Online Behavioral Advertising , 2021, NDSS.

[5]  Athina Markopoulou,et al.  Auditing Network Traffic and Privacy Policies in Oculus VR , 2021, USENIX Security Symposium.

[6]  Hamed Haddadi,et al.  Blocking Without Breaking: Identification and Mitigation of Non-Essential IoT Traffic , 2021, Proc. Priv. Enhancing Technol..

[7]  Paul G. Allen,et al.  What Makes a “Bad” Ad? User Perceptions of Problematic Online Advertising , 2021, CHI.

[8]  Jose M. Such,et al.  SkillVet: Automated Traceability Analysis of Amazon Alexa Skills , 2021, IEEE Transactions on Dependable and Secure Computing.

[9]  Hongxin Hu,et al.  Dangerous Skills Got Certified: Measuring the Trustworthiness of Skill Certification in Voice Personal Assistant Platforms , 2020, CCS.

[10]  Daniel J. Dubois,et al.  A Haystack Full of Needles: Scalable Detection of IoT Devices in the Wild , 2020, Internet Measurement Conference.

[11]  Daniel J. Dubois,et al.  When Speakers Are All Ears: Characterizing Misactivations of IoT Smart Speakers , 2020, Proc. Priv. Enhancing Technol..

[12]  D. Herzog Limited , 2020, Sovereignty, RIP.

[13]  Athina Markopoulou,et al.  The TV is Smart and Full of Trackers: Measuring Smart TV Advertising and Tracking , 2020, Proc. Priv. Enhancing Technol..

[14]  Zubair Shafiq,et al.  Characterizing Smart Home IoT Traffic in the Wild , 2020, 2020 IEEE/ACM Fifth International Conference on Internet-of-Things Design and Implementation (IoTDI).

[15]  Nick Feamster,et al.  Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming Devices , 2019, CCS.

[16]  Hamed Haddadi,et al.  Information Exposure From Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach , 2019, Internet Measurement Conference.

[17]  N. Feamster,et al.  IoT Inspector , 2019, Proc. ACM Interact. Mob. Wearable Ubiquitous Technol..

[18]  Zubair Shafiq,et al.  Inferring Tracker-Advertiser Relationships in the Online Advertising Ecosystem using Header Bidding , 2019, Proc. Priv. Enhancing Technol..

[19]  Rita Singh,et al.  Profiling Humans from their Voice , 2019 .

[20]  Christo Wilson,et al.  Tracing Information Flows Between Ad Exchanges Using Retargeted Ads , 2018, USENIX Security Symposium.

[21]  Wouter Joosen,et al.  Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation , 2018, NDSS.

[22]  Pablo Rodriguez,et al.  If you are not paying for it, you are the product: how much do advertisers pay to reach you? , 2017, Internet Measurement Conference.

[23]  Arvind Narayanan,et al.  Online Tracking: A 1-million-site Measurement and Analysis , 2016, CCS.

[24]  Claude Castelluccia,et al.  Selling Off Privacy at Auction , 2014, NDSS 2014.

[25]  Decision of the European Court of Justice 11 July 2013 – Ca C-52111 “Amazon” , 2013, IIC - International Review of Intellectual Property and Competition Law.

[26]  John A. Weaver,et al.  And What Will You Do With It , 2011 .

[27]  David R. Choffnes,et al.  Your Echos are Heard: Tracking, Profiling, and Ad Targeting in the Amazon Smart Speaker Ecosystem , 2022, ArXiv.

[28]  Hongxin Hu,et al.  SkillDetective: Automated Policy-Violation Detection of Voice Assistant Applications in the Wild , 2022, USENIX Security Symposium.

[29]  Umar Iqbal,et al.  Khaleesi: Breaker of Advertising and Tracking Request Chains , 2022, USENIX Security Symposium.

[30]  Anupam Das,et al.  Hey Alexa, is this Skill Safe?: Taking a Closer Look at the Alexa Skill Ecosystem , 2021, NDSS.

[31]  A. Markopoulou,et al.  OVR SEEN : Auditing Network Traffc and Privacy Policies in Oculus VR , 2021 .

[32]  William Enck,et al.  Actions Speak Louder than Words: Entity-Sensitive Privacy Policy and Data Flow Analysis with PoliCheck , 2020, USENIX Security Symposium.