By Anna Akins, Technology Reporter 

Smart speaker adoption has exploded in recent quarters, but so have concerns about their privacy risks.

Research firm IDC said a total of 99.3 million smart speaker units shipped globally in 2018, representing a 141% jump over the 41.2 million units shipped in 2017. The trend indicates that consumers are finding value in speakers that respond to voice commands to perform various tasks or services.

Technology companies maintain that listening to the recordings captured on smart speakers will help improve the functionality of the devices, but analysts and industry experts said they need be more transparent about their data practices and also provide users with more controls over their privacy. Failing to do so, they said, could result in significant reputational and regulatory consequences.

Speakers, staff listening

A Bloomberg News report in April first revealed that Amazon.com Inc. employees listen to voice recordings captured on the company’s Alexa-powered Echo smart speakers in the homes and offices of device owners. A month laterprivacy groups filed a complaint with the U.S. Federal Trade Commission over privacy concerns related specifically to the company’s Echo Dot Kids Edition speaker, saying the product may be violating the Children’s Online Privacy Protection Act by collecting personal information from children under the age of 13.

A group of senators has also called for the FTC to investigate the matter.

Amazon contends that the recordings are meant to help the company improve speech recognition capabilities.

“We only annotate an extremely small number of interactions from a random set of customers in order to improve the customer experience,” an Amazon spokesperson said in an emailed statement. “For example, this information helps us train our speech recognition and natural language understanding systems, so Alexa can better understand your requests and ensure the service works well for everyone.”

Amazon currently dominates the smart speaker market, capturing 38.2% of the global market share of smart speakers shipped during 2018. Google LLC is not far behind, holding 30.3% of the global market share for smart speakers shipped in 2018, according to IDC.

Alexa software is designed to record audio after it detects a specific “wake word,” such as “Alexa,” but Amazon employees reportedly overhear more private interactions from Echo device owners if the Alexa software is unintentionally awakened.

Amazon Echo

Amazon also does not explicitly tell consumers that its staff is listening to their interactions with Alexa. Instead, the company says on its website: “We use your requests to Alexa to train our speech recognition and natural language understanding systems.”

Florian Schaub, a University of Michigan professor in the School of Information who has expertise in smart speakers and privacy, said in an interview that the somewhat “vague” privacy policies Amazon and its peers have developed makes it difficult for users to fully understand how their personal data is being handled.

“Amazon annotating some of its recordings makes a lot of sense to me because that’s the only way to improve the speech recognition technologies,” Schaub said. “But at the same time, the way it’s doing it at the moment kind of happens behind the back of the consumer.”

Schaub also said that large tech firms must be more “proactive” in educating users about the specific types of data they are collecting and why they are collecting it in order to build trust.

Cautious consumers

According to a recent IDC consumer survey, about 59% of respondents said they are “highly concerned” about the privacy of their smart home devices, while about three-fourths of those surveyed said they are at least “somewhat concerned.”

“Security and privacy is a major concern for most consumers,” Adam Wright, a senior analyst at IDC who conducted the survey, said in emailed comments. “Most consumers are unhappy or unsure about sharing information with first-party device makers but are decidedly against sharing information with third-party companies.”

Similarly, another recent study conducted by Parks Associates, a market research and consulting company, found that about 25% of U.S. broadband households that do not own a smart home device cite privacy and security concerns as the main reasons why.

Parks Associates also recently found that 44% of U.S. broadband households surveyed are “very concerned” that someone might gain access and control to their smart home products without their permission, while 21% said they were “concerned.”

“So much is riding on voice control,” Brad Russell, a research director at Parks Associates who has expertise in connected home technologies and data privacy, said in an interview. “It’s just a spider web of technology that’s going to be everywhere — in your car, in your workplace, in the mall.”

Russell said big tech companies must give consumers more granular controls of their data, noting it could be “catastrophic” if they were found to be misusing private information.

Looming legislation, regulation

In May, the California State Assembly’s privacy committee advanced a bill known as the “Anti-Eavesdropping Act” that would prohibit makers of smart speaker devices from sharing voice recordings with third parties. Under the bill, Amazon, Google, Apple Inc. and other smart speaker providers cannot store recordings unless consumers provide their consent in writing.

“Recent revelations about how certain companies have staff that listen in to private conversations via connected smart speakers further shows why this bill is necessary to protect privacy in the home,” Assemblyman Jordan Cunningham, R-Calif., the bill’s author who introduced the legislation in January, said in a statement.

Schaub said the U.S. should consider implementing a privacy approach similar to Europe’s sweeping new privacy law known as the General Data Protection Regulation, or GDPR, claiming current U.S. laws are a bit too “reactionary.”

“One of the big problems with how we think about regulatory frameworks with regards to privacy and consumer protections in the United States is that it’s very piecemeal,” Schaub said. “Whereas in Europe, GDPR has a better approach in terms of clearly defining what you need to do when you’re collecting personally identifiable data.”

Among other provisions, the GDPR requires a company to obtain unambiguous affirmative consent from a user before collecting or processing the user’s personal data.

Governance matter

Given the potential for more legislation and regulation, it will be imperative for all technology companies to take the “highest business ethics position” to steer clear of violating consumers’ personal liberties, Betsy Atkins, who is CEO and founder of venture capital firm Baja LLC and has expertise in corporate governance matters, said in emailed comments.

Ultimately, the potential for brand damage and loss of trust, Atkins said, is not worth the risk.

“As board members this is one of the important moral compass/true north moments in balancing both short and long term and doing the appropriate stewardship for the shareholders,” she said.