[personal profile] mjg59
Traditionally, devices that were tied to logins tended to indicate that in some way - turn on someone's Xbox and it'll show you their account name, run Netflix and it'll ask which profile you want to use. The increasing prevalence of smart devices in the home changes that, in ways that may not be immediately obvious to the majority of people. You can configure a Philips Hue with wall-mounted dimmers, meaning that someone unfamiliar with the system may not recognise that it's a smart lighting system at all. Without any actively malicious intent, you end up with a situation where the account holder is able to infer whether someone is home without that person necessarily having any idea that that's possible. A visitor who uses an Amazon Echo is not necessarily going to know that it's tied to somebody's Amazon account, and even if they do they may not know that the log (and recorded audio!) of all interactions is available to the account holder. And someone grabbing an egg out of your fridge is almost certainly not going to think that your smart egg tray will trigger an immediate notification on the account owner's phone that they need to buy new eggs.

Things get even more complicated when there's multiple account support. Google Home supports multiple users on a single device, using voice recognition to determine which queries should be associated with which account. But the account that was used to initially configure the device remains as the fallback, with unrecognised voices ending up being logged to it. If a voice is misidentified, the query may end up being logged to an unexpected account.

There are some interesting questions about consent and expectations of privacy here. If someone sets up a smart device in their home then at some point they'll agree to the manufacturer's privacy policy. But if someone else makes use of the system (by pressing a light switch, making a spoken query or, uh, picking up an egg), have they consented? Who has the social obligation to explain to them that the information they're producing may be stored elsewhere and visible to someone else? If I use an Echo in a hotel room, who has access to the Amazon account it's associated with? How do you explain to a teenager that there's a chance that when they asked their Home for contact details for an abortion clinic, it ended up in their parent's activity log? Who's going to be the first person divorced for claiming that they were vegan but having been the only person home when an egg was taken out of the fridge?

To be clear, I'm not arguing against the design choices involved in the implementation of these devices. In many cases it's hard to see how the desired functionality could be implemented without this sort of issue arising. But we're gradually shifting to a place where the data we generate is not only available to corporations who probably don't care about us as individuals, it's also becoming available to people who own the more private spaces we inhabit. We have social norms against bugging our houseguests, but we have no social norms that require us to explain to them that there'll be a record of every light that they turn on or off. This feels like it's going to end badly.

(Thanks to Nikki Everett for conversations that inspired this post)

(Disclaimer: while I work for Google, I am not involved in any of the products or teams described in this post and my opinions are my own rather than those of my employer)

Date: 2018-01-20 06:11 pm (UTC)
From: (Anonymous)
Why do these devices *need* to log every query, or voice, or action? Why do they not follow the principle of logging as little as possible?

Date: 2018-01-22 07:31 pm (UTC)
From: (Anonymous)
Here are three arguments for. Your judgement as to their merit.

Try taking a support call sometime! It is unlikely the user knows what was actually happening, or saw all the electronic interactions. A detailed log allows getting to the bottom of issues, on the first call. (It is very time consuming and annoying for all parties to have to repeat everything first, before being able to start diagnosis.)

Finding bugs/anomalies is way easier. Some issues don't affect all users, so it is easier to gather data and then dig through that to see what bugs/issues do happen. Sometimes users do operations in an unexpected order, which then results in a bug. Collecting the data allows you to find and fix bugs so much quicker, benefiting the user.

The collected data also helps with product planning. You find out which features are actually used, and when. You find where to focus more or less effort. You find out what customers really value. And it suggests new features.

Date: 2018-01-25 11:37 am (UTC)
From: (Anonymous)
All the above could be default off until the support staff request the change and advise the user to turn them back off once the issue is solved. The last one should be clearly requested of the user after explaining all the data collected and what purpose it serves. Otherwise the contract is unconscionable, in my view...

Date: 2018-01-27 02:16 am (UTC)
From: (Anonymous)
That isn't resolving on first call! And it requires enough user interface via the device for the user to see and change the setting.


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.
