A number of Google Home Mini devices that were distributed to members of the press had a defect that caused them to record everything being said around them. This discovery renewed privacy concerns surrounding smart speakers as surreptitious listening devices in our homes.
The Google Home team is aware of an issue impacting a small number of Google Home Mini devices that could cause the touch control mechanism to behave incorrectly. We immediately rolled out a software update on October 7 to mitigate the issue.
Who is affected: People who received an early release Google Home Mini device at recent Made by Google events. Pre-ordered Google Home Mini purchases aren’t affected.
As a general matter, Google Home and Amazon Alexa devices must “listen” to surrounding conversations to capture “wake words” (e.g., “Alexa,” “OK Google”) that activate them. Some privacy advocates have sounded alarms about this and expressed concern that these devices could be abused by unscrupulous law enforcement or other malevolent state actors (see Orwell’s Telescreen).
In a well-publicized criminal case in Arkansas, local prosecutors sought recordings on an Amazon Echo in a murder investigation. Amazon fought to prevent authorities from getting access to these recordings without a warrant. The defendant in the case ultimately consented to the release of any stored data, so the warrant issue was never formally ruled on by a court.
As Internet of Things devices proliferate, privacy warnings about personal data collection will intensify. It’s very likely that there will be more than 30 million smart speakers in US homes by year-end. Google and Amazon are competitively discounting and aggressively marketing them. Google’s $49 Home Mini was introduced as a low-cost answer to the Amazon Echo Dot, which Amazon just discounted to be $5 cheaper than the Mini.
These devices are also widely available in Europe, which raises the question of how they will be addressed under the forthcoming General Data Protection Regulation (GDPR) taking effect in May 2018. Millions of smart speakers will be installed in European homes by then.
In order to process “personal data,” companies must obtain opt-in consent from users:
Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data — in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.
It’s safe to say that these devices will be “processing sensitive personal data” and that explicit consent will be required in every case.
There’s no explicit mention of smart speakers in the GDPR documentation. However, artificial intelligence is addressed to some degree in Article 22 (“Automated individual decision-making, including profiling”), which says:
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her [unless explicit consent is provided].
Most consumer-facing AI technologies, including smart speakers and self-driving cars, will require explicit opt-in consent in Europe. For Echo or Home, it might be as simple as a verbal statement played upon setup, which asks for the owner to OK use of his or her personal data. Alternatively, there might need to be ongoing or periodic disclosures and consent.
There’s currently a lack of clarity about what will be specifically required from smart speaker makers. We’ll likely see some guidance, however, from the EU or NGOs in the next several months. The consumer question will be: how do I feel about a third-party recording device in my home?