Your browser is not supported. Please update it.

5 May 2022

Amazon voice surveillance exposed; Apple grapples clean ads

A new collaborative paper from four US universities has declared that Amazon Echo devices are using voice data to target ads both within and outside of the Amazon ecosystem. As fears surrounding Big Tech privacy practices reach boiling point, the report unapologetically paints Amazon as a black box when it comes to protecting consumer data.

Titled ‘Your Echoes are Heard: Tracking, Profiling, and Ad Targeting in the Amazon Smart Speaker Ecosystem,’ the paper has made a convincing case that Amazon collects consumer interactions with Alexa via Echo smart speakers and passes these onto third parties for monetization purposes.

While Amazon has accepted that it tracks voices for recommended purchases within its own ecosystem, it has denied the paper’s accusation that it shares this data with up to 41 advertising partners, which can drive bid prices up 30-fold.

The team of ten research scientists created an auditing framework to measure online advertising data collection. This required a custom Raspberry Pi router to record the network endpoints contacted by Amazon Echo, while an Amazon Echo was emulated by setting up Alexa Voice Service SDK, in order to capture unencrypted network traffic.

To test Alexa’s workings, the researchers created several personas to interact with Alexa while using third-party skills. Each persona had its own interests and interacted accordingly with a range of Skills including Connected Car, Dating, Fashion & Style, and Religion & Spirituality. A ‘vanilla’ persona was used as a control.

Voice commands were issued to the replica Amazon Echo and then researchers observed how the data was used for audio ads, web display ads on browsers logged into an Amazon account, and non-Echo devices. The research found that each persona was served targeted ads on the web outside of Amazon’s walled garden, leading to the conclusion that “smart-speaker interactions are used for the purpose of targeting ads, and that this implies significant data sharing across multiple parties.”

Naturally, Amazon has denied many of the findings. The company’s spokesperson, Lauren Raemhild, says that “many of the conclusions in this research are based on inaccurate inferences or speculation, and do not accurately reflect how Alexa works.” However, details on where the apparent factual inaccuracies lie are few and far between.

“We are not in the business of selling our customers’ personal information and we do not share Alexa requests with advertising networks,” Raemhild continued.

Amazon says that third-party skills on the Alexa platform are required to publicly post their privacy policy on their skill page. However, the researchers found that over 70% of these policies did not even mention Alexa or Amazon, with only 2.2% of skills clearly expressing their data collection practices.

Meanwhile, it seems attempts to get ahead of privacy regulation elsewhere in the Big Tech sphere is already causing damage to the monetization powers from these huge companies. A new study from Apps Flyer has found that only 46% of iPhone users consent to have their data tracked across apps, with consent rates highest when the option is given upon first opening the app.

On the one hand, it seems that consumer responses to Apple’s App Tracking Transparency (ATT) framework are less hostile than was feared by many in the industry. When iOS 14.5 went live in May 2021, bringing in the ATT, the Post-IDFA Alliance reported that between 63% and 83% of iPhone users had opted out of in-app tracking, while Lotame predicted an 80% opt-out rate later in the year.

Nonetheless, the fact that it is still a minority of all users demonstrates the difficulties that privacy regulations are causing advertisers and publishers. With addressable audience pools shrinking, it is expected that CPM is set to rise on the iOS platform.

Meanwhile, data privacy regulations are lurching forward. Just last week, a provisional political agreement was reached on the landmark Digital Services Act (DSA) between the European Council (representing all 27 member states) and European Commission. Expected to come into force in 2024, the DSA looks to sharpen the defined responsibilities of online platforms when informing users about how their data is monetized.

Much like GDPR, we expect the influence of the DSA will stretch far beyond Europe, with the EU now seen as a leader in tech regulation by many around the world, especially in the US.