With the release of Amazon Echo Show 2, and the Facebook Portal, live video cameras are poised to become a bigger part of daily life in our own homes. Do these video technologies create a new privacy threat?
A local TV channel asked me to comment recently, but the on-camera interview never happened. (Too much competing news these days, I guess.) Here are a few thoughts I would have shared.
Are new video technologies at home, like the Echo Show 2 and the Portal, a privacy threat?
A recent study of Echo Show reviews found that the vast majority of comments don’t mention privacy or security issues. But of those that do, three times as many consumers raised privacy issues about smart speakers with video, compared to speakers with audio only. Consumers evaluate privacy in terms of the ‘creepiness’ of new technology and its uses. It appears that video at home is considered significantly more ‘creepy’ by people who care about privacy.
In this same study, a small percentage of reviewers evaluated the privacy risks versus benefits of using an Echo Show in their homes, and either accepted or rejected it. The majority of reviewers, however, did not weigh costs versus benefits. Instead, they were resigned to new technology requiring ever more private information. Accepting the inevitable, they figured they might as well use the technology, even if they aren’t completely thrilled about the privacy implications. Another study of mobile phone privacy called this attitude ‘learned helplessness’.
Are there risks of using this technology?
The added convenience of using this technology should be balanced against the hidden complexity and risks that it adds to our lives.
Hidden complexity comes from the more detailed, and ever changing, privacy settings that consumers are being asked to manage. Consumers in general don’t have the time or inclination to be great systems administrators. Few read the terms of service that they ‘consent’ to. And few change the default privacy settings. With the Echo Show, for example, a new feature was added after release called “Drop In”. With Drop In, another caller can automatically start a conversation without the target having to accept the call. Drop In is optional, but the default is to set to yes.
The new risks of this technology include errors, security breakdowns, third party sharing, and law enforcement requests.
Errors: Even if you completely trust technology companies, they regularly make mistakes. No company has perfect procedures or employees, and no software is ever bug free, so private information can escape even with the best of intentions. One software error caused a smart speaker to record private conversations and send the recording to random people on a contact list. A Facebook software update last year accidentally made the private posts of 14 million users public. It’s not all software bugs: an on online reviewer who called Amazon for support reported that first line help desk employees had access to their entire list of personal contacts. Without proper internal controls inside a company, personal information is at risk.
Security breakdowns: Even the biggest tech names cannot keep their data completely secure. Just a few weeks ago, a Facebook security failure opened 90 million user accounts to potential unauthorized access. Google just reported a massive new security flaw. The list of known data breaches is long, and perhaps many more go unreported. Instead of your grocery store purchases being released into the wild, in the future it could be your video.
Third party sharing: The Cambridge Analytica scandal during the 2016 election, where a private company obtained detailed personal information on over 50 million people through a quiz app, highlighted the risk that personal information will be shared elsewhere. Facebook apps are still able to obtain personal information, from yourself or your friends. Alexa skills added to an Echo also share information outside of Amazon.
Law enforcement requests: Local police and federal investigators are increasingly asking tech companies to hand over personal information. In 2016, Facebook reported receiving about 50 thousand law enforcement requests they can legally disclose (Patriot Act requests cannot be disclosed), and fulfilled them over 80% of the time. Even Amazon reports receiving about 4 thousand requests a year. Handing over mobile phone location records didn’t even require a warrant until a Supreme Court ruling this summer, so be especially alert for new technologies that may not be covered precisely under previous law.
Do you have any advice for consumers?
The standard advice is to change your privacy settings. While seemingly obvious, it’s terrible advice in practice because privacy settings change too often, and are too complex, for the vast majority of busy consumers to deal with, even if they wanted to. One study asked 65 people to change their social network privacy settings to reflect their sharing preferences, and not a single person was able to do it without making an error.
Better advice is to do a cost/benefit calculation. Is the increased complexity and risks of home video technology worth the added convenience? If you are a busy caretaker or parent, and this technology helps you better cope with daily life, that’s a significant benefit that may be worth the risks. But the most common use of smart speakers is to listen to music. If so, there may be other ways to do this without adding as many privacy risks, including leaving out the video.
I’d also recommend doing a ‘Trust Test’, though there is no scientific data to support its validity. Say out loud (not just in your head) “I trust Amazon and Facebook with some of the most intimate details of my personal life.” If you can say that out loud with a straight face, then go for it.
Is there anything technology companies can or should be doing differently?
Technology companies should make the default privacy options the most restrictive, and force people to opt-in to sharing their personal information, especially for automatic updates like the “Drop In” feature in Echo Show. If tech companies don’t start doing this themselves, it should be mandated.