For years, smart speakers from Amazon, Google and Apple have traded data back and forth with other devices in the home. This is how their voice assistants turn on the smart lights. But in early 2019, something changed: Amazon and Google began requiring continuous status-change updates from devices — requiring, for instance, partnered smart bulbs to send data to Amazon or Google any time they are turned on or off.
It was a seemingly small change and one that received modest media coverage, but some smart home developers are increasingly uncomfortable with the change. A few weeks ago, after publishing a story on the security differences between Apple’s Homekit platform and its competitors, I received an email from a popular smart home security company. A representative, who asked to remain unidentified, suggested that I look further into the security issues raised by status updates.
After probing further, it appears that not only do status updates make users and their data more vulnerable to attack, but it also gives these tech giants access to more home occupancy data than ever before. Despite the discomfort of numerous partners, Google and Amazon have shown no willingness to alter course.
The cost of convenience
The stated reason for the status update policy change last year was convenience. Essentially, as an Amazon spokesperson told me over email, “information about the state of customers’ smart home devices … is used to help Alexa complete actions on customers’ behalf” and “to enable a great smart home experience.”
Before automatic status updates, if you asked your voice assistant to turn on the lights, Alexa or Google Assistant had to ping the smart bulbs to check whether they were already on, receive the status, then send the appropriate command. With status updates in place, the first two steps of that process were excised.
The policy also enables proactive features like Hunches or other reminders (such as suggesting you lock your door before bed). These are the small conveniences that make voice assistants increasingly appealing to customers, but they come at a price.
“[Status update] data gives platforms [like Google and Amazon] a privileged position that no one manufacturer enjoys,” said Brad Russell, the Research Director of smart home devices at research firm Parks Associates Inc.
While Amazon says it doesn’t sell the data it gathers to third parties or uses it for targeted advertising, that data is still of tremendous value to the company. In much the same way it can tell how many times per year Alexa users ask for the time, then create a product based on that data, Amazon can now tell where you spend your time in your house, when you’re awake and when you’re sleeping and countless other life patterns you’re only vaguely aware of yourself.
Google, too, profits from this data, though it seems more reluctant to admit it.
“We do ask our partners to let us know when the state of a device changes … so that it can be accurately represented on our smart displays and apps,” said a Google spokesperson. “We distill that data to update the app – making sure that people can see what’s happening in their homes.”
So Google and Amazon profit from the data they gather with their devices and services however, that might not be the only problem with the policy.
Quiet concerns
Last year, Bloomberg’s Matt Day talked to two smart home company executives who said they asked Amazon and Google for “concessions … related to user privacy or transparency and guarantees about use of the data, but [were] rebuffed.”
I found a similar mix of developers either overtly critical of the policy or unwilling to speak on the record for fear of retaliation.
Smart lock developer August was the most direct: “August has made and will continue to make recommendations to Google and Amazon about limiting the real-time data requirements in hopes that our suggestions will be implemented in the future,” said Chief Technology Officer Christopher Dow.
The crucial piece seems to be something called the data minimization principle. If you work for an employer that handles sensitive information, you may already be familiar with the logic: Only data that is relevant and essential should be processed and collected. Not only does enacting this principle ensure ethical use of data by the company, but it also exposes less customer data to potential privacy breaches.
Amazon and Google would likely argue that status updates are essential for a smoothly running smart home. But neither company has clearly stated that it disposes of the data after its relevance expires.
Perhaps these privacy concerns ultimately boil down to customer discretion. Scott Beck, CTO of home security developer Abode, seemed less willing to place the onus of customer privacy on Google and Amazon alone when we spoke over email.
“Because … the abode Smart Security Kit [is] HomeKit compatible and that functionality is processed locally,” said Beck, “customers wary about their data being shared out with Google and Amazon still have a viable alternative solution for voice assistant support through abode’s HomeKit compatibility.”
But to make an informed decision, customers must first be properly informed. And as analyst Brad Russell said, “consumers are not getting a choice as [to] whether they want to share what amounts to occupancy data. In an ideal world, consumers would be enabled to make that choice voluntarily.”
Over a year after status updates were introduced on Google and Amazon platforms — and despite significant resistance from developers — it seems unlikely that anything will be able to sway the tech giants from their current course.
“[Individual developers] have no leverage,” said Russell. “This might be a case of ‘the horse has already left the barn.'”