Background

Efforts to develop technologies with voice recognition have been ongoing since the 1960s. Though significant advances in this field were seen in the 1990s with the advent of personal computers (PCs), the biggest breakthrough was the introduction of Siri (a voice-based virtual assistant) on the Apple iPhone in 2011. The use of voice-controlled technologies is not limited to mobile phones and smart speakers; now, they are also integrated with other smart devices such as PCs (as in the case of Microsoft’s Cortana), TVs, and cars.¹

However, the increased use of voice interfaces (VIs) has led to the emergence of a host of concerns, specifically surrounding user privacy. According to a 2020 study, about 33% of adults surveyed reported that privacy concerns were a top reason for not purchasing devices with built-in VI systems; this figure saw a significant increase from 16% in 2018 and 23% in 2019.² This article aims to analyse the privacy concerns surrounding VIs, both now and in the future.

The spectrum of VI devices

The wide prevalence of microphone-enabled devices today has ushered in an “era of Ubiquitous Listening”.³ VI devices can be categorised into three kinds –

• Manually activated devices – The person presses a button that causes the device to turn on and begin recording.

• Speech-activated devices – These devices remain in an inert state of passive processing. The device re-records local information without transmitting or storing any information and only begins actively recording when it detects its trigger word or ‘wake word’,⁴ such as ‘Hey Siri’ or ‘Ok Google’.

• Always on devices – These devices are designed to record and transmit data all the time until turned off.⁵

Privacy concerns arise, particularly, in the latter two categories, where devices can access, record, and store the data of the individual.⁶ Most people do not understand when a VI is listening and where their data is being stored.⁷ The data thus collected is often exploited for targeted advertising.⁸ Patent filings at the United States Patent and Trademark Office (USPTO) indicate an increase in the development of always-on devices that listen to things beyond the device’s wake word to perform increasingly sophisticated analysis.⁹

Primary concerns related to privacy

The same features of speech recognition that make such devices appealing are also those that give rise to privacy concerns as VIs become increasingly integrated with our daily lives.¹⁰ Though such services typically require user permission to work, it is usually granted if people are interested in its use.¹¹ A survey of Android users found that only 17% of respondents paid attention to permissions during app installations and only 3% were able to answer questions on these permissions.¹² Unlike phones or devices that are used by specific individuals, VIs such as Google Home and Amazon Echo can collect data from people who have not consented to their conversation being recorded. This could include visitors, workers, and even children.

1. Listening in to private conversations One of the main issues concerning voice-based virtual assistants is that the device can be activated through the accidental use of wake words. This constant listening has raised concerns regarding devices eavesdropping on private conversations as well as the processing and sharing of data with third parties including law enforcement agencies.¹³

The Supreme Court of India recognised the right to privacy as implicit in the right to life and liberty under Article 21. This includes the right to be left alone. A citizen has the right to safeguard their own privacy as well as that of their family, educational details, etc. Such information can only be published with the person’s consent.¹⁴ One of the major privacy concerns associated with the use of constantly listening VIs is that there is a high chance of third parties listening in on private conversations through the device.

These devices mostly record information on hearing the wake word. However, people may unintentionally cause the device to begin recording if a word similar to the wake word is spoken. A study found that more than 1,000 terms can activate VI devices, highlighting the scope of the potential risk to privacy.¹⁵ The phrases were not just limited to those that sounded very similar to the wake words, but also remote words such as ‘unacceptable’ (to which Alexa was activated) and ‘tobacco’ (to which Echo was activated). This finding is further reiterated by the results of a study that found that VI devices were accidentally activated by 64% of people using it, in a month.¹⁶

Recently, it was revealed that the big five tech companies – Amazon, Apple, Facebook, Alphabet/ Google, and Microsoft – have been using human contractors to analyse a small percentage of VI recordings. These recordings, although anonymous, can potentially contain personal information, resulting in an infringement of user rights.¹⁷ A report also found that the information passed on included sensitive personal information such as the latitude and longitude coordinates associated with the voice data, which could indicate a person’s home address.¹⁸

Third-party access to the personal information of individuals not only raises questions regarding privacy but also paves the way for other uses of this data such as for profiling and surveillance.

2. Access and use of VI data by law enforcement Digital data has become increasingly useful to law enforcement and security agencies, with the police relying on wearables and smart devices to verify the claims of people made during an investigation.¹⁹ The first instance of the use of VI data as evidence was in a 2015 murder case in the United States, in which a man was found dead in a hot tub. Investigators issued a warrant to Amazon, requiring the company to turn over information and audio recordings captured by the suspect’s Echo speaker.²⁰ VI devices have since been used both to exonerate²¹ as well as to hold suspects guilty of crimes.²²

   This risks creating a culture of state surveillance of the daily activities of citizens with potentially worrying consequences.²³ As more of such data is collected, we must ensure that it receives robust protection.²⁴

3. Data used for advertisement strategies VI manufacturers use the data collected from people using the devices to enhance their advertisement strategies. Patents filed in the United States reveal how these devices can be used for massive information collection and intrusive digital advertising.²⁵ Such data is collected on the pretext of providing customers with advertisements customised to their interests.²⁶ VIs greatly benefit advertisers who rely on complex data sets to make essential advertising decisions. The massive amount of data gathered from app and platform VI interactions allow for efficient processing, analysis, and access of data.²⁷ Although the practice is currently uncommon, and manufacturers currently have policies that specifically restrict advertisements on VI devices, there is potential for their use as a mode of advertisement that informs users of content that caters to their interests.²⁸

4. The privacy of children on VI devices Two-thirds of India’s internet users are in the 12–29 years age group, with those in the 12–19 age group accounting for about 21.5% of the total internet usage in metro cities.²⁹ Children today utilise the internet to access information, education, and other opportunities.³⁰ The risk to privacy is one of the primary concerns pertaining to children’s use of the internet. Children on the internet are less likely to have a comprehensive understanding of the consequences of privacy infringement, making them a vulnerable group that needs added protection.³¹

   Chapter IV of the Personal Data Protection Bill, 2019 (PDP), lays down special conditions for the processing of a child’s data. Such processing must be done with the intention of ensuring the best interests of the child after taking appropriate steps to verify their age and on receiving the consent of a parent or guardian.³² The European Union’s General Data Protection Regulation (GDPR)³³ and the Children’s Online Privacy Protection Rule (COPPA)³⁴ in the United States also provides similar protections. These provisions have, however, not laid down explicit consequences for non-compliance with these rules; the Federal Trade Commission in the US has been slow to impose hefty fines for such acts and the still-young GDPR has not dealt extensively with such issues.³⁵

Voice biometrics and the future steps for voice technologies

One of the more recent advancements in this area is the use of voice biometrics to authenticate the person using the device. Voice biometrics require that the system first process a voice sample to extract speaker-specific characteristics to build a statistical model, referred to as a voiceprint or a voice signature. Following this, any new input is compared with the existing voice signature for verification.³⁶ Data collected through VIs may also fall within the purview of biometric data. The Supreme Court of India, in the landmark case of Justice Puttaswamy v. Union of India, characterised biometric data as that which is intrinsically linked to humane characteristics.³⁷ The Personal Data Protection (PDP) Bill classifies biometric data as sensitive personal data that requires explicit consent for processing.³⁸

Voice biometrics seem to be the proposed way forward for VIs. Google has confirmed that it is working on a new Google Assistant feature that can be used to authorise financial transactions through voice biometrics.³⁹ Unlike identifiers such as phone numbers, address or email ids, biometrics cannot be discarded or replaced. This raises significant privacy issues relating to how such data are collected, processed, and stored. The data may be used for purposes other than that for which they were initially collected (a phenomenon also known as function creep).⁴⁰

Recent advancements in technology pose threats to the privacy of individuals who make use of these services. This issue becomes particularly relevant when dealing with an individual’s personal information or the information of people whose consent has not been obtained, such as children or people who are excluded from going through the privacy policies due to accessibility reasons or old age.

Conclusion

While VIs provide not just convenience but also an easier way to navigate the internet for some people, concerns around privacy and data protection loom large. While there is a need for VIs that are better at understanding the consumer, there is also a need to understand how these systems get their training data. With more voice technologies moving to always listening systems that can send targeted ads and use voice as a verification and identification system, there is a need to look closely at the privacy risks resulting from the collection, usage, and processing of voice data.