Skills are what Amazon calls programs that run on their popular voice-activated assistant called Alexa. People can buy these skills on skills stores, just like you can buy apps for your smartphone. However, there are privacy risks and security concerns for these skills.
Researchers at North Carolina State University collected over 90,000 skills from seven different skill stores using an automated program. The then analyzed the skills using an automated review process.
Developer Name
The first issue they found was that Amazon does not verify the name of the developer displayed for the skill in the skill stores. This means anyone can use the name of a well reputed company to register to sell their skills.
Invocation Phrase
The next issue involves Amazon allowing multiple skills to use the same invocation phrase. This means that when you activate one skill, you may be activating another skill that uses the same invocation phrase. Hence you may be giving out your information to other developers unknowingly.
Back End Code
The third issue the developer found was that the developers of the skills can change the code after the skills are approved by Amazon. This means they can modify the code to get additional information from users, or worse, perform malicious behavior.
Privacy Policies
Finally, the researchers found that 23.3 percent of skills that request personal data do not have privacy policies or have misleading privacy policies. The privacy policies are required by Amazon if a skill request sensitive personal data like location, phone numbers, full names, etc.
Amazon’s Alexa is a very popular voice-assistant, with more than 100 million devices sold. However, like all technology that makes our lives more convenient, care should be taken to ensure privacy and security.
