Security & Privacy

As more people install smart speakers like Amazon Echo, Google Home and Apple HomePod in their homes, questions whether these devices present a security risk have begun to surface. Is your smart speaker spying on you? Does it put your privacy at risk? The fact that you have a device that is actively listening to everything you say — waiting for command words, like “Alexa” and “Siri” — opens up the possibility of your data being misused, or even intercepted by hackers.

As with all “smart home” devices, the convenience of the technology is not without risk. For example, if you buy a security camera, or even a baby monitor, the devices ship with default passwords that are well known by hackers. If people don’t change the password, then it’s possible for hackers to access them. While many, even most people may read the instructions and change the password, countless others ignore this advice and simply leave the default settings, potentially letting malicious people have eyes on their home. This is dangerous in two ways: the first is that your activities can be recorded, and the second is that these cameras can show when you are not home, allowing criminals to know when it’s safe to burglarize your house.

With voice activated smart speakers, it’s a bit different.

Do smart speakers record everything, all the time?

Smart speakers are not designed to record everything you do, instead they only respond to a specific wake word or phrase; for instance, “Alexa” or “Hey, Siri.” They listen to everything waiting for those command words or phrases, and they do in fact record and save some of what it hears, which is a reasonable concern for anyone worried about privacy. After all, sometimes smart speakers activate when you don’t expect it — for instance, by saying, “Hey, seriously,” when around an Apple HomePod or iPhone.

As an example of a smart speaker spying on its owner, an early Google Home Mini was found to record everything its owner said. Google fixed this privacy issue, but this shows how easy it is for these devices to “mistakenly” do more than they should.

Fortunately, with Amazon’s Alexa, you can change the activation word. You could make it something more complicated, so it’s very hard to accidentally wake it up, which is especially important if you have someone in your home named Alexa. Users also have the ability to track and delete what Alexa has recorded. Unfortunately, you cannot do this with Apple’s devices (yet).

The convenience of these devices is their ability to respond automatically when you address them. Apple’s HomePod almost magically hears you say, “Hey, Siri,” even when music is playing loud. But the flip side of this is that they hear you all the time. Of course, the technology you carry with you every day may have been doing this for years already; your smartphone also has a voice assistant, and if you have this feature turned on, it listens to everything you say.

Some smart speakers like the Amazon Echo have a microphone mute button, so you can rest assured that the device won’t accidentally pick up part of conversations when you don’t plan on talking to it for a while. Other devices like the Apple HomePod do not offer any way of muting the mic, however.

What data does your smart speaker collect about you?

The risks go beyond simply having your voice recorded.

Smart speakers and the companies that sell them store a lot of data about you. Even if they don’t keep a record of everything you say, Amazon, Google and Apple have vast stores of data about your activities, your commands, and your questions. Apple claims that all this data is anonymous, though that isn’t the case when, for example, you play music on Apple Music or rent a movie on your Apple TV. These transactions have to be linked to your user account, as do commands and questions on the HomePod regarding emails, text messages, reminders, and other personal account-related information. With Amazon, you can order just about anything by voice, so that data has to be linked to your account as well.

You can turn off the voice assistant. You’ll still be able to access it, but you need to do so manually. With Amazon’s Echo devices, you press a button; with the HomePod, you tap the top of the device. The downside is that turning off the voice assistant reduces the convenience of the device, since you can’t just call out from across a room to start playing music or to order something.

You may feel more comfortable deleting your voice-related activity from time to time. You can do this on Amazon and Google devices, but not on Apple’s devices.

• For Google Home, go to myactivity.google.com, click the three dots at the top of the page, choose Delete Activity By, then, in the All Products section, choose Voice & Audio. Click Delete.
• For Amazon’s Echo, go to amazon.com/myx, sign in, then click Your Devices. Select your Echo device, then click Manage Voice Recordings. Click Delete.

These devices encrypt everything they hear, and I’m fairly confident that Amazon, Google, and Apple take this very seriously and ensure your security and privacy. But it won’t be long before there are a plethora of such devices made by companies less concerned about you and your data. For now, we all need to think carefully whether we want a microphone listening to everything we do in our homes.

Does it concern you that smart speakers are always listening? Do you think the convenience of a voice activated smart speaker outweighs its security and privacy risks? Share your comments below!

How can I learn more?

Each week on the Intego Mac Podcast, we discuss topics like the ones covered in this article, as well as the latest Apple security and privacy news. Be sure to subscribe to make sure you never miss the latest episode!

Also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for updates.

And make sure you’re following Intego on your favorite social and media channels: Facebook, Instagram, Twitter, and YouTube (click the 🔔 to get notified about new videos).

About Kirk McElhearn