Abstract
Many households include children who use voice personal assistants (VPAs) such as Amazon Alexa. Children benefit from the rich functionalities of VPAs and third-party apps but are also exposed to new risks in the VPA ecosystem. In this article, we first investigate “risky” child-directed voice apps that contain inappropriate content or ask for personal information through voice interactions. We build SkillBot, a natural language processing-based system, to automatically interact with VPA apps and analyze the resulting conversations. We find 28 risky child-directed apps and maintain a growing dataset of 31,966 non-overlapping app behaviors collected from 3,434 Alexa apps. Our findings suggest that although child-directed VPA apps are subject to stricter policy requirements and more intensive vetting, children remain vulnerable to inappropriate content and privacy violations. We then conduct a user study showing that parents are concerned about the identified risky apps. Many parents do not believe that these apps are available and designed for families/kids, although these apps are actually published in Amazon’s “Kids” product category. We also find that parents often neglect basic precautions, such as enabling parental controls on Alexa devices. Finally, we identify a novel risk in the VPA ecosystem: confounding utterances, or voice commands shared by multiple apps, that may cause a user to interact with a different app than intended. We identify 4,487 confounding utterances, including 581 shared by child-directed and non-child-directed apps. We find that 27% of these confounding utterances prioritize invoking a non-child-directed app over a child-directed app. This indicates that children are at real risk of accidentally invoking non-child-directed apps due to confounding utterances.
Index Terms
- SkillBot: Identifying Risky Content for Children in Alexa Skills