Alexa, does the Echo Dot Kids protect children’s privacy?

Alexa, does the Echo Dot Kids protect children’s privacy?

8:06am, 9th May, 2019
A coalition of child protection and privacy groups has filed a complaint with the Federal Trade Commission (FTC) urging it to investigate a kid-focused edition of smart speaker. The complaint against Amazon Echo Dot Kids, which has been lodged with the FTC by groups including the Campaign for a Commercial-Free Childhood, the Center for Digital Democracy and the Consumer Federation of America, argues that the ecommerce giant is violating the Children’s Online Privacy Protection Act (Coppa) — including by failing to obtain proper consents for the use of kids’ data. As with its other smart speaker Echo devices the Echo Dot Kids continually listens for a wake word and then responds to voice commands by recording and processing users’ speech. The difference with this Echo is it’s intended for children to use — which makes it subject to US privacy regulation intended to protect kids from commercial exploitation online. The complaint, which can be read in full via the group’s complaint , argues that Amazon fails to provide adequate information to parents about what personal data will be collected from their children when they use the Echo Dot Kids; how their information will be used; and which third parties it will be shared with — meaning parents do not have enough information to make an informed decision about whether to give consent for their child’s data to be processed. They also accuse Amazon of providing at best “unclear and confusing” information per its obligation under Coppa to also provide notice to parents to obtain consent for children’s information to be collected by third parties via the online service — such as those providing Alexa “skills” (aka apps the AI can interact with to expand its utility). A number of other concerns are also being raised about Amazon’s device with the FTC. Amazon released the Echo Dot Kids — and, as we noted at the time, it’s essentially a brightly bumpered iteration of the company’s standard Echo Dot hardware. There are differences in the software, though. In parallel Amazon updated its Alexa smart assistant — adding parental controls, aka its FreeTime software, to the child-focused smart speaker. Amazon said the free version of FreeTime that comes bundled with the Echo Dot Kids provides parents with controls to manage their kids’ use of the product, including device time limits; parental controls over skills and services; and the ability to view kids’ activity via a parental dashboard in the app. The software also removes the ability for Alexa to be used to make phone calls outside the home (while keeping an intercom functionality). A paid premium tier of FreeTime (called FreeTime Unlimited) also bundles additional kid-friendly content, including Audible books, ad-free radio stations from iHeartRadio Family, and premium skills and stories from the likes of Disney, National Geographic and . At the time it announced the Echo Dot Kids, Amazon said it had tweaked its voice assistant to support kid-focused interactions — saying it had trained the AI to understand children’s questions and speech patterns, and incorporated new answers targeted specifically at kids (such as jokes). But while the company was ploughing resource into adding a parental control layer to Echo and making Alexa’s speech recognition kid-friendly, the Coppa complaint argues it failed to pay enough attention to the data protection and privacy obligations that apply to products targeted at children — as the Echo Dot Kids clearly is. Or, to put it another way, Amazon offers parents some controls over how their children can interact with the product — but not enough controls over how Amazon (and others) can interact with their children’s data via the same always-on microphone. More specifically, the group argues that Amazon is failing to meet its obligation as the operator of a child-directed service to provide notice and obtain consent for third parties operating on the Alexa platform to use children’s data — noting that its Children’s Privacy Disclosure policy states it does not apply to third party services and skills. Instead the complaint says Amazon tells parents they should review the skill’s policies concerning data collection and use. “Our investigation found that only about 15% of kid skills provide a link to a privacy policy. Thus, Amazon’s notice to parents regarding data collection by third parties appears designed to discourage parental engagement and avoid Amazon’s responsibilities under Coppa,” the group writes in a summary of their complaint. They are also objecting to how Amazon is obtaining parental consent — arguing its system for doing so is inadequate because it’s merely asking that a credit or debit/debit gift card number be inputted. “It does not verify that the person “consenting” is the child’s parent as required by Coppa,” they argue. “Nor does Amazon verify that the person consenting is even an adult because it allows the use of debit gift cards and does not require a financial transaction for verification.” Another objection is that Amazon is retaining audio recordings of children’s voices far longer than necessary — keeping them indefinitely unless a parent actively goes in and deletes the recordings, despite Coppa requiring that children’s data be held for no longer than is reasonably necessary. They found that additional data (such as transcripts of audio recordings) was also still retained even after audio recordings had been deleted. A parent must contact Amazon customer service to explicitly request deletion of their child’s entire profile to remove that data residue — meaning that to delete all recorded kids’ data a parent has to nix their access to parental controls and their kids’ access to content provided via FreeTime — so the complaint argues that Amazon’s process for parents to delete children’s information is “unduly burdensome” too. Their investigation also found the company’s process for letting parents review children’s information to be similarly arduous, with no ability for parents to search the collected data — meaning they have to listen/read every recording of their child to understand what has been stored. They further highlights that children’s Echo Dot Kids’ audio recordings can of course include sensitive personal details — such as if a child uses Alexa’s ‘remember’ feature to ask the AI to remember personal data such as their address and contact details or personal health information like a food allergy. The group’s complaint also flags the risk of other children having their data collected and processed by Amazon without their parents consent — such as when a child has a friend or family member visiting on a playdate and they end up playing with the Echo together. Responding to the complaint, Amazon has denied it is in breach of Coppa. In a statement a company spokesperson said: “FreeTime on Alexa and Echo Dot Kids Edition are compliant with the Children’s Online Privacy Protection Act (COPPA). Customers can find more information on Alexa and overall privacy practices here: .” An Amazon spokesperson also told us it only allows kid skills to collect personal information from children outside of FreeTime Unlimited (i.e. the paid tier) — and then only if the skill has a privacy policy and the developer separately obtains verified consent from the parent, adding that most kid skills do not have a privacy policy because they do not collect any personal information. At the time of writing the FTC had not responded to a request for comment on the complaint. Over in Europe, there has been growing over the use of children’s data by online services. A report by England’s children’s commissioner late last year warned kids are being “datafied”, and suggested profiling at such an early age could lead to a data-disadvantaged generation. Responding to rising concerns the UK privacy regulator launched a on a last month, asking for feedback on 16 proposed standards online services must meet to protect children’s privacy — including requiring that product makers put the best interests of the child at the fore, deliver transparent T&Cs, minimize data use and set high privacy defaults. The UK government has also recently published a Whitepaper setting out a which has a heavy focus on child safety.
‘Huge awakening’ in data privacy drives big growth for Seattle startup Integris

‘Huge awakening’ in data privacy drives big growth for Seattle startup Integris

11:29pm, 1st April, 2019
Integris CEO Kristina Bergman. (Integris Photo). Back in 2016, a Seattle startup called Integris with a modest $3 million in funding and a vision to help companies manage customer data with integrity. Fast-forward to 2019, when privacy issues are making daily headlines as politicians seek to rein in Big Tech, and business is booming for Integris. In a little over two quarters, Integris more than tripled its team to 30 full-time employees. The startup opened a second office in Vancouver, B.C. and is working with a number of Fortune 500 companies to help them implement data protection and privacy standards. Integris’ growth is driven by new laws in the U.S. and Europe that seek to crack down on tech companies that handle consumer data. The European Union is spearheading the effort with its broad General Data Protection Regulation. In the U.S., federal regulation has been sluggish as states step in to implement their own laws. Last summer, to give consumers more control over their data and dozens of other states are considering similar laws. Related: “When we started three years ago, most people couldn’t spell GDPR … but fast forward a few years and privacy is in the headlines,” said Integris co-founder Kristina Bergman. “It’s front page news in all the major publications and so the biggest thing that we’ve seen is a huge awakening among people everywhere about the impacts of privacy, the importance of privacy, and we’ve seen a lot of market maturity happen over the last few years.” Ironic as it might sound, big tech companies are . Apple and Microsoft have been actively promoting themselves as the secure, privacy-sensitive foils to their younger tech industry peers. It’s catching on. In March, Facebook by doubling down on encrypted, ephemeral messaging. But there is a growing concern in the business community about a future in which companies that handle consumer data are forced to comply with different laws in every state. “The concern is that if the federal government doesn’t step up and unify it in the way that Europe unified privacy legislation under GDPR, we’re going to end up with a privacy legislation framework in the U.S. that’s incredibly fractured, very hard to comply with, and not really feasible and implementable,” said Bergman. That fear is leading a number of tech leaders to support a federal privacy law that would pre-empt state regulations. Related: Integris surveyed 258 business executives at companies with 500 employees or more and at least $25 million in annual revenue as part of released Monday. Of those surveyed, 80 percent believe there should be a federal privacy law, though they may not be ready for it. About half of the respondents said they take inventory of the personal data they store just once a year or in response to an audit. However, 88 percent said their companies are increasing their data privacy management budgets in 2019. “What’s been a boon to the business is not the murkiness but the opportunity that privacy presents,” Bergman said. “In our discussions with companies, they’re looking at privacy increasingly as a differentiator for their business … they look at that as an opportunity to differentiate against their competition by being able to prove that they’re operating with integrity, they’re treating customer data with the utmost care, and they can prove it.” Integris’ goal is to help companies set up best practices in data privacy. The company uses machine learning and other technology to map a company’s sensitive data, apply regulatory obligations, and automate actions like encryption and deletion. On top of its initial $3 million round, last summer to amp up its regulatory compliance services.