What are the security concerns with voice-enabled assistants?

Chris M. Mason
Jennings, Strouss & Salmon PLC

PHOENIX—As some hotels look to add voice-enabled devices to broaden and enhance the guest experience, the question of security arises—as it usually does when new technology is implemented. While hotels strive to address guest desires and expectations, keeping data and information safe is also a critical concern for hoteliers. Enterprise-ready providers have implemented strategies—and are constantly innovating—to ensure guests’ information remains safe. Chris M. Mason, an attorney with the Phoenix office of Jennings, Strouss & Salmon PLC, explores the issues hotels could face.

Hotels are starting to use home assistants and voice-activated devices. What are the major issues that could arise for hotels as these solutions become more commonplace? The primary issues all stem from concerns with privacy. A very recent, highly publicized legal challenge by police authorities for records from Amazon reveals this prospect. Arkansas police have sought recordings stored by Amazon of a home-based Echo used by a murder suspect, in the hopes of finding helpful information for their investigation. The request has brought to the nation’s attention the countervailing privacy concerns and the privacy risks of information recorded through these devices.

Voice-activated, internet-connected, assistants like Amazon Echo and Google Home necessarily record and transmit information and conversations. This is how they function. At their core, they are recording devices. Whenever a user signals the “wake word” or “activation phrase,” the devices begin recording everything said, until the interaction ends, and the information is stored in cloud-based recordings. Anything said during these interactions can potentially be recovered and used.

While many may already intuitively understand this and, consequently, may be more cautious in their use of these devices in hotels and other public venues, what about conversations we never intend to share with Alexa or Google? These devices are “always on,” meaning that they are actively listening for their wake word or activation phrase. Use of a name like Alexa or the phrase “OK Google,” or even approximations of these terms or phrases, may trigger an unintended recording. These wake words may be uttered in television or radio dialogues, or by those in background conversations, and once they are, the recording is on. These risks are very real. Every time an Amazon Echo commercial comes on the television in my living room, and the actors utter the wake term “Alexa,” my Echo triggers and begins recording.

This is not only concerning for those who may be voicing sensitive information at these inopportune times, but these situations also may implicate laws regarding the recording of conversations. Many states prohibit surreptitious recordings of conversations, enforcing these prohibitions with criminal sanctions. Those who are inadvertently recorded may potentially assert a claim against the owner of the device, or others who may have used the devices improperly to record the conversations.

Also, any device of this nature can potentially be used on unsuspecting guests by those with criminal designs. While these devices—and the services through which they are provided—have their own internal protections, any digital device with an internet connection can potentially be hacked. Other criminals could place substitute devices in hotels, which guests may believe are legitimate, and use them to record conversations. The potential scams are as broad as the creative criminal mind can devise.

What questions should hoteliers ask themselves before implementing these devices? The most important question any hotel should ask is whether to use these devices in the first place, based primarily on what, if any, benefit they will find in using them. Certainly, these devices can bring value and efficiencies, but each individual hotel has to ask itself how it might use these types of devices and if the desired uses outweigh potential risks and the costs of implementing precautions. They must also consider the possible precautions to implement.

Who owns the data recorded on these devices? What rights does a business owner have? This is a very complicated issue with no easy answer. Anyone recorded may potentially stake a claim to the information recorded, as may both the owner of the device and the service providers (like Google or Amazon), which provide very comprehensive usage agreements protecting their right to collate and use data gathered by these devices. The best solution is for hotels to include limitations on ownership rights in their notifications to guests and visitors, expressly advising them that they have no right to recover or access any data recorded.

What rights do employees have? So long as the employees are informed that these devices are in use, and these devices are used for legitimate business purposes, employers have the right to use them, subject to state-specific limitations. However, employers may not use them for improper purposes, such as to record employees having conversations about workplace concerns or unionization, or to chill employees in their ability to discuss these types of issues.

Many hotels are looking to implement these solutions in guestrooms. Does this open up any additional legal issues for hotels, particularly as it relates to security and privacy? Why/why not? The same concerns that apply to use of these devices in common areas apply to usage in guestrooms, save perhaps that what may be recorded in guestrooms could have greater sensitivity. Hotels wishing to use these devices in guestrooms should give guests the option and means of deactivating these devices during their stay.

Are there any steps a hotel can take to mitigate its risks? What kinds of policies should hotels implement? Based on how these devices will be used, hotels must consider the specific precautions that they can take to minimize risk. Notifying guests and other hotel visitors in writing that these devices are in operation and may record conversations—including conversations not intended for recording—is just the starting point. Hotels should also consider where to place the devices to limit inadvertent recordings. Employees should be trained on the risks of these devices, and required to execute formal agreements related to confidential treatment of the information gathered by these devices. Those responsible for managing these devices, including the information technology or other similar personnel, should receive additional training. They should be responsible for ensuring that these devices are not hacked or used improperly by third parties, that the recording logs are deleted periodically to minimize risk, and that any other precautions are properly followed. These expectations should be properly documented in written policies.

Voice assistants are relatively new—particularly for hotels—but also in general. From a legal perspective, how do you see this space evolving in the future? Voice-assistant devices are inevitable. It’s not a question of “if” hotels and other consumer enterprises implement them, it is a question of when and for what purposes. The future legal implications are challenging to predict, but employers that take these issues seriously and who implement thoughtful precautions will likely find greater protection and deference. HB

To see content in magazine format, click here.