Is your smart speaker eavesdropping on you? Cunningham’s bill would make it illegal

A digital privacy package introduced to the California Legislature includes a bill by a Central Coast assemblyman seeking to make it illegal for manufacturers of devices such as smart speakers to eavesdrop on consumers for data collection.

Following various cases in recent months of web-connected “smart” devices sharing users’ information without their consent, Assemblyman Jordan Cunningham on Wednesday introduced the Future of Eavesdropping Act, a bill his office said would “prohibit smart speaker manufacturers from storing and data mining voice recordings made with smart speakers.”

“We should be able to enjoy the many benefits of having a home with interconnected devices without the worry that we’ve sacrificed security and privacy for convenience,” Cunningham wrote in the release.

Calling corporate concerns for privacy an “illusion,” Cunningham in a Jan. 28 opinion piece in The San Francisco Chronicle cited recent scandals at Google and Facebook as examples in which “data can be sold to the highest bidder, breaches are covered up and ‘smart speakers’ eavesdrop on us in the privacy of our own home.”

In May, The Washington Post reported that a Portland, Oregon, family said an Amazon Echo device recorded a private conversation and sent it to the family’s contacts without their permission.

In 2017, a tech blogger found that a hardware flaw in the Google Home Mini allowed the device to secretly record users without their knowing. That bug was fixed before the model was officially released to the paying public.

According to the bill, existing law requires “a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information,” and grants consumers the ability to recover any damages from breaches of those practices through civil litigation.

Manufacturers of smart devices must also equip them with reasonable security features for the information they might collect, contain, or transmit, and the devices must be designed to protect the device and any information contained therein from unauthorized use or disclosure, the legislation reads.

This bill would prohibit a smart speaker device, as defined, or a specified manufacturer of that device, from saving or storing recordings of verbal commands or requests given to the device, or verbal conversations heard by the device, “regardless of whether the device was triggered using a key term or phrase.”

In the Oregon incident, Amazon said the Echo device began recording after being triggered by a “wake word” from the consumer.

An Amazon spokesperson did not immediately return a request for comment on Cunningham’s bill Thursday.

The smart speaker bill was introduced as part of the #YourDataYourWay policy package Cunningham co-authored with Republican Assembly members James Gallagher, R-Sacramento, Tom Lackey, R-Antelope Valley, and Chad Mayes, R-Riverside.

Other bills in the policy package include:

  • The Family Greenlight Act (Gallagher) would “prohibit a social media website or application from allowing a person under 16 years of age to create an account with the website or application unless the website or application obtains the consent of the person’s parent or guardian prior to creation of the account.” It would also require the California Department of Justice to create guidelines on how those applications obtain that consent.
  • The Own Your Own Data Act (Cunningham) would require a social media company to provide users who close their accounts the option to have their personally identifiable information permanently removed from the company’s database and excluded from sale.
  • A 72-hour data breach notification (Mayes) would amend existing law to require that companies notify consumers affected by a data breach within 72 hours. Current law requires companies to send notifications “in the most expedient time possible,” according to the bill.

Each bill is awaiting the scheduling of hearing dates.

“Privacy is not a partisan issue,” Cunningham wrote in The San Francisco Chronicle. “In the 21st century, the threats to our privacy have grown to include technology that has become involved with every aspect of our lives. Our government must adapt to protect privacy in the modern age.”

Matt Fountain is The San Luis Obispo Tribune’s courts and investigations reporter. A San Diego native, Fountain graduated from Cal Poly’s journalism department in 2009 and cut his teeth at the San Luis Obispo New Times before joining The Tribune as a crime and breaking news reporter in 2014.