Is your smart speaker spying on you?

If you’re a smart speaker owner – or even if you’ve just seen one in a friend’s house – you’ve probably asked yourself, “Is that thing spying on me?”

The answer, as it turns out, is yes – sort of.

Just a few weeks ago, a married couple in Portland, Oregon found out that their Amazon Alexa had listened to a conversation they’d had about hardwood floors and sent it to a contact in their digital contact list. They didn’t realize this until they got a call from the husband’s coworker, warning him that he’d been hacked and urging him to unplug the device. Amazon investigated the device and found that it had misunderstood the conversation, hearing its name called and responding to what it thought was a request to send the message.

Admittedly, it’s a fluke – but it’s a telling one. Consumers all across America are welcoming smart speakers and other smart technology into their homes; according to one report, nearly 20 percent of adult Americans have access to a smart speaker. But while these devices offer us a new level of personalization and connectivity, they also open up a new pathway for invasions of our privacy. Innovative data thieves even managed to access a casino’s database of its most extravagant patrons through a cloud-connected thermometer in a fish tank. In other words, the more connectivity, the more vulnerability.

This vulnerability has largely been overlooked in recent discussions about consumer privacy, with most of public and federal ire directed towards major digital platforms like Google, Twitter and Facebook. But smart speakers pose just as real – if not as ubiquitous – a threat to consumer privacy.

When you introduce a device that can overhear your employees’ private conversations about sensitive consumer information, you’ve added yet another way for your organization’s security to be breached and your reputation to be compromised.

Much like these digital platforms, smart speakers are constantly collecting data to increase personalization and speed of service. Instead of the facial recognition of Facebook, there’s the voice recognition of Alexa. Instead of the data collection via a “Like” button or a search bar, the device collects information about your location, favorite products, new sources and music. And instead of logging your typed conversations with contacts, it records the ones you dictate and send to them.

Smart speakers and their connected smart products are predominately used in homes – for now. Increasingly, however, businesses are using them, a move that introduces another level of complexity for IT and CISO workers. Effective digital hygiene is difficult enough with laptops and phones. but when you introduce a device that can overhear your employees’ private conversations about sensitive consumer information, you’ve added yet another way for your organization’s security to be breached and your reputation to be compromised.

As smart speaker sales continue to skyrocket, we must remember to proceed with caution. Our early enthusiasm for services like Facebook and Twitter led many of us to share personal information far more profligately and publicly than we would have thought of doing before these services came into existence. We must learn from experience and share information with these new interactive devices extremely carefully.

Above all, however, our federal leaders need to be on the watch. They’re entirely right to scrutinize and question digital platforms, but they must be sure to direct their attention to smart speakers as well. Privacy is the hallmark of a civilized society – one that trusts its citizens to live, work and purchase as they see fit. Social media and other online companies may have managed to compromise this value significantly over the past several years. But if we can learn from past failures in vigilance and exercise caution in the coming years, we can develop a framework that allows consumers to shop, speak and share safely and securely for years to come.

Tom Kelly is president and CEO of ID Experts, a Portland, Oregon-based provider of data breach and identity protection services, such as MyIDCare. He is a Silicon Valley serial entrepreneur and an expert in cyber security technologies.