
Press Releases

Dingell Sends Letter to Google and Amazon Demanding Answers on Security Vetting Process Failures

Washington, October 24, 2019

WASHINGTON, DC - Today, Congresswoman Debbie Dingell (MI-12) sent a letter to Google and Amazon demanding answers on how German cybersecurity company Security Research Labs was able to create apps that passed through both Google and Amazon’s security vetting process for apps designed for smart speakers with background listening capabilities.

While the apps designed by the German company were created for research purposes only, the potential exists for copycat applications or malicious actors to use these techniques to target consumers and their personal information.

“Recently a number of articles were published regarding research done by a German cybersecurity company SRLabs in which researchers created apps that passed both Google and Amazon security-vetting processes and allowed the app to eavesdrop on users as well as phish for their passwords.  While these apps were created and used only for research purposes, there is potential for either copycat apps or that malicious actors have already used these techniques to target consumers and their personal information,” wrote Dingell.

“These smart speakers and the advancement of speech recognition technology represent an incredible convenience for consumers, allowing them to bypass screens and for those with physical disabilities to access the internet like everyone else.  But the same feature that contributes to that convenience, not having a screen, also eliminates an important feedback loop for consumers to understand how these applications are performing and puts your company in an even greater position to look after consumers' well-being,” added Dingell.

A copy of the letter can be found linked here or below.

Dear Mr. Jeff Bezos and Mr. Sundar Pichai,

Recently a number of articles were published regarding research done by a German cybersecurity company SRLabs in which researchers created apps designed for smart speakers that passed both Google and Amazon security-vetting processes and allowed the app to eavesdrop on users as well as phish for their passwords.  While these apps were created and used only for research purposes, there is potential for either copycat apps or that malicious actors have already used these techniques to target consumers and their personal information. 

These smart speakers and the advancement of speech recognition technology represent an incredible convenience for consumers, allowing them to bypass screens and for those with physical disabilities to access the internet like everyone else.  But the same feature that contributes to that convenience, not having a screen, also eliminates an important feedback loop for consumers to understand how these applications are performing and puts your company in an even greater position to look after consumers' well-being.

Further, with this added convenience come obvious privacy tradeoffs and as the adoption of smart in-home speakers increases, the incentive for bad actors to manipulate and attack these devices rises as well.  Given the rapidly increasing use of this technology it is imperative that consumers know applications running on these speakers are safe and are performing as intended.  With that I ask the following questions:

  • How are you addressing apps like this from being able to obtain this information in the future?
  • When will these changes take effect?
  • Have you reviewed other applications to see if they attempted similar collection of personal information? If not, will you commit to doing so?
  • Is there any evidence other applications have used these techniques to take user audio recordings?
  • If there was potential wrongdoing, will users be notified?
  • Are you reviewing other “skills” to see if they were used to eavesdrop on consumers?

Thank you for taking the time to review these questions, and I would appreciate your response before November 18.  If you have any questions please feel free to contact Kevin Dollhopf in my office at kevin.dollhopf@mail.house.gov or at (202)225-4071. 

Sincerely,

Debbie Dingell

Member of Congress

###
