Speaker: Dr. Song Liao, Assistant Professor at Texas Tech University
Time: April 3, 2025, 1:30 pm - 3:00 pm
Room: E297L, Discovery Park, UNT
Coordinator: Dr. Haihua Chen
Abstract: Voice personal assistants (VPAs) such as Amazon Alexa and Google Assistant are rapidly gaining popularity in both domestic and business settings. Today's VPA services have been largely expanded by allowing third-party developers to build voice apps (named "skill" in the Amazon Alexa platform) and publish them to marketplaces. Many of these apps collect users’ sensitive personal data for various functionalities, which raises significant privacy concerns for users. To ensure the privacy safety of voice apps, VPA platform providers have specified a set of requirements to be adhered to by third-party developers. The collection and processing of such data are also governed by legal frameworks like the General Data Protection Regulation (GDPR).
In this talk, I will present our work on ensuring privacy compliance of voice applications. We first analyzed privacy policy documents from third-party developers in the US marketplace. The results showed that a substantial number of problematic privacy policies exist in the Amazon Alexa and Google Assistant platforms. We also extended our focus to voice apps in European marketplaces, assessing their privacy compliance with GDPR regulations. To understand the actual data collection behaviors in voice apps, we designed a dynamic testing tool named “SkillDetective” and a static tool named “SkillScanner” to automatically test voice-app behaviors and report on potential privacy violations. Finally, the limitations in privacy policy documents motivate us to explore and design new means of privacy notification. We proposed the concept of Privacy Notice over Voice, an accessible and inclusive mechanism to make users aware of the data practices through the conversational interface.
Bio of the speaker: Song Liao is currently a tenure-track Assistant Professor in the Department of Computer Science at Texas Tech University. He received his Ph.D. degree from Clemson University in 2024, under the guidance of Dr. Long Cheng. He received his B.S. and M.S. degrees from Xi'an Jiaotong University in 2015 and 2018, respectively. His research interests include IoT security and privacy, data science, and online abuse detection. Specifically, he has delved deeply into the policy and privacy compliance of voice assistant applications, conducting a comprehensive series of studies in this area. His work has been published in top conferences, including ACM CCS, USENIX Security, NDSS, WWW, UbiComp, and KDD. Notably, his work on privacy policy analysis received the Distinguished Paper Award at ACSAC 2020.