Jingwen Yan (Clemson University), Song Liao (Texas Tech University), Mohammed Aldeen (Clemson University), Luyi Xing (Indiana University Bloomington), Danfeng (Daphne) Yao (Virginia Tech), Long Cheng (Clemson University)

Despite the popularity and many convenient features of Amazon Alexa, concerns about privacy risks to users are rising since many Alexa voice-apps (called skills) may collect user data during the interaction with Alexa devices. Informing users about data collection in skills is essential for addressing their privacy concerns. However, the constrained interfaces of Alexa pose a challenge to effective privacy notices, where currently Alexa users can only access privacy policies of skills over the Web or smartphone apps. This in particular creates a challenge for visually impaired users to make informed privacy decisions. In this work, we propose the concept of Privacy Notice over Voice, an accessible and inclusive mechanism to make users aware of the data practices of Alexa skills through the conversational interface: for each skill, we will generate a short and easily understandable privacy notice and play it to users at the beginning of the skill in voice. We first conduct a user study involving 52 smart speaker users and 21 Alexa skill developers to understand their attitudes toward data collection and the Privacy Notice over Voice mechanism. 92.3% of participants liked the design of Privacy Notice over Voice and 70.2% of participants agreed that such mechanism provides better accessibility and readability than traditional privacy policies for Alexa users. Informed by our user study results, we design and develop a tool named SKILLPoV (Skill’s Privacy Notice over Voice) to automatically generate a reference implementation of Privacy Notice over Voice through static code analysis and instrumentation. With comprehensive evaluation, we demonstrate the effectiveness of SKILLPoV in capturing data collection (91.3% accuracy and 96.4% completeness) from skill code, generating concise and accurate privacy notice content using ChatGPT, and instrumenting skill code with the new privacy notice mechanism without altering the original functionality. In particular, SKILLPoV receives positive and encouraging feedback after real-world testing conducted by skill developers.

View More Papers

The Power of Words: A Comprehensive Analysis of Rationales...

Yusra Elbitar (CISPA Helmholtz Center for Information Security), Alexander Hart (CISPA Helmholtz Center for Information Security), Sven Bugiel (CISPA Helmholtz Center for Information Security)

Read More

Trim My View: An LLM-Based Code Query System for...

Sima Arasteh (University of Southern California), Pegah Jandaghi, Nicolaas Weideman (University of Southern California/Information Sciences Institute), Dennis Perepech, Mukund Raghothaman (University of Southern California), Christophe Hauser (Dartmouth College), Luis Garcia (University of Utah Kahlert School of Computing)

Read More

BrowserFM: A Feature Model-based Approach to Browser Fingerprint Analysis

Maxime Huyghe (Univ. Lille, Inria, CNRS, UMR 9189 CRIStAL), Clément Quinton (Univ. Lille, Inria, CNRS, UMR 9189 CRIStAL), Walter Rudametkin (Univ. Rennes, Inria, CNRS, UMR 6074 IRISA)

Read More