Introduction
I am currently working on an audio component within my smart home. If you deal with the topic, you can't get around the topic of Alexa, Google Home & Co. There are currently 2 Amazon Alexa and a smart plug in sale for 34.98$. This is very cheap even for Amazon and in the end I am unsure whether even a rudimentary profit can be made for €34.98. For me it seems logical that Amazon uses such days not only to boost sales but also to make their in-house language assistant more popular. I can definitely understand the approach and I can also understand why the language assistant now has over 300,000 ratings (mostly good...). This makes Alexa the cheapest way to equip an entire home with voice assistants. And whether you're for or against Alexa, Amazon has done a really good job with the voice assistant. Alexa can control many devices, has integrated games and much more. In terms of quality, you can't complain even at the normal price, but I would still like to deal with Alexa in this article and decide for myself whether Alexa is a way of giving my smart home a voice.
Privacy
First, of course, comes the most important topic for me… data protection. My entire smart home is operated locally. My public connection is created by private servers and no data can get out of my network without me noticing. Within my 120 devices, there is just 1 Wi-Fi operated device that would basically be able to contact the manufacturer and that's only because there are no vacuum cleaners with a good local connection (at least I don't know of any in this form ). But this is also enclosed in its own network area behind a firewall and apart from my home assistant and the associated gateway it can communicate with absolutely no one. I use local Tuya for the control and the connection to the manufacturer was done with that. But that's also easy with a vacuum cleaner, I can hardly lock Alexa behind a firewall, because then the range of functions will quickly shrink towards zero. Accordingly... data protection... a tiresome topic that can only be considered in general, because what Amazon writes and what it ultimately does are of course different things.
In principle, Alexa does not spy, that should be said and can be read sufficiently on the Internet and has now been proven by network analyzes (see for example here) and accordingly I don't want to call Alexa a "bug". However, it should be noted that such tests are snapshots and “standard” Alexa installations (more on that in a moment). Accordingly, owning an Alexa does not endanger data protection. Alexa includes a skill interface that can be used by any manufacturer who wants to use it to “teach” Alexa their own things. This can very well be exploited and care should be taken in these spheres. An update can also quickly contain malware or something else, then the device can quickly become a bug (see here) and this can potentially always happen.
Now I would also like to talk to my assistant and this is where the first problems start for me at the latest. Alexa devices themselves initially process voice commands locally. Alexa checks whether an activation word (e.g. "Alexa") has been said. As long as this is not the case, the voice data is usually deleted directly and nothing has happened.
However, as soon as the activation word has been spoken, Alexa's computing power and memory is no longer sufficient and the data is forwarded to the Amazon cloud services. Accents etc. can be recognized and processed much better here. Users can be recognized by their respective voices and guests can no longer speak to Alexa unless the owner allows it. This is where my first problems start. I can understand that Amazon has to process my language on the AWS servers. The functionality of this assistant never fits in so little space as, for example, an Echo Dot. However, for speech recognition that can identify me as a person, my voice or its phonetics must be saved and this is very likely to happen in my profile so that all my Alexa devices can really do this... Even if the following really goes in the direction of black painting, I would not like my analyzed speech to be used by people without good intentions for a speech generator, or to be able to recognize me across other devices... Possibly at a friend's house who also has Alexa... (According to the privacy policy of Amazon does NOT do this, I want to make that very clear here!). But it may be that my friend I'm with is talking to Alexa, I also say something and exactly this recording is analyzed by Amazon within the "Improve Alexa" program. The consent was given by my friend... Only Amazon can know what happens during this, but that would be one way of "legally" getting my data to Amazon. In this case, there is little I can do because it is not my device and Amazon can hardly get the consent of every guest, every user that it could be that speech excerpts are analyzed. I can totally understand that, but I don't want to risk such a matching.
Finally, there are the so-called “skills”. These enable Alexa to do great things with other manufacturers. But this is where I see the biggest problem. In general, I trust Amazon that they do their anonymization well and to be honest, if someone pays attention to IT security, then it's more the big providers like Amazon, but certainly not just any manufacturer who necessarily has a smart home device want to enter the market in order to open up another customer group.
Here comes my main problem, because in addition to the “post install” mentioned at the beginning, there are the very general vulnerabilities. Is the skill programmed well? – What is sent to the manufacturer and does he also store all data securely and encrypted? – I can't answer any of the questions here, because it's also difficult to analyze something here. Because if such a skill is not exactly open source, it will be difficult. No question, the Alexa platform itself is also a black box, but this is the platform of choice, here you initially agreed that you didn't know anything. You just have to trust here, otherwise you can forget something like that anyway and if I have to trust someone, then it's most likely to be the one who already has my data, since I order there almost every day... I have little choice here and inevitably have to give a leap of faith. But I don't give this to every random Chinese manufacturer who has just thrown an IoT product onto the market... And it doesn't have to be the manufacturer either, there can also be another platform, like Tuya or something else, and that's where my joy ends at the latest . Amazon is a US company and no question about the Cloud Act and Patriot Act, it is not so good to store the data there in terms of data protection. But China is ground zero for me. I try not to put anything there unless I absolutely have to... Even my Ali Express account is always a different email address and I always rotate the delivery locations and payment options, as well as the recipient's name. Accordingly, the skills are a data protection no-go for me.
It should also be said that theoretically you can even have the data automatically deleted at Amazon in the data protection settings. However, any personalization will be lost and that undermines the sense of a language assistant a bit for me.
Summary Privacy Policy
In summary, I can say that Alexa in the basic version is quite acceptable for normal people. The US provider has a lot of data about us anyway, since we voluntarily give it out every day and Amazon does a lot to anonymize users and protect their privacy (at least to the outside world...). Accordingly, for the large number of customers, Alexa is an acceptable choice. However, it is better to look three times at the third-party apps and check whether you really need them. In my case, I would try to make apps independent of any third party by integrating Homeassistant.
Functionality
I'm just skimming through this topic as there's just not much to say here. I don't think Alexa is market leader for no reason. Alexa can do a lot, is communicative in any case and an enrichment in everyday life if you use the language assistant. Alexa can be easily integrated into smart home management systems such as Home Assistant, and Alexa also has the ability to act as a “smart home center” itself. Accordingly, I can keep this short and answer this point quite simply with "Yes"... Because there is hardly a system that can keep up with Alexa.
Conclusion
In summary, I can easily say that Alexa is an option for the average user, those interested in technology and every enthusiast. Anyone who avoids Amazon, deletes their browser every day and only surfs with VPN and incognito should avoid this and any other language assistant. However, this does not apply to me in any case. Accordingly, I will check to what extent I could use Alexa in my smart home without any third-party app and whether control signals are forwarded by Alexa to Amazon or device IDs or anything else. All communication with Alexa takes place via TLS1.2 and is therefore currently secure, but I don't want to know any ID's of my local devices from a manufacturer... Finding this out turns out to be a little more difficult than expected if you don't use your own echo. It is important to mention here that I do NOT want to use the ZigBee Hub Alexa but a purely local installation. Once I figure that out, I'll finally be able to decide...