Measuring privacy policy compliance in the Alexa ecosystem: In-depth analysis

Abstract

Virtual Personal Assistant (VPA) services such as Amazon Alexa are quickly and seamlessly integrating into people’s daily lives. The Alexa ecosystem allows third-party developers to build new skills and publish them to the skill market. These skills can be either standalone skills, operating independently without external linking, or skills with account linking, necessitating the user connect to external services to access the skill’s functionality. Skill developers are required to provide privacy policies to disclose their skills’ data practices. The popularity of these skills raises privacy concerns in data handling practices. Privacy policy documents play an important role in addressing users’ privacy concerns and informing them about the data practices. These documents are complex for users to comprehend, and skill developers may intentionally or unintentionally fail to comply. Previous investigations have predominantly focused on scrutinizing the privacy policies of standalone skills, overlooking those associated with companion services and developers with multiple skills. This study aims to bridge this gap by examining the privacy policies of both the skills and their companion services, along with multiple skills published by the same developer, to explore potential differences in data practices. We conduct the first study on the Alexa ecosystem for skills with account linking, where we compare the policy of the skills and their companion services. We automatically extract the data types from both privacy policies for comparison using a machine learning technique. Mismatches between skill and companion service privacy practices were unveiled, with 975 instances of data type collection mismatches between skills and their companion services, along with 692 instances of data type sharing mismatches. We uncover differences in privacy practices among developers; 13 developers publish skills in different categories and three of them employ different privacy policies on their published skills. Among 35 developers who publish skills in the same category ten provide different privacy policies.