Alexa, Who Am i Speaking To?: Understanding Users' Ability to Identify Third-Party Apps on Amazon Alexa

David Major; Danny Yuxing Huang; Marshini Chetty; Nick Feamster

doi:10.1145/3446389

Alexa, Who Am i Speaking To? Understanding Users' Ability to Identify Third-Party Apps on Amazon Alexa

David Major, Danny Yuxing Huang, Marshini Chetty, Nick Feamster

Electrical and Computer Engineering

Research output: Contribution to journal › Article › peer-review

Abstract

Many Internet of Things devices have voice user interfaces. One of the most popular voice user interfaces is Amazon's Alexa, which supports more than 50,000 third-party applications ("skills"). We study how Alexa's integration of these skills may confuse users. Our survey of 237 participants found that users do not understand that skills are often operated by third parties, that they often confuse third-party skills with native Alexa functions, and that they are unaware of the functions that the native Alexa system supports. Surprisingly, users who interact with Alexa more frequently are more likely to conclude that a third-party skill is a native Alexa function. The potential for misunderstanding creates new security and privacy risks: attackers can develop third-party skills that operate without users' knowledge or masquerade as native Alexa functions. To mitigate this threat, we make design recommendations to help users better distinguish native functionality and third-party skills, including audio and visual indicators of native and third-party contexts, as well as a consistent design standard to help users learn what functions are and are not possible on Alexa.

Original language	English (US)
Article number	3446389
Journal	ACM Transactions on Internet Technology
Volume	22
Issue number	1
DOIs	https://doi.org/10.1145/3446389
State	Published - Feb 2022

Keywords

Internet of Things
Smart home
network measurement
privacy
security

ASJC Scopus subject areas

Computer Networks and Communications

Access to Document

10.1145/3446389

Cite this

@article{9d12b0330b9a485397f585159840f648,

title = "Alexa, Who Am i Speaking To?: Understanding Users' Ability to Identify Third-Party Apps on Amazon Alexa",

abstract = "Many Internet of Things devices have voice user interfaces. One of the most popular voice user interfaces is Amazon's Alexa, which supports more than 50,000 third-party applications ({"}skills{"}). We study how Alexa's integration of these skills may confuse users. Our survey of 237 participants found that users do not understand that skills are often operated by third parties, that they often confuse third-party skills with native Alexa functions, and that they are unaware of the functions that the native Alexa system supports. Surprisingly, users who interact with Alexa more frequently are more likely to conclude that a third-party skill is a native Alexa function. The potential for misunderstanding creates new security and privacy risks: attackers can develop third-party skills that operate without users' knowledge or masquerade as native Alexa functions. To mitigate this threat, we make design recommendations to help users better distinguish native functionality and third-party skills, including audio and visual indicators of native and third-party contexts, as well as a consistent design standard to help users learn what functions are and are not possible on Alexa.",

keywords = "Internet of Things, Smart home, network measurement, privacy, security",

author = "David Major and Huang, {Danny Yuxing} and Marshini Chetty and Nick Feamster",

note = "Funding Information: This work was partially supported by NSF awards CNS-1953740, CNS-1237265, and CNS-1518921, along with industry funding from Cable Labs (including in-kind donation of equipment plus funding), Amazon, Microsoft, Cisco, and Comcast. Authors{\textquoteright} addresses: D. Major, Princeton University, 35 Olden St, Princeton, New Jersey, 08540, USA; email: dj-major@princeton.edu; D. Y. Huang, New York University, 370 Jay St, Brooklyn, New York, 11201, USA; email: dhuang@nyu.edu; M. Chetty and N. Feamster, University of Chicago, 5730 S. Ellis Avenue, Chicago, Illinois, 60637, USA; emails: {marshini, feamster}@ uchicago.edu. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org. {\textcopyright} 2021 Association for Computing Machinery. 1533-5399/2021/09-ART11 $15.00 https://doi.org/10.1145/3446389 Publisher Copyright: {\textcopyright} 2021 Association for Computing Machinery.",

year = "2022",

month = feb,

doi = "10.1145/3446389",

language = "English (US)",

volume = "22",

journal = "ACM Transactions on Internet Technology",

issn = "1533-5399",

publisher = "Association for Computing Machinery (ACM)",

number = "1",

}

TY - JOUR

T1 - Alexa, Who Am i Speaking To?

T2 - Understanding Users' Ability to Identify Third-Party Apps on Amazon Alexa

AU - Major, David

AU - Huang, Danny Yuxing

AU - Chetty, Marshini

AU - Feamster, Nick

N1 - Funding Information: This work was partially supported by NSF awards CNS-1953740, CNS-1237265, and CNS-1518921, along with industry funding from Cable Labs (including in-kind donation of equipment plus funding), Amazon, Microsoft, Cisco, and Comcast. Authors’ addresses: D. Major, Princeton University, 35 Olden St, Princeton, New Jersey, 08540, USA; email: dj-major@princeton.edu; D. Y. Huang, New York University, 370 Jay St, Brooklyn, New York, 11201, USA; email: dhuang@nyu.edu; M. Chetty and N. Feamster, University of Chicago, 5730 S. Ellis Avenue, Chicago, Illinois, 60637, USA; emails: {marshini, feamster}@ uchicago.edu. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org. © 2021 Association for Computing Machinery. 1533-5399/2021/09-ART11 $15.00 https://doi.org/10.1145/3446389 Publisher Copyright: © 2021 Association for Computing Machinery.

PY - 2022/2

Y1 - 2022/2

N2 - Many Internet of Things devices have voice user interfaces. One of the most popular voice user interfaces is Amazon's Alexa, which supports more than 50,000 third-party applications ("skills"). We study how Alexa's integration of these skills may confuse users. Our survey of 237 participants found that users do not understand that skills are often operated by third parties, that they often confuse third-party skills with native Alexa functions, and that they are unaware of the functions that the native Alexa system supports. Surprisingly, users who interact with Alexa more frequently are more likely to conclude that a third-party skill is a native Alexa function. The potential for misunderstanding creates new security and privacy risks: attackers can develop third-party skills that operate without users' knowledge or masquerade as native Alexa functions. To mitigate this threat, we make design recommendations to help users better distinguish native functionality and third-party skills, including audio and visual indicators of native and third-party contexts, as well as a consistent design standard to help users learn what functions are and are not possible on Alexa.

AB - Many Internet of Things devices have voice user interfaces. One of the most popular voice user interfaces is Amazon's Alexa, which supports more than 50,000 third-party applications ("skills"). We study how Alexa's integration of these skills may confuse users. Our survey of 237 participants found that users do not understand that skills are often operated by third parties, that they often confuse third-party skills with native Alexa functions, and that they are unaware of the functions that the native Alexa system supports. Surprisingly, users who interact with Alexa more frequently are more likely to conclude that a third-party skill is a native Alexa function. The potential for misunderstanding creates new security and privacy risks: attackers can develop third-party skills that operate without users' knowledge or masquerade as native Alexa functions. To mitigate this threat, we make design recommendations to help users better distinguish native functionality and third-party skills, including audio and visual indicators of native and third-party contexts, as well as a consistent design standard to help users learn what functions are and are not possible on Alexa.

KW - Internet of Things

KW - Smart home

KW - network measurement

KW - privacy

KW - security

UR - http://www.scopus.com/inward/record.url?scp=85119174171&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85119174171&partnerID=8YFLogxK

U2 - 10.1145/3446389

DO - 10.1145/3446389

M3 - Article

AN - SCOPUS:85119174171

SN - 1533-5399

VL - 22

JO - ACM Transactions on Internet Technology

JF - ACM Transactions on Internet Technology

IS - 1

M1 - 3446389

ER -