Human-centred Security and Privacy in Smart Home Personal Assistants (SPAs): Understanding Users’ Perceptions, Preferences and Skill Developers’ Practices

Student thesis: Doctoral Thesis, Doctor of Philosophy

Abstract

Smart Home Personal Assistants (SPAs), such as Amazon Alexa and Google Assistant, are a relatively new technology that leverages advances in machine learning and natural language processing, providing seamless voice-based interactions to users and offering a wide range of capabilities. In order to offer these capabilities, SPAs have a complex ecosystem involving many stakeholders, which currently lack usable security and privacy mechanisms, often leading to users’ security and privacy incidents and concerns. This thesis focuses on two key stakeholders of the SPA ecosystem: end-users of SPAs and developers of third-party SPA skills, which are voice applications that extend the capabilities of SPAs. Through this thesis, we study end-users’ mental models, perceptions and security and privacy threats/concerns. We also study their preferences over the flows of information across the SPA ecosystem. Regarding developers of third-party skills, we study their security and privacy practices when developing, deploying and maintaining skills.

We found that SPA users have incomplete mental models of the ecosystem and of different data activities, such as how their information is processed, shared, stored and learned by those stakeholders, leading to various security and privacy concerns. To cope with these concerns, users often apply short-term coping strategies like avoiding the use of certain features, but most users simply do not know how to protect themselves. We also studied users’ preferences over the flows of information across the SPA ecosystem based on the contextual integrity theory, and applied association rule mining to distil a set of general privacy norms for SPAs, which can be implemented by SPA providers and developers of third-party skills as privacy default settings. Regarding third-party developers, we found that security and privacy are often neglected and developers focus on adding and testing new features to boost their skill ratings. Finally, we put together the key findings of this thesis to propose a conceptual framework, highlighting the relationships between the concepts and proposing recommendations for policy, research and practice.

Date of Award: 1 Sept 2022
Original language: English
Awarding Institution: King's College London
Supervisors: Jose Such & Luca Viganò
