Browse all articles

Privacy and Security Evaluation of the Anki Vector Robot

Topics:   Smart Devices

All kids have a right to digital security.

Girard Kelly | December 13, 2018

As part of the launch of our new smart-device security testing, the Common Sense Privacy Program evaluated a popular smart device called Vector and conducted a hands-on basic security assessment for parents and teachers to learn more. Our findings are intended to help parents and teachers make a better-informed decision about whether to buy this device, and other similar smart devices, for use with their children at home or with students at school.

Software

The Vector Robot mobile application launches with a welcome screen. The app provides login and sign-up options, and after a user clicks "Sign-Up," the app requests personal information, including a birth date to confirm the user's age. If a user provides a birth date that indicates they are under the age of 13, the app requests that a parent or guardian provide consent for the child or student before they can use the device by signing up for an account themselves.

      

After the parent or guardian has provided consent and started the registration process, they must enter personal information, including an email address and a password that meets strong and complex password requirements. After creating an account, the parent or guardian is required to activate their account and provide a preference as to opting out of email marketing and communication.

         

To connect the Vector device to the Vector Robot app, the user must turn on Bluetooth. The Vector device displays the pairing code on its screen, and after pairing it needs to also find a Wi-Fi network to connect to the cloud and download updates.

         

The Vector Robot app provides a simple status screen with helpful recommendations of voice commands to use. Also, the app provides preferences that include the Vector device's location (city) and time zone, but it does not request precise geolocation information. Users are encouraged to say "hey, Vector" and issue their voice commands. Lastly, users have the option of asking Vector to learn their names with an audio recording of the user's name with Vector's microphone and to use facial recognition with Vector's HD camera.

       

Amazon Alexa

The Vector Robot was updated to support Amazon Alexa that can be activated from the main app launch screen. Once you launch Alexa, you are asked to connect the Vector Robot to your Amazon account with your username and password to access personalized results. During activation, the Vector Robot will display a unique code on its display screen that will allow you to connect to your Amazon Account.

      

After activation, Anki requests consent to access the information shared with Alexa Voice Services and provides an opportunity to learn more about Amazon Alexa’s privacy practices with its privacy policyterms, conditions of use, and FAQ. The app provides helpful suggestions on what questions to ask Alexa and indicates in the app when Vector is talking to Alexa. Lastly, the mobile app is updated to allow Vector’s top button to activate Amazon Alexa or “Hey Vector.”

    

Hardware

Vector's hardware is packed to the brim with new technologies, which also means that Vector has data-collection capabilities that raise privacy and security concerns. Learn more about what's inside Vector and read our tips on privacy and security below.

What can all that hardware do?

Vector has a "brain" with a 1.2 GHz quad-core Qualcomm Snapdragon processor. That means Vector can more quickly collect and process information within the device itself. Because Vector is smarter, it does not necessarily need extra help from a mobile phone or tablet. 

Tip: The more information collected and processed, the more privacy and security risk for that information.

Vector can feel with capacitive touch sensors and an accelerometer. That means Vector can collect information about the amount of force that is used to touch it and when and where that force was used.

Tip: Information collected about a child or student's use of a product's features over time is typically called "usage information" or "behavioral information."

Vector has "ears" with a multidirectional, four-microphone array. That means Vector can listen to and process multiple conversations at the same time; filter out background noise; and focus on the direction voices and sounds are coming from.

Tip: Audio information about the duration, tone, pitch, and content of voice communications, as well as when and where those communications happened, are collected and processed by Vector that may contain personal or sensitive information. This is a risk to a greater number of people's privacy when Vector is used in a public place, office space, or classroom than when it's used in a private home. Lastly, when Vector connects with Amazon Alexa, there is a greater risk that personal information will be collected and shared with third parties for their purposes. 

Vector has a voice with speakers that make synthesized sounds and respond to commands. That means Vector knows which sounds it makes and the content of the synthesized conversations it has with users.

Tip: Information about the duration and content of spoken responses Vector gives to users, and when and where Vector gives those responses, may contain personal or sensitive information and may be audible to others. This is a risk to a greater number of people's privacy when Vector is used in a public place, office space, or classroom than when it's used in a private home.

Vector has "eyes" with a 720p HD camera. That means Vector can collect and process images of its surroundings and make decisions on what it sees with real-time computer vision. Also, this means visual images of children or students using the device can be collected and may identify specific users in the photos with facial recognition.

Tip: Visual information collected about users means that photos are created and processed, and they may include personal or sensitive information about children or students. Photos may specifically identify individuals in photos and include metadata such as the identities of all individuals in photos, as well as the times and locations where the photos were taken.

Vector has balance with drop sensors and an infrared scanner that detect distance. That means that Vector collects information about its surroundings that can be used to identify Vector's location.

Tip: Information collected about a device's surroundings include distances to and from objects, which helps Vector generate a digital map of its location.

Vector has a "face" with a high-resolution IPS color display. That means Vector can display images to children and students on its digital screen.

Tip: Information visually displayed to users may contain personal or sensitive information and be visible to others. This is a risk to a greater number of people's privacy when Vector is used in a public place, office space, or classroom than when it's used in a private home.

Vector has connectivity with 802.11n Wi-Fi and Bluetooth. That means Vector can send and receive information it has collected or processed.

Tip: Wi-Fi or Bluetooth connections on a smart device or mobile device can send collected information to the cloud for processing and must be encrypted while in transit and while stored in the cloud to remain secure.

Vector has energy with 45 minutes to one hour of use per charge. That means Vector can only collect and process information for a limited amount of time.

Tip: The longer a device is operational, the more information it can collect and process before recharging.

Privacy evaluation

Anki's Vector product is described on their site as a home robot with interactive AI technology. Anki's policy claims that it is not responsible for third-party services or individuals that users may interact with through its services. Anki's policy notes that ads may be displayed to a user based on the user's behavior on the internet (on Anki's websites or other websites), search activity, response to advertisements or emails, pages visited, general location, or other information. Customer data is encrypted between the robot and the cloud, and payment transactions are encrypted in transit, but discussion of what happens in the event of a data breach is missing. There's a COPPA safe harbor certification for other products, but Vector is not listed. Lastly, Vector was updated to support integration with Amazon Alexa, so it's worth reviewing Amazon's privacy policy as well. The full privacy evaluation and standard privacy report are available here

The privacy policy and terms of use used for this evaluation can be found on Vector's website, the iOS App Store, the Google Play Store, and the Amazon Appstore. Additionally, other policies used for this evaluation include the cookie policy. This evaluation only considers policies that have been made publicly available prior to an individual using the application or service.

For more information about our privacy and security evaluations, read about our Privacy Evaluation Framework and Security Assessment Questions.