Browse all articles

Privacy and Security Evaluation of the Apple HomePod smart speaker

Learn about Apple HomePod's privacy and security features

Girard Kelly | November 26, 2019

The Common Sense Privacy Program evaluates the privacy policies of popular consumer and education technology applications and services that are currently used by millions of children at home and in the classroom. The Privacy Program evaluated the privacy practices of a popular smart tech device called Apple HomePod, which contains a virtual assistant called Siri. 

In addition, we also performed a hands-on basic security test of the device for parents and teachers to learn more about its security practices and how they compare to other popular smart speakers that have virtual assistants. When evaluating whether to use smart tech paired with a mobile app at home or in the classroom, parents and teachers need a comprehensive understanding of both the privacy and security practices of a smart device. Our approach lets us compare what the smart tech company says they do with data with what our limited testing can observe about what they actually do with data. We can observe what data goes to and from the device, but we can't necessarily see what happens with the data when it reaches the external destination. Our findings are intended to help parents and teachers make better informed decisions about whether to buy this device or similar smart devices for use with their children at home or with students at school.

What is smart tech? 

The category of smart devices, or the Internet of Things (IoT), covers all the objects or devices used in your home, office, or school that are connected to the internet. More and more of these smart devices are being used by children as toys at home and with students as learning tools in the classroom every day. Smart tech companies claim their devices provide greater convenience and new learning opportunities for children and students, but they also collect and share more information than ever. Connected devices and household gadgets can collect all kinds of sensitive information -- anything from audio and visual recordings of your home to the names of shows you watch, the number of steps you've taken, your child's precise location, how and when you sleep, and even the foods you eat.

Product Details

Company:

Apple

Name: 

Apple HomePod

Link:

https://www.apple.com/homepod/

Price:

$299

Category:

Smart Speakers and Virtual Assistants

Description: 

Apple HomePod is a smart speaker device that integrates Apple's virtual assistantm, called Siri, which provides customized help to users across all their Apple devices, including their iPhones and connected smart home products.

Intended Audience

 

Home

School

Consumers (over 18)

Consumers can set up and control their Apple HomePod and stream music from Apple Music or other sources with Airplay and can control connected Apple HomeKit accessories.

None.

Kids (under 13)

Kids can use Siri at home to ask questions, play music, and play games.

Kids can use Siri in the classroom to ask questions, play music, and play games.

Students (K-12)

Students can use Siri at home to help answer homework questions, hear the news, set timers, play study music, or make phone calls.

Students can use Siri in the classroom to answer questions during a lesson, translate languages, or even learn how to program with the Siri or HomeKit for developers program.

Bottom Line

Best for Privacy: The product offers easy integration with Apple devices and Airplay-enabled apps, but offers limited features compared to other smart speakers with virtual assistants.

 

Pros

Cons

1.

Data Secure: User data is encrypted between the device, mobile app, and the cloud.

Limited Features: HomePod is primarily designed for playing music and for HomeKit control of connected smart home products.

2.

No Ads or Tracking: Policy states that Apple will not use information about users’ activities for advertising or tracking purposes.

Apple Music Subscription: HomePod users may feel the need to also purchase a paid Apple Music subscription to get the most out of their smart speaker.

3.

Parental Consent: Policy states that parental consent is required to collect or share children’s data.

Expensive: HomePod is the most expensive smart speaker that requires both Wi-Fi internet access and an iOS mobile device to set up and use.

Software

The Apple HomePod is bundled with the following Apple apps:

 Siri

 Apple Home

 Apple Music

Device Set-up

The Apple Home mobile application launches with a welcome screen. The app requests opt-in consent for a user's location information to provide personalized services and automatically detects that a HomePod is powered on and available to be set up. In addition, the Home app asks what room of the house the Homepod is located in and prompts the user to sign up for a paid subscription to Apple Music with a 3-month free trial period. Lastly, the Home app asks the user if they would like to send and receive personal information from the HomePod with the Apple ID account.

         

Parental Controls

A user is prompted to enter their existing Apple ID username and password to personalize their HomePod. If a user does not have an Apple ID, they can create a new Apple ID account and are asked to enter their birth date to confirm the user's age. If a user provides a birth date that indicates they are under the age of 13, the app requests that a parent or guardian provide consent for the child or student. A parent must provide consent through the Family Sharing setting of their Apple ID account, where they can create an Apple ID for their child. A parent must first review Apple's parent privacy disclosure, then enter their child's personal information, including an iCloud.com email address and a password that meets strong and complex password requirements. 

         

Activate Siri

The Home app asks the user for opt-in consent to enable Siri on the mobile device if it is not already activated, and to enable Siri on the HomePod itself. The user is presented with the opportunity to review a pop-up privacy notice for Siri and Apple's terms and conditions. Don't worry, we already read the privacy notice and terms and conditions for you and we summarize our findings in the privacy evaluation below.

         

Personalize HomePod

The Home app asks the user if they would like to personalize the HomePod by syncing the iCloud content of an Apple ID account in order to send and receive personal information from the HomePod device. Afterward, the HomePod saves all the changes and says hello to the new Apple ID user. In addition, the Home app suggests phrases to ask Siri to learn how to use the HomePod.

         

Software Update

After the HomePod is activated, the Home app indicates a software update is available. A user can download and install the update and is presented with an updated terms and conditions agreement to review before installing the software update for HomePod.

         

Custom Settings

Once the software update is complete, the user can now manage their new "Home" and can control devices in different rooms within the app, add or remove information in their settings, and add new connected smart home accessories or scenes by creating a new "Automation." 

         

Welcome Collections

In order to learn more about all the features of HomePod, the Home app displays a tour of the different actions a user can do to interact with Siri to get the best experience out of the HomePod. A user can ask Siri about the weather, learn more about Siri with a user guide, tune into radio apps, and connect third-party smart home accessories with HomeKit.

         

Getting Started

Within the Home app, the collections tour guide helps a user get started with HomePod and shows them how they can send and receive text messages and phone calls, listen to music and podcasts with Airplay, and locate nearby businesses based on their location information. Lastly, the Home app reminds users one more time to sign up for a paid subscription to Apple Music with a 3-month free trial period to get the most out of HomePod.

         

Hardware

The Apple HomePod hardware is packed with new technologies, which also means that the device has data-collection capabilities that raise privacy and security concerns. Learn more about what's inside the Apple HomePod and read our tips on privacy and security below.

Device Collection Details

 

Listening Indicator

Personal Information

Camera Access

Video Access

Microphone Access

Location Access

App:

Yes

Yes

No

No

Yes

Yes

Device:

Yes

Yes

No

No

Yes

Yes

What can all that hardware do?

Apple HomePod has a "brain" with an Apple-designed A8 processor chip. That means HomePod can use advanced signal processing for Siri so it can hear voice commands over the music playing and can more quickly collect and process information within the device itself. Because the Apple HomePod has considerable processing capabilities, it does not necessarily need extra help from a mobile phone or tablet for most tasks. 

Tip: The more information collected and processed, the more privacy and security risk there is for that information.

Apple HomePod can “feel” with a capacitive touch surface to pinpoint the force of your finger on top of the device. That means Apple HomePod can collect information about the amount of force that is used to touch it and when and where that force was used to control the device.

Tip: Information collected about a child’s or student's use of a product's features over time is typically called "usage information" or "behavioral information."

Apple HomePod has "ears" with a six-microphone array, along with an internal bass-EQ microphone. That means Apple HomePod can listen to and process multiple conversations at the same time, filter out music without lowering the volume, and focus on the direction voices and sounds are coming from. After HomePod recognizes the words “Hey Siri,” what a user says is encrypted and sent anonymously to Apple servers without being tied to the user's Apple ID.

Tip: Audio information about the duration, tone, pitch, and content of voice communications, as well as when and where those communications happened, may contain personal or sensitive information. This is a risk to a greater number of people's privacy when Apple HomePod is used in a public place, office space, or classroom than when it's used in a private home. For example, houseguests should have the right to know that smart speakers are in use before entering the home, and students should know that smart speakers are in use before entering the classroom.

Apple HomePod has a voice that is spoken through its speakers that make synthesized sounds and respond to commands. That means Apple HomePod knows which sounds it makes and the content of the synthesized conversations it has with users.

Tip: Information about the duration and content of spoken responses Apple HomePod gives to users, and when and where HomePod gives those responses, may contain personal or sensitive information and may be audible to others. This is a risk to a greater number of people's privacy when Apple HomePod is used in a public place, office space, or classroom than when it's used in a private home.

Apple HomePod has a "face" (sort of) with its companion iOS “Home” mobile app. That means Apple HomePod can display images to children and students on a mobile device through the digital screen or through an Airplay-enabled device on a television screen.

Tip: Information visually displayed to users may contain personal or sensitive information and be visible to others. This is a risk to a greater number of people's privacy when Apple HomePod is used in a public place, office space, or classroom than when it's used in a private home.

Apple HomePod has connectivity with 802.11n Wi-Fi. That means Apple HomePod can send and receive information it has collected or processed.

Tip: Wi-Fi connections on a smart device or mobile device can send collected information to the cloud for processing and must be encrypted while in transit and while stored in the cloud to remain secure.

Apple HomePod always has energy with an electrical cord that needs to be plugged into a wall outlet at all times. That means Apple HomePod is always listening for a “wake word” to activate and can collect and process information for an unlimited amount of time.

Tip: The longer a device is operational, the more information it can collect and process.

Apple HomePod connects with other apps and products through Siri Shortcuts and HomeKit. That means other third-party apps and products can connect to Apple HomePod through Siri and can collect and use personal information from the Apple HomePod for a different purpose.

Tip: Devices that allow installing third-party apps can increase the risk that malicious apps are installed that can steal sensitive personal information. Other apps may not have the same privacy and security protections as Apple and may be able to collect personal data including passwords, or eavesdrop on users even after they think Apple HomePod is no longer listening.

 

Security Lab Testing

The Privacy Program conducts a hands-on basic security assessment of the 10 most critical security concerns about the collection and sharing of information from a smart device, a mobile application, and the internet. Parents and educators should be aware of the following security risks for this smart device:

Data Sharing

Evaluating data sharing takes into consideration best practices of keeping personal data inside the application or smart device to help protect privacy. Connecting social media accounts could allow people to share personal information with other people and with third-party companies. In addition, installing third-party apps with a smart device could allow the collection and use of personal information for a different purpose.

 

 

Social Media Accounts

Third-Party App Store

App:

N/A

Yes

Device: N/A Yes
Method: N/A Siri Shortcuts, HomeKit, Podcasts, and Airplay

Device Safety

Evaluating device safety takes into consideration best practices of using privacy protections by default and limiting potential interactions with others. It’s better to start with the maximum privacy that the app or device can provide, and then give users the choice to change the settings. In addition, users talking to other people through the app or device might permit sharing personal information with strangers.

 

Privacy-Protecting Default Controls

Social Interactions

App:

Yes

Yes

Device:

Yes

Yes

Method: Opt-in Phone calls

Account Protection

Evaluating account protection takes into consideration best practices of using strong passwords and providing accounts for children with parental controls. Strong passwords can help prevent unwanted access to personal information. Children under the age of 13 may not understand when they are sharing personal information, so they should be required to create special accounts with more protection under the law. Lastly, parents can help children under the age of 13 use a device or app with digital well-being protections in mind by using parental controls.

 

Strong Passwords

Child Age Gate

Parental Controls 

App:

Yes

Yes

Yes

Method: 

Apple ID

Apple ID Creation

Family Sharing

Device Security

Evaluating device security takes into consideration best practices of securing personal information against unwanted use that is shared between the mobile device, smart tech, and the internet. Keeping personal information encrypted, or masked, protects information while it is on the move. In addition, advertising and tracking requests from the device or app could contain personal information about the user, including what they’re doing with the device or app.

 

 

Wi-Fi Secure

Bluetooth Secure

Ads

Tracking

App:

Yes

Yes

No

No

Device:

Yes

Yes

No

No

Method:

Encryption

Encryption, but no PIN pairing

None

None

Software Updates

Evaluating software updates takes into consideration best practices of keeping a smart device secure with up-to-date software patches and settings. When a company improves its app or device, better privacy and security should be part of the package and should be automatically updated or easy to update.

 

Software updates automatic

Software updates secure

App:

Yes

No

Device:

Yes

No

Method: Apple Update Not encrypted

Privacy Evaluation

In addition to performing a hands-on basic security test, the Privacy Program also evaluates the privacy policies of each smart tech device. We can only evaluate a limited number of privacy and security features with our hands-on testing, so we also need to look at what each company's privacy policy promises it will do. Looking at the policies for a product enables us to see what the company says it will do with the personal information it collects. This allows us to create a truly comprehensive evaluation process with a full, in-depth, 150-point inspection of the privacy policies of a product as well as a basic hands-on security test of its practices. 

Siri

Summary:

Siri is a virtual assistant that is part of Apple's iOS, watchOS, macOS, and tvOS operating systems. The assistant uses voice queries and a natural-language user interface to answer questions, make recommendations, and perform actions by delegating requests to a set of internet services. Apple’s terms state that protecting children is an important priority for everyone at Apple. Apple believes in transparency and giving parents the information they need to determine what is best for their child. In addition, Apple states that Siri searches and requests are associated with a unique identifier and not an Apple ID, so personal information is not gathered to sell to advertisers or other organizations. Apple's terms state that security and privacy are fundamental to the design of all Apple hardware, software, and services. Lastly, Apple's terms state they understand the importance of taking extra precautions to protect the privacy and safety of children who are using Apple products and services.

Siri can be accessed through the Siri website. The Privacy Policy and Terms of Use used for this evaluation can also be found on the Siri website. This evaluation only considers policies that have been made publicly available prior to an individual using the application or service.

Privacy Key Findings

Parents and educators should be aware of the following privacy risks for Apple HomePod. The following privacy ratings and evaluation scores come from our privacy evaluations of the policies of Apple HomePod. This product is available on mobile devices and integrated into smart speakers used at home, in businesses, and inside classrooms.

Rating Criteria

The following table illustrates better, worse, and unclear practices with our privacy rating questions. These worse practices can put consumers’ privacy at risk with the use of personal information for third-party marketing, advertising, tracking, or ad-profiling purposes. The color blue means the product's policies disclose better practices, red means they disclose worse practices, and orange means they are unclear as to whether or not the vendor engages in the practice. 

Overall Score (100)

Sell Data

Third-Party Marketing

Behavioral Ads

Third-Party Tracking

Track Users

Ad Profile

79 No No No No No No

Concern Scores

In addition to each product's overall score, the more detailed concern category scores in the chart below can help explain a product's rating and can also be helpful in making an informed decision about whether and how to use the product at home, at your company, or in the classroom based on your privacy concerns about the following categories.

Overall Score (100)

Data Collection

Data Sharing

Data Security

Data Rights

Data Sold

Data Safety

Ads & Tracking

Parental Consent

School Purpose

79

65

80

85

95

55

60

85

70

10

If you would like to see how the Apple HomePod compares to other popular smart speakers, read our article comparing the Privacy Practices of the Most Popular Smart Speakers with Virtual Assistants.