As part of the launch of our new smart-device security testing, the Common Sense Privacy Program evaluated a popular smart device called Vector and conducted a hands-on basic security assessment for parents and teachers to learn more. Our findings are intended to help parents and teachers make a better-informed decision about whether to buy this device, and other similar smart devices, for use with their children at home or with students at school.
The Vector Robot mobile application launches with a welcome screen. The app provides login and sign-up options, and after a user clicks "Sign-Up," the app requests personal information, including a birth date to confirm the user's age. If a user provides a birth date that indicates they are under the age of 13, the app requests that a parent or guardian provide consent for the child or student before they can use the device by signing up for an account themselves.
After the parent or guardian has provided consent and started the registration process, they must enter personal information, including an email address and a password that meets strong and complex password requirements. After creating an account, the parent or guardian is required to activate their account and provide a preference as to opting out of email marketing and communication.
To connect the Vector device to the Vector Robot app, the user must turn on Bluetooth. The Vector device displays the pairing code on its screen, and after pairing it needs to also find a Wi-Fi network to connect to the cloud and download updates.
The Vector Robot app provides a simple status screen with helpful recommendations of voice commands to use. Also, the app provides preferences that include the Vector device's location (city) and time zone, but it does not request precise geolocation information. Users are encouraged to say "hey, Vector" and issue their voice commands. Lastly, users have the option of asking Vector to learn their names with an audio recording of the user's name with Vector's microphone and to use facial recognition with Vector's HD camera.
Vector's hardware is packed to the brim with new technologies, which also means that Vector has data-collection capabilities that raise privacy and security concerns. Learn more about what's inside Vector and read our tips on privacy and security below.
What can all that hardware do?
Vector has a "brain" with a 1.2 GHz quad-core Qualcomm Snapdragon processor. That means Vector can more quickly collect and process information within the device itself. Because Vector is smarter, it does not necessarily need extra help from a mobile phone or tablet.
Tip: The more information collected and processed, the more privacy and security risk for that information.
Vector can feel with capacitive touch sensors and an accelerometer. That means Vector can collect information about the amount of force that is used to touch it and when and where that force was used.
Tip: Information collected about a child or student's use of a product's features over time is typically called "usage information" or "behavioral information."
Vector has "ears" with a multidirectional, four-microphone array. That means Vector can listen to and process multiple conversations at the same time; filter out background noise; and focus on the direction voices and sounds are coming from.
Tip: Audio information about the duration, tone, pitch, and content of voice communications, as well as when and where those communications happened, are collected and processed by Vector that may contain personal or sensitive information. This is a risk to a greater number of people's privacy when Vector is used in a public place, office space, or classroom than when it's used in a private home. Lastly, when Vector connects with Amazon Alexa, there is a greater risk that personal information will be collected and shared with third parties for their purposes.
Vector has a voice with speakers that make synthesized sounds and respond to commands. That means Vector knows which sounds it makes and the content of the synthesized conversations it has with users.
Tip: Information about the duration and content of spoken responses Vector gives to users, and when and where Vector gives those responses, may contain personal or sensitive information and may be audible to others. This is a risk to a greater number of people's privacy when Vector is used in a public place, office space, or classroom than when it's used in a private home.
Vector has "eyes" with a 720p HD camera. That means Vector can collect and process images of its surroundings and make decisions on what it sees with real-time computer vision. Also, this means visual images of children or students using the device can be collected and may identify specific users in the photos with facial recognition.
Tip: Visual information collected about users means that photos are created and processed, and they may include personal or sensitive information about children or students. Photos may specifically identify individuals in photos and include metadata such as the identities of all individuals in photos, as well as the times and locations where the photos were taken.
Vector has balance with drop sensors and an infrared scanner that detect distance. That means that Vector collects information about its surroundings that can be used to identify Vector's location.
Tip: Information collected about a device's surroundings include distances to and from objects, which helps Vector generate a digital map of its location.
Vector has a "face" with a high-resolution IPS color display. That means Vector can display images to children and students on its digital screen.
Tip: Information visually displayed to users may contain personal or sensitive information and be visible to others. This is a risk to a greater number of people's privacy when Vector is used in a public place, office space, or classroom than when it's used in a private home.
Vector has connectivity with 802.11n Wi-Fi and Bluetooth. That means Vector can send and receive information it has collected or processed.
Tip: Wi-Fi or Bluetooth connections on a smart device or mobile device can send collected information to the cloud for processing and must be encrypted while in transit and while stored in the cloud to remain secure.
Vector has energy with 45 minutes to one hour of use per charge. That means Vector can only collect and process information for a limited amount of time.
Tip: The longer a device is operational, the more information it can collect and process before recharging.