File(s) under permanent embargo

Scrutinizing Privacy Policy Compliance of Virtual Personal Assistant Apps

conference contribution
posted on 2023-02-22, 02:22 authored by F Xie, Yanjun Zhang, C Yan, S Li, L Bu, K Chen, Z Huang, G Bai
A large number of functionality-rich and easily accessible applications have become popular among various virtual personal assistant (VPA) services such as Amazon Alexa. VPA applications (or VPA apps for short) are accompanied by a privacy policy document that informs users of their data handling practices. These documents are usually lengthy and complex for users to comprehend, and developers may intentionally or unintentionally fail to comply with them. In this work, we conduct the first systematic study on the privacy policy compliance issue of VPA apps. We develop Skipper, which targets Amazon Alexa skills. It automatically builds the declared privacy profile of a skill by analyzing its privacy policy documents with Natural Language Processing (NLP) and machine learning techniques, and derives the behavioral privacy profile of the skill through black-box testing. We conduct a large-scale analysis on all skills listed on the Alexa store, and find that a large number of skills suffer from privacy policy noncompliance issues.






Publication classification

E1 Full written paper - refereed

Title of proceedings

ACM International Conference Proceeding Series


ASE '22: 37th IEEE/ACM International Conference on Automated Software Engineering


