Cross-posted at Fortune.com.
Earlier this month, Burger King aired a 15-second commercial whose intended audience—Google Home devices, web-connected virtual assistants that respond to spoken questions and commands—couldn’t eat a hamburger if they wanted to. The ad ended with a spokesperson using the wake phrase “Okay Google,” followed by an odd-sounding question: “What is the Whopper burger?” This in effect hijacked Google Home devices, causing the machines to read aloud from the Whopper’s Wikipedia page, which Burger King had recently replaced with ad copy.
Some saw the spot as a clever publicity stunt, while others made unkind edits to the Wikipedia entry that Google Home users would hear (Whopper ingredients may include “rat and toenail clippings” and a “medium-sized child”). Google quickly blocked the commercial from activating its devices, but Burger King got around the fix by airing slightly different versions of the ad later the same evening, to the same effect.
This is not the first time a company has triggered voice-activated devices with an ad—Google did it during its Super Bowl commercial for Google Home, seemingly by accident. But the Whopper incident appears to be the first time a major company has done so intentionally, shamelessly, and with such disregard for privacy.
There is no nice way to put this: Burger King hacked Google Home.
There is a good reason why Google uses a wake phrase; it is a way for users to control when their devices are actively listening. Only with the magic words do they begin recording speech and transmitting data to Google for a response. While by no means perfect, this is a critical privacy feature, given that the product is basically a big Internet-enabled microphone placed in otherwise private spaces.
What Burger King did was turn Google’s privacy feature into a bug.
Hopefully, Google Home owners were not having any intimate conversations when the ad aired during late-night TV. But if they were, Google probably now has a transcript of them. What’s more, that information could be obtained by police without a warrant, thanks to an outdated legal doctrine denying Fourth Amendment privacy protections to data shared with “third parties,” like Google.
At the risk of sounding too much like a dad, this really isn’t funny. It was funny when Amazon’s Echo device started ordering dollhouses and sugar cookies, courtesy of a six-year-old’s requests. Burger King, by contrast, ran a commercial that was specifically scripted to take control of users’ devices, cause them to record private conversations, and play audio without user consent. When Google tried to fix the problem, Burger King defiantly devised a workaround to invade American living rooms and bedrooms once again. It was malware disguised as TV ads.
One tech solution to this problem may be a voice recognition feature that permits only authorized users to trigger the device. But the voice prints required to do so would raise privacy issues of their own because they would give companies yet another unique way to identify individuals. Indeed, federal and state laws recognize voice prints as private biometric data requiring controls.
A better solution would be for companies to refrain from making malicious ads and conducting what the New York Times called “corporate warfare in the living room.” But if companies persist with this practice and this ad is a harbinger of things to come, then it may be time for lawmakers to step in. The prospect of a federal policy fix seems dim given the recent repeal of Obama-era Internet privacy rules, but state and local governments may still be able to take action. For example, in response to concerns that Samsung Smart TVs were spying on people in their living rooms, California introduced legislation to fix the problem and protect consumer privacy.
Until practices or policies change, however, consumers would be wise to educate themselves about the privacy and security risks associated with “always on” devices in the home, from Google Homes and Amazon Echoes to smart televisions. Burger King’s hack is an important wake-up call about how vulnerable our personal devices have become. Michael Price is counsel in the Liberty and National Security Program at the Brennan Center for Justice at NYU School of Law.