Amazon’s Alexa breaches privacy

Back in 2015, Samsung came under criticism for tucking the following sentence away in its SmartTV security policy:

"Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition."

Activists began comparing Samsung’s privacy policy to text from George Orwell’s technological dystopian novel, 1984. Nevertheless, we all continued to buy and embrace these technologies in the pursuit of convenience. But should we have to sacrifice our privacy to keep up with technology?

Amazon's Alexa in the news

This week, an Alexa user from America asked Amazon to launch an investigation after her Echo device recorded a private conversation she had with her husband and sent it to someone in her address book, with no instruction to do so.

The couple only realised that the device had been recording their conversation when one of her contacts telephoned her and told her to unplug her Alexa devices as she was being hacked, having been sent an audio of them talking about hardwood floors.

Despite the fact the user's family home has multiple Echo devices that control everything from the heating to the lights, unsurprisingly, she has said that she felt invaded and that she would never plug the devices back in because she could not trust them.

Amazon responds

A customer service representative from Amazon has confirmed that the conversation had indeed been recorded and sent to a random number in the user's contact list, but no explanation was given as to why or how the device had activated itself and recorded the conversation, let alone why it was then sent out at random.

An updated statement was later provided by Amazon, explaining that:

"Echo woke up due to a word in background conversation sounding like 'Alexa'. Then, the subsequent conversation was heard as a 'send message' request. At which point, Alexa said out loud 'To whom?'….the background conversation was interpreted as a name in the customer's contact list. Alexa then asked out loud, ‘[contact name], right?’. Alexa then interpreted background conversation as 'right'".

Sounds like an unlikely series of events, and Amazon's response has resurrected debate over whether Alexa is in fact always listening, and if so, whether that is something we need to be worried about.

GDPR

The General Data Protection Regulation (GDPR) came into force today (25 May 2018) and brings with it important changes to data protection laws. The gathering and processing of personal data is a valuable asset for many organisations such as Amazon, and failing to protect the security of that personal data can quickly, and seriously, damage a company’s brand.

Technology has made it increasingly easy to share data and we would expect companies like Amazon to have the necessary IT security in place to prevent such serious breaches of data protection legislation.

Anything else?

A private conversation being recorded and sent to someone without your knowledge – it's the worst nightmare of every smart home speaker owner. Amazon maintains that the incident was a malfunction rather than evidence that Alexa is always listening. Either way, it is a clear invasion of privacy which, if it happens again under the GDPR, could have serious consequences for the organisation committing the breach.