If Santa brought you an Alexa device this year, once you hear this news you might turn right around and punt it out the window! Back in August, a German Amazon user requested the data the company held on him, as he is entitled to do under the EU's new, stringent General Data Protection Regulation. Amazon sent him his data, along with a 100MB ZIP file full of recordings of someone else's Alexa voice commands covering the entire month of May 2018.
After receiving no reply to his concerned enquiry to Amazon, the user contacted the German tech magazine c't, which began to investigate. To gauge the severity of the privacy breach, the c't team attempted to identify the mystery second user from the leaked recordings alone.
“It was obvious that ‘Customer X’ uses Alexa in multiple locations. He has at least one Echo at home and has a voice-controlled Fire box connected to his TV. A female voice also spoke to Alexa, so there was clearly a woman around at least some of the time. […]
The alarms, Spotify commands, and public transport inquiries included in the data revealed a lot about the victims’ personal habits, their jobs, and their taste in music. Using these files, it was fairly easy to identify the person involved and his female companion. Weather queries, first names, and even someone’s last name enabled us to quickly zero in on his circle of friends. Public data from Facebook and Twitter rounded out the picture.”
The investigative team, after having identified Customer X (and his girlfriend) from the recordings, contacted him to warn him. He was shocked at the breach, but even more shocked, they report, that Amazon had not reached out itself. (Under the GDPR, a company that suffers a breach must notify the regulator within 72 hours of becoming aware of it, and must also inform the affected individuals without undue delay when the breach is likely to put them at high risk.) Amazon ended up calling Customer X, with an apology for the "human error" that released his Alexa commands, three days after c't approached the company.
Amazon has had other well-publicized problems with Alexa, but this is the first time the company has sent a pile of one customer's data to another customer, and the fault is unequivocally its own. We know why these companies collect massive amounts of data on us: in short, monetization. The significant question, which we must also ask of Google, Facebook, et al., is whether the companies themselves can keep track of the data they hold and where it goes. If they are going to keep building devices that make our lives easier than ever in exchange for that data, keeping it under control is the least they can do.