When you talk to Amazon’s Alexa, it isn’t only a cloud-based digital assistant that listens.
This week, Bloomberg reported that humans are listening in on your Alexa recordings to better train the system. These workers include not just full-time Amazon employees, but international contractors. They even have online chat rooms where they replay the recordings and discuss what you say to Alexa.
The revelation is a good example of how little we know about what companies do with our cloud data, and how little control we have over it.
So what does your Alexa device know about you, and what might others be hearing? That was what Vladimir Katalov set out to show us when we sat down with him at the SecTor 2018 conference.
The CEO of Russian mobile analysis and extraction company Elcomsoft is no stranger to SecTor. His 2018 talk on Amazon Alexa security was his third. In 2017, he talked about how to break the iCloud keychain, and we interviewed him about that too.
His first SecTor talk in 2015 explained how you can find out what Google knows about you. His most recent presentation revisited that topic, this time focusing on Amazon.
He showed us how his simple proof of concept tool could access Amazon and download all the information it had on you across a variety of services. Your history of Alexa interactions is one of the most notable data sets, and the inspiration for the title of his talk. He explained exactly what information Alexa holds on you, and how to get at it.
Even though users have little to no control over the data that cloud services like Amazon store about them, they are installing more sensors that collect it. Alexa listens for its ‘wake word’ and then sends what it hears to the cloud for Amazon’s back-end systems to process.
People get used to asking Alexa for everything. A VentureBeat survey in 2017 found that most Alexa owners used it several times a day, and over three quarters said that it had changed their daily routine in some way. Music, information lookups, weather, news, and timers are the most popular uses.
Some people are using Alexa for more than just listening to their 80s punk playlist, though. Last year, a judge ordered the partial release of Alexa data held in the cloud as part of a double murder trial in Farmington, New Hampshire. Investigators wanted to know if it had recorded the event. Amazon also gave in to investigators in Arkansas, who requested Alexa records as part of a potential homicide.
There have been other, equally creepy reports of how Amazon unintentionally shares your data. In one case, it recorded a conversation between a couple in Portland, sending it to one of the husband’s employees.
Amazon explained that it had coincidentally interpreted part of the background conversation as its wake word, and then thought that someone had asked to send the recording. It then thought it heard a name, and finally misinterpreted part of the conversation as confirmation to go ahead and send. The result? Embarrassment, and a clear if accidental invasion of privacy.
Alexa-related privacy breaches get worse. Late in December, a man in Germany received a zip file of 1,700 recorded Alexa voice files belonging to someone else after asking Amazon for his own information as part of a GDPR request. Amazon explained that this was again accidental. But that’s the problem with cloud-based systems: There’s always a danger that someone (or something) will make a mistake and that your privacy will suffer.
A creepier future
Beyond accidents and disturbing back-end processes, Amazon also has designs on a future in which Alexa listens to you a lot more, and does even smarter things with the information.
Non-profit consumer advocacy group Consumer Watchdog has identified several virtual assistant patents related to Alexa. One such idea describes how to identify and build interest profiles for different people in the home. Another describes constantly monitoring your background conversation to identify keywords, infer your likes and dislikes, and sell you things based on them. Combining the two would tell Amazon that Jenny really loves to ski, for example, or that Bob is hoping to make pasta tonight.
Amazon has even patented technology that could listen to users to tell if they’re ill, or detect their emotional state, potentially trying to sell them medicine or playing music to match their mood.
The Consumer Watchdog report even showed Google patents for security cameras that could watch and understand your behaviour, targeting advertisements based on the title of the book by your bedside. If you just felt a chill run down your spine, you’re not the only one.
None of these patents may come to fruition, of course—many don’t—but they show how Amazon and other large, data-slurping digital assistant companies like Google are thinking.
Katalov talks about the security implications of Amazon’s personal information collection, fretting that someone with access to your Amazon account could pry into your personal life in unprecedented ways. Set up 2FA, he warns, and protect physical access to your computer.
This is all good advice, but users might also want to worry about what data they’re putting up in the cloud in the first place. It’s worth thinking about the tradeoff between privacy and convenience. How happy are you with having vast amounts of behavioural data stored in the cloud and processed in ways that you cannot control, just so that you can ask Alexa what you can do with that leftover bacon this evening?