Why you SHOULDN'T trust Alexa

A growing trend among useless household items is the voice-controlled smart device. Clearly, these devices are soaring in popularity due to the high demand the populace has had for so many years. Do you recall the days before the fabled Amazon Alexa? The time when the only means we had of browsing the internet were our phones, laptops, desktop computers and tablets. How did we ever live like that?

Here is a collection of incidents that have proven Alexa to be a privacy nightmare.

I’m not even going to try and disguise how I feel about this one, folks. If the previous four sentences didn’t transparently sum up my bias for this sinister device, then I don’t know what to tell you. I cannot wrap my head around the fact that people are willingly purchasing these things. People used to have to stalk you for days, locate your hotel room, carry a police warrant, enter the place when you weren’t there, and find the perfect spot to hide a mic. Nowadays? These things are putting people out of business. Why would you voluntarily bug your own home? Not only that but pay for it as well.

If you still needed convincing, here are some examples of why I feel so strongly about the topic:

No one is listening, right? Have faith.

A big misconception Alexa owners seem to have is that the device only records once you engage with it by saying “Alexa”, and that only then will the microphone turn on. For the device to register whether the word “Alexa” was uttered, it needs to have the microphone enabled constantly. Some would argue, “Well, it doesn’t upload your voice recordings to be processed unless you say ‘Alexa’”. Are you sure? It would seem that a certain amount of faith has to be placed in the manufacturer not to process ALL audible data, and only process the commands given to the device. Where has the extent of this faith gotten people? As you might imagine, not very far.

In a report from Bloomberg in 2019, it was uncovered that thousands of Amazon employees are routinely listening in on Alexa users’ voice recordings, in an attempt to improve the quality of the system. As written in the article:

“[The team comprises a mix of contractors and full-time Amazon employees who work in outposts from Boston to Costa Rica, India and Romania, according to the people, who signed nondisclosure agreements barring them from speaking publicly about the program. They work nine hours a day, with each reviewer parsing as many as 1,000 audio clips per shift]” - Bloomberg

It seems that Amazon is placing a certain amount of faith in the situation as well. Users may be asking themselves: When were they going to tell us about this? Well, the truth is, they kind of already did. In the Alexa Terms of Use, they clearly state:

“[You control Alexa with your voice. Alexa streams audio to the cloud when you interact with Alexa. Amazon processes and retains your Alexa Interactions, such as your voice inputs, music playlists, and your Alexa to-do and shopping lists, in the cloud to provide, personalize, and improve our services.]” - Alexa Terms of Use

Apparently they place such care into how your personal data is handled that they place it in the hands of others at the discretion of NDAs. To what extent is this “processing” monitored or supervised? Who knows? How is a user of the service supposed to discern the level of professionalism, security and responsibility of one of these reviewers and the lab in which they work? Faith, faith, faith…

As for the argument that the device only records when you expressly allow it to, well, it would appear that there is a bit of a contradiction going on, even in the Alexa Terms of Use. Their FAQ on Alexa has two contrasting points:

“[2. Is Alexa recording all my conversations? No. By default, Echo devices are designed to detect only your chosen wake word (Alexa, Amazon, Computer or Echo). The device detects the wake word by identifying acoustic patterns that match the wake word. No audio is stored or sent to the cloud unless the device detects the wake word (or Alexa is activated by pressing a button)]” - Alexa FAQ

We see this statement proven invalid by what Amazon cutely refers to as “false wakes”:

“[5. What about “false wakes”? In some cases, your Alexa-enabled device might interpret another word or sound as the wake word (for instance, the name “Alex” or someone saying “Alexa” on the radio or television). When this happens, we call that a “false wake.” We have a team of world-class scientists and engineers dedicated to continually improving our wake word detection technology and preventing false wakes from happening]” - Alexa FAQ

This renders the previous claim that “No audio is stored or sent to the cloud unless the device detects the wake word” moot. How frequently do these “false wakes” occur? How can users verify that these “false wakes” don’t get sent to the Romanian data processing lab? The truth is, (you guessed it) they just have to have faith. But don’t worry, with all these “world-class scientists” working on the issue, I’m sure Bezos will make sure your data is never in the wrong hands. Right?

One lucky person wins over 1700 private voice recordings

Back in 2018, a German magazine, Heise Online, first reported on the case in which a German citizen invoked his right, under GDPR, to request a copy of the data Amazon had collected on him. In return, Amazon gifted him with over a thousand voice recordings, collected from an Alexa device. The Verge expanded on the issue in their article:

“[…] One German user, under the alias ‘Martin Schneider,’ […] got back from Amazon[…] thousands of Alexa voice recordings, which was strange considering he didn’t own an Alexa device.” - The Verge

They continue:

“[…] the man brought the files to [Heise Online], where reporters were able to piece together who the Alexa user was.[…] Using these files, it was fairly easy to identify the person involved and his female companion; weather queries, first names, and even someone’s last name enabled us to quickly zero in on his circle of friends. Public data from Facebook and Twitter rounded out the picture. It turns out that the victim in this case also filed a data request under the new GDPR rules, c’t reports, but somehow the two men received each other’s reports.” - The Verge

As you can see, the sheer amount of data a user regularly provides Alexa with makes it extremely easy to piece together a profile on that person. In this case, it appears to have been sent by mistake, and the recipient was noble enough to raise the alarm and list what he had received as opposed to using the information maliciously.

However, you can be sure that not everyone will have their heart in the right place when faced with the same circumstances. This, of course, was just one reported incident. Who’s to say that this hasn’t happened before or since? And who is to say that someone was not using this as a loophole to extract unsuspecting users’ data directly from Amazon? Would you trust Amazon to tell you?

I understand that this argument could be made for any internet-based service, in a way, but when a tech giant such as Amazon is not only pushing these devices to the public as the perfect Christmas gift or must-have gadget every year, but also attempting to bundle them with as many other products online as possible, it’s hard not to see an agenda popping up. To think that Amazon promotes this product so much because they earn their profit solely off the extremely low prices Alexa devices are sold at is a bit ridiculous. Big money has always been your data.

Some people know you better than yourself

Over the past couple of years, Amazon has made a reputation for itself for being extremely aloof when it comes to clarifying just how much of its consumers’ data they provide to government bodies. They had consistently and actively tried to avoid commenting and reporting on the frequency and detail of the reports they were sending, and make no mistake, they didn’t do it for free either.

In the States, no company is obligated under law to disseminate the frequency at which they are pinged by the government for data, but when even Facebook is providing transparency reports on these actions, then you know you’re acting sketchy.

These reports are apparently published every six months. ZDNet covers the issue in more detail in their article, and notably states:

“Amazon, which wasn’t named as a surveillance partner in the leaked NSA documents, publishes the least amount of data in its reports. By comparison, each report has just three pages and contains only basic information, like how many requests the company received and how many were approved or denied. Unlike other companies, Amazon doesn’t even say how many customers were affected. By that logic, a single government data request could amount to any number of customers or potentially all its customers.[…]” - ZDNet

Just as interesting, the ZDNet article also reports that a freedom of information request was filed by the site Gizmodo in 2016 to verify if the FBI had ever wiretapped an Echo as part of a criminal case:

“the FBI neither confirmed nor denied if it had ever tapped the Echo” - ZDNet

While a motive like this might seem justified at first in such an instance, it goes without saying that when one person’s backdoor is smashed open, all of ours are. I’m sure I could have found some Snowden quote to put things more elegantly, but you get the picture.

It should also be noted that valuable information, such as the types of data that Amazon collects via Alexa, is textbook material for not only forming a complex profile on an individual, but for creating a regional profile, such as on a neighborhood or town. To that effect, political campaigns, bills, approval rates and targeted social campaigns could also be crafted with greater accuracy.

In Summary

Placing the security and privacy of your personal data in the hands of an entity that profits from it is simply not a great practice. Just as you might be cautious as to what people you invite into the sanctity of your home, so too should you be wary of allowing people you can’t even see to listen to your private conversations, read through your online presence, form an extensive list of your interests and make note of your contacts.

I hope that anyone who has had the misfortune of having one of these things in their personal space looks at it not as a gadget, but as an agent for a corporation willing to spy on your most intimate actions, one that thinks so lowly of you that it uses that information for profit.

About AlmondWhite

I'm a coder, artist, writer and all-round lazy person. I love Node.js, C#, Python, Sass, Electron and PHP. One day I will contribute to this world in a meaningful way or something...

The Forest Somewhere https://medium.com/@almondwhite