Alexa Gets Privacy Black Eye From a GDPR Data Request
German magazine c’t is reporting (N.B. Paywall) that Amazon inadvertently sent recordings from Alexa interactions to the wrong consumer. Apparently, the incident originated in August when a consumer requested information pertaining to their Amazon account interactions. Under the European Union’s General Data Protection Regulation (GDPR) that went into effect earlier this year, companies that capture private consumer information must provide that to consumers upon request. This is where Amazon apparently made the error. Data from a consumer that was not the requester was ultimately sent in response to the request.
This unfortunate case was the result of a human error and an isolated single case.
Over 1,700 files in a 100MB zip file were shared through a link in what an Amazon spokesperson told c’t was a human error. The spokesman went on to characterize to Reuters today that “We resolved the issue with the two customers involved and took measures to further optimize our processes. As a precautionary measure, we contacted the relevant authorities.” This likely was a legal precaution in case the incident was eventually classified as a data breach which requires 72-hour notification to regulators under GDPR provisions.
Privacy, Voice and Mapping to an Individual
The c’t article indicates that files were removed from the link but only after the recipient had downloaded them. There apparently was enough information in the recordings for a c’t reporter to identify the people and contact them. This surfaces some inconvenient privacy issues for all voice assistant providers. c’t says that about 50 of the files contained “personal data.” Although it is not clear how c’t is classifying personal data, the notion that 3% of your communications with Alexa could include data loosely categorized as private is plausible. A translation from the original German using Google Translate offers this insight from the article on how the data was used to identify the Alexa device user:
“It was not difficult to identify the Alexa user from the records. Weather queries on specific locations, the naming of first names and even a surname quickly narrowed the circle of people. It was not long before we were almost certain from the audio files and transcripts that we had identified the foreign Amazon customer and the female person. Information from Facebook and Twitter profiles assigned by us through further research matched and complemented the picture.”
The reporter used this information to contact the Alexa device owner through Twitter. c’t reports that it could determine the types of devices that the consumer used to interact with Alexa which included a smart speaker, Fire TV device, and smartphone. The files also revealed information such as timer and alarm settings and other common requests.
Will Privacy Curtail Smart Speaker Adoption?
An irony here is that the consumer receiving the voice recordings is not even an Alexa user. However, it appears both the recipient of the data and the person in the Alexa recordings submitted data requests with Amazon about the same time and the files were sent to the wrong person. Amazon did contact both parties earlier this month to explain what had happened and communicate that it was an inadvertent error. Another irony is that before GDPR, this error was unlikely to have ever occurred. Amazon would not have been compelled to provide the information and the privacy issue would not have arisen.
However, the incident is instructive. Consumers are increasingly aware that their digital footprints can reveal a lot about their lives. Aside from an inadvertent Alexa call earlier this year, there have not been specific examples of how always-listening smart speakers and other voice assistant access points could be used to collect personal information about individuals. The incident in Germany provides a real-world example that all voice assistant providers will now need to confront. It also suggests that Orange’s focus on privacy in its recent Djingo announcement could be a good strategy. Then again, Orange will also need to acknowledge that Djingo too will be recording voice conversations that could reveal private consumer information and that they also offer access to Alexa through the device.