Amazon wrongfully shared 1700 recordings from Amazon device of one user with a total stranger

Millions of people own smart home devices like the Amazon Echo and Echo Dot—equipped with the Alex cloud-based artificial intelligence service—which have concerning implications for privacy rights. While, Amazon’s own policies promise that only the user and Amazon will listen to what those devices record, it was recently reported that Amazon failed to follow its own policy when it erroneously shared one user’s information with a total stranger.

In August 2018, a German customer exercised his right under the EU General Data Protection Regulation (GDPR)—which gives people have the right to review the personal data that companies collect on them—and requested his personal data file from Amazon: unfortunately, instead of receiving his own information, he received a 100MB ZIP file relating to someone else. This file contained approximately 1,700 recordings of commands made to an Alexa personal assistant device, PDF files of the Alexa device’s interpretations of that person’s voice commands, and files relating to that person’s Amazon searches. In November 2018, the German customer notified Amazon that he had received files relating to someone else, but he did not receive a response from the company.

Reportedly concerned by the implications of what had happened, the German customer then anonymously shared these recordings with the German publication, c’t Magazine, which explored how revealing this information was and what sort of detailed profile they could construct of the stranger’s life. The magazine successfully located the stranger and informed him of the mistake, finding that he had not yet been notified about it by Amazon.

This case is an example of the privacy threats posed by personal assistant devices and the data collected by private companies such as Amazon.

 

Source: https://www.heise.de/downloads/18/2/5/6/5/3/9/6/ct.0119.016-018_engl.pdf

Author: Holger Bleich

Publication: c’t Magazine