How Amazon Echo ["Alexa"] Users Can Control Privacy
Tony Bradley, Contributor Jan 5, 2017 @ 12:12 PM
If you have an Amazon Echo or Echo Dot in your home, you know that simply uttering the word “Alexa” brings the device to life so it can respond to your requests and commands. Law enforcement officials in Bentonville, Arkansas are hoping that Alexa is always listening and recording voices, though, and have asked Amazon to turn over data in an effort to solve a murder. The idea that Alexa is always listening or may somehow incriminate you is a concern for owners of the Amazon IoT (Internet of Things) devices.
We just acquired both an Echo and an Echo Dot in our home. The devices are pretty awesome, really. The microphone’s ability to pick up the word “Alexa” being spoken—at almost any volume and from almost anywhere in the house—is amazing. I can ask Alexa to give me the current news or weather information, play some music, answer questions like “How many ounces are in a pint?” or “What is the distance between Venus and Neptune?”. Using the add-on Alexa Skills, I can also say things like “Alexa, have the Neato clean the house” to activate our Neato Connected robot vacuum.
The question, however, in the wake of the request from Bentonville police, is just how much is Alexa listening and can that listening infringe on personal privacy or be used against you by law enforcement?
"Privacy and security of IoT is big right now following recent attacks like the Mirai botnet and malware targeting specific brands of smart TVs," declared Cris Thomas, a respected security expert and spokesperson for Tenable Network Security. "While I can't speak with authority on Alexa specifically, one of the privacy risks of IoT devices is that they are always listening."
I reached out to Amazon for comment. An Amazon spokesperson informed me, “Amazon will not release customer information without a valid and binding legal demand properly served on us. Amazon objects to overbroad or otherwise inappropriate demands as a matter of course.”
Amazon also pointed to a very helpful Alexa and Alexa Device FAQ page that provides more detail on how the Echo devices work. More importantly, it also provides information on how to shut off the Echo / Echo Dot microphone if you don’t want Alexa to listen at all, or to review and delete things Alexa may have recorded you saying.
Obviously, the Echo and Echo Dot microphones must be active in order for the devices to hear you say “Alexa” from across the room. Unless you say “Alexa”, press the button on top of the device, or hold down the button on an Amazon remote, though, that listening is only local and is not stored. You will know when the device is streaming audio and storing what you say in the cloud because the blue ring on top of the Echo or Echo Dot will be illuminated.
If you don’t want the device to listen at all, you can push the microphone button on top of the Echo or Echo Dot. Both the ring and the button itself will illuminate bright red to let you know it is not listening.
Amazon also lets you review and delete things you’ve said to Alexa. In the Settings of the Alexa app, your interactions are grouped by questions or requests. Amazon explains that you can tap an entry to see more detail or replay the audio stored in the cloud so you can hear what Alexa heard. The feature is designed for providing feedback to help improve the accuracy and performance of Alexa.
You can also delete recordings. The Amazon FAQ states, “You can delete specific voice recordings associated with your account by going to History in Settings in the Alexa App, drilling down for a specific entry, and then tapping the delete button. Or, you can delete all voice recordings associated with your account for each of your Alexa-enabled products, by selecting the applicable product at the Manage Your Content and Devices page at www.amazon.com/mycd or contacting customer service.”
However, Tenable's Thomas cautions, "As we've seen in the past, manufacturers are incentivized to rush products to market without thinking through the privacy and security implications, which is almost always bad for the consumers who buy these devices in good faith, only to wind up victims of a breach--or as the case may be, only to have their words used against them in the courts."
"In order to limit the potential for abuse it's imperative that companies providing voice assistant technology store only what is absolutely necessary to provide great service to the customer and nothing more," explains Slawek Ligier, VP of engineering for Barracuda. "If the data is not available, it could not be released even when requested. There is no reason to record everything said in the presence of the device, and there is really no good reason to store the voice itself for an extended period of time."
It's also important to note that Amazon is not necessarily the only--or even the primary--concern. Ajay Arora, co-founder and CEO of Vera, says that setting up an "always on" device like an Amazon Echo in your house is essentially like inviting Big Brother into your home. "It's important to be cautious when bringing such devices into your home. There have been numerous reports of IoT devices such as baby monitors being hacked and strangers watching and talking to your children. Another example is when Samsung admitted their smart TVs are always listening for their commands--urging users to not say anything you wouldn't say in public in front of your TV."
"For years we've been hearing about how companies are invading our privacy, when--in fact--we are the ones who are giving it up too easily for convenience," sums up Arora. "We have to be smart about this or it could get really messy."
The bottom line is that unless the word “Alexa” comes up in conversation first, the device most likely is not recording anything sensitive. The voice clips stored in the cloud are almost entirely innocuous things like “Play music by Adele” or “What will the weather be like on Saturday?”.
Regardless of what Alexa does or does not hear, Amazon claims unequivocally that it respects customer privacy and will not willingly turn over personal information unless legally compelled to do so.