Amazon accidentally sent about 1,700 recordings from Alexa-connected devices to the wrong person, as revealed in reporting by Holger Bleich for German magazine Heise.
According to Heise, a German Amazon user asked the company for all data pertaining to him—which is their right per the "Right of Access" clause in the General Data Protection Regulation (GDPR) law, passed in the European Union in April of this year. (The clause requires companies to provide users with a copy of the personal information that they're using upon request from the user.)
But Amazon accidentally sent this person 1,700 voice recordings from a stranger, including recordings that happened in the shower. The person who made the GDPR request didn’t even own any Alexa-connected devices. Bleich, who was given access to the data with permission from both parties, noted that it was very easy to extrapolate details about the victim’s life using the recordings.
“The alarms, Spotify commands, and public transport inquiries included in the data revealed a lot about the victims’ personal habits, their jobs, and their taste in music,” the article reads. “Using these files, it was fairly easy to identify the person involved and his female companion. Weather queries, first names, and even someone’s last name enabled us to quickly zero in on his circle of friends. Public data from Facebook and Twitter rounded out the picture.”
In response to this incident, according to Heise, Amazon gave the victim of the voice recordings a free Amazon Prime membership, and free Echo Dot and Spot devices.
The problem here isn’t the “Right of access” GDPR clause, which can give people transparency into what they're divulging to tech companies in using their services and allow them to make informed choices as consumers (that is, assuming consumers have real agency in the companies they use).
The real problem is that “smart,” internet-connected devices are regularly recording and constantly uploading details of your everyday life, and sometimes, these recordings can end up in the wrong hands. And as noted by Bleich, the situation could have been avoided altogether if Amazon deleted data gathered by Echo devices within a certain number of days. Currently, the company keeps all data indefinitely, and justifies this by claiming that Alexa needs to constantly “learn” from data in order to serve users.
This isn’t the first time that voice data gathered by Alexa has accidentally been shuffled off to the wrong place. Earlier this year, conversations between a couple in Oregon were accidentally sent to a random contact. This mistake was reportedly caused by Echo (incorrectly) hearing the activation word “Alexa,” followed by “voice message” and a person’s contact name. As Wired described it, the incident was "the Echo equivalent of a butt-dial."
In other words, what happened in Oregon was a pretty innocuous device mistake in and of itself, but an innocuous device mistake can become dangerous when a sensitive motherlode of information is involved.
Similarly, what happened in Germany is an instance of minor human error. As Amazon said in a statement to Business Insider, "This was an unfortunate case of human error and an isolated incident." But something as simple as sending the wrong file is hugely consequential when the file contains intimate moments in the shower, and details about your habits and personal relationships.