Security Experts:

Alexa May Be Recording More Than You Realize

Executives may need to reconsider whether Amazon's Alexa personal assistant is listening to more than just their commands. Or perhaps the telephone conference attendee who pauses to gather details from Alexa is giving the device more than just his or her own comments.

Privacy concerns over just how much information is received and stored by personal assistants are not new -- but they have now been quantified. An EU citizen, exercising his GDPR rights, asked Amazon for all the personal information it held on him. What he received, two months later, was a link to a 100Mb zip file containing 1,700 Alexa audio files. He doesn't own an Amazon Echo device and has never used the Alexa service; and it was not his voice that was recorded.

Strike 1 against Amazon for breaching the privacy of the true owner. Strike 2 comes with the detail of those recordings.

Forbes magazine set the scene in August 2018. Charles Radclyffe, a visiting fellow at the University of Bristol, wrote, "When you press the 'mute' button on an Amazon Echo, the top ring glows with a red indicator to confirm that Alexa is no longer listening. It's elegant, simple, but disguises a very deep design problem. Alexa is designed to be always listening. The default is therefore for the microphone to be on, the light to be off."

This is confirmed by the recordings received by the EU citizen. He reportedly contacted Amazon, but received no reply. The link to the downloadable file became inactive -- but he had already downloaded it. He shared his story and the files with c't magazine, part of the Heise group.

c't magazine examined the files to see if it could determine the true owner of the recordings. It succeeded. But in doing so, it also discovered just how much data Alexa stores. The magazine learned that the 'victim' of the Amazon error had a girlfriend, and was able to identify her. It heard the surname of a friend, whom it identified via social media, giving it a view of his wider circle of friends. It even heard him in the shower.

When the magazine contacted this person, he was shocked -- and confirmed that he had heard nothing from Amazon even though the original recipient of the files had reported the error. Neither party heard anything from Amazon until three days after c't magazine contacted it.

Amazon subsequently told Reuters, "This unfortunate case was the result of a human error and an isolated single case. We resolved the issue with the two customers involved and took measures to further optimize our processes. As a precautionary measure we contacted the relevant authorities."

Unfortunately, this is not the first privacy incident involving Alexa. In May 2018, the KIRO 7 news service reported another incident: Alexa recorded and sent a private conversation between a couple to one of the husband's employees. The employee immediately called back and told them to unplug their Alexa devices, fearing they had been hacked.

Amazon's explanation was that Alexa first misinterpreted something in the conversation as a wake-up command, and then misinterpreted other comments as an instruction to send the recording to the employee. While this is possible, it does confirm that the use and location of Alexa devices -- and any other personal assistant -- should be carefully considered.

Earlier this year, Alexa was awarded the Bielefeld, Germany, Big Brother 'data octopus' award. By design, it must always be listening in order to know when to act -- and these two incidents demonstrate that this listening can lead to privacy complications.

Related: Amazon Alexa Can Be Used for Snooping, Researchers Say 

Related: Siri, Alexa, Google Now Vulnerable to Ultrasound Attacks

Related: Amazon Echo, Google Home Vulnerable to BlueBorne Attacks 

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.