Alexa’s fall from grace began when an Amazon customer made use of his right to personal data access granted by the new EU General Data Protection Regulation (GDPR). His request not only gave him access to his own Amazon search data, but also to around 1,700 Alexa voice files recorded in a stranger’s living room, bedroom, and shower. The vigilant customer informed Amazon of the error, but Amazon ignored his warning and simply deleted the files from their server.
Luckily, the source had saved the files locally and sent them (confidentially, of course) to c't's in-house experts for analysis. Based on details such as the people’s names and local weather forecasts recorded in the files, they were quickly able to identify the unfortunate Echo user whose data Amazon had illegally revealed. The victim was shocked when c't told him what had happened, especially considering that Amazon hadn’t bothered to tell him, even though they knew the leak had occurred.
This data privacy disaster occurred because amazon.de saves Alexa voice recordings indefinitely and because the processes it uses to leverage them have serious security issues. This is the worst-case scenario that data security and consumer rights experts have been warning us about. It is impossible to tell whether this really is an isolated incident, as Amazon claims.
Amazon Alexa allegedly recorded a Portland family’s private conversation and sent the audio to a person in their contact list, KIRO 7 reported. Danielle, who declined to use her last name, said she recently received a call from her husband’s employee, who told her: “Unplug your Alexa devices right now. You’re being hacked.” The employee said he’d received a recording of a conversation between Danielle and her husband about hardwood floors. Danielle said she contacted an Amazon representative, who apologized profusely but did not explain what led Alexa to record the conversation. “We investigated what happened and determined this was an extremely rare occurrence. We are taking steps to avoid this from happening in the future,” Amazon said in a statement. The company, which has been selling facial-recognition technology to law enforcement, also stressed it “takes privacy very seriously.”