Amazon experienced yet another successful holiday season, and the Echo Dot was the top-selling item on its website for the third consecutive year. As Alexa continues to make its way into millions of households worldwide, users should proceed with caution when integrating convenient, yet risky, smart technology into their homes.
Recently, an Alexa user requested data about his personal activities, and when complying with the request, Amazon accidentally sent him access to 1,700 audio recordings of a complete stranger. While I realize that this data leak was an isolated error, the depth of information Amazon collects overall should disturb us.
Clearly, Amazon is not storing only basic information such as your name, mailing and email address – but also everyday interactions with any Alexa enabled device and the household conversations in the background. The most worrying part? I bet the people who interacted 1,700 times with Alexa had no idea that Amazon recorded, stored and planned to keep this type of information from the Alexa personal assistant for who knows how long.
Adoption of voice-powered devices is up by 20 percent in two years; now nearly 50 million adults with access to such smart devices. It’s time to get serious about the right to privacy.
A primer on personal privacy
Privacy means an individual has the choice to seclude themselves, or information about themselves, and express themselves selectively. The reality is that with modern day technology, personal privacy is limited.
Data is stored and shared by vendors, typically legally with users’ permission, whether they noticed giving that permission or not. Users commonly breeze through a software vendor’s terms and conditions agreement, and blindly accept that the device is collecting a wide range of personal information, sometimes far beyond what’s necessary. It’s an invasion of privacy — all for the convenience offered by technology.
The next issues are that the data stored and shared by the software vendor may make its way into the hands of third parties. For example, the government may want to know more about certain individuals, so they can tap into the information captured by these devices. Hackers can also steal user information for fraudulent activities, such as identity theft. Sometimes, vendors may not even be aware of how the data they are collecting on users could be misused.
The three types of privacy invaders
There are three types of privacy invaders. The most common type of invader is information collectors. Information collectors store real-time and historical information about you over time, often including data such as your locations, daily movements, and medical history. GPS navigation apps and devices, smartwatches, fitness trackers, and smart scales all collect this type of data.
Some privacy invaders are vendors whose users freely and knowingly allow the vendor access to their personal information under the impression that it will be handled securely and responsibly. Some of these vendors may lack security awareness or practices and may unintentionally put user’s privacy at risk. A great example of this is a dating application like Tinder, which is a case when you need to share your data in order for the app to work as intended.
There are also silent listeners, devices that collect and store data in the form of audio recordings. Smart speakers, TVs, and even some children’s toys have the ability to store and record what users are saying, often without users being aware of it. The Amazon Alexa users I mentioned earlier had no idea the extent of the Alexa recordings, or how much you could discover about a person with access to that data.
What you can do to protect your right to privacy
Most people will never give up technology — in fact, it is a safe bet that we’ll continue to see smart device usage increase. That’s why it is essential to have a general understanding of the data you’re sharing and how it might be used or abused. While most of us feel like we have nothing to hide, that doesn’t mean that malicious users can’t exploit data we consider innocuous.
I urge users to choose trusted vendors who have clear user policies, regularly update their software, prioritize privacy, and have a good track record of appropriate responses to any data breaches or security concerns in the past. Contact vendors directly if you think their privacy disclosure is complex or missing from agreements.
And remember, these devices are always listening, tracking, and learning more about you. Perhaps their sole goal is to make your life more convenient, but there’s a price to pay for that convenience.
Erez Yalon, Head of Security Research at Checkmarx
- Take control of your online privacy with the best VPN