Amazon Error Allowed Alexa User To Eavesdrop on Another Home (reuters.com) 91

A user of Amazon's Alexa voice assistant in Germany got access to more than a thousand recordings from another user because of "a human error" by the company. From a report: The customer had asked to listen back to recordings of his own activities made by Alexa but he was also able to access 1,700 audio files from a stranger when Amazon sent him a link, German trade publication c't reported. "This unfortunate case was the result of a human error and an isolated single case," an Amazon spokesman said on Thursday. The first customer had initially got no reply when he told Amazon about the access to the other recordings, the report said. The files were then deleted from the link provided by Amazon but he had already downloaded them on to his computer, added the report from c't, part of German tech publisher Heise.
  • Single case? (Score:5, Insightful)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday December 20, 2018 @09:42AM (#57835908) Homepage Journal

    "This unfortunate case was the result of a human error and an isolated single case," an Amazon spokesman said on Thursday.

    "Why is this even possible?", internet users said on Thursday.

    • Re:Single case? (Score:5, Insightful)

      by DarkOx ( 621550 ) on Thursday December 20, 2018 @09:47AM (#57835948) Journal

      It's possible because Amazon and others have convinced people it's a great idea to have hot mic; under third party control in their homes.

      It's possible because people are stupid.

      • Re:Single case? (Score:4, Interesting)

        by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday December 20, 2018 @09:56AM (#57836028) Homepage Journal

        It's possible because Amazon and others have convinced people it's a great idea to have hot mic; under third party control in their homes.

        That's not even what I'm talking about. Why is it even possible for an Amazon employee to make these voice files available to other users through the interfaces available to them? It's understandable why the data is there, but not understandable why someone can make the files available to another user with a click. Even if it's done with a backdoored system, those files ought to be encrypted to the user.

        • Re:Single case? (Score:5, Insightful)

          by pr0t0 ( 216378 ) on Thursday December 20, 2018 @10:06AM (#57836086)

          I think a better interpretation of your question should be, why do they have and keep these recordings? The conversation should have gone like this:

          Customer: I'd like to listen to all of the recordings of my interactions with the Alexa device.

          Acceptable answers:
          Amazon: I'm sorry, we do not keep recordings of your interactions with our products.
          or
          Amazon: I'm sorry, all recordings are anonymized. We cannot access recordings by user, location, or time of recording because that information is not stored.

          • I think a better interpretation of your question should be, why do they have and keep these recordings?

            A user who doesn't care if an always-listening device is in their house might well want access to recordings of everything they've ever said to it. Besides all the actual reasons, Amazon might also want to retain your voice samples for technical reasons; as a training corpus for future versions of their recognition engine, for example. But nobody wants their files to be able to be accidentally listened to by someone else...

          • The recordings are stored so they can be used to train the AI driving Alexa.
            • by pr0t0 ( 216378 )

              Sure, but I'm guessing they do not need the users' account number, IP address, MAC address, or precise time of day to do that.

              Every attempt to anonymize that data should be made. Full stop.

          • "I'm sorry. The voice recognition happens inside the device, not on our servers. This wasn't possible 10 years ago, but computers have gotten faster and AI good enough to recognize what you're saying without the assistance of an off-site server [nuance.com]. So we never get a copy of what you're saying. After your voice query is recognized, its text version is sent over the Internet if necessary, but we don't keep a record of those either."
          • This was an "error?" This is like my neighbor's unencrypted VPN traffic getting routed to my email. Lot of on purpose shit has to happen for this to pan out.
          • The latter would be impossible. One of the features of Alexa is to learn your voice so that it can track your preferences, recent playlist, etc...

            I agree that recordings shouldn't be easily accessible by any Amazon employee - or any random person for that matter. There should be solid procedures when it comes to the recordings, say anything over a week or two old gets archived somewhere, beyond 6 months is deleted. In order to retrieve recordings requires verification of identity and two-person integrity on

        • by DarkOx ( 621550 )

          I knew you were asking how/why this can occur on a technical or process level. Clearly some bad engineering design choices from a security standpoint were made. My assumption would be 'requirements' around keeping the data useful and available for mining/analysis/sale now or in future resulted in a misfeature.

          The core issue though is no amount of engineering is going to make a fundamentally bad idea into a good product. It's not smart to let some company have this kind of access to your personal life.

          • Kinda like why you trust your dentist to help you care for your teeth well. He makes money when you take his/her advice, but if you are getting bad advice and the result is you are uncomfortable all the time you might go somewhere else. It's in their interest to care for you well.

            Right. And that's why it's in Amazon's best interests to give your data more care than this. Incidents like these translate directly into reduced sales, because even people who don't really care about security of privacy get creeped out by them.

            • by DarkOx ( 621550 )

              Incidents like these translate directly into reduced sales

              No, they really don't. Security-conscious types were never going to get an always-on voice assistant. It's also not very likely to make anyone stop using Amazon because honestly there isn't a replacement for Amazon.com (in terms of being one-stop shopping for ANYTHING); certainly not for Prime. It's not going to make your company not choose AWS either.

              Look at Facebook! How many privacy incidents have they had, how much negative press, and yet #DELETEfacebook went basically nowhere. Same is true albeit

          • "Alexa, connect me with customer service." She reads me the definition of customer services from Wikipedia. Disconnected all my dots and threw them in my computer parts bin.
        • That's not even what I'm talking about. Why is it even possible for an Amazon employee to make these voice files available to other users through the interfaces available to them?

          Because extracting those files is a manual process, so that employee has to be given access to all recordings from accounts that are entitled to a download of their extracted audio files through GDPR.

          To limit access to files for the requesting account the permission system would need to know to which accounts that employee needs to have access today. (and if you do that manually, errors might happen there)

        • by dj245 ( 732906 )

          It's possible because Amazon and others have convinced people it's a great idea to have hot mic; under third party control in their homes.

          That's not even what I'm talking about. Why is it even possible for an Amazon employee to make these voice files available to other users through the interfaces available to them? It's understandable why the data is there, but not understandable why someone can make the files available to another user with a click. Even if it's done with a backdoored system, those files ought to be encrypted to the user.

          This happened before, again to a single customer. My understanding of that incident was that the two devices had the same hardcoded device ID. This could potentially happen if the device IDs are assigned in sequence, and one run started with same number of the previous run.

      • by gweihir ( 88907 )

        It's possible because Amazon and others have convinced people it's a great idea to have hot mic; under third party control in their homes.

        It's possible because people are stupid.

        Indeed. There are numerous indicators people are generally stupid, but this one is a true gem.

      • Those who would give up their essential privacy to purchase a little temporary convenience deserve neither privacy nor convenience.

        That's my misquote of the day.

    • An honest answer would probably be: "Well, you see, we actually wanted to send that link to one of our advertising partners..."

      Let's wait and see what cover story PR will spin.

    • FBI MODE!

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      This isn't the only case we've heard of exactly this type of phenomenon. There's been another incident where exactly this happened, and yet another where someone could hear live conversations directly from someone else's Alexa device. Until people realize live mics in the home under someone else's control are a bad idea, which I'm not convinced will ever happen, we'll keep hearing about these sorts of incidents.

      One of my more paranoid friends is convinced in a few years you'll be ostracized if you don't h

      • One of my more paranoid friends is convinced in a few years you'll be ostracized if you don't have these devices implanted in every room because if you don't, you clearly are trying to hide something

        I don't think so, at least, not that fast. Enough normal people think they're a bad idea (it's not just nerds) that it will take more than a few years, if ever. Mind you, I can see it happening in China, or in hardcore theocracies, and I can see western nations turning into the latter of those (or hell, being owned by the former) but neither within just a few years. I've been wrong before, though.

      • by Kjella ( 173770 )

        One of my more paranoid friends is convinced in a few years you'll be ostracized if you don't have these devices implanted in every room because if you don't, you clearly are trying to hide something and shouldn't associate with the "normal, decent god fearing" humans that want to be sure they are safe and secure at all times. I used to think he was babbling bullshit, but the way we're going I'm not so sure.

        Nobody official cares if I turn off my cell phone and go "off the grid", nor will anyone care if you don't have any device listening. The primary goal is to establish who all the people you don't have to worry about because their lives are transparent. It doesn't matter if you can defeat facial recognition with a hoodie and sunglasses, they'll see 9 out of 10 going about their daily business, you can pay cash but they'll see 9 in 10 use plastic and so on. They want to know all the mundane things people do s

    • by Mascot ( 120795 )

      "Why is this even possible?", internet users said on Thursday.

      Didn't strike me as any great mystery. Amazon is too big and clunky to have gotten their GDPR ducks in a row and are manually handling requests that should be automated.

      The longer version: For whatever reason Amazon has not made accessing your Echo recordings something you can just do at will (I assume this to be the case, otherwise the request would make no sense, but I don't own an Echo so I don't really know). The user made a request for the recordings, which falls under personal information, thus the GD

    • by gweihir ( 88907 )

      "Isolated single case" = "we screwed up massively, but we are not admitting it"

  • Tell me... (Score:5, Insightful)

    by Viol8 ( 599362 ) on Thursday December 20, 2018 @09:48AM (#57835958) Homepage

    Just how fucking beyond stupid do you have to be to willingly bug your own home with one of these devices? Or is it just the ultimate expression of apathy when you can't even be bothered to use a touchscreen to find or do what you need? I think the passengers in the Wall-E film are a closer reality than anyone believed.

    • I have multiple of these devices. Great for looking up recipes.
    • by RobinH ( 124750 )
      I agree, but explain to me how the microphone on your smartphone is any different. It's always listening, just say, "Hey Siri..." or "OK Google..."
      • I disabled "Ok google" feature on my phone (ok.. you need to "trust" it's really turned-off). This is why my next will be a Librem 5 (https://puri.sm/products/librem-5/).
      • explain to me how the microphone on your smartphone is any different. It's always listening, just say, "Hey Siri..." or "OK Google..."

        I've turned that off. Of course, I'm trusting that this is actually the case. But wait, I'm not that trusting. I'm happy to turn my phone off, put it in a box or whatever if I'm having a sensitive conversation. It's different from a device designed first and foremost to always listen.

      • I agree, but explain to me how the microphone on your smartphone is any different. It's always listening, just say, "Hey Siri..." or "OK Google..."

        I trust it because, 1) I've disabled it so that it doesn't respond to voice, only manual triggering (thus much more difficult to invoke accidentally), and 2) at least with Android, it's open source, and although I haven't personally looked at the source, enough people have that I'm fairly confident if it were doing something to upload recordings without my permissions, somebody would likely have figured it out by now.

        • by Anonymous Coward

          Sorry the "OK, Google" functionality is NOT open source. Try again.

    • This is the result of entire generations of people never having known anything but life in a civilized world. They've never had to wake up to the sound of bombardment sirens in the middle of the night, they've never had strangers with government badges bust down their door and take one of their loved ones away, never to be seen again. They've never had to call the police for an emergency, just to have police ask for bribes before they do anything, if they do anything, except maybe gang-rape their daughter

    • Well, to be honest I guess we're ALL fucking beyond stupid for willingly bugging ourselves with a listening device in our pockets; our cell phones. They have the same capabilities as these.

      My current TV has no mic or camera, but my next TV I will likely have to keep off the network or physically remove the mic & camera in it. I don't even trust being able to disable it in software and there probably won't be any models without those "features".

      • You can disable Siri. I know that Apple could be devious and be scarfing all your voice recordings anyway, but still. We live in a world where we have to cope with one of the "bigs." For me that big is still Apple.
    • Not too long ago, if the feds were caught installing bugs in people's homes en masse, people would be howling about Constitutional violations of privacy and demanding action be taken to punish the perpetrators. These days, however, the feds don't even have to worry about bugging homes because idiots everywhere are actually paying money to do it themselves. All the feds have to do to get the data is get a warrant signed off by a secret judge in a secret court with zero oversight or transparency to force a co

    • I bought an Alexa and put it in my living room some months ago, and I get your point. I do feel somewhat ashamed by the privacy aspect of it. I grew up with tech through the 90s and developed just as much of a belief in strong privacy as anyone else here. I shred every document with my name on it before throwing it away. I fought against our government census simply on grounds of principle for privacy. I've been a huge advocate all along.

      So what changed? I was honest with myself on this question, a
    • Don't forget Idiocracy [imdb.com].
    • by antdude ( 79039 )

      I also see this in doctor offices too. Ugh.

  • by Anonymous Coward

    Hahaha.

    In 5 years Normies will be asking how all their voice data was collected and traded by Amazon.

    "Wait Alexa RECORDS my voice?"

  • Why would anybody be foolish enough to get one of these things?
    • by tk77 ( 1774336 )

      I got one on discount and it was pretty useful, though admittedly I really only used it to control my Hue lights and entertainment system when I would misplace the remote. However, as soon as these issues started, I unplugged it and it's been that way ever since.

  • ..then just imagine what they can do when they intend to listen in on you!
    Not going to mince words: you are STUPID if you allow these devices in your home! FFS at least unplug the gods-be-damned thing when you're not actively using it!

    You've been warned. Repeatedly.
  • "Errors" always seem to allow access to personal information.

    Which makes you wonder what they are intentionally selling to their, uh, "partners".

  • by 110010001000 ( 697113 ) on Thursday December 20, 2018 @10:18AM (#57836160) Homepage Journal
    It was just a hash collision when generating the link. Will be fixed in the next update.
  • Here is the link to the original story in German: https://www.heise.de/newsticke... [heise.de] And in English: https://www.heise.de/newsticke... [heise.de]
  • by BringsApples ( 3418089 ) on Thursday December 20, 2018 @10:23AM (#57836188)
    I see how many people here already think the Alexa thing is stupid, nice. But, sadly, there's not very many of us. I've seen people of all ages with these things in their house. They talk to it with eyebrows down, shouting at it, like it's their house-maid. The damn thing is involved with their emotions!

    With the ever-increasing security measures sweeping through the world, there may be a day when we'll all be tracking ourselves, just to prove our social-standing/citizenship.
  • Seriously, who would find what I say at home interesting?

    You might prove that I really am crazy, that I really do talk to myself when no one is around to hear and that my shower concerts are cringe worthy affairs. But all that really means is you are more likely to knock before you enter my home...

    • You might prove that I really am crazy, that I really do talk to myself when no one is around to hear and that my shower concerts are cringe worthy affairs.

      Actually, that's very common behavior. Some people talk to themselves to self-comfort, some as an aid to memory. I was just skimming an article on this recently, but can't seem to find it...

  • by Anonymous Coward

    What are my neighbors saying?

  • The headline is factually wrong, and the way things are going here, that is intentional. So Slashdot is lying to us, again.

  • I use them as examples to add to my Middle School Computer class. I started this one with "how many of you use voice assistants?"

    Then I introduced the story. These case studies are great for making the stuff I teach seem relevant.
