An Amazon user in Germany was just able to gain access to an estimated 1,700 voice recordings of an Alexa user — because, get this, of a glitch at the Amazon company.
That’s some glitch. It came by way of a “human error,” Amazon reported. But here’s the bigger glitch. In the end, these erroneously shared files gave eavesdroppers the access to enough snippets of private in-home conversations that they were soon able to piece together the Alexa user’s identity.
Wonder how many more human errors of this type have been made?
It’s no comfort an Amazon spokesperson called the eavesdropping an “isolated single case,” as Reuters reported. Not when 1,700 audio files were involved.
But here’s what transpired: A customer in Germany, citing legal rights under the European Union’s General Data Protection Regulation, requested access to all the data Amazon had stored on his own account, particularly in relation to his online searches. Amazon emailed him a zip file with all the requested information — and much to this user’s surprise, the data he received contained hundreds of .wav files as well as a PDF detailing scores of voice commands made through Alexa. Why the surprise?
Well as it happens, this guy doesn’t even own an Alexa.
He’d never even used the device before, Gizmodo reported.
Interesting, yes? Quite. So this user in Germany turned around and asked Amazon for an explanation. But instead of replying, Amazon seemingly deactivated all the links to the files in question. If it sounds shady — it is. Too bad for Amazon, but the guy had already saved the files. It wasn’t long before he contacted c’t magazine, a publication of the German tech publisher Heise, to share his story with staff, who in turn listened to the audio files and ultimately, “piece[d] together a detailed picture of the customer concerned and his personal habits.”
In other words: This poor Alexa user had his private life secretly tapped. And not just his. His visiting female companion’s, too.
This is what c’t magazine wrote, Gizmodo reported: “We were able to navigate around a complete stranger’s private life without his knowledge, and the immoral, almost voyeuristic nature of what we were doing got our hair standing on end. The alarms, Spotify commands, and public transport inquiries included in the data revealed a lot about the victims’ personal habits, their jobs, and their taste in music. Using these files, it was fairly easy to identify the person involved and his female companion. Weather queries, first names, and even someone’s last name enabled us to quickly zero in on his circle of friends. Public data from Facebook and Twitter rounded out the picture.”
The magazine actually contacted the spy victim. And, predictably, he freaked. He was “audibly shocked,” is how c’t put it.
As would we all — as should we all.
But what’s perhaps more shocking is Amazon’s response.
“This was an unfortunate case of human error and an isolated incident,” the company said in a statement. “We have resolved the issue with the two customers involved and have taken steps to further improve our processes. We were also in touch on a precautionary basis with the relevant regulatory authorities.”
In case you missed it, that means: Move along, nothing to see here.
Unfortunately, as this “human error” demonstrates — there’s plenty to hear, though.
• Cheryl Chumley can be reached at firstname.lastname@example.org or on Twitter, @ckchumley.