If the rest of the world weren’t on fire, 2018 might be remembered as the year of reckoning for social media. Every week there’s a new report of a company gathering and selling data without users’ permission. The latest installment comes from the Amazon Echo.
In Oregon, a user’s Echo device recorded a conversation between the owner and her husband, then sent the audio to an acquaintance of the owner without her knowledge or permission. The acquaintance contacted the owner upon receiving the message, worried that the device might have been hacked.
“At first, my husband was like, ‘No, you didn’t,’” the owner said. “And [the acquaintance was] like, ‘You sat there talking about hardwood floors.’ And we said, ‘Oh gosh, you really did!’”
The story was originally reported by the CBS affiliate in Seattle, who was able to do what the owner was not: prompt a response from Amazon.
The company claims that the owner and her husband inadvertently activated the system and confirmed that the message should be sent via the Echo’s Alexa voice activation. They claim that these commands are recorded in the system’s logs, but the owner says that she was sitting next to the speaker with the volume at 7, and never heard any of Alexa’s voice prompts.
“I’m never plugging that device in again,” she said. “I can’t trust it.”
Amazon minimized the incident, saying that they have “determined this was an extremely rare occurrence… As unlikely as this string of events is, we are evaluating options to make this case even less likely.”
But the timing wasn’t great.
The admission came as Facebook confirmed it had been sharing user data with more than 60 device makers, including Apple and Samsung, since 2007. Facebook faced more uproar earlier this year when it acknowledged that it sold millions of users’ private data to political consultancy Cambridge Analytica, which used this data to target vulnerable voters during the 2016 US Presidential Election and the Brexit Campaign. Facebook CEO Mark Zuckerberg faced a Congressional inquiry into that breach and was also called to testify before the EU assembly.
Earlier this year, the New York Times published a report from researchers at Berkeley and Georgetown Universities that shows that Amazon’s Alexa, Apple’s Siri, and Google’s Assistant are all vulnerable to voice commands inaudible to humans. These commands could be embedded in a variety of online media or over the radio, and could be used to unlock doors, wire money, or engage in other mischief.
Amazon, Apple, and Google are all aware of these risks — though there’s no proof that these vulnerabilities have been exploited outside of the researchers’ labs. But the Amazon Echo incident in Oregon demonstrates that it doesn’t take a malicious outside actor to violate users’ privacy.