"something that Amazon claimed, wrongly, that it had discovered."
To be fair they did discover it. They just forgot to say how they discovered it. Somebody told them about it.
A German man was very confused when he received, at his request, all the information that Amazon possessed on him. He had requested the data dump through Europe's GDPR privacy law, and among the records of his Amazon searches and purchases, he was surprised to find no less than 1,700 recordings of him using Amazon's Alexa- …
I wonder how much blame accrues to the recent migration of DB technology?
My Amazon profile is completely trashed since about 4 weeks ago, when I was told I had contravened the community guidelines. My reviews were deleted. No appeal allowed.
I have no idea what I had done (Amazon keeping that to themselves) other than what I had been doing for ten years as far as writing reviews goes. Then they told me that I was back in their good books but most of the profile was gone and the rest had bizarre settings - a review of a Paula Poundstone book was flagged as "hidden" with no way to unhide it for example).
Requests for more info go unanswered, so now I have a mail filter to bin the begging-for-reviews letters from Amazon and their sellers and those "can you answer" spams.
I'd be angry about what is tantamount to cyber bullying (I was quite proud of my "Caged Women" review and the comments people made were hugely entertaining) except that Amazon making me live the Piranha bros sketch for real, me playing Stig O'Tracy to their Dinsdale Piranha, has me laughing hysterically.
"We understand Amazon nailed your head to the floor (figuratively)"
"Nahnahnahnahnah! They wouldn't do that!"
"But we have film of them doing so."
"Oh. Well, they did that, yeah. But they 'ad to. I 'ad broken the unwritten law."
"What had you done?"
"Well, they didn't tell me that, but they gave me their word it was the case and that's good enough for me."
Next week your Alexa will receive a mandatory update with a new EULA forbidding disclosure of news embarrassing to Amazon.
Further, the man who requested the data dump has been reported as a hacker, since his request caused considerable work for the Alexa team, distracting them from the Video Alexa project. The HAL9000 eye hardware is complete but the 24/7 video stream from the bathroom location isn't compressing as well as expected, owing to your disgusting rug-back. Alexa has proactively ordered grooming products for you and shared the footage through your "Amazon Personal Goals" page to help with motivation.
What is the current legal status concerning Amazon's collection of Alexa request audio? Are they supposed to delete all such audio after finishing a request?
I'm wondering if they want to save requests in order to better deal with future interactions. But they have to parse that audio during a request anyway, so presumably all they would need is the parsed data, not the actual audio.
Also, the fact that they freely disbursed the audio at all means they didn't consider it a big deal to have it in the first place. I'm totally confused. Did they save audio merely so they could comply, and if so, with what? Does the GDPR require this?
A privacy expert on German TV last night said that this is disgraceful and that Amazon should be deleting the audio after an appropriate amount of time, say 24 hours.
As to the GDPR, one of its key tennets is information minimization, you are only allowed to collect and keep the information that is absolutely necessary to provide the service - and using that information for other, non-related services doesn't count. So once the request has been completed, there is no real reason for keeping the information around - they can't use it for advertising purposes, for example.
"So once the request has been completed, there is no real reason for keeping the information around..." Not quite correct. If your Alexa initiates a 'contractual' agreement on your behalf (ie "Alexa, buy me a new toy Yoda") then the record must be kept for as long you can refute the contract.
> Not quite correct. If your Alexa initiates a 'contractual' agreement on your behalf (ie "Alexa, buy me a new toy Yoda") then the record must be kept for as long you can refute the contract.
True, but you have to confirm the order. So Amazon knows which Alexa recordings relate to orders and which don't. So no reason to retain the non-order recordings.
Under GDPR you can keep data indefinitely for "scientific or historical research purposes or statistical purposes". For example, keeping voice and the transcript to compare against an improved voice recognition mechanism would seem like a perfectly valid scientific purpose.
No need to notify the user or for informed consent.
It is a grey area. If it is clearly visible and the people know it is there, it isn't.
On the other hand, some helicopter parents were using watches with built-in audio for their children, so they could contact them in an emergency, but the devices also let the parents listen to what the child is currently doing - and what those around the child are doing - which is illegal under German law. You cannot listen in on anyone, especially children (so if there were any other children within the vicinity of your child, that would be illegal) and listening in on teachers, for example, in the classroom is also illegal.
The owners of such devices had to either return them to the seller or hand them over to authorities for destruction.
I don't understand what all the hand-wringing is about. Just kill the damn things already. The companies that produced these devices have a long history of giving you something they tell you is free or at a reasonable-ish price and then using it to gather as much information as possible in order to make a return on their investment. Any challenges to this model have been met with their best efforts to get past them no matter what. They have demonstrated a clear pattern of behavior and an unwillingness to change. The only way to prevent this behavior is to ban their products.
I'm confused, what possible kind of 'human error' could see the audio recordings of one Alexa, which I assume was working perfectly for the gentleman who owned it and therefore must have been integrated with his own account, delivered to a completely different account owner? It stinks of a systemic coding oversight to me. It might be rare and obscure but if it happened to this person I'll bet it's not unique.
I'm confused, what possible kind of 'human error' could see the audio recordings of one Alexa, which I assume was working perfectly for the gentleman who owned it and therefore must have been integrated with his own account, delivered to a completely different account owner?
Occam's razor suggests to me:
1. Find Alexa ID(s) for requester from "account information" tool.
2. (Mis)type ID into "get recordings" tool.
"I was working for a larger supplier of goods and cloud services, when I got a request from a user about the data we had about him...."
...management didn't want to invest in adequate business procedures and the retrieval UI was developed by a JavaScript rat high on StackOverflow copypasta, so the obvious happened ...
...and then we got reamed in the courts...
They could drop Oracle, but evidently their database are not in good shape... why a human was involved in gathering information that should be far easy to get in a total automated fashion - as long as data are properly stored and referenced...
If I were Ellison, I would use that easily against Bezos...
"and therefore must have been integrated with his own account, delivered to a completely different account owner?"
There's no mention in the article as to whether the rest of the data was the correct data requested by the applicant. Depending on what else the applicant received other than the voice recordings, it raises the question as to how Amazon store their data and possibly why they are using different keys or identifiers for the different types of data. Was it just a fat finger episode and he got all the data for the wrong account? Or are Amazons systems not capable of automatically linking all data for an account via a single and consistent identifiers?
To be a pedantic Information Governance type breach reporting isn't mandatory under GDPR for all incidents, it is mandatory in certain circumstances based upon volume of data/persons, sensitivity of data and the risk of prejudice among other things.
A school teacher losing the list of pupils who attended a swimming lesson would be a breach but not reportable whereas a teacher losing the list of pupils on a three day residential trip which included health data (which is common due to allergies and the no of kids with other medical conditions attending mainstream school) would be a breach and it would be reportable.
"The GDPR requires you to alert the relevant regulatory authorities of any data breach"
Unfortunately, it doesn't. There's an element of discretion available to the data controller: "... unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons" (Recital 85, Article 33.1). The lack of clear criteria for assessing relevant natures and levels of risk is one of the Regulation's major weaknesses.
Does anyone else think future sound analysis system seem to be the obvious reason for keeping search recordings?
All those lovely background sounds revealing lots more about you and what's happening when you order. Currently they only have 'assumed' search requests heading home, they'll be keeping the 'Oops we accidentally left permanently recording everything switched on (for testing) after the firmware update' excuse for future use.
GDPR violation excuse - 'We need the recording for training purposes' (billions of them)
GDPR violation excuse - 'We need the recording for training purposes' (billions of them)
If that is the case, they cannot use the audio for Alexa queries... You cannot collect information for one purpose and use it for another.
For example, if you have a telephone recording system and say that you are recording for training purposes, you cannot then use the audio for any othe purposes, E.g. as evidence of breach of contract in a court case.
Wrong, defence of legal claims is an exemption under Schedule 2(1)(5) of the DPA 2018 in the UK and there will be similar ones in other EU nations.
Its what was S35 under the old DPA which implemented the old EU DP directive
Mine's the one with a copy of the GDPR and the DPA 2018 in the pockets
Evidently. Actual "AI" - or better "machine learning" - is based on feeding to software huge amounts of data. Who has the most data to train systems have a competitive advantage.
I'm not surprised they stored the data whatever they say in their ToS or privacy pages - and that's why they need to be regulated. Chinese companies may hoard a lot of data, but they will be limited by the fact that those data will be mostly Chinese - hardly a competitive advantage.
Anyway, Alexa is on its road of becoming a telescreen, and the next Facebook.
Clearly human intervention was required to compile the response to the GDPR request, and it looks like Amazon employees can get access to that.
What do they do with the video recordings from the Echo Narcissist or whatever it's called?
I think you'd be crazy to let a microphone connected to a US megacorp in your house, let alone a camera.
RE: "I think you'd be crazy to let a microphone connected to a US megacorp in your house, let alone a camera."
Unless you are disabled / infirm and the said microphone allows you to do many things with great ease that you previously had difficulty doing, or are a carer for said person and find it a great aid to looking after them. Your lifestyle isn't the only one. Before you say about it - yes there are other non-connected solutions - but they aren't as easy to use for an 86 year old, or as easy to configure for someone who hasn't go the time.
Fine, that's a narrow use case for which a reasonable argument can be made. However, that doesn't fit the overwhelming majority of cases.
Personally, I'm not against the existence of these sorts of devices, I just think they need to come with big red warning labels.
actually, NO, that is not a narrow use case. I gave one to my 82 year old father for that exact purpose. I want him to be able to turn lights on before he gets out of bed. I want him to be able to get help should he fall... etc, etc. etc. Its a narrow use case that applies to about 100 million people... when does a narrow use case become a major use case?
"actually, NO, that is not a narrow use case. I gave one to my 82 year old father for that exact purpose. I want him to be able to turn lights on before he gets out of bed. I want him to be able to get help should he fall... etc, etc. etc. Its a narrow use case that applies to about 100 million people... when does a narrow use case become a major use case?"
I agree, there are cases, especially for the infirm or disabled, where something like Alexa is a real boon. But isn't it sad that one of the best use cases is also those people least able to fight back against the privacy invasive nature of the device and service? A privacy tax on stupid is one thing, but a privacy tax on the most vulnerable in society?
Over 20 years old, but not getting any love.
However companies see it as more advantageous to use their own server than embed it.
I've used perfectly good embedded voice control of PC, car radio, phone on things 10 to 20 years old. Corporate bosses are not interested in improving the local SW, or providing it at all. Hence your <whatever> controlled by an App, which can can be voice controlled is via TWO servers on the Internet, Google/Apple/MS/Amazon Voice to Text (and Machine Learning is just a (partially) human curated dataflow database, not real AI), then the App uses the IoT maker's Server.
So no privacy and it's subject to hijacking, exploitation and failure due to Internet connection and/or server failure. It will end badly see "No Silver Lining" "Ray McCarthy".
.. technology. It is after all how I go about securing an income each month.
But this.... I'd rather try and start a fire with a wet scarf and a potato, huddled in a cave with some politicians and my least favourite relatives.
All hungry and baying for me to get some mouldy goat steaks cooked.
Creepy and Invasive stuff, that worryingly seems to get ever more popular, and thus pervasive...
Zuckerburg clearly doesn't...
Mark Zuckerberg tapes over his webcam. Should you?
Does covering his laptop camera and microphone with tape make Facebook’s boss paranoid, or are they really after him? Probably a bit of both
Amazon yesterday: "This was an unfortunate case of human error and an isolated incident." (emphasis mine)
And yet, seven months ago: You know that silly fear about Alexa recording everything and leaking it online? It just happened.
(And I'm going to assume that Google and Apple and all the other companies also store people's voice recordings)
I am not condoning the storage of Alexa recordings, but it should not be a surprise to anyone. I setup an Echo for my elderly mother precisely for the reasons someone previously mentioned for use with a disabled person. In doing so, I installed the Echo app on her iPad so that we could setup certain services. While looking around the app I found that it can provide your complete history of Alexa use including being able to playback the audio recordings it made when you had made a request.
If you do own an Echo device, checkout the app. It's kind of creepy.
Here's an idea: anyone with one of these devices, every time you go out, leave a recording playing of you saying "Alexa, what's the weather forecast for Tashkent?" on a repeating loop. Eventually they'll run out of disk space. Also, using locations that you have no intention of going to will screw with their algorithms.
There is an upside, you know. Consider that if the police should ever subpoena your Alexa records in order to bring you to justice (you swine) your shyster of a lawyer might get you off after they've been played, by claiming to a believing jury of credulous loons that in fact you aren't you - at least when it comes to Alexa.
"So inspector Organs, it is your contention that my client murdered six people in that house, and that the recordings taken from my client's Alexa device clearly indicate advance planning, including ordering axes, tomahawks, knives and so forth, is this not so?"
"It is."
"Then would you please explain to the jury why my client, who has spoken throughout in his native Midlands nasal whine, elects to order his weapons of choice in a deep Scots burl? And that the slow performance of the Amazon website that day has him swearing in what our expert witness has identified as Lowland Scots Gaelic? A language with which my client has demonstrated no affinity whatsoever? Indeed, his secondary school French teacher has given testimony under oath that her experience was that my client had little enough grasp of his native English and in four years of enforced language education demonstrated no capacity whatsoever for learning another! How do you reconcile these disparate facts inspector?"
"Er"
"In fact Inspector, ladies and gentlemen of the jury, I plan to show evidence this day that my client has never in his life so much as travelled North of Sheffield! That he has no Scotsmen in his family tree! That this murderous, growling Celtic voice we have heard is in fact one Angus McGillycuddy, a retired dockworker from Fife who currently resides at 'Nae Mare Rovin' Like', 43 Bonnie Prince Charlie Lane, Glasgow, where he is current mace-bearer and treasurer of the Only Gude Sassenach Is A Deed Sassenach Club."
(Chaos in the public gallery, cries of Order! Order! from Mr Justice Wonce, banging of the gavel, shouts of "Thaas tellin' him Jimmeh!" from the dock etc)
I presume all these devices work by shipping audio to a backend where all the processing is done, right? That is, there's very little local processing going on and really a lot of opportunity for snooping / data gathering.
Yes, but it's not so much 'a lot of opportunity for' as it is 'the sole reason for'
Quite a few Smart devices I would have no problem with except that they bundle everything off to some data centre for processing and back which requires a net connection and it's generally revealed that assurances that the information is deleted once the data transaction is complete are bogus.
And you can include speech recognition in that.
To stop companies giving stupid PR answers to your questions, always report the name of the spokesperson who gave you the answer. After a while they will get so embarrassed that they start giving proper answers to your questions.
Similarly, when someone says they cannot comment on individual cases, ask them Why?
To stop companies giving stupid PR answers to your questions, always report the name of the spokesperson who gave you the answer. After a while they will get so embarrassed that they start giving proper answers to your questions.
They will, of course, reply truthfully.
Some years ago I did some programming work for a small software company -- let's call them ITCo -- that was small enough that the telephone support was handled on a rota basis by developers. In order to stop callers asking for specific developers by name (some of us were much more tolerant of the support role than others) we always replied "Dr. Itco" when callers asked for our name.
I expect this technology to record any transactions I make using the device. However, I don't expect it to record local information, such as when I ask it to turn off the lights or change the thermostat.
Moreover, I don't expect it to record casual conversations and noises. This is absolutely an invasion of privacy.
Furthermore... if any device is recording, and this recording exceeds 30 seconds, the device should beep or provide another alert to let me know it is recording.
It's time our lawmakers step up and begin to tighten controls on what technology can do.
This includes the capturing of day-to-day information on us. Such as, purchasing merchandise using a credit card--and what I purchased--and then selling this information.
Alexa is bad enough, but people bought the device and knew the data was being sent to central servers, somewhere, but when you think about Windows 10, everywhere, and how hard it is to disable cortana, you need gpedit.msc
and regedit.exe
, two programs the average Windows user does not know how to use. How is that GDPR-compliant ? And why does Microsoft store data of people for what appears to be indefinitely ? I recently had the joy of inspecting some metadata of data collected by MS (you only ever get to see the metadata) on a relative and was shocked.
The person in question had a microsoft account, needed it to use the Windows store to download I dunno what, once, some years ago, so I looked up the data with him and 5 seconds later, was asked to completely disable Cortana, web search, and slurping ... imagine the millions that are being milked for data without knowing .... MS is bankrupt ... all we need to do is wake the punters up!