An Amazon customer decided to request a data dump under the European GDPR data privacy law and instead got someone else’s data, including 1,700 audio recordings from this person’s chats with his Alexa-powered Echo.
A flagship IoT gadget, the Amazon Echo is a personal assistant that listens to voice commands like “what’s the weather, play my music, read the latest news, turn on the lights,” etc. Its brain is in the cloud, meaning it constantly sends these commands to remote servers owned by Amazon. And its “always-on” nature means it does this day in and day out. Normally, this wouldn’t be a problem. But when Amazon relies on individual employees to fulfill GDPR requests, it can be.
It’s the story of amazon.de customer Martin Schneider (not his real name) who used these rights to ask Amazon to release personal data it has on file about him. As reported by heise.de, a couple of months later, Schneider was sent a download link to a 100MB ZIP file. From the report:
“About 50 of the zipped files contained data relating to everyday things like Amazon searches, but there were also around 1,700 WAV files and a PDF cataloging unsorted transcripts of Alexa’s interpretations of his voice commands. Schneider was extremely surprised to find these files as he doesn’t use Alexa and doesn’t own any Alexa-enabled devices. He listened to some random sample files but didn’t recognize any of the voices they contained.”
Realizing that Amazon sent him someone else’s data, he emailed the retailer to inform it of the massive blunder. Amazon failed to reply but invalidated the download link for the data dump. Schneider contacted heise.de and told them the story. The magazine analyzed the data and identified its owner — Neil Schmidt (not his real name) who, along with his girlfriend, could be heard in the recordings.
“We had scored a direct hit and Neil Schmidt (not his real name) was audibly shocked when we told him about the personal data Amazon had sent to a stranger. He started going through everything he and his friends had asked Alexa and wondered what secrets they might have revealed. He also confirmed that we had correctly identified his girlfriend,” the magazine wrote.
Asked to produce answers for the mishap, Amazon was initially quiet. It later ceded to Heise’s emails and said one of their staff had made a one-time error, adding that the problem was also resolved with the two parties involved. This “resolution” meant Amazon called up the two parties to inform them of the blunder, going by the report. Amazon also claimed to have discovered the error themselves, which they hadn’t.
GDPR expert Dr. Carlo Piltz told the publication that disclosure of private audio files to an unauthorized third party contravenes various sections of the General Data Protection Regulation, including the requirement to maintain reasonable data security and the obligation to ensure that data is only released to its authorized owner.
“There is a broad range of factors that affect each case, and we are still learning how to interpret and apply them,” Piltz added. “In this case, it is now up to the authorities to investigate and decide whether to fine Amazon.”
tags
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
View all postsNovember 14, 2024
September 06, 2024