What happens when you don’t own an Amazon Alexa-equipped smart speaker, but, following a request for data, you get over a thousand recordings with the personal assistant? One Amazon customer in Germany got to find out.
The German magazine c’t has the report about a person, going by the alias “Martin Schneider”, who requested the data that Amazon has collected on them. Schneider can do this following the rollout of the European Union’s General Data Protection Regulation, or GDPR. Schneider requested a look at the data that Amazon had collected on him, but that’s not what he received.
Instead, due to what Amazon calls “human error”, Amazon accidentally set Schneider 1,700 recordings of conversations and commands delivered to Alexa on a smart speaker. The issue is that Schneider does not own an Alexa-enabled smart speaker, and it was quickly revealed that the 1,700 records were not his at all. Schneider tried to get in touch with Amazon about the issue, but was ultimately unable to do so. As a result, he took the recordings to the magazine who was able to piece together, through the data collected, who the recordings belonged to.
Within the recordings, the actual owner is noted as offering up a variety of commands to control Spotify, it’s recognized that there is a spouse that lives in the house with the owner of the recordings, and controlling smart devices like the thermostat and more.
“Using these files, it was fairly easy to identify the person involved and his female companion; weather queries, first names, and even someone’s last name enabled us to quickly zero in on his circle of friends,” the report reads. “Public data from Facebook and Twitter rounded out the picture.” It turns out that the victim in this case also filed a data request under the new GDPR rules, c’t reports, but somehow the two men received each other’s reports.”
For Amazon’s part, the company says that this was a fluke and that the company is reviewing its processes to make sure that it does not happen again. The company also says that it was in touch with the proper regulatory committees in light of the mistake as well.
This is actually not the first time that Amazon has run into an issue where personal data, or conversations, were handed off to a third party. In that first case, which took place in May of this year, Alexa automatically recorded a conversation between a couple in Oregon and then, without the couple’s knowledge, sent that recorded conversation to a third contact.
At the time, Amazon said this was an unlikely event, and one that shouldn’t have happened in the first place. The company said it would be investigating the issue further to reduce the chance it ever happened again. I guess the good news here is that we haven’t heard of a similar situation all these months later.