The recently filed lawsuit against Amazon’s Alexa Voice Services fascinates me. It alleges that Amazon is recording children who use Alexa without appropriate consent. It’s a legal technicality. Even though mom or dad bought the Echo, put it in the house and taught the kids to talk to it, Washington and several other states require dual-party consent to record a conversation.
A quick fix would be for Amazon to build the required consent language into the terms and conditions for using Alexa. Except by doing so, Amazon would have to admit that Alexa is recording conversations.
This raises the question: Is Alexa recording conversations? And even if it isn’t, do these lawyers believe that there actually is someone listening or reading the commands and that the data collection methodology is somehow different from giving a 10-year-old a smartphone or tablet and letting the child play a game on it?
Willful ignorance is dangerous, but not understanding the difference between data privacy and digital identity is way more dangerous.
Data privacy versus digital identity
Data privacy is currently an undefined, vague notion of the value and usefulness of someone’s personal data. Data privacy advocates are calling for strict regulatory frameworks to protect people from third parties who might benefit from aggregating and enriching their digital profiles. It is a fool’s errand.
As long as people are addicted to publishing personal information or remain willing to give away their usage data to enhance the quality of their online enjoyment, the quest for data privacy is an iterative game of Whack-a-Mole.
Conversely, digital identity advocates suggest a clearly defined methodology that authenticates your identity and allows you to control who sees your data and how it should be used.
For example, a minor with a fully authenticated digital ID could not open an account on a site that was prohibited by law from allowing minors to open accounts. This would not require the transfer of personal information; simply checking the ID against an anonymized database would allow compliance with the law without the exchange of personal data.
To be clear, there is a fierce academic debate as to which approach might be a better solution. But it seems obvious that removing the ability to easily create fake accounts, ensuring that people are who they say they are and holding people accountable for their online actions as we hold them accountable for their offline actions would go a long way toward solving the problem.
How does my Echo device work?
With this framework, it helps to know that Amazon says Echo devices do not store recordings; instead, Alexa uses automatic speech recognition (ASR) to determine what has been said, analyzes the text with a natural language understanding AI and does its best to act on the input. The text is then stored on Amazon’s cloud and displayed in your Alexa app’s history stack.
Amazon insists that no audio is sent or saved to the cloud unless your Echo hears the wake word (i.e., “Alexa,” “Echo,” “Amazon” or “Computer,” for Star Trek fans).
Earlier this year, Bloomberg found otherwise, reporting that Amazon employees were listening to what you were saying via Alexa and transcribing your speech to help make the service better. And while Amazon says no audio is stored unless Echo hears its wake word, Amazon employees said they’d routinely hear and transcribe audio recorded by Alexa “without any prompt at all.”
The heart of the lawsuit
As the Seattle lawsuit claims, because the Alexa system can identify individual speakers based on their voices (even though that capability is inadequate at the moment), Amazon could ask any new user speaking to the Echo for consent.
“But Alexa does not do this,” the lawsuit claims. “At no point does Amazon warn unregistered users that it is creating persistent voice recordings of their Alexa interactions, let alone obtain their consent to do so.”
Taking one step further, the lawsuit’s concern is “that Amazon is developing voiceprints for millions of children that could allow the company and potentially governments to track a child’s use of Alexa-enabled devices in multiple locations and match those uses with a vast level of detail about the child’s life, ranging from private questions they have asked Alexa to the products they have used in their home.”
This last bit sounds like the plaintiff’s lawyers have watched one too many episodes of Black Mirror.
The problem is not data privacy; the problem is digital identity. Amazon says its voice profiles “can automatically recognize the voices of users in your household over time to improve personalization of certain Alexa features” so that Alexa can call you by name and personalize your experience. Amazon says if it doesn’t hear a user’s voice in three years, the acoustic model for that user is deleted.
Ultimately, voice recognition and digital identification of the user is a “must have” feature. Sadly, as anyone who’s spent enough time with Alexa knows, Amazon is not there yet.
Listening and storing without a wake word
Last month, Amazon filed a patent that would allow your Echo to listen and record your audio, even without hearing a wake word. “According to the patent, it would allow users to more naturally communicate with their devices, saying phrases like ‘Play some music, Alexa’ rather than starting each command with ‘Alexa.’”
Amazon used to publicize that it only stored 60 seconds of audio on local storage, which would be replaced by the next minute of audio if it didn’t hear a wake word. Though Amazon no longer explicitly says it locally stores audio prior to hearing a wake word, this patent makes it clear that such a storage feature would be in effect.
The analog hole
Voice-enabled technology requires some special security features, such as a secondary system, because voices can be recorded. If a human can hear something, so can an audio recording device. This is known as the “analog hole,” which makes any audio-only system, like a voice-activated smart lock for your door, vulnerable.
All you need is a high-quality voice-activated recording device, which can be purchased for under $200, hidden near the smart lock. Hit the playback button to open the door. (By the way, you saw that trick in the original movie WarGames, and the trick still works.)
In practice, the door lock API requires the user to opt-in and speak the PIN code. However, current systems do not access Amazon’s voice identification system, so anyone who knows your PIN code can say it or record it and play it back to enter your home.
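To make the replay weakness and the "secondary system" idea concrete, here is an added example (not code from Amazon, any lock vendor or the article's author) comparing a static spoken PIN with a one-time spoken code. It assumes a hypothetical lock that sends a fresh challenge to an enrolled phone sharing a secret key with it; `ChallengeLock`, `one_time_code`, the 30-second expiry and the sample PIN are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

PIN = "4912"  # constructed sample PIN, not a real credential


def static_pin_unlock(heard: str) -> bool:
    """The flow the article describes: the PIN opens the door, spoken live or played back."""
    return hmac.compare_digest(heard.strip().encode(), PIN.encode())


def one_time_code(key: bytes, nonce: str) -> str:
    """Six-digit code an enrolled second device (assumed) derives from the lock's challenge."""
    digest = hmac.new(key, nonce.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class ChallengeLock:
    """Hypothetical secondary system: the spoken code must answer a fresh challenge."""

    def __init__(self, key: bytes, ttl: float = 30.0):
        self._key, self._ttl = key, ttl
        self._pending = None   # (nonce, issued_at) for the single outstanding challenge
        self._spent = set()    # codes already accepted once; never honoured again

    def new_challenge(self, now: float) -> str:
        self._pending = (secrets.token_hex(8), now)
        return self._pending[0]

    def try_unlock(self, heard: str, now: float) -> bool:
        pending, self._pending = self._pending, None  # any attempt consumes the challenge
        code = heard.strip()
        if pending is None or code in self._spent:
            return False
        nonce, issued = pending
        if now - issued > self._ttl:
            return False
        ok = hmac.compare_digest(code.encode(), one_time_code(self._key, nonce).encode())
        if ok:
            self._spent.add(code)
        return ok


def replay_demo() -> dict:
    """One legitimate unlock is recorded, then the recording is played to both designs."""
    key = secrets.token_bytes(32)
    lock = ChallengeLock(key)
    spoken = one_time_code(key, lock.new_challenge(now=0.0))  # owner reads the code aloud
    legit = lock.try_unlock(spoken, now=5.0)
    lock.new_challenge(now=60.0)                              # later attempt with the tape
    return {"static_pin_replayed": static_pin_unlock(PIN),
            "challenge_legit": legit,
            "challenge_replayed": lock.try_unlock(spoken, now=61.0)}
```

The recorded static PIN still opens the first lock, while the recorded one-time code is rejected because its challenge has been consumed and the code is marked as spent.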
The digital identity solution
Digital identity will solve most of these issues as voice identification technology matures. Of course, the nature of innovation and continuous improvement is that there are known unknowns.
“Alexa, could there be a future configuration problem or hack or simple mistake at Alexa Voice Services that has a significantly negative impact?” Not surprisingly, it responded, “I can’t help you with that one.”
Author’s note: This is not a sponsored post. I am the author of this article and it expresses my own opinions. I am not, nor is my company, receiving compensation for it.