An Amazon Alexa user from Germany decided to exercise his rights under the EU’s GDPR and demanded his personal data recorded by the company. Instead, he received 1,700 audio recordings of someone else he doesn’t know.
The man demanded a copy of all the data Amazon has on him. Two months later he received a 100MB file which contained some of his own data related to the Amazon searches he made.
But there were hundreds of audio files and Alexa transcripts too in the received files — none of which he could recognize. What’s surprising is that he doesn’t even own any Echo device.
So he reported this to Amazon and asked for further information, but he didn’t get an answer. Later, he saved the files and shared the story with Germanys’ C’t magazine.
The magazine started its own investigation and listened to the files. It was able to put together an informative picture of who the other user is.
They were also able to figure out his personal habits, devices he owns, taste in music, the identity of his girlfriend; it even managed listened to him in the shower (creepy, right!?).
Finally, they tracked down the other user who was unaware that Amazon had shared his personal data with someone else. He also confirmed that all those audio clips belonged to him and that Amazon didn’t inform him about the leak.
Amazon, in its defense, said that this goof-up was a result of a one-time error made by a staff member. However, the company still stands liable to fines under EU law.
In short, this story once again confirms our fears about whether virtual assistants can really be trusted. Amazon always insists that Echo devices are not listening constantly unless they are activated. But the given number of such incidents only prove otherwise.