It was this year's Super Bowl, Eagles vs. Patriots, and I had invited some friends over to watch the game. As one of them sat down, he spotted my Echo Dot and immediately remarked, “Oh, Amazon listens too, then, huh?” Well, is that so? I asked him whether Siri was listening for its keyword on his iPhone and whether Apple was listening as well, then. He shut that down: of course Apple was not listening! Is Alexa actually invading your privacy? What’s the issue with Alexa and your privacy?

Why have Alexa at all?

Yes, I am concerned with IT security, but I still enjoy playing around with smart home and IoT. I don’t mean remote-controlled light bulbs, but an actual smart home. One that knows when to turn things on, when to set a certain light mood, how to heat the house. A house that you wouldn’t have to remote control at all. That would be a smart home. It’s not smart to pull out your phone, unlock it and open an app just to turn on the lights. That’s the opposite of smart. So Alexa, to me, is a fast way to remote control things, one that feels smart and more comfortable, until we get to the envisioned level. It’s a gimmick to make things easier to use. Set a timer when boiling eggs, ask for today's weather when getting dressed, small things like that.

My Amazon Echo Dot

So, it does listen then?

That’s the question it comes down to, isn’t it? Especially after news of a hack that turned it into an eavesdropping device made the rounds. I understand the concern, but the hackers had to get physical access to your device. That’s not impossible, but it is less likely than, say, someone sending you a targeted phishing mail and turning your laptop or mobile phone into a device of the same nature.

According to Amazon and Rohit Prasad (Vice President and Head Scientist at Alexa Machine Learning), Alexa has a recording span of just a few seconds (I have heard of about three seconds) and contains only four algorithms. Each algorithm can identify one of the available keywords, and if you set the Echo to recognize the word Alexa, that specific algorithm is activated. So yes, the Echo is listening, but it stores only a few seconds to see if the wake word has been said. If the wake word is not found, it deletes the recording and starts all over.

Alexa and the Amazon Cloud

Amazon comes into play when Alexa does recognize the wake word. If you actually said Alexa, the Echo will send the recording to the Amazon Cloud Service for processing. The entire AI is in the cloud, as the Echo itself is just too dumb to do it itself. That recording is stored in the cloud. What could happen, though, is that a false interpretation of a similar word initiates the communication between Alexa and the cloud. If you said Alex or Alexis and that was recognized as the wake word, the communication would be sent to Amazon. To reduce these false positives, Amazon implemented a cloud-based wake word recognition. The wake word is analyzed first to see if you really asked Alexa, and only if that was the case would a speech analysis take place.
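The flow described in the last two sections, as a simplified model added here for illustration (it is not Amazon's code): words stand in for audio, and the fuzzy on-device match, the exact cloud match, the buffer size and all function names are assumptions of this sketch.

```python
from collections import deque
from difflib import SequenceMatcher

WAKE_WORD = "alexa"
BUFFER_WORDS = 3  # assumption: stands in for the "few seconds" kept on the device

def local_match(word, threshold=0.7):
    """On-device detector: small and fuzzy, so near-misses can fire it."""
    return SequenceMatcher(None, word.lower(), WAKE_WORD).ratio() >= threshold

def cloud_match(word):
    """Cloud-side second check of the wake word (modelled as an exact match)."""
    return word.lower() == WAKE_WORD

def simulate(words, request_len=3):
    """Return (uploaded clips, clips that reached speech analysis, words never uploaded)."""
    buffer = deque(maxlen=BUFFER_WORDS)  # rolling buffer: old words are overwritten
    uploaded, analysed, local_only = [], [], 0
    i = 0
    while i < len(words):
        buffer.append(words[i])
        if local_match(buffer[-1]):
            clip = words[i:i + 1 + request_len]  # wake word plus what follows
            uploaded.append(clip)                # this leaves the device
            if cloud_match(clip[0]):             # only a confirmed wake word
                analysed.append(clip[1:])        # gets speech analysis
            buffer.clear()
            i += len(clip)
        else:
            local_only += 1                      # heard, never sent
            i += 1
    return uploaded, analysed, local_only

# Constructed sample: one real wake word and two near-misses.
SAMPLE = ("turn the lights on alex is here now alexa what time is it "
          "thanks alexis call me later").split()

if __name__ == "__main__":
    uploaded, analysed, local_only = simulate(SAMPLE)
    print("uploaded:", uploaded)
    print("speech analysis:", analysed)
    print("words that never left the device:", local_only)
```

In this model the two near-misses still produce an upload, which is the residual risk: the cloud-side check keeps them out of speech analysis, not off the wire.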

Siri as the only anonymous assistant?

I do need to mention that it seems Apple is the only one not to link assistant data to your personal account. While Alexa is tied to your Amazon account (Google does the same), Apple states that Siri is not linked to your iTunes account. Apple seems to link Siri to a random identifier that is generated by the device. They do have a way to identify devices belonging to the same base, as your Mac’s Siri will be connected to your iPhone’s Siri. There is the question, though, of what happens after a device upgrade when you set up your device as a new one. As I understood it, Siri would have to learn everything from scratch again. But you do gain more anonymity. Amazon knows what I have asked Alexa.

Siri, Google, Alexa and your privacy

Is your privacy invaded by these devices? That depends on your personal judgement. I personally think that Alexa does not pose more danger than my smartphone. I don’t want to drift into whataboutism and just point at other dangers, but that was a consideration for me when I bought the device. There are ground rules. Don’t let someone physically hack your device, check the skills you install, turn it off when you’re not home. Rules that apply to all connected devices. The risk you have to accept is that there might be false positives that establish a connection to the Amazon cloud. After a false positive you might say something that you don’t want Amazon to store. As Amazon itself says, you can always check your history in the Alexa app. That requires trust in the company to actually delete it. I don’t want to judge their trustworthiness, but if that is something you absolutely cannot live with, then I can understand why you wouldn’t want to get such a device.

Please keep the awareness

I really like that people are starting to be aware of things like privacy and IT security. The only thing I’d ask is that you do it consistently and in an informed way. Ask the same questions of Facebook, of Google, of the apps you install on your phone, of the suspicious mails you get. Why do apps need a certain permission? Did I expect that mail, and am I really the niece or nephew of a Nigerian prince? Why does Facebook offer everything for free, and how do they make their money, then? Educate yourself about it and then decide whether you actually want to use a certain service. And honestly, if you still decide to do it, that’s okay! I decided to get an Echo Dot, but I knew what I got myself into.

